This hunting query covers APT29 tradecraft seen in its campaigns against think tanks: PowerShell launched with a command-line pattern chosen to blend in with legitimate research activity and evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential APT29 campaigns that use indirect communication channels to exfiltrate data and maintain persistence.
KQL Query

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "-noni -ep bypass $"
| top 100 by Timestamp desc
```
```yaml
id: 40446d6e-745d-4689-a477-6b6a43a15755
name: APT29 thinktanks
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_apt29_thinktanks.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine has "-noni -ep bypass $"
  | top 100 by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Known benign scenarios that can match this query, with candidate exclusions (written in a generic `field : value` syntax rather than KQL; the grouping below follows each scenario's description, since `AND` binds tighter than `or`):

- Scenario: Scheduled System Maintenance Task
  - Description: A legitimate scheduled task runs a PowerShell script to update system configurations or perform maintenance, which may include downloading files from known infrastructure.
  - Filter/Exclusion: `process.parent_process_name : "schtasks.exe" or process.name : "schtasks.exe"`
- Scenario: Admin Performing File Integrity Check
  - Description: An administrator uses a tool such as Sysinternals Process Explorer or Microsoft PowerShell to check file integrity or analyze system behavior, which may involve file downloads or network activity.
  - Filter/Exclusion: `process.name : "Process Explorer.exe" or (process.name : "powershell.exe" AND user : "admin_user")`
- Scenario: Automated Software Update via Microsoft Intune
  - Description: A company uses Microsoft Intune to push updates to endpoints, which may involve downloading files from Microsoft servers or third-party repositories.
  - Filter/Exclusion: `process.name : "msiexec.exe" or process.name : "intunewin.exe"`
- Scenario: Legitimate Use of PowerShell for Reporting
  - Description: A user runs a PowerShell script to generate reports or export data, which may include downloading temporary files or connecting to internal services.
  - Filter/Exclusion: `(process.name : "powershell.exe" AND command_line : "Export-Csv") or (process.name : "powershell.exe" AND user : "reporting_user")`
- Scenario: Backup Job Using Veeam or Acronis
  - Description: A backup job initiated by Veeam or Acronis may involve network activity or file transfers that could be flagged by the rule.
  - Filter/Exclusion: `process.name : "veeam.exe" or process.name : "acronis.exe"`
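The exclusions above are not in the rule's own query language. The following is an added example, not part of the original Sigma rule or this Sentinel template, that folds the five scenarios into the hunt as `DeviceProcessEvents` exclusions and tags each suppressed row with the scenario that caught it, so the tuning can be audited before rows are dropped. It assumes the column mapping `process.name` to `FileName`, `process.parent_process_name` to `InitiatingProcessFileName` and `user` to `AccountName`; the executable and account names (`admin_user`, `reporting_user`) are the placeholders the scenarios use, and the `Process Explorer.exe` scenario is represented only by its `admin_user` branch. The matched string itself is PowerShell's `-NonInteractive` and `-ExecutionPolicy Bypass` switches in abbreviated form, followed by a variable reference.

```kql
// Added example (not the original rule): the hunt with the page's
// false-positive scenarios applied as reviewable DeviceProcessEvents exclusions.
// Assumed mapping: process.name -> FileName,
// process.parent_process_name -> InitiatingProcessFileName, user -> AccountName.
let lookback = 7d;
// Lower-case launcher names from the scheduled-task, Intune/MSI and backup scenarios
let benign_launchers = dynamic(["schtasks.exe", "msiexec.exe", "intunewin.exe", "veeam.exe", "acronis.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Core indicator from the rule: PowerShell started non-interactively with the
// execution policy bypassed, followed by a variable reference
| where ProcessCommandLine has "-noni -ep bypass $"
// Label each row with the first scenario whose exclusion it satisfies ("" = none)
| extend SuppressedBy = case(
    set_has_element(benign_launchers, tolower(InitiatingProcessFileName))
        or set_has_element(benign_launchers, tolower(FileName)), "benign_launcher",
    FileName =~ "powershell.exe" and AccountName =~ "admin_user", "admin_integrity_check",
    FileName =~ "powershell.exe"
        and (ProcessCommandLine has "Export-Csv" or AccountName =~ "reporting_user"), "reporting_script",
    "")
// Keep only rows no scenario explains away
| where isempty(SuppressedBy)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, FileName, ProcessCommandLine
| top 100 by Timestamp desc
```

To audit what each exclusion removes before committing to it, replace the `where isempty(SuppressedBy)` line with `summarize count() by SuppressedBy` and review the per-scenario counts. Note that an exclusion keyed only on a launcher name such as `schtasks.exe` is broad, because scheduled tasks are also a common persistence vehicle; where possible, narrow it further on `InitiatingProcessCommandLine` (the specific task or script path) rather than on the parent executable alone.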