title: Judgement Panda Credential Access Activity
id: b83f5166-9237-4b5e-9cd4-7b5d52f4d8ee
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
    - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
author: Florian Roth
date: 2019/02/21
modified: 2020/08/26
tags:
    - attack.credential_access
    - attack.t1081 # an old one
    - attack.t1003 # an old one
    - attack.t1552.001
    - attack.t1003.003
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\xcopy.exe'
        CommandLine|contains|all: 
            - '/S'
            - '/E' 
            - '/C' 
            - '/Q' 
            - '/H' 
            - '\\'
    selection2:
        Image|endswith: '\adexplorer.exe'
        CommandLine|contains|all: 
            - '-snapshot' 
            - '""' 
            - 'c:\users\'
    condition: selection1 or selection2
falsepositives:
    - unknown
level: critical