APT31 Judgement Panda Activity

Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report

Sigma rule

title: APT31 Judgement Panda Activity
id: 03e2746e-2b31-42f1-ab7a-eb39365b2422
status: test
description: Detects APT31 Judgement Panda activity as described in the Crowdstrike 2019 Global Threat Report
references:
    - https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
author: Florian Roth (Nextron Systems)
date: 2019/02/21
modified: 2023/03/10
tags:
    - attack.lateral_movement
    - attack.credential_access
    - attack.g0128
    - attack.t1003.001
    - attack.t1560.001
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_ldifde:
        CommandLine|contains|all:
            - 'ldifde'
            - '-f -n'
            - 'eprod.ldf'
    selection_lateral_movement:
        CommandLine|contains|all:
            - 'copy \\\\'
            - 'c$'
        CommandLine|contains:
            - '\aaaa\procdump64.exe'
            - '\aaaa\netsess.exe'
            - '\aaaa\7za.exe'
            - '\c$\aaaa\'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: critical
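As an added example (not SigmaHQ's code or the rule author's), the following Python applies the rule's detection block to constructed process_creation events, showing how `contains|all` and `contains` combine inside one selection and how `condition: 1 of selection_*` ORs the two selections. It assumes Sigma's `contains` is case-insensitive and that `\\\\` in the rule denotes two literal backslashes (a UNC path prefix); the sample events are constructed, not real telemetry.

```python
# Added example, not part of the SigmaHQ rule: evaluates the rule's detection
# logic against constructed process_creation events.
# Assumptions: Sigma 'contains' is case-insensitive; '\\\\' in the rule
# stands for two literal backslashes, i.e. the start of a UNC path.

LDIFDE_ALL = ("ldifde", "-f -n", "eprod.ldf")
LATERAL_ALL = ("copy \\\\", "c$")      # "copy " followed by two backslashes
LATERAL_ANY = (
    "\\aaaa\\procdump64.exe",
    "\\aaaa\\netsess.exe",
    "\\aaaa\\7za.exe",
    "\\c$\\aaaa\\",
)


def _contains_all(haystack, needles):
    return all(n.lower() in haystack for n in needles)


def _contains_any(haystack, needles):
    return any(n.lower() in haystack for n in needles)


def matched_selections(command_line):
    """Names of the rule's selections that match one CommandLine value."""
    cmd = command_line.lower()          # mirrors Sigma's case-insensitive match
    hits = []
    if _contains_all(cmd, LDIFDE_ALL):
        hits.append("selection_ldifde")
    # Two field conditions under one selection are ANDed together.
    if _contains_all(cmd, LATERAL_ALL) and _contains_any(cmd, LATERAL_ANY):
        hits.append("selection_lateral_movement")
    return hits


def evaluate(events):
    """'condition: 1 of selection_*': alert when at least one selection matches.
    Returns (CommandLine, matched selections) for every alerting event."""
    alerts = []
    for event in events:
        hits = matched_selections(event.get("CommandLine", ""))
        if hits:
            alerts.append((event["CommandLine"], hits))
    return alerts


# Constructed sample events; only the first two should alert.
SAMPLE_EVENTS = [
    {"CommandLine": r"ldifde -f -n C:\Windows\Temp\eprod.ldf"},
    {"CommandLine": r"cmd.exe /c copy \\DC01\c$\aaaa\procdump64.exe C:\Temp"},
    {"CommandLine": r"ldifde -f C:\export.ldf"},                 # no '-f -n'
    {"CommandLine": r"copy \\FS01\c$\tools\7za.exe C:\Temp"},    # not \aaaa\
    {"CommandLine": r"xcopy \\FS01\share\report.docx C:\Users"},
]
```

Running `evaluate(SAMPLE_EVENTS)` returns two alerts, one per selection; the fourth event shows that an admin-share copy alone is not enough, the staging-path indicator must also be present.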
