APT31 Judgement Panda Activity

 1title: APT31 Judgement Panda Activity
 2id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
 3status: test
 4description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
 5references:
 6    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
 7author: Florian Roth (Nextron Systems)
 8date: 2019-02-21
 9modified: 2023-03-10
10tags:
11    - attack.lateral-movement
12    - attack.credential-access
13    - attack.g0128
14    - attack.t1003.001
15    - attack.t1560.001
16    - detection.emerging-threats
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_ldifde:
22        CommandLine|contains|all:
23            - 'ldifde'
24            - '-f -n'
25            - 'eprod.ldf'
26    selection_lateral_movement:
27        CommandLine|contains|all:
28            - 'copy \\\\'
29            - 'c$'
30        CommandLine|contains:
31            - '\aaaa\procdump64.exe'
32            - '\aaaa\netsess.exe'
33            - '\aaaa\7za.exe'
34            - '\c$\aaaa\'
35    condition: 1 of selection_*
36falsepositives:
37    - Unlikely
38level: critical