security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d14e287cdf91e2a8b995de5bfbc3fa8540c1922b
blue-team-tools/rules/windows/process_creation/proc_creation_win_apt_mercury.yml
T
Nasreddine Bencherchali d7083f6175 fix: apply suggestions from code review 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-03-13 10:48:08 +01:00

26 lines
862 B
YAML
Raw Blame History

title: MERCURY APT Activity
id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
status: experimental
description: Detects suspicious command line patterns seen being used by MERCURY APT
references:
- https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
author: Florian Roth (Nextron Systems)
date: 2022/08/26
modified: 2023/03/10
tags:
- attack.execution
- attack.t1059.001
- attack.g0069
logsource:
category: process_creation
product: windows
detection:
selection_base:
CommandLine|contains|all:
- '-exec bypass -w 1 -enc'
- 'UwB0AGEAcgB0AC0ASgBvAGIAIAAtAFMAYwByAGkAcAB0AEIAbABvAGMAawAgAHsAKABzAGEAcABzACAAKAAiAHAA' # Start-Job -ScriptBlock
condition: all of selection*
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink