Mint Sandstorm - ManageEngine Suspicious Process Execution
Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
Sigma rule
title: Mint Sandstorm - ManageEngine Suspicious Process Execution
id: 58d8341a-5849-44cd-8ac8-8b020413a31b
status: test
description: Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
references:
    - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2023-04-25
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent_path:
        ParentImage|contains:
            - 'manageengine'
            - 'ServiceDesk'
    selection_parent_image:
        ParentImage|contains: '\java'
    selection_special_child_powershell_img:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
    selection_special_child_powershell_cli:
        - CommandLine|contains:
              - ' echo '
              - '-dumpmode'
              - '-ssh'
              - '.dmp'
              - 'add-MpPreference'
              - 'adscredentials'
              - 'bitsadmin'
              - 'certutil'
              - 'csvhost.exe'
              - 'DownloadFile'
              - 'DownloadString'
              - 'dsquery'
              - 'ekern.exe'
              - 'FromBase64String'
              - 'iex '
              - 'iex('
              - 'Invoke-Expression'
              - 'Invoke-WebRequest'
              - 'localgroup administrators'
              - 'net group'
              - 'net user'
              - 'o365accountconfiguration'
              - 'query session'
              - 'samaccountname='
              - 'set-MpPreference'
              - 'svhost.exe'
              - 'System.IO.Compression'
              - 'System.IO.MemoryStream'
              - 'usoprivate'
              - 'usoshared'
              - 'whoami'
        - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
    selection_special_child_lsass_1:
        CommandLine|contains: 'lsass'
    selection_special_child_lsass_2:
        CommandLine|contains:
            - 'procdump'
            - 'tasklist'
            - 'findstr'
    selection_child_wget:
        Image|endswith: '\wget.exe'
        CommandLine|contains: 'http'
    selection_child_curl:
        Image|endswith: '\curl.exe'
        CommandLine|contains: 'http'
    selection_child_script:
        CommandLine|contains:
            - 'E:jscript'
            - 'e:vbscript'
    selection_child_localgroup:
        CommandLine|contains|all:
            - 'localgroup Administrators'
            - '/add'
    selection_child_net:
        CommandLine|contains: 'net' # Covers net1
        CommandLine|contains|all:
            - 'user'
            - '/add'
    selection_child_reg:
        - CommandLine|contains|all:
              - 'reg add'
              - 'DisableAntiSpyware'
              - '\Microsoft\Windows Defender'
        - CommandLine|contains|all:
              - 'reg add'
              - 'DisableRestrictedAdmin'
              - 'CurrentControlSet\Control\Lsa'
    selection_child_wmic_1:
        CommandLine|contains|all:
            - 'wmic'
            - 'process call create'
    selection_child_wmic_2:
        CommandLine|contains|all:
            - 'wmic'
            - 'delete'
            - 'shadowcopy'
    selection_child_vssadmin:
        CommandLine|contains|all:
            - 'vssadmin'
            - 'delete'
            - 'shadows'
    selection_child_wbadmin:
        CommandLine|contains|all:
            - 'wbadmin'
            - 'delete'
            - 'catalog'
    filter_main:
        CommandLine|contains|all:
            - 'download.microsoft.com'
            - 'manageengine.com'
            - 'msiexec'
    condition: all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main
falsepositives:
    - Unlikely
level: critical
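To see how the condition actually gates on the parent, the three child branches and the filter, here is the rule's logic hand-translated into Python and run over a few constructed process_creation events. This is an added example, not part of the rule or of SigmaHQ, and it reproduces Sigma matching semantics only as far as this rule needs them: `contains` and `endswith` are case-insensitive, `re` is case-sensitive, `|all` requires every listed value, and a list of maps under one selection is an OR. Every path, hostname, account name and base64 blob in the events is a made-up placeholder, not captured telemetry.

```python
"""Added example (not the Sigma rule's or SigmaHQ's code): the rule's
condition translated into Python and evaluated over constructed events."""
import re

PS_IMAGES = ('\\powershell.exe', '\\powershell_ise.exe')
PS_CLI = (  # selection_special_child_powershell_cli, first (contains) alternative
    ' echo ', '-dumpmode', '-ssh', '.dmp', 'add-MpPreference', 'adscredentials',
    'bitsadmin', 'certutil', 'csvhost.exe', 'DownloadFile', 'DownloadString',
    'dsquery', 'ekern.exe', 'FromBase64String', 'iex ', 'iex(', 'Invoke-Expression',
    'Invoke-WebRequest', 'localgroup administrators', 'net group', 'net user',
    'o365accountconfiguration', 'query session', 'samaccountname=', 'set-MpPreference',
    'svhost.exe', 'System.IO.Compression', 'System.IO.MemoryStream', 'usoprivate',
    'usoshared', 'whoami',
)
# Second alternative: -enc / -EncodedCommand / /e followed by 15+ base64 chars (the rule's own regex)
ENCODED_RE = re.compile(r'[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}')


def contains(value, needles, need_all=False):
    """Sigma `contains` / `contains|all`: case-insensitive substring match."""
    v = value.lower()
    hits = [n.lower() in v for n in needles]
    return all(hits) if need_all else any(hits)


def endswith(value, suffixes):
    """Sigma `endswith`: case-insensitive suffix match against any value."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def matches(ev):
    """True when the event satisfies the rule's `condition` line."""
    parent, img, cli = ev.get('ParentImage', ''), ev.get('Image', ''), ev.get('CommandLine', '')
    # all of selection_parent_*: a java process living under a ManageEngine/ServiceDesk path
    if not (contains(parent, ('manageengine', 'ServiceDesk')) and contains(parent, ('\\java',))):
        return False
    # not filter_main: suppressed only when all three tokens appear in one command line
    if contains(cli, ('download.microsoft.com', 'manageengine.com', 'msiexec'), need_all=True):
        return False
    powershell = endswith(img, PS_IMAGES) and (contains(cli, PS_CLI) or bool(ENCODED_RE.search(cli)))
    lsass = contains(cli, ('lsass',)) and contains(cli, ('procdump', 'tasklist', 'findstr'))
    child = (  # 1 of selection_child_* (wget and curl merged, they share the 'http' check)
        (endswith(img, ('\\wget.exe', '\\curl.exe')) and contains(cli, ('http',)))
        or contains(cli, ('E:jscript', 'e:vbscript'))
        or contains(cli, ('localgroup Administrators', '/add'), need_all=True)
        or (contains(cli, ('net',)) and contains(cli, ('user', '/add'), need_all=True))
        or contains(cli, ('reg add', 'DisableAntiSpyware', '\\Microsoft\\Windows Defender'), need_all=True)
        or contains(cli, ('reg add', 'DisableRestrictedAdmin', 'CurrentControlSet\\Control\\Lsa'), need_all=True)
        or contains(cli, ('wmic', 'process call create'), need_all=True)
        or contains(cli, ('wmic', 'delete', 'shadowcopy'), need_all=True)
        or contains(cli, ('vssadmin', 'delete', 'shadows'), need_all=True)
        or contains(cli, ('wbadmin', 'delete', 'catalog'), need_all=True)
    )
    return powershell or lsass or child


# Constructed sample events; paths, hosts, names and the base64 blob are placeholders.
ME_JAVA = 'C:\\Program Files\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe'
PS = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
EVENTS = {
    # encoded PowerShell spawned by the ServiceDesk JVM: regex branch
    'encoded_ps': dict(ParentImage=ME_JAVA, Image=PS,
                       CommandLine='powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'),
    # LSASS dump: needs 'lsass' plus one of procdump/tasklist/findstr
    'lsass_dump': dict(ParentImage=ME_JAVA, Image='C:\\Windows\\Temp\\procdump64.exe',
                       CommandLine='procdump64.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\l.dmp'),
    # account creation through net1 (the bare 'net' token deliberately covers net1)
    'net1_add': dict(ParentImage=ME_JAVA, Image='C:\\Windows\\System32\\net1.exe',
                     CommandLine='net1 user svc_backup Passw0rd! /add'),
    # would trip 'Invoke-WebRequest', but carries all three filter_main tokens, so it is dropped
    'vendor_patch': dict(ParentImage=ME_JAVA, Image=PS,
                         CommandLine='powershell.exe -Command "Invoke-WebRequest https://download.microsoft.com/vc.msi '
                                     '-OutFile v.msi; Invoke-WebRequest https://archives.manageengine.com/p.msi '
                                     '-OutFile p.msi; msiexec /i v.msi /qn"'),
    # ordinary child of the JVM with no suspicious token: no alert
    'benign_dir': dict(ParentImage=ME_JAVA, Image='C:\\Windows\\System32\\cmd.exe', CommandLine='cmd.exe /c dir'),
    # same encoded payload from an unrelated JVM: parent selections fail first
    'other_java': dict(ParentImage='C:\\Program Files\\Java\\jre\\bin\\java.exe', Image=PS,
                       CommandLine='powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'),
}


def evaluate(events=EVENTS):
    """Map each sample event name to whether the rule fires on it."""
    return {name: matches(ev) for name, ev in events.items()}


if __name__ == '__main__':
    for name, hit in evaluate().items():
        print(f'{name:13} -> {"ALERT" if hit else "-"}')
```

Two things the run makes visible that the YAML alone does not: the parent selections are a hard gate, so the same encoded PowerShell from a JVM outside a ManageEngine path never reaches the child checks, and `filter_main` only suppresses a command line that carries all three of `download.microsoft.com`, `manageengine.com` and `msiexec` together; an `Invoke-WebRequest` to any other host, or a download from manageengine.com without the msiexec step, still alerts.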
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern