Onyx Sleet APT File Creation Indicators
Detects file creation activity that is related to Onyx Sleet APT activity
Sigma rule (View on GitHub)
1title: Onyx Sleet APT File Creation Indicators
2id: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b
3status: experimental
4description: Detects file creation activity that is related to Onyx Sleet APT activity
5references:
6 - https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/10/24
9tags:
10 - attack.execution
11 - detection.emerging_threats
12logsource:
13 category: file_event
14 product: windows
15detection:
16 selection:
17 TargetFilename|endswith: ':\Windows\ADFS\bg\inetmgr.exe'
18 condition: selection
19falsepositives:
20 - Unlikely
21level: high
References
Related rules
- Diamond Sleet APT File Creation Indicators
- Diamond Sleet APT Process Activity Indicators
- Diamond Sleet APT Scheduled Task Creation
- CVE-2021-1675 Print Spooler Exploitation Filename Pattern
- CVE-2021-26858 Exchange Exploitation