Emerging Threatcriticaltest
Mint Sandstorm - ManageEngine Suspicious Process Execution
Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems), MSTICCreated Thu Apr 20Updated Sun Oct 1958d8341a-5849-44cd-8ac8-8b020413a31b2023
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic17 selectors
detection:
selection_parent_path:
ParentImage|contains:
- 'manageengine'
- 'ServiceDesk'
selection_parent_image:
ParentImage|contains: '\java'
selection_special_child_powershell_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
selection_special_child_powershell_cli:
- CommandLine|contains:
- ' echo '
- '-dumpmode'
- '-ssh'
- '.dmp'
- 'add-MpPreference'
- 'adscredentials'
- 'bitsadmin'
- 'certutil'
- 'csvhost.exe'
- 'DownloadFile'
- 'DownloadString'
- 'dsquery'
- 'ekern.exe'
- 'FromBase64String'
- 'iex '
- 'iex('
- 'Invoke-Expression'
- 'Invoke-WebRequest'
- 'localgroup administrators'
- 'o365accountconfiguration'
- 'samaccountname='
- 'set-MpPreference'
- 'svhost.exe'
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'usoprivate'
- 'usoshared'
- 'whoami'
- CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
- CommandLine|re: 'net\s+user'
- CommandLine|re: 'net\s+group'
- CommandLine|re: 'query\ssession'
selection_special_child_lsass_1:
CommandLine|contains: 'lsass'
selection_special_child_lsass_2:
CommandLine|contains:
- 'procdump'
- 'tasklist'
- 'findstr'
selection_child_wget:
Image|endswith: '\wget.exe'
CommandLine|contains: 'http'
selection_child_curl:
Image|endswith: '\curl.exe'
CommandLine|contains: 'http'
selection_child_script:
CommandLine|contains:
- 'E:jscript'
- 'e:vbscript'
selection_child_localgroup:
CommandLine|contains|all:
- 'localgroup Administrators'
- '/add'
selection_child_net:
CommandLine|contains: 'net' # Covers net1
CommandLine|contains|all:
- 'user'
- '/add'
selection_child_reg:
- CommandLine|contains|all:
- 'reg add'
- 'DisableAntiSpyware'
- '\Microsoft\Windows Defender'
- CommandLine|contains|all:
- 'reg add'
- 'DisableRestrictedAdmin'
- 'CurrentControlSet\Control\Lsa'
selection_child_wmic_1:
CommandLine|contains|all:
- 'wmic'
- 'process call create'
selection_child_wmic_2:
CommandLine|contains|all:
- 'wmic'
- 'delete'
- 'shadowcopy'
selection_child_vssadmin:
CommandLine|contains|all:
- 'vssadmin'
- 'delete'
- 'shadows'
selection_child_wbadmin:
CommandLine|contains|all:
- 'wbadmin'
- 'delete'
- 'catalog'
filter_main:
CommandLine|contains|all:
- 'download.microsoft.com'
- 'manageengine.com'
- 'msiexec'
condition: all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_mainFalse Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
References
MITRE ATT&CK
Tactics
Other
detection.emerging-threats
Rule Metadata
Rule ID
58d8341a-5849-44cd-8ac8-8b020413a31b
Status
test
Level
critical
Type
Emerging Threat
Created
Thu Apr 20
Modified
Sun Oct 19
Path
rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
Raw Tags
attack.executiondetection.emerging-threats