Emerging Threat | critical | test
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
Author: Florian Roth (Nextron Systems)
Created: Wed Jan 20
Updated: Sun Oct 09
Rule ID: b7155193-8a81-4d8f-805d-88de864ca50c
Year: 2020
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
    selection_cli_1:
        CommandLine|contains|all:
            - 'Invoke-WMIMethod win32_process -name create -argumentlist'
            - 'rundll32 c:\windows'
    selection_cli_2:
        CommandLine|contains|all:
            - 'wmic /node:'
            - 'process call create "rundll32 c:\windows'
    condition: 1 of selection_*
False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
MITRE ATT&CK
Tactics: Execution (attack.execution)
Techniques: T1047 Windows Management Instrumentation (attack.t1047)
Sub-techniques: T1059.001 Command and Scripting Interpreter: PowerShell (attack.t1059.001)
Other: detection.emerging-threats
Rule Metadata
Rule ID: b7155193-8a81-4d8f-805d-88de864ca50c
Status: test
Level: critical
Type: Emerging Threat
Created: Wed Jan 20
Modified: Sun Oct 09
Path: rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_ps.yml
Raw Tags: attack.execution, attack.t1059.001, attack.t1047, detection.emerging-threats