title: Blue Mockingbird
author: Trent Liffick (@tliffick)
date: 2020/05/14
description: Attempts to detect system changes made by Blue Mockingbird
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        Image: '*\cmd.exe'
    SELECTION_3:
        CommandLine: '*sc config*'
    SELECTION_4:
        CommandLine: '*wercplsupporte.dll*'
    SELECTION_5:
        Image: '*\wmic.exe'
    SELECTION_6:
        CommandLine: '*COR_PROFILER'
    condition: SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4) or (SELECTION_5 and SELECTION_6))
falsepositives:
    - unknown
id: c3198a27-23a0-4c2c-af19-e5328d49680e
level: high
logsource:
    category: process_creation
    product: windows
modified: 2021/09/11
references:
    - https://redcanary.com/blog/blue-mockingbird-cryptominer/
related:
    - id: ce239692-aa94-41b3-b32f-9cab259c96ea
      type: merged
status: experimental
tags:
    - attack.execution
    - attack.t1112
    - attack.t1047
ruletype: SIGMA