Emerging Threatcriticaltest

Greenbug Espionage Group Indicators

Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems)Created Wed May 20Updated Thu Mar 093711eee4-a808-4849-8a14-faf733da36122020

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        Image|endswith:
            - ':\ProgramData\adobe\Adobe.exe'
            - ':\ProgramData\oracle\local.exe'
            - '\revshell.exe'
            - '\infopagesbackup\ncat.exe'
            - ':\ProgramData\comms\comms.exe'
    selection_msf:
        CommandLine|contains|all:
            - '-ExecutionPolicy Bypass -File'
            - '\msf.ps1'
    selection_ncat:
        CommandLine|contains|all:
            - 'infopagesbackup'
            - '\ncat'
            - '-e cmd.exe'
    selection_powershell:
        CommandLine|contains:
            - 'system.Data.SqlClient.SqlDataAdapter($cmd); [void]$da.fill'
            - '-nop -w hidden -c $k=new-object'
            - '[Net.CredentialCache]::DefaultCredentials;IEX '
            - ' -nop -w hidden -c $m=new-object net.webclient;$m'
            - '-noninteractive -executionpolicy bypass whoami'
            - '-noninteractive -executionpolicy bypass netstat -a'
    selection_other:
        CommandLine|contains: 'L3NlcnZlcj1'  # base64 encoded '/server='
    condition: 1 of selection_*