Thomas Patzke
18 lines
728 B
YAML
18 lines
728 B
YAML
title: TropicTrooper Campaign November 2018
|
|
id: 8c7090c3-e0a0-4944-bd08-08c3a0cecf79
|
|
author: '@41thexplorer, Windows Defender ATP'
|
|
status: stable
|
|
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
|
|
references:
|
|
- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1085
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
|
|
condition: selection
|
|
level: high |