Mint Sandstorm - Log4J Wstomcat Process Execution
Detects processes spawned by ws_tomcatservice.exe (the Wstomcat service process), as seen in Mint Sandstorm Log4J exploitation activity. The rule matches on the parent image and excludes repadmin.exe child processes.
Sigma rule
title: Mint Sandstorm - Log4J Wstomcat Process Execution
id: 7c97c625-0350-4f0a-8943-f6cadc88125e
status: test
description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2023-11-29
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ws_tomcatservice.exe'
    filter_main_repadmin:
        Image|endswith: '\repadmin.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
References
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/