Onyx Sleet APT File Creation Indicators

 1title: Onyx Sleet APT File Creation Indicators
 2id: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b
 3status: test
 4description: Detects file creation activity that is related to Onyx Sleet APT activity
 5references:
 6    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-10-24
 9tags:
10    - attack.execution
11    - detection.emerging-threats
12logsource:
13    category: file_event
14    product: windows
15detection:
16    selection:
17        TargetFilename|endswith: ':\Windows\ADFS\bg\inetmgr.exe'
18    condition: selection
19falsepositives:
20    - Unlikely
21level: high

References

• Multiple North Korean threat actors exploiting the TeamCity CVE-2023-42793 vulnerability | Microsoft Security Blog

  

  Microsoft has observed North Korean threat actors Diamond Sleet and Onyx Sleet exploiting Jet Brains TeamCity CVE-2023-42793 vulnerability.

  
  Read More

Related rules

• ChromeLoader Malware Execution
• DarkGate - Autoit3.EXE Execution Parameters
• DarkGate - Autoit3.EXE File Creation By Uncommon Process
• Diamond Sleet APT File Creation Indicators
• Diamond Sleet APT Process Activity Indicators