Onyx Sleet APT File Creation Indicators

Oct 28, 2023 · attack.execution detection.emerging_threats ·

Detects file creation activity that is related to Onyx Sleet APT activity

Sigma rule (View on GitHub)

 1title: Onyx Sleet APT File Creation Indicators
 2id: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b
 3status: experimental
 4description: Detects file creation activity that is related to Onyx Sleet APT activity
 5references:
 6    - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/10/24
 9tags:
10    - attack.execution
11    - detection.emerging_threats
12logsource:
13    category: file_event
14    product: windows
15detection:
16    selection:
17        TargetFilename|endswith: ':\Windows\ADFS\bg\inetmgr.exe'
18    condition: selection
19falsepositives:
20    - Unlikely
21level: high

References

https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/

Read More

Onyx Sleet APT File Creation Indicators

Sigma rule (View on GitHub)

References

https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/

Related rules