Potential APT Mustang Panda Activity Against Australian Gov
Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
Sigma rule (View on GitHub)
1title: Potential APT Mustang Panda Activity Against Australian Gov
2id: 7806bb49-f653-48d3-a915-5115c1a85234
3status: test
4description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
5references:
6 - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/05/15
9tags:
10 - attack.execution
11 - attack.g0129
12 - detection.emerging_threats
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_1:
18 CommandLine|contains|all:
19 - 'copy SolidPDFCreator.dll'
20 - 'C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll'
21 selection_2:
22 CommandLine|contains|all:
23 - 'reg '
24 - '\Windows\CurrentVersion\Run'
25 - 'SolidPDF'
26 - 'C:\Users\Public\Libraries\PhotoTvRHD\'
27 condition: 1 of selection_*
28falsepositives:
29 - Unlikely
30level: high
References
-
AUKUS (Australia-United Kingdom-United States) is a strategic military alliance between these territories that became a reality in 2021, whose main objective is to build nuclear-powered submarines ...
Read More
Related rules
- Goofy Guineapig Backdoor IOC
- Potential Goofy Guineapig Backdoor Activity
- Potential Qakbot Rundll32 Execution
- Qakbot Rundll32 Exports Execution
- Qakbot Rundll32 Fake DLL Extension Execution