Mint Sandstorm - AsperaFaspex Suspicious Process Execution
Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
Sigma rule

title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
id: 91048c0d-5b81-4b85-a099-c9ee4fb87979
status: test
description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2025-10-19
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains|all:
            - 'aspera'
            - '\ruby'
    selection_special_child_powershell_img:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
    selection_special_child_powershell_cli:
        - CommandLine|contains:
              - ' echo '
              - '-dumpmode'
              - '-ssh'
              - '.dmp'
              - 'add-MpPreference'
              - 'adscredentials'
              - 'bitsadmin'
              - 'certutil'
              - 'csvhost.exe'
              - 'DownloadFile'
              - 'DownloadString'
              - 'dsquery'
              - 'ekern.exe'
              - 'FromBase64String'
              - 'iex '
              - 'iex('
              - 'Invoke-Expression'
              - 'Invoke-WebRequest'
              - 'localgroup administrators'
              - 'o365accountconfiguration'
              - 'samaccountname='
              - 'set-MpPreference'
              - 'svhost.exe'
              - 'System.IO.Compression'
              - 'System.IO.MemoryStream'
              - 'usoprivate'
              - 'usoshared'
              - 'whoami'
        - CommandLine|re:
              - '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
              - 'net\s+user'
              - 'net\s+group'
              - 'query\s+session'
    selection_special_child_lsass_1:
        CommandLine|contains: 'lsass'
    selection_special_child_lsass_2:
        CommandLine|contains:
            - 'procdump'
            - 'tasklist'
            - 'findstr'
    selection_child_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains: 'http'
    selection_child_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: 'http'
    selection_child_script:
        CommandLine|contains:
            - 'E:jscript'
            - 'e:vbscript'
    selection_child_localgroup:
        CommandLine|contains|all:
            - 'localgroup Administrators'
            - '/add'
    selection_child_net:
        CommandLine|contains: 'net' # Covers net1
        CommandLine|contains|all:
            - 'user'
            - '/add'
    selection_child_reg:
        - CommandLine|contains|all:
              - 'reg add'
              - 'DisableAntiSpyware'
              - '\Microsoft\Windows Defender'
        - CommandLine|contains|all:
              - 'reg add'
              - 'DisableRestrictedAdmin'
              - 'CurrentControlSet\Control\Lsa'
    selection_child_wmic_1:
        CommandLine|contains|all:
            - 'wmic'
            - 'process call create'
    selection_child_wmic_2:
        CommandLine|contains|all:
            - 'wmic'
            - 'delete'
            - 'shadowcopy'
    selection_child_vssadmin:
        CommandLine|contains|all:
            - 'vssadmin'
            - 'delete'
            - 'shadows'
    selection_child_wbadmin:
        CommandLine|contains|all:
            - 'wbadmin'
            - 'delete'
            - 'catalog'
    condition: selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)
falsepositives:
    - Unlikely
level: critical
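The condition above combines the selections in three different ways: the parent check is mandatory, the two powershell selections and the two lsass selections must each fire together ("all of"), and any single selection_child_* is enough on its own ("1 of"). The following Python is an added illustration, not SigmaHQ code or a Sigma backend; it re-implements that condition over constructed process-creation events (Sigma field names ParentImage, Image, CommandLine; all paths and command lines are made up) so the grouping can be traced against concrete inputs. It follows Sigma semantics for the modifiers used: contains and endswith match case-insensitively, while re is a case-sensitive search.

```python
import re

# Added example, not part of the Sigma rule or the SigmaHQ project.
# Literals below are copied from the rule; events are constructed samples.

PARENT_ALL = ("aspera", "\\ruby")

PS_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe")
PS_CLI_CONTAINS = (
    " echo ", "-dumpmode", "-ssh", ".dmp", "add-MpPreference", "adscredentials",
    "bitsadmin", "certutil", "csvhost.exe", "DownloadFile", "DownloadString",
    "dsquery", "ekern.exe", "FromBase64String", "iex ", "iex(", "Invoke-Expression",
    "Invoke-WebRequest", "localgroup administrators", "o365accountconfiguration",
    "samaccountname=", "set-MpPreference", "svhost.exe", "System.IO.Compression",
    "System.IO.MemoryStream", "usoprivate", "usoshared", "whoami",
)
# Sigma "re" modifier: case-sensitive, unanchored search.
PS_CLI_RE = tuple(re.compile(p) for p in (
    r"[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}",
    r"net\s+user", r"net\s+group", r"query\s+session",
))


def contains_all(value, needles):
    """Sigma contains|all: every needle present, case-insensitive."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def contains_any(value, needles):
    """Sigma contains with a list: any needle present, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def endswith_any(value, suffixes):
    """Sigma endswith with a list, case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def selection_parent(ev):
    return contains_all(ev.get("ParentImage", ""), PARENT_ALL)


def selection_powershell(ev):
    # "all of selection_special_child_powershell_*": image AND command line.
    cl = ev.get("CommandLine", "")
    return endswith_any(ev.get("Image", ""), PS_IMAGES) and (
        contains_any(cl, PS_CLI_CONTAINS) or any(r.search(cl) for r in PS_CLI_RE))


def selection_lsass(ev):
    # "all of selection_special_child_lsass_*": 'lsass' AND one of the tools.
    cl = ev.get("CommandLine", "")
    return "lsass" in cl.lower() and contains_any(cl, ("procdump", "tasklist", "findstr"))


def selection_child_any(ev):
    # "1 of selection_child_*": each tuple entry is one selection_child_* block.
    img = ev.get("Image", "")
    cl = ev.get("CommandLine", "")
    return any((
        endswith_any(img, ("\\wget.exe",)) and contains_any(cl, ("http",)),
        endswith_any(img, ("\\curl.exe",)) and contains_any(cl, ("http",)),
        contains_any(cl, ("E:jscript", "e:vbscript")),
        contains_all(cl, ("localgroup Administrators", "/add")),
        contains_any(cl, ("net",)) and contains_all(cl, ("user", "/add")),
        contains_all(cl, ("reg add", "DisableAntiSpyware", "\\Microsoft\\Windows Defender")),
        contains_all(cl, ("reg add", "DisableRestrictedAdmin", "CurrentControlSet\\Control\\Lsa")),
        contains_all(cl, ("wmic", "process call create")),
        contains_all(cl, ("wmic", "delete", "shadowcopy")),
        contains_all(cl, ("vssadmin", "delete", "shadows")),
        contains_all(cl, ("wbadmin", "delete", "catalog")),
    ))


def rule_matches(ev):
    """The rule's condition line, evaluated for one process_creation event."""
    return selection_parent(ev) and (
        selection_powershell(ev) or selection_lsass(ev) or selection_child_any(ev))


# Constructed sample events; the Faspex install path is an assumption.
ASPERA_RUBY = r"C:\Program Files\Aspera\Faspex\ruby\bin\ruby.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = {
    "ps_encoded": {"ParentImage": ASPERA_RUBY, "Image": POWERSHELL,
                   "CommandLine": "powershell.exe -enc aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q="},
    "curl_http": {"ParentImage": ASPERA_RUBY, "Image": r"C:\Windows\System32\curl.exe",
                  "CommandLine": "curl.exe http://files.example.invalid/update.bin"},
    # findstr alone is not enough: lsass_1 AND lsass_2 are both required.
    "findstr_only": {"ParentImage": ASPERA_RUBY, "Image": r"C:\Windows\System32\cmd.exe",
                     "CommandLine": r"cmd.exe /c findstr /i error C:\faspex\log\production.log"},
    "benign_ruby": {"ParentImage": ASPERA_RUBY, "Image": ASPERA_RUBY,
                    "CommandLine": "ruby.exe bin/rails runner Faspex::Stats.collect"},
    # Same encoded PowerShell, but the parent is not the Aspera Ruby process.
    "explorer_parent": {"ParentImage": r"C:\Windows\explorer.exe", "Image": POWERSHELL,
                        "CommandLine": "powershell.exe -enc aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q="},
}


def evaluate_samples():
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:16} -> {'ALERT' if hit else 'no match'}")
```

The negative samples are the instructive ones: a findstr invocation under the Aspera Ruby parent does not fire because selection_special_child_lsass_1 is also required, and the encoded PowerShell under explorer.exe does not fire because selection_parent is outside the parenthesised OR and therefore mandatory. Anything a real backend adds beyond this (field mapping, escaping for the target query language) is out of scope here.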
Related rules
- Mint Sandstorm - ManageEngine Suspicious Process Execution
- Potential Snatch Ransomware Activity
- Turla Group Commands May 2020
- Blue Mockingbird
- CVE-2021-31979 CVE-2021-33771 Exploits