Emerging Threatcriticalstable

APT29 2018 Phishing Campaign File Indicators

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

@41thexplorerCreated Tue Nov 20Updated Mon Feb 203a3f81ca-652c-482b-adeb-b1c804727f742018

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|contains:
            - 'ds7002.lnk'
            - 'ds7002.pdf'
            - 'ds7002.zip'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Sub-techniques

T1218.011 · Rundll32

Other

detection.emerging-threats

Related Rules

DerivedEmerging Threatcritical

APT29 2018 Phishing Campaign CommandLine Indicators

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

3a3f81ca-652c-482b-adeb-b1c804727f74

Status

stable

Level

critical

Type

Emerging Threat

Created

Tue Nov 20

Modified

Mon Feb 20

Author

@41thexplorer

Path

rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml

Raw Tags

attack.defense-evasionattack.t1218.011detection.emerging-threats

View on GitHub