Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
Sigma rule
title: Blue Mockingbird
id: c3198a27-23a0-4c2c-af19-e5328d49680e
related:
    - id: ce239692-aa94-41b3-b32f-9cab259c96ea
      type: merged
status: test
description: Attempts to detect system changes made by Blue Mockingbird
references:
    - https://redcanary.com/blog/blue-mockingbird-cryptominer/
author: Trent Liffick (@tliffick)
date: 2020-05-14
modified: 2022-10-09
tags:
    - attack.execution
    - attack.t1112
    - attack.t1047
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    sc_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'sc config'
            - 'wercplsupporte.dll'
    wmic_cmd:
        Image|endswith: '\wmic.exe'
        CommandLine|endswith: 'COR_PROFILER'
    condition: sc_cmd or wmic_cmd
falsepositives:
    - Unknown
level: high
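The two selections above evaluated the way a Sigma backend would, against constructed process_creation events. This is an added example, not SigmaHQ code or tooling; the sample events and the `blue_mockingbird` helper are constructed here, and the matching follows Sigma's default case-insensitive string modifiers.

```python
"""Evaluate the Blue Mockingbird Sigma rule's selections on sample events.

Added example (not part of the SigmaHQ rule). Sigma's 'endswith' and
'contains|all' modifiers match case-insensitively, so values are lowercased.
"""

# Patterns copied verbatim from the rule's detection block.
SC_CMD = {
    "Image|endswith": r"\cmd.exe",
    "CommandLine|contains|all": ["sc config", "wercplsupporte.dll"],
}
WMIC_CMD = {
    "Image|endswith": r"\wmic.exe",
    "CommandLine|endswith": "COR_PROFILER",
}


def _matches(event: dict, selection: dict) -> bool:
    """All 'Field|modifier' entries of a selection must hold (AND semantics)."""
    for key, pattern in selection.items():
        field, *mods = key.split("|")
        value = str(event.get(field, "")).lower()
        if "endswith" in mods:
            if not value.endswith(pattern.lower()):
                return False
        elif "contains" in mods and "all" in mods:
            if not all(p.lower() in value for p in pattern):
                return False
        else:
            raise ValueError(f"unsupported modifier set: {mods}")
    return True


def blue_mockingbird(event: dict) -> list[str]:
    """Names of the selections that fire; the rule's condition is sc_cmd OR wmic_cmd."""
    return [name for name, sel in (("sc_cmd", SC_CMD), ("wmic_cmd", WMIC_CMD))
            if _matches(event, sel)]


# Constructed sample events (not real telemetry). The third is a benign-looking
# 'sc config' call that lacks the DLL name and therefore must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c sc config wercplsupport binPath= wercplsupporte.dll"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic ENVIRONMENT where name=COR_PROFILER"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c sc config wercplsupport start= auto"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(blue_mockingbird(ev) or "no match", "<-", ev["CommandLine"])
```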
Related rules
- Blue Mockingbird - Registry
- Potential Maze Ransomware Activity
- Potential Ursnif Malware Activity - Registry
- UNC2452 PowerShell Pattern
- APT29 2018 Phishing Campaign CommandLine Indicators