IOC Sigma: GreenBug APT Group Activities

Greenbug APT is an Iran-based cyber-espionage unit that has been active since at least June 2016. The group most likely uses spear-phishing attacks to compromise targeted organizations. After an initial compromise, the adversaries use multiple tools to compromise other systems on the network and to steal user names and passwords from operating systems, email accounts, and web browsers. In 2017, the credentials collected by the Greenbug group were used in attacks by another Iranian APT group deploying the destructive Shamoon wiper malware.

Their new campaign started in April 2019 and lasted for more than a year, targeting telecommunications companies in South Asia. Greenbug uses off-the-shelf and living-off-the-land tools, and the group seems to be interested in gaining access to database servers: adversaries steal credentials and then use them to test connectivity to these servers. Their focus on stealing credentials and on establishing connections with database servers shows that the group is aiming to achieve high-level access to a victim’s network: access that, if exploited, could cause havoc on a compromised network very quickly. If leveraged by actors using disruptive malware or ransomware, this level of access could shut down an organization’s entire network very quickly.

The new rule by Emir Erdogan, released in Threat Detection Marketplace, helps to detect Greenbug APT activities and the group's attempts to install additional tools.

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio

EDR: CrowdStrike, Carbon Black, Elastic Endpoint


Tactics: Execution, Persistence, Privilege Escalation

Techniques: PowerShell (T1086), PowerShell Profile (T1504), Scheduled Task (T1053), Web Shell (T1100)