Analytics Story: Earth Estries
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to Earth Estries, a sophisticated threat actor targeting various sectors with espionage-focused campaigns. Monitor for indicators such as spear-phishing emails, unauthorized access attempts, and lateral movement within your network. Investigate anomalous data exfiltration patterns and command-and-control (C2) traffic consistent with known tactics, techniques, and procedures (TTPs) of this group. Combining threat intelligence with advanced monitoring tools helps identify potential Earth Estries activity early, enabling swift response to mitigate risks effectively.
Why it matters
Earth Estries is a highly capable threat actor known for conducting targeted espionage campaigns against diverse sectors, including government, technology, and critical infrastructure. This group leverages sophisticated tactics such as spear-phishing, credential theft, and exploiting software vulnerabilities to gain initial access. Once inside a network, Earth Estries demonstrates expertise in lateral movement, privilege escalation, and covert data exfiltration. Their use of custom malware and command-and-control (C2) infrastructures highlights their adaptability. Detecting their activity requires robust threat intelligence and proactive monitoring of unusual behaviors and network anomalies.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
| Powershell Script Block Logging 4104 |  Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows |
xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
| Windows Event Log Security 4698 | Windows |
xmlwineventlog |
XmlWinEventLog:Security |
References
Source: GitHub | Version: 1