APT31 Judgement Panda Activity

Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report

Sigma rule

title: APT31 Judgement Panda Activity
id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
status: test
description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Florian Roth (Nextron Systems)
date: 2019-02-21
modified: 2023-03-10
tags:
    - attack.collection
    - attack.lateral-movement
    - attack.credential-access
    - attack.g0128
    - attack.t1003.001
    - attack.t1560.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_ldifde:
        CommandLine|contains|all:
            - 'ldifde'
            - '-f -n'
            - 'eprod.ldf'
    selection_lateral_movement:
        CommandLine|contains|all:
            - 'copy \\\\'
            - 'c$'
        CommandLine|contains:
            - '\aaaa\procdump64.exe'
            - '\aaaa\netsess.exe'
            - '\aaaa\7za.exe'
            - '\c$\aaaa\'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
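The rule has two independent selections: an ldifde export of the directory to a file named eprod.ldf, and a copy over an administrative share (c$) that references a staging directory called aaaa holding procdump64.exe, netsess.exe or 7za.exe. Inside selection_lateral_movement the two CommandLine blocks are ANDed (both must hold), while the condition `1 of selection_*` fires when either selection matches. Sigma `contains` is a case-insensitive substring match, and `'copy \\\\'` in the YAML denotes the two literal backslashes that open a UNC path. The following Python is an added example, not part of the SigmaHQ rule or this page, that re-implements exactly that logic and runs it over constructed process-creation events; the hostnames, paths and command lines in the sample events are made up for illustration.

```python
"""
Added example: a minimal evaluator for the two selections of the
APT31 Judgement Panda Sigma rule, run over constructed Windows
process_creation events. It mirrors Sigma semantics for
`contains` / `contains|all` (case-insensitive substring match) and the
`1 of selection_*` condition. All sample events below are constructed.
"""

# Patterns copied from the rule. In Python source, "\\" is one backslash,
# so "copy \\\\" is the literal text `copy \\` (start of a UNC path), which
# is what the rule's YAML value '\\\\' denotes under Sigma escaping rules.
LDIFDE_ALL = ["ldifde", "-f -n", "eprod.ldf"]
LATERAL_ALL = ["copy \\\\", "c$"]
LATERAL_ANY = [
    "\\aaaa\\procdump64.exe",
    "\\aaaa\\netsess.exe",
    "\\aaaa\\7za.exe",
    "\\c$\\aaaa\\",
]


def contains_all(value: str, patterns) -> bool:
    """Sigma `field|contains|all`: every pattern is a substring (case-insensitive)."""
    lowered = value.lower()
    return all(p.lower() in lowered for p in patterns)


def contains_any(value: str, patterns) -> bool:
    """Sigma `field|contains` with a list: any pattern is a substring (case-insensitive)."""
    lowered = value.lower()
    return any(p.lower() in lowered for p in patterns)


def selection_ldifde(event: dict) -> bool:
    return contains_all(event.get("CommandLine", ""), LDIFDE_ALL)


def selection_lateral_movement(event: dict) -> bool:
    cmdline = event.get("CommandLine", "")
    # Two field blocks under one selection are ANDed in Sigma.
    return contains_all(cmdline, LATERAL_ALL) and contains_any(cmdline, LATERAL_ANY)


def evaluate(event: dict) -> list:
    """Return the names of the selections that match.

    A non-empty list means the rule fires (condition: 1 of selection_*).
    """
    hits = []
    if selection_ldifde(event):
        hits.append("selection_ldifde")
    if selection_lateral_movement(event):
        hits.append("selection_lateral_movement")
    return hits


# Constructed process_creation events (hostnames and paths are invented).
SAMPLE_EVENTS = [
    # 0: directory export to eprod.ldf, the ldifde tradecraft from the report
    {"Image": r"C:\Windows\System32\ldifde.exe",
     "CommandLine": r"ldifde -f -n C:\Windows\Temp\eprod.ldf -s dc01"},
    # 1: tool staging over the c$ admin share from the aaaa directory
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy \\10.0.0.5\c$\aaaa\7za.exe C:\Windows\Temp\7za.exe"},
    # 2: legitimate ldifde export with a different output file: no match
    {"Image": r"C:\Windows\System32\ldifde.exe",
     "CommandLine": r"ldifde -f C:\exports\users.ldf -s dc01"},
    # 3: admin-share copy that never touches the aaaa staging directory: no match
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"copy \\fileserver\c$\logs\app.log C:\Temp\app.log"},
    # 4: same ldifde command in upper case; matches because `contains` is case-insensitive
    {"Image": r"C:\Windows\System32\ldifde.exe",
     "CommandLine": r"LDIFDE -F -N eprod.ldf"},
]


def run_samples() -> dict:
    """Evaluate every constructed event; keys are the event indexes above."""
    return {i: evaluate(ev) for i, ev in enumerate(SAMPLE_EVENTS)}


if __name__ == "__main__":
    for idx, hits in run_samples().items():
        print(idx, "ALERT" if hits else "ok", hits)
```

Events 2 and 3 show the narrowness that makes the rule safe to run at level critical: an ordinary ldifde export or a routine copy from an admin share does not fire unless it also carries the report's specific file name or the aaaa staging directory. The flip side is that those strings (eprod.ldf, aaaa, the tool file names) are campaign-specific and trivially renamed by the operator, so this rule should be treated as high-confidence, low-coverage and paired with more behavioural detections for ldifde-based directory dumps and admin-share tool staging.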
