Potential APT Mustang Panda Activity Against Australian Gov

Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52

Sigma rule

title: Potential APT Mustang Panda Activity Against Australian Gov
id: 7806bb49-f653-48d3-a915-5115c1a85234
status: experimental
description: Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52
references:
    - https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/15
tags:
    - attack.execution
    - attack.g0129
    - detection.emerging_threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - 'copy SolidPDFCreator.dll'
            - 'C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll'
    selection_2:
        CommandLine|contains|all:
            - 'reg '
            - '\Windows\CurrentVersion\Run'
            - 'SolidPDF'
            - 'C:\Users\Public\Libraries\PhotoTvRHD\'
    condition: 1 of selection_*
falsepositives:
    - Unlikely
level: high
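To see how the two selections and the `1 of selection_*` condition behave, here is an added example (not part of the Sigma project or this rule) that evaluates the rule's logic over constructed process_creation command lines; the sample events are made up for the test, and the matcher is a stand-in for a real Sigma backend.

```python
# Added example, not part of the Sigma project: a minimal evaluator for this
# rule's two selections, run over constructed process_creation CommandLine
# samples (not real telemetry). Sigma string modifiers such as `contains`
# match case-insensitively by default, so comparison is done in lower case.

SELECTION_1 = [
    "copy SolidPDFCreator.dll",
    "C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.dll",
]
SELECTION_2 = [
    "reg ",
    "\\Windows\\CurrentVersion\\Run",
    "SolidPDF",
    "C:\\Users\\Public\\Libraries\\PhotoTvRHD\\",
]


def contains_all(command_line: str, needles: list) -> bool:
    """Sigma `contains|all`: every listed substring must appear in the field."""
    haystack = command_line.lower()
    return all(needle.lower() in haystack for needle in needles)


def matches_rule(command_line: str) -> bool:
    """`condition: 1 of selection_*`: a hit on either selection fires the rule."""
    return contains_all(command_line, SELECTION_1) or contains_all(command_line, SELECTION_2)


# Constructed sample events: two that should fire and two that should not.
SAMPLE_EVENTS = [
    "cmd.exe /c copy SolidPDFCreator.dll C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.dll",
    'reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v SolidPDF /t REG_SZ /d "C:\\Users\\Public\\Libraries\\PhotoTvRHD\\"',
    "copy SolidPDFCreator.dll C:\\Temp\\",  # different staging path: selection_1 needs the full path
    "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v OneDrive /d C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
]


def evaluate(events) -> list:
    """Return (command_line, fired) pairs, the shape a triage script would consume."""
    return [(event, matches_rule(event)) for event in events]


if __name__ == "__main__":
    for event, fired in evaluate(SAMPLE_EVENTS):
        print("ALERT " if fired else "      ", event)
```

The fourth sample shows why the rule pairs the Run-key write with the `SolidPDF` and staging-path strings: a legitimate autostart registration alone does not fire.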
