Mint Sandstorm - Log4J Wstomcat Process Execution

Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity

Sigma rule

```yaml
title: Mint Sandstorm - Log4J Wstomcat Process Execution
id: 7c97c625-0350-4f0a-8943-f6cadc88125e
status: test
description: Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023/04/20
modified: 2023/11/29
tags:
    - attack.execution
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\ws_tomcatservice.exe'
    filter_main_repadmin:
        Image|endswith: '\repadmin.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high
```
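As an added illustration (not code from the Sigma project or the rule author), a small Python evaluator that applies this rule's condition to constructed process_creation events. It shows the case-insensitive string matching Sigma applies and why the leading backslash in `'\repadmin.exe'` keeps the filter from excluding a look-alike binary name; the sample paths are constructed.

```python
# Added example (not part of the Sigma rule or the Sigma project): a minimal
# evaluator for this rule's logic run over constructed process_creation events.

# Transcribed from the rule: one selection and the filter_main_* exclusions.
SELECTION = {"ParentImage|endswith": ["\\ws_tomcatservice.exe"]}
FILTERS = {"filter_main_repadmin": {"Image|endswith": ["\\repadmin.exe"]}}


def _field_matches(event, key, values):
    """Evaluate one 'Field|modifier' entry; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        v = value.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "" and actual == v:
            return True
    return False


def _selection_matches(event, selection):
    # Fields inside one selection are ANDed.
    return all(_field_matches(event, k, vals) for k, vals in selection.items())


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    if not _selection_matches(event, SELECTION):
        return False
    return not any(_selection_matches(event, f) for f in FILTERS.values())


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Tomcat\bin\ws_tomcatservice.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Tomcat\bin\WS_TomcatService.exe", "Image": r"C:\Windows\System32\repadmin.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Tomcat\bin\ws_tomcatservice.exe", "Image": r"C:\Tools\fakerepadmin.exe"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return one True/False per event: True means the rule would alert."""
    return [rule_matches(e) for e in events]
```

The second event is suppressed by the filter even though the parent's casing differs, while the fourth still alerts because `fakerepadmin.exe` does not end with `\repadmin.exe`.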
