Skip to content

T1574.002 Diamond Sleet APT Process Activity Indicators

T1574.002 - Diamond Sleet APT Process Activity Indicators

DESCRIPTION

Detects process creation activity indicators related to Diamond Sleet APT

Example:

c:\ProgramData\Forest64.exe uTYNkfKxHiZrx3KJ

Related

Diamond Sleet

Reference:

https://github.com/SigmaHQ/sigma/blob/7509f6ab6bc32e7bca66fc638363a92dfbf0449d/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml
https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability

ATT&CK TACTICS

T1574.002 - Hijack Execution Flow: DLL Side-Loading

Data Source(s): Process

SENTINEL RULE QUERY

1
2
3
4
let selection = ' uTYNkfKxHiZrx3KJ';
DeviceProcessEvents
| where ActionType == "ProcessCreated"
| where ProcessCommandLine contains (selection) or InitiatingProcessCommandLine contains (selection)

Triage

  1. Initiate incident response process to analyse further on the suspicious activities
  2. Possibly related to Diamond Sleet activities

FalsePositive

Highly Unlikely, this is a high fidelity threat hunt rules

VERSION

Version 1.1 (date: 13/02/2024)