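title: Potential EmpireMonkey Activity
id: 10152a7b-b566-438f-a33c-390b607d1c8d
status: experimental
description: Detects potential EmpireMonkey APT activity
references:
  - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
  - https://malpedia.caad.fkie.fraunhofer.de/actor/anthropoid_spider
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
date: 2019/04/02
modified: 2023/03/09
tags:
  - attack.defense_evasion
  # NOTE(review): the selection below keys on a Windows Script Host engine
  # switch ('/e:jscript'); confirm this sub-technique tag is the intended one.
  - attack.t1218.010
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # Both substrings must occur in the same command line (|all), so the
    # generic '/e:jscript' switch does not fire on its own.
    CommandLine|contains|all:
      # The referenced report does not state how the payload is launched;
      # the engine switch is an assumption that execution is forced through
      # the jscript engine rather than an observed artefact.
      - '/e:jscript'
      - '\Local\Temp\Errors.bat'
  condition: selection
falsepositives:
  - Unlikely
level: high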