title: APT29
author: Florian Roth
date: 2018/12/04
description: This method detects a suspicious PowerShell command line combination
  as used by APT29 in a campaign against U.S. think tanks.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine: '*-noni*'
  SELECTION_3:
    CommandLine: '*-ep*'
  SELECTION_4:
    CommandLine: '*bypass*'
  SELECTION_5:
    CommandLine: '*$*'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5)
falsepositives:
- unknown
id: 033fe7d6-66d1-4240-ac6b-28908009c71f
level: critical
logsource:
  category: process_creation
  product: windows
modified: 2020/08/26
references:
- https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
- https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
status: experimental
tags:
- attack.execution
- attack.g0016
- attack.t1086
- attack.t1059
- attack.t1059.001
ruletype: SIGMA