SigmaHQ/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml

38 lines
1.0 KiB
YAML
Raw Normal View History

title: Judgement Panda Credential Access Activity
2019-11-12 22:12:27 +00:00
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
2019-02-27 21:05:27 +00:00
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
author: Florian Roth
2019-02-27 21:05:27 +00:00
date: 2019/02/21
modified: 2020/08/26
2019-02-27 21:05:27 +00:00
tags:
- attack.credential_access
- attack.t1081 # an old one
- attack.t1003 # an old one
2020-06-16 20:46:08 +00:00
- attack.t1552.001
- attack.t1003.003
2019-02-27 21:05:27 +00:00
logsource:
category: process_creation
product: windows
detection:
selection1:
2020-10-15 20:24:56 +00:00
Image|endswith: '\xcopy.exe'
2020-10-28 02:26:34 +00:00
CommandLine|contains|all:
- '/S'
- '/E'
- '/C'
- '/Q'
- '/H'
- '\\'
selection2:
2020-10-15 20:24:56 +00:00
Image|endswith: '\adexplorer.exe'
2020-10-28 02:26:34 +00:00
CommandLine|contains|all:
- '-snapshot'
- '""'
2020-11-27 01:59:35 +00:00
- 'c:\users\'
condition: selection1 or selection2
falsepositives:
- unknown
level: critical