
Bear Activity GTR 2019

Language: KQL · Severity: MEDIUM · Source: Azure-Sentinel
Table: DeviceProcessEvents
Tags: apt, hunting, microsoft, official
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-04-25T09:00:00Z · Confidence: medium

Hunt Hypothesis

The query carries over the two command-line patterns from the original Sigma rule apt_bear_activity_gtr19 and does not involve PowerShell. The first pattern is xcopy.exe run with /S /E /C /Q /H: copy a whole directory tree including empty subdirectories, include hidden and system files, suppress per-file output and keep going past errors. That switch set is how an intruder bulk-stages a file share or a user profile for later exfiltration. The second pattern is Sysinternals AdExplorer run with -snapshot "" c:\users\..., which writes an offline snapshot of the Active Directory database into a user profile directory, where it can be mined for accounts, group memberships and trusts without further queries against the domain controller. Hunt both patterns in DeviceProcessEvents over the last seven days; a hit on either is a collection or reconnaissance step that typically precedes credential abuse and lateral movement, so pivot on the device and account for surrounding activity rather than treating the hit in isolation.

KQL Query

// Bear Activity GTR 2019: the two command-line patterns from the original Sigma rule.
// Clause 1: xcopy recursing a tree (/S /E), including hidden and system files (/H),
//           quietly (/Q) and continuing past errors (/C), followed by a backslash-led source path.
// Clause 2: Sysinternals AdExplorer writing an AD snapshot under c:\users\
//           ("""" inside the @"..." verbatim string is an escaped empty "" comment argument).
// =~ is case-insensitive equality; has is a case-insensitive term match.
DeviceProcessEvents 
| where Timestamp > ago(7d) 
| where (FileName =~ "xcopy.exe" and ProcessCommandLine has @" /S /E /C /Q /H \") 
     or (FileName =~ "adexplorer.exe" and ProcessCommandLine has @" -snapshot """" c:\users\")
| top 100 by Timestamp desc
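To exercise the matching logic without a Sentinel workspace, the following Python replays the two clauses of the query over a few constructed DeviceProcessEvents rows. This is an added example, not code from the Azure-Sentinel repository or the Sigma project; the row schema is the subset of DeviceProcessEvents columns the hunt needs, the sample rows are invented, and KQL's term-based `has` operator is approximated with a case-insensitive substring test. The triage helper and its known-backup-account allowlist are likewise an assumption added here to show how the xcopy clause is usually tuned.

```python
"""Offline emulation of the 'Bear Activity GTR 2019' hunting query.

Added example (not Azure-Sentinel code). Replays the two detection clauses
over constructed DeviceProcessEvents rows. KQL `has` is a case-insensitive
term match; a lower-cased substring test is used here as an approximation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Literal fragments from the query's @"..." verbatim strings. The doubled
# quotes in the AdExplorer fragment collapse back to an empty "" argument.
XCOPY_FRAGMENT = " /S /E /C /Q /H \\"
ADEXPLORER_FRAGMENT = ' -snapshot "" c:\\users\\'


@dataclass
class ProcessEvent:
    """Subset of the DeviceProcessEvents schema used by the hunt."""
    Timestamp: datetime
    DeviceName: str
    AccountName: str
    FileName: str
    ProcessCommandLine: str


def match_clause(ev: ProcessEvent) -> Optional[str]:
    """Return which query clause the row satisfies, or None."""
    name = ev.FileName.lower()            # KQL =~ : case-insensitive equality
    cmd = ev.ProcessCommandLine.lower()   # KQL has : case-insensitive match
    if name == "xcopy.exe" and XCOPY_FRAGMENT.lower() in cmd:
        return "xcopy recursive copy incl. hidden/system files"
    if name == "adexplorer.exe" and ADEXPLORER_FRAGMENT.lower() in cmd:
        return "AdExplorer AD snapshot written under c:\\users\\"
    return None


def hunt(events: List[ProcessEvent], now: datetime,
         lookback: timedelta = timedelta(days=7),
         limit: int = 100) -> List[Tuple[ProcessEvent, str]]:
    """Full query: 7-day window, either clause, top 100 by Timestamp desc."""
    hits = []
    for ev in events:
        if ev.Timestamp <= now - lookback:
            continue
        why = match_clause(ev)
        if why is not None:
            hits.append((ev, why))
    hits.sort(key=lambda h: h[0].Timestamp, reverse=True)
    return hits[:limit]


def triage(hits, known_backup_accounts=frozenset()):
    """First-pass disposition (assumed tuning, not part of the rule): xcopy
    hits from known backup/service accounts still need review but are not
    escalated on that clause alone; everything else is escalated."""
    out = []
    for ev, why in hits:
        if ev.FileName.lower() == "xcopy.exe" and \
                ev.AccountName.lower() in known_backup_accounts:
            out.append((ev, why, "review: known backup account"))
        else:
            out.append((ev, why, "escalate"))
    return out


NOW = datetime(2026, 4, 25, 9, 0, tzinfo=timezone.utc)

# Constructed rows, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(NOW - timedelta(hours=2), "WS-FIN-07", "j.doe", "xcopy.exe",
                 "xcopy /S /E /C /Q /H \\\\fileserver\\finance\\ C:\\Users\\Public\\stage\\"),
    ProcessEvent(NOW - timedelta(hours=5), "WS-FIN-07", "j.doe", "ADExplorer.exe",
                 'ADExplorer.exe -snapshot "" C:\\Users\\j.doe\\AppData\\Local\\Temp\\ad.dat'),
    ProcessEvent(NOW - timedelta(days=1), "SRV-BKP-01", "svc_backup", "XCOPY.EXE",
                 "XCOPY /S /E /C /Q /H \\\\fs01\\data\\ E:\\nightly\\"),
    ProcessEvent(NOW - timedelta(days=2), "WS-HR-03", "a.lee", "xcopy.exe",
                 "xcopy /S /E /C /Q C:\\Reports D:\\Reports"),          # no /H: no match
    ProcessEvent(NOW - timedelta(days=10), "WS-FIN-02", "m.ng", "xcopy.exe",
                 "xcopy /S /E /C /Q /H \\\\fileserver\\hr\\ C:\\tmp\\"),  # outside 7d window
    ProcessEvent(NOW - timedelta(hours=1), "WS-FIN-07", "j.doe", "notepad.exe",
                 "notepad.exe C:\\Users\\j.doe\\notes.txt"),
]


if __name__ == "__main__":
    for ev, why, disposition in triage(hunt(SAMPLE_EVENTS, NOW), frozenset({"svc_backup"})):
        print(f"{ev.Timestamp:%Y-%m-%d %H:%M} {ev.DeviceName:<10} {ev.AccountName:<11} "
              f"{why:<45} {disposition}")
```

Running the script lists the three rows inside the window in descending time order: the two j.doe hits on WS-FIN-07 (xcopy staging to a public profile path followed by an AdExplorer snapshot into the user's temp directory) are escalated, while the nightly job on SRV-BKP-01 under svc_backup is held for review. The row without /H and the row older than seven days are dropped exactly as the KQL would drop them.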

Analytic Rule Definition

id: 376d30db-e3ab-49fb-852a-00d1ade65a54
name: Bear Activity GTR 2019
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_bear_activity_gtr19.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
query: |
  DeviceProcessEvents 
  | where Timestamp > ago(7d) 
  | where (FileName =~ "xcopy.exe" and ProcessCommandLine has @" /S /E /C /Q /H \") 
       or (FileName =~ "adexplorer.exe" and ProcessCommandLine has @" -snapshot """" c:\users\")
  | top 100 by Timestamp desc

Required Data Sources

Sentinel table: DeviceProcessEvents
Notes: Ensure the MicrosoftThreatProtection data connector (Microsoft 365 Defender) is enabled so that DeviceProcessEvents is populated.

References

Original Sigma rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_bear_activity_gtr19.yml
Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/Bear Activity GTR 2019.yaml

False Positive Guidance

The xcopy clause is the noisier of the two: /S /E /C /Q /H is the standard switch set for recursive backup and migration jobs, so scheduled backup scripts, logon scripts and file-server migrations will match it. Before escalating, check the initiating process (backup agent or scheduled task versus an interactive shell), the account, and the destination: a copy into a user profile, a temp directory or a removable or external location by an ordinary user warrants escalation, a nightly job by a known backup account usually does not. AdExplorer snapshots are created legitimately by Active Directory administrators for offline review, but a snapshot written under c:\users\ on a workstation or by an account that is not an AD administrator should be treated as domain reconnaissance. In either case pivot on the device and account for surrounding activity, such as archive creation or outbound transfers, rather than closing the hit on the command line alone.