Emerging Threatcriticaltest
Mint Sandstorm - AsperaFaspex Suspicious Process Execution
Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems), MSTICCreated Thu Apr 20Updated Sun Oct 1991048c0d-5b81-4b85-a099-c9ee4fb879792023
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic15 selectors
detection:
selection_parent:
ParentImage|contains|all:
- 'aspera'
- '\ruby'
selection_special_child_powershell_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
selection_special_child_powershell_cli:
- CommandLine|contains:
- ' echo '
- '-dumpmode'
- '-ssh'
- '.dmp'
- 'add-MpPreference'
- 'adscredentials'
- 'bitsadmin'
- 'certutil'
- 'csvhost.exe'
- 'DownloadFile'
- 'DownloadString'
- 'dsquery'
- 'ekern.exe'
- 'FromBase64String'
- 'iex '
- 'iex('
- 'Invoke-Expression'
- 'Invoke-WebRequest'
- 'localgroup administrators'
- 'o365accountconfiguration'
- 'samaccountname='
- 'set-MpPreference'
- 'svhost.exe'
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'usoprivate'
- 'usoshared'
- 'whoami'
- CommandLine|re:
- '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
- 'net\s+user'
- 'net\s+group'
- 'query\s+session'
selection_special_child_lsass_1:
CommandLine|contains: 'lsass'
selection_special_child_lsass_2:
CommandLine|contains:
- 'procdump'
- 'tasklist'
- 'findstr'
selection_child_wget:
Image|endswith: '\wget.exe'
CommandLine|contains: 'http'
selection_child_curl:
Image|endswith: '\curl.exe'
CommandLine|contains: 'http'
selection_child_script:
CommandLine|contains:
- 'E:jscript'
- 'e:vbscript'
selection_child_localgroup:
CommandLine|contains|all:
- 'localgroup Administrators'
- '/add'
selection_child_net:
CommandLine|contains: 'net' # Covers net1
CommandLine|contains|all:
- 'user'
- '/add'
selection_child_reg:
- CommandLine|contains|all:
- 'reg add'
- 'DisableAntiSpyware'
- '\Microsoft\Windows Defender'
- CommandLine|contains|all:
- 'reg add'
- 'DisableRestrictedAdmin'
- 'CurrentControlSet\Control\Lsa'
selection_child_wmic_1:
CommandLine|contains|all:
- 'wmic'
- 'process call create'
selection_child_wmic_2:
CommandLine|contains|all:
- 'wmic'
- 'delete'
- 'shadowcopy'
selection_child_vssadmin:
CommandLine|contains|all:
- 'vssadmin'
- 'delete'
- 'shadows'
selection_child_wbadmin:
CommandLine|contains|all:
- 'wbadmin'
- 'delete'
- 'catalog'
condition: selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
References
MITRE ATT&CK
Tactics
Other
detection.emerging-threats
Rule Metadata
Rule ID
91048c0d-5b81-4b85-a099-c9ee4fb87979
Status
test
Level
critical
Type
Emerging Threat
Created
Thu Apr 20
Modified
Sun Oct 19
Path
rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
Raw Tags
attack.executiondetection.emerging-threats