2020-05-14 23:33:08 -04:00
|
|
|
action: global
|
2020-05-14 22:58:23 -04:00
|
|
|
title: Blue Mockingbird
|
|
|
|
|
id: c3198a27-23a0-4c2c-af19-e5328d49680e
|
|
|
|
|
status: experimental
|
2020-05-14 23:18:33 -04:00
|
|
|
description: Attempts to detect system changes made by Blue Mockingbird
|
2020-05-14 22:58:23 -04:00
|
|
|
references:
|
|
|
|
|
- https://redcanary.com/blog/blue-mockingbird-cryptominer/
|
|
|
|
|
tags:
|
|
|
|
|
- attack.execution
|
|
|
|
|
- attack.t1112
|
2020-05-14 23:04:14 -04:00
|
|
|
- attack.t1047
|
2020-05-14 23:33:08 -04:00
|
|
|
author: Trent Liffick (@tliffick)
|
2020-05-14 22:58:23 -04:00
|
|
|
date: 2020/05/14
|
2020-05-14 23:33:08 -04:00
|
|
|
falsepositives:
|
|
|
|
|
- unknown
|
|
|
|
|
level: high
|
2020-05-15 12:06:34 +02:00
|
|
|
detection:
|
|
|
|
|
condition: 1 of them
|
2020-05-14 22:58:23 -04:00
|
|
|
---
|
|
|
|
|
logsource:
|
|
|
|
|
category: process_creation
|
|
|
|
|
product: windows
|
|
|
|
|
detection:
|
2020-05-14 23:33:08 -04:00
|
|
|
exec_selection:
|
2020-05-15 11:33:36 +02:00
|
|
|
Image|endswith: '\cmd.exe'
|
2020-05-14 22:58:23 -04:00
|
|
|
CommandLine|contains|all:
|
2020-05-15 11:33:36 +02:00
|
|
|
- 'sc config'
|
|
|
|
|
- 'wercplsupporte.dll'
|
2020-05-14 22:58:23 -04:00
|
|
|
---
|
|
|
|
|
logsource:
|
|
|
|
|
category: process_creation
|
|
|
|
|
product: windows
|
|
|
|
|
detection:
|
2020-05-14 23:33:08 -04:00
|
|
|
wmic_cmd:
|
2020-05-15 11:33:36 +02:00
|
|
|
Image|endswith: '\wmic.exe'
|
|
|
|
|
CommandLine|endswith: 'COR_PROFILER'
|
2020-05-14 22:58:23 -04:00
|
|
|
---
|
|
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
service: sysmon
|
|
|
|
|
detection:
|
2020-05-14 23:33:08 -04:00
|
|
|
mod_reg:
|
2020-05-14 22:58:23 -04:00
|
|
|
EventID: 13
|
2020-05-15 11:33:36 +02:00
|
|
|
TargetObject|endswith:
|
|
|
|
|
- '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll'
|
