34c5d66c22
chore: update mitre tags to use attack v19
27 lines
920 B
YAML
title: Potential EmpireMonkey Activity
id: 10152a7b-b566-438f-a33c-390b607d1c8d
status: test
description: Detects potential EmpireMonkey APT activity
references:
    - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
    - https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2019-04-02
modified: 2023-03-09
tags:
    - attack.stealth
    - attack.t1218.010
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '/e:jscript' # This is a guess since the report doesn't mention the method of execution. This assumes that it is achieved via specifying the execution engine
            - '\Local\Temp\Errors.bat'
    condition: selection
falsepositives:
    - Unlikely
level: high
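As an added check, not part of this rule or of the Sigma project's own code: a minimal Python evaluator for the `CommandLine|contains|all` selection above, applying Sigma's string-matching semantics (case-insensitive, `*`/`?` wildcards, backslashes literal) to constructed process_creation events. The detection values are the rule's own; the events and the `condition: selection`-only evaluator are assumptions of this example.

```python
import re

# Detection block of the Sigma rule above (its own values); the sample
# events further down are constructed for this example, not from any incident.
RULE_DETECTION = {
    "selection": {"CommandLine|contains|all": ["/e:jscript", r"\Local\Temp\Errors.bat"]},
    "condition": "selection",
}

def _match_one(value: str, mode: str, pattern: str) -> bool:
    # Sigma string match: case-insensitive, '*' and '?' are wildcards,
    # everything else (including the backslashes above) is literal.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    if mode in ("contains", "endswith"):
        regex = ".*" + regex
    if mode in ("contains", "startswith"):
        regex = regex + ".*"
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def selection_matches(selection: dict, event: dict) -> bool:
    # Every key in a selection must hold (AND). With a list of values the
    # 'all' modifier requires each entry to match; otherwise any one suffices.
    for key, wanted in selection.items():
        field, *mods = key.split("|")
        if field not in event:
            return False
        mode = next((m for m in mods if m in ("contains", "startswith", "endswith")), "equals")
        patterns = wanted if isinstance(wanted, list) else [wanted]
        hits = [_match_one(str(event[field]), mode, str(p)) for p in patterns]
        if not (all(hits) if "all" in mods else any(hits)):
            return False
    return True

def rule_matches(detection: dict, event: dict) -> bool:
    # Only the plain 'condition: selection' form used by this rule is handled.
    if detection["condition"] != "selection":
        raise NotImplementedError("only 'condition: selection' is supported")
    return selection_matches(detection["selection"], event)

# Constructed process_creation events: only the first carries both strings.
SAMPLE_EVENTS = [
    {"CommandLine": r"cscript.exe /E:JScript C:\Users\u\AppData\Local\Temp\Errors.bat"},
    {"CommandLine": r"cscript.exe /e:jscript C:\Users\u\AppData\Local\Temp\other.js"},
    {"CommandLine": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\Errors.bat"},
]

def alert_indices(events=SAMPLE_EVENTS) -> list:
    return [i for i, e in enumerate(events) if rule_matches(RULE_DETECTION, e)]
```

Because the modifier is `all`, an event needs both the engine switch and the batch path to fire; a command line with only one of them (as in the second and third samples) is not matched.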