Emerging Threathightest
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Florian Roth (Nextron Systems), François HubautCreated Fri Dec 20Updated Sun Oct 091cfac73c-be78-4f9a-9b08-5bde0c3953ab2019
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Definition
The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
Detection Logic
Detection Logic1 selector
detection:
selection:
CommandLine|contains:
- 'checkadmin.exe 127.0.0.1 -all'
- 'netsh advfirewall firewall add rule name=powershell dir=in'
- 'cmd /c powershell.exe -ep bypass -file c:\s.ps1'
- '/tn win32times /f'
- 'create win32times binPath='
- '\c$\windows\system32\devmgr.dll'
- ' -exec bypass -enc JgAg'
- 'type *keepass\KeePass.config.xml'
- 'iie.exe iie.txt'
- 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\'
condition: selectionFalse Positives
Administrators that use checkadmin.exe tool to enumerate local administrators
MITRE ATT&CK
Tactics
Sub-techniques
Other
detection.emerging-threats
Rule Metadata
Rule ID
1cfac73c-be78-4f9a-9b08-5bde0c3953ab
Status
test
Level
high
Type
Emerging Threat
Created
Fri Dec 20
Modified
Sun Oct 09
Path
rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.discoveryattack.t1012attack.defense-evasionattack.t1036.004attack.t1027attack.executionattack.t1053.005attack.t1059.001detection.emerging-threats