Adversaries operating as the Tropic Trooper APT have used custom PowerShell scripts to execute malicious payloads, typically after gaining initial access through phishing emails. The hunting query below, ported from the Sigma rule referenced in the metadata, looks for a fixed command-line string associated with that tooling in DeviceProcessEvents so that SOC teams can proactively hunt in Azure Sentinel for the long-term persistence and data exfiltration that usually follow.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains "abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc"
| top 100 by Timestamp desc
```
```yaml
id: f035c5e9-af5f-4ba7-8242-03faf3e096cf
name: apt tropictrooper
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_tropictrooper.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine contains "abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc"
  | top 100 by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector is enabled |
Each exclusion below is written against DeviceProcessEvents columns (InitiatingProcessFileName is the parent image, ProcessCommandLine the child's command line) and is meant to be appended to the query as `| where not(...)` before the `top` operator. Because the query keys on a fixed literal string rather than on generic PowerShell behaviour, a legitimate process should almost never carry it; inspect the matching command line before suppressing a hit, and scope any exclusion to the host or account that generates it rather than to the parent process alone.

Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task created with schtasks.exe runs a maintenance script whose PowerShell command line resembles those used by Tropic Trooper.
Filter/Exclusion: `InitiatingProcessFileName =~ "schtasks.exe" and ProcessCommandLine contains "schtasks.exe /create"`

Scenario: Admin Performing PowerShell Remoting (PSRemoting)
Description: An administrator uses PowerShell remoting (WinRM) to run commands across multiple servers. Remote sessions are hosted by wsmprovhost.exe, and the commands they spawn may resemble Tropic Trooper's C2 activity. Note that attackers use remoting for lateral movement too, so excluding on `Invoke-Command` alone can hide a real hit.
Filter/Exclusion: `InitiatingProcessFileName =~ "wsmprovhost.exe" or ProcessCommandLine contains "Invoke-Command"`

Scenario: Windows Event Log Cleanup Job
Description: A legitimate job driven from eventvwr.exe or wevtutil.exe clears old event logs with command-line operations that resemble malicious activity. Clearing logs with wevtutil.exe is also a common defense-evasion step, so limit this exclusion to the job's service account or hosts.
Filter/Exclusion: `InitiatingProcessFileName =~ "eventvwr.exe" or ProcessCommandLine contains "wevtutil.exe"`

Scenario: Software Update Deployment via Group Policy
Description: A Group Policy Object (GPO) deploys software through gpupdate.exe or msiexec.exe with command-line arguments that may resemble Tropic Trooper's behaviour.
Filter/Exclusion: `InitiatingProcessFileName =~ "gpupdate.exe" or ProcessCommandLine contains "msiexec.exe /i"`

Scenario: Database Backup Using SQL Server Agent Job
Description: A SQL Server Agent job runs a backup script that invokes PowerShell or other command-line tools, and the resulting command patterns may trigger the rule.
Filter/Exclusion: `
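The following Python script is an added example, not code from the page or from the Sigma project. It replays the hunting query above and the scenario exclusions over constructed DeviceProcessEvents rows so the logic can be checked offline: the 7-day window, the case-insensitive `contains` match, the `top 100 by Timestamp desc` ordering, and what each exclusion suppresses. The sample rows, device names and command lines are invented, and the wsmprovhost.exe parent for remoting sessions is an assumption carried over from the PSRemoting scenario.

```python
# Added example (not part of the original page or the Sigma project):
# replays the page's KQL hunt and its false-positive exclusions over
# constructed DeviceProcessEvents rows so the logic can be checked offline.
from datetime import datetime, timedelta, timezone

# Literal from the page's query (the Sigma rule's indicator).
MARKER = "abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc"


def base_query(events, now, window_days=7, limit=100):
    """Mirror of the KQL:
         | where Timestamp > ago(7d)
         | where ProcessCommandLine contains "<MARKER>"
         | top 100 by Timestamp desc
    KQL 'contains' is case-insensitive, so both sides are lower-cased here."""
    cutoff = now - timedelta(days=window_days)
    hits = [e for e in events
            if e["Timestamp"] > cutoff
            and MARKER.lower() in e["ProcessCommandLine"].lower()]
    hits.sort(key=lambda e: e["Timestamp"], reverse=True)
    return hits[:limit]


def exclusion_reason(e):
    """The page's false-positive filters on DeviceProcessEvents columns
    (InitiatingProcessFileName = parent image, ProcessCommandLine = child
    command line). The wsmprovhost.exe parent for PSRemoting is an assumption.
    Returns the first matching scenario name, or None."""
    parent = e["InitiatingProcessFileName"].lower()
    cmd = e["ProcessCommandLine"].lower()
    rules = [
        ("scheduled-task", parent == "schtasks.exe" or "schtasks.exe /create" in cmd),
        ("psremoting", parent == "wsmprovhost.exe" or "invoke-command" in cmd),
        ("eventlog-cleanup", parent == "eventvwr.exe" or "wevtutil.exe" in cmd),
        ("gpo-update", parent == "gpupdate.exe" or "msiexec.exe /i" in cmd),
    ]
    for name, matched in rules:
        if matched:
            return name
    return None


def hunt(events, now, apply_exclusions=True):
    """Run the base query, then split hits into (kept, suppressed) lists of
    (DeviceName, exclusion reason) so that what an exclusion hides is visible."""
    kept, suppressed = [], []
    for e in base_query(events, now):
        reason = exclusion_reason(e) if apply_exclusions else None
        (suppressed if reason else kept).append((e["DeviceName"], reason))
    return kept, suppressed


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _row(device, days_ago, parent, cmd):
    return {"Timestamp": NOW - timedelta(days=days_ago), "DeviceName": device,
            "InitiatingProcessFileName": parent, "ProcessCommandLine": cmd}


# Constructed sample telemetry; device names and command lines are invented.
SAMPLE_EVENTS = [
    _row("ws01", 1, "outlook.exe",                      # phishing-delivered PowerShell
         f'powershell.exe -nop -w hidden -Command "{MARKER}"'),
    _row("ws02", 2, "explorer.exe",                     # lower-cased marker still matches
         f"cmd.exe /c echo {MARKER.lower()} > x.txt"),
    _row("srv01", 3, "wsmprovhost.exe",                 # real hit hidden by the remoting exclusion
         f'powershell.exe -Command "Invoke-Command -ScriptBlock {{ {MARKER} }}"'),
    _row("srv02", 9, "outlook.exe",                     # outside the 7-day window
         f'powershell.exe -Command "{MARKER}"'),
    _row("srv03", 1, "schtasks.exe",                    # benign task: no marker, never matches
         r"powershell.exe -File C:\maint\cleanup.ps1"),
]
```

Running `hunt(SAMPLE_EVENTS, NOW, apply_exclusions=False)` returns ws01, ws02 and srv01; with exclusions on, srv01 moves to the suppressed list even though its command line carries the indicator. That is the practical risk with the PSRemoting and other parent-based exclusions on a literal-string rule: scope them to the hosts or accounts that legitimately produce the match instead of dropping every remoting session.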