Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
Sigma rule

title: Blue Mockingbird
id: c3198a27-23a0-4c2c-af19-e5328d49680e
related:
    - id: ce239692-aa94-41b3-b32f-9cab259c96ea
      type: merged
status: test
description: Attempts to detect system changes made by Blue Mockingbird
references:
    - https://redcanary.com/blog/blue-mockingbird-cryptominer/
author: Trent Liffick (@tliffick)
date: 2020-05-14
modified: 2022-10-09
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.execution
    - attack.t1112
    - attack.t1047
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    sc_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'sc config'
            - 'wercplsupporte.dll'
    wmic_cmd:
        Image|endswith: '\wmic.exe'
        CommandLine|endswith: 'COR_PROFILER'
    condition: sc_cmd or wmic_cmd
falsepositives:
    - Unknown
level: high
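To show what the two selections actually match, here is an added Python example that re-implements the rule's logic (case-insensitive endswith / contains-all, OR'd condition) and runs it over Sysmon-style process_creation events. This is example code written for this page, not code from SigmaHQ, the rule author, or Red Canary. Every event, path and command line in it is constructed for illustration; two of them are deliberately just outside the rule's literal string constraints to show where it goes quiet.

```python
"""Evaluate the Blue Mockingbird Sigma rule against sample process_creation
events.  Added example for this page: not code from SigmaHQ, the rule author,
or Red Canary.  All events below are constructed, not captured telemetry."""

from typing import Dict, List

# Sysmon Event ID 1 style fields.  Each comment states what the rule decides.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: sc_cmd selection: cmd.exe reconfiguring a service and naming the DLL
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c sc config wercplsupport start= auto & copy "
                       r"C:\Users\Public\wercplsupporte.dll C:\Windows\System32\wercplsupporte.dll",
    },
    {   # 1: wmic_cmd selection: command line ends with the bare variable name
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": "wmic ENVIRONMENT where name=COR_PROFILER",
    },
    {   # 2: same intent, but a quoted name means the line no longer ends with
        #    COR_PROFILER, so the rule's endswith clause misses it
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "CommandLine": "wmic ENVIRONMENT where \"name='COR_PROFILER'\"",
    },
    {   # 3: benign cmd.exe activity, must not fire
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir C:\\Users",
    },
    {   # 4: sc.exe invoked directly rather than via cmd.exe: both strings are
        #    present but the Image constraint of sc_cmd is not met
        "Image": r"C:\Windows\System32\sc.exe",
        "CommandLine": r"sc config wercplsupport binPath= C:\Windows\System32\wercplsupporte.dll",
    },
]


def _field(event: Dict[str, str], name: str) -> str:
    # Sigma string modifiers match case-insensitively by default.
    return event.get(name, "").lower()


def sc_cmd(event: Dict[str, str]) -> bool:
    """Image|endswith '\\cmd.exe' AND CommandLine|contains|all both terms."""
    cmd = _field(event, "CommandLine")
    return (_field(event, "Image").endswith("\\cmd.exe")
            and all(term in cmd for term in ("sc config", "wercplsupporte.dll")))


def wmic_cmd(event: Dict[str, str]) -> bool:
    """Image|endswith '\\wmic.exe' AND CommandLine|endswith 'COR_PROFILER'."""
    return (_field(event, "Image").endswith("\\wmic.exe")
            and _field(event, "CommandLine").endswith("cor_profiler"))


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: sc_cmd or wmic_cmd"""
    return sc_cmd(event) or wmic_cmd(event)


def evaluate(events: List[Dict[str, str]]) -> List[int]:
    """Return the indexes of the events the rule fires on."""
    return [i for i, event in enumerate(events) if rule_matches(event)]


if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS):
        verdict = "ALERT" if rule_matches(event) else "pass "
        print(f"{verdict} [{i}] {event['Image']}  {event['CommandLine']}")
    print("fired on:", evaluate(SAMPLE_EVENTS))   # [0, 1]
```

Events 2 and 4 are the practical caveat: the rule keys on exact literals (a command line that ends in COR_PROFILER, a cmd.exe parent), so a quoted variable name or a direct sc.exe invocation slips past it. Treat it as a high-confidence, low-coverage signature and deploy it alongside the related registry rule listed below rather than on its own.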
References
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
Related rules
- Blue Mockingbird - Registry
- OilRig APT Activity
- OilRig APT Registry Persistence
- OilRig APT Schedule Task Persistence - Security
- OilRig APT Schedule Task Persistence - System