---
action: global
title: Judgement Panda Exfil Activity 
description: 'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike' 
references:
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
logsource:
    product: windows
author: Florian Roth
date: 2019/02/21 
tags: 
    - attack.lateral_movement
    - attack.g0010
    - attack.credential_access
    - attack.t1098
    - attack.exfiltration
    - attack.t1002
detection:
    condition: selection1 or selection2
falsepositives:
    - unknown
level: critical
---
logsource:
    product: windows
    service: sysmon
detection:
    selection1:
        EventID: 1
        CommandLine: 
            - '*\ldifde.exe -f -n *'
            - '*\7za.exe a 1.7z *'
            - '* eprod.ldf'
            - '*\aaaa\procdump64.exe*'
            - '*\aaaa\netsess.exe*'
            - '*\aaaa\7za.exe*'
            - '*copy .\1.7z \\*'
            - '*copy \\client\c$\aaaa\*'
    selection2:
        EventID: 1
        Image: 'C:\Users\Public\7za.exe'
---
logsource:
    product: windows
    service: security
    description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection1:
        EventID: 4688
        ProcessCommandLine:
            - '*\ldifde.exe -f -n *'
            - '*\7za.exe a 1.7z *'
            - '* eprod.ldf'
            - '*\aaaa\procdump64.exe*'
            - '*\aaaa\netsess.exe*'
            - '*\aaaa\7za.exe*'
            - '*copy .\1.7z \\*'
            - '*copy \\client\c$\aaaa\*'
    selection2:
        EventID: 4688
        NewProcessName: 'C:\Users\Public\7za.exe'