Detection rules › Kusto Query Language

Identify Mango Sandstorm powershell commands

Author: Microsoft Security Research
Source: upstream

'The query below identifies powershell commands used by the threat actor Mango Sandstorm. Reference: https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/'

MITRE ATT&CK coverage

Tactic	Techniques
Lateral Movement	`T1570` Lateral Tool Transfer

Event coverage

Provider	Event ID	Title
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `source`

<union>

Stage 2: `union`

union of 3 branches

Stage 3: `extend`

Stage 4: `extend`

Stage 5: `extend`