Emerging Threathightest

Operation Wocao Activity - Security

Detects activity mentioned in Operation Wocao report

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems), François HubautCreated Fri Dec 20Updated Sun Nov 2774ad4314-482e-4c3e-b237-3f7ed3b9ca8d2019

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Detection Logic

detection:
    selection:
        EventID: 4799
        TargetUserName|startswith: 'Administr'
        CallerProcessName|endswith: '\checkadmin.exe'
    condition: selection

False Positives

Administrators that use checkadmin.exe tool to enumerate local administrators

References

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0007 · Discovery TA0005 · Defense Evasion TA0002 · Execution

Techniques

T1012 · Query Registry T1027 · Obfuscated Files or Information

Sub-techniques

T1036.004 · Masquerade Task or Service T1053.005 · Scheduled Task T1059.001 · PowerShell

Other

detection.emerging-threats

Rule Metadata

Rule ID

74ad4314-482e-4c3e-b237-3f7ed3b9ca8d

Status

test

Level

high

Type

Emerging Threat

Created

Fri Dec 20

Modified

Sun Nov 27

Author

Florian Roth (Nextron Systems), François Hubaut

Path

rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.discoveryattack.t1012attack.defense-evasionattack.t1036.004attack.t1027attack.executionattack.t1053.005attack.t1059.001detection.emerging-threats

View on GitHub