Mint Sandstorm - AsperaFaspex Suspicious Process Execution

Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm

Sigma rule (View on GitHub)

  1title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
  2id: 91048c0d-5b81-4b85-a099-c9ee4fb87979
  3status: test
  4description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
  5references:
  6    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
  7author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
  8date: 2023-04-20
  9modified: 2023-04-25
 10tags:
 11    - attack.execution
 12    - detection.emerging-threats
 13logsource:
 14    category: process_creation
 15    product: windows
 16detection:
 17    selection_parent:
 18        ParentImage|contains|all:
 19            - 'aspera'
 20            - '\ruby'
 21    selection_special_child_powershell_img:
 22        Image|endswith:
 23            - '\powershell.exe'
 24            - '\powershell_ise.exe'
 25    selection_special_child_powershell_cli:
 26        - CommandLine|contains:
 27              - ' echo '
 28              - '-dumpmode'
 29              - '-ssh'
 30              - '.dmp'
 31              - 'add-MpPreference'
 32              - 'adscredentials'
 33              - 'bitsadmin'
 34              - 'certutil'
 35              - 'csvhost.exe'
 36              - 'DownloadFile'
 37              - 'DownloadString'
 38              - 'dsquery'
 39              - 'ekern.exe'
 40              - 'FromBase64String'
 41              - 'iex '
 42              - 'iex('
 43              - 'Invoke-Expression'
 44              - 'Invoke-WebRequest'
 45              - 'localgroup administrators'
 46              - 'net group'
 47              - 'net user'
 48              - 'o365accountconfiguration'
 49              - 'query session'
 50              - 'samaccountname='
 51              - 'set-MpPreference'
 52              - 'svhost.exe'
 53              - 'System.IO.Compression'
 54              - 'System.IO.MemoryStream'
 55              - 'usoprivate'
 56              - 'usoshared'
 57              - 'whoami'
 58        - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
 59    selection_special_child_lsass_1:
 60        CommandLine|contains: 'lsass'
 61    selection_special_child_lsass_2:
 62        CommandLine|contains:
 63            - 'procdump'
 64            - 'tasklist'
 65            - 'findstr'
 66    selection_child_wget:
 67        Image|endswith: '\wget.exe'
 68        CommandLine|contains: 'http'
 69    selection_child_curl:
 70        Image|endswith: '\curl.exe'
 71        CommandLine|contains: 'http'
 72    selection_child_script:
 73        CommandLine|contains:
 74            - 'E:jscript'
 75            - 'e:vbscript'
 76    selection_child_localgroup:
 77        CommandLine|contains|all:
 78            - 'localgroup Administrators'
 79            - '/add'
 80    selection_child_net:
 81        CommandLine|contains: 'net' # Covers net1
 82        CommandLine|contains|all:
 83            - 'user'
 84            - '/add'
 85    selection_child_reg:
 86        - CommandLine|contains|all:
 87              - 'reg add'
 88              - 'DisableAntiSpyware'
 89              - '\Microsoft\Windows Defender'
 90        - CommandLine|contains|all:
 91              - 'reg add'
 92              - 'DisableRestrictedAdmin'
 93              - 'CurrentControlSet\Control\Lsa'
 94    selection_child_wmic_1:
 95        CommandLine|contains|all:
 96            - 'wmic'
 97            - 'process call create'
 98    selection_child_wmic_2:
 99        CommandLine|contains|all:
100            - 'wmic'
101            - 'delete'
102            - 'shadowcopy'
103    selection_child_vssadmin:
104        CommandLine|contains|all:
105            - 'vssadmin'
106            - 'delete'
107            - 'shadows'
108    selection_child_wbadmin:
109        CommandLine|contains|all:
110            - 'wbadmin'
111            - 'delete'
112            - 'catalog'
113    condition: selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)
114falsepositives:
115    - Unlikely
116level: critical

References

Related rules

to-top