valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-06 17:35:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b2952b9f78
SigmaHQ/rules/apt/apt_bear_activity_gtr19.yml
Thomas Patzke 7602309138 Increased indentation to 4 
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
2019-03-02 00:14:20 +01:00

24 lines
685 B
YAML
Raw Blame History

title: Judgement Panda Exfil Activity
description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
references:
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
author: Florian Roth
date: 2019/02/21
tags:
- attack.credential_access
- attack.t1098
logsource:
category: process_creation
product: windows
detection:
selection1:
Image: '*\xcopy.exe'
CommandLine: '* /S /E /C /Q /H \\*'
selection2:
Image: '*\adexplorer.exe'
CommandLine: '* -snapshot "" c:\users\\*'
condition: selection1 or selection2
falsepositives:
- unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink