SigmaHQ/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml

title: Judgement Panda Credential Access Activity
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
author: Florian Roth
date: 2019/02/21
tags:
    - attack.credential_access
    - attack.t1081
    - attack.t1003
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image: '*\xcopy.exe'
        CommandLine: '* /S /E /C /Q /H \\*'
    selection2:
        Image: '*\adexplorer.exe'
        CommandLine: '* -snapshot "" c:\users\\*'
    condition: selection1 or selection2
falsepositives:
    - unknown
level: critical
Eliminate title collision Fixing the problem described in HELK here: https://github.com/Cyb3rWard0g/HELK/issues/442 where when running sigmac to generate elastalert rules, this rule has a title collision with another rule in the same directory and causes elastalert to fail to start. 2020-03-26 14:13:52 +00:00			`title: Judgement Panda Credential Access Activity`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee`
Merge cleanup 2019-02-27 21:05:27 +00:00			`description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike`
BEAR activity - CrowdStrike GTR 2019 https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 2019-02-21 08:54:01 +00:00			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/`
BEAR activity - CrowdStrike GTR 2019 https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 2019-02-21 08:54:01 +00:00			`author: Florian Roth`
Merge cleanup 2019-02-27 21:05:27 +00:00			`date: 2019/02/21`
			`tags:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- attack.credential_access`
fix and add tags to apt bear activity gtr19 rule 2019-03-13 09:40:28 +00:00			`- attack.t1081`
			`- attack.t1003`
Merge cleanup 2019-02-27 21:05:27 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
BEAR activity - CrowdStrike GTR 2019 https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 2019-02-21 08:54:01 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection1:`
			`Image: '*\xcopy.exe'`
			`CommandLine: '* /S /E /C /Q /H \\*'`
			`selection2:`
			`Image: '*\adexplorer.exe'`
			`CommandLine: '* -snapshot "" c:\users\\*'`
			`condition: selection1 or selection2`
BEAR activity - CrowdStrike GTR 2019 https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 2019-02-21 08:54:01 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- unknown`
BEAR activity - CrowdStrike GTR 2019 https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ 2019-02-21 08:54:01 +00:00			`level: critical`