Detecting APT29 With SOCFortress


APT29 is a threat group that has been attributed to the Russian government who have been in operation since at least 2008. This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Emu)

Starting Attack

A Windows server was deployed and the Caldera agent (sandcat.go-windows.exe) was installed on the Widows server. The APT29 operation was then kicked off:

Initial Observation

  1. We first see two alerts on the “EDR- _SUMMARY” dashboard that caught my eye.
  • Windows Sigcheck — VirusTotal Hit Above 10 Matches

Investigating Further

Now we are seeing a cause for concern. Let’s go ahead and build a filter that will provide us “WARNING” and “ALERT” level events for the host in question (SOCFORTRESS-CALDERA).

Wrap Up

This post only details a few of the malicious detections associated with APT29 and illustrates how the SOCFortress platform can help your SOC team pinpoint IoCs.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).