SigmaHQ/rules/apt/apt_bear_activity_gtr19.yml

title: Judgement Panda Exfil Activity
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
author: Florian Roth
date: 2019/02/21
tags:
    - attack.credential_access
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image: '*\xcopy.exe'
        CommandLine: '* /S /E /C /Q /H \\*'
    selection2:
        Image: '*\adexplorer.exe'
        CommandLine: '* -snapshot "" c:\users\\*'
    condition: selection1 or selection2
falsepositives:
    - unknown
level: critical
Merge cleanup 2019-02-27 21:05:27 +00:00			`title: Judgement Panda Exfil Activity`
			`description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike`
BEAR activity - CrowdStrike GTR 2019 https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 2019-02-21 08:54:01 +00:00			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/`
BEAR activity - CrowdStrike GTR 2019 https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 2019-02-21 08:54:01 +00:00			`author: Florian Roth`
Merge cleanup 2019-02-27 21:05:27 +00:00			`date: 2019/02/21`
			`tags:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- attack.credential_access`
			`- attack.t1098`
Merge cleanup 2019-02-27 21:05:27 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
BEAR activity - CrowdStrike GTR 2019 https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 2019-02-21 08:54:01 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection1:`
			`Image: '*\xcopy.exe'`
			`CommandLine: '* /S /E /C /Q /H \\*'`
			`selection2:`
			`Image: '*\adexplorer.exe'`
			`CommandLine: '* -snapshot "" c:\users\\*'`
			`condition: selection1 or selection2`
BEAR activity - CrowdStrike GTR 2019 https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 2019-02-21 08:54:01 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- unknown`
BEAR activity - CrowdStrike GTR 2019 https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 2019-02-21 08:54:01 +00:00			`level: critical`