Adversaries may use Hurricane Panda tactics to exfiltrate data through encrypted channels, leveraging compromised credentials to maintain persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage APT activity and prevent data loss.
KQL Query

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine endswith " localgroup administrators admin /add"
    or ProcessCommandLine has @"\Win64.exe"
| top 100 by Timestamp desc
```
```yaml
id: c8a459ae-cb3e-46c0-82b1-670649dd3e7a
name: Hurricane Panda activity
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_hurricane_panda.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine endswith " localgroup administrators admin /add"
      or ProcessCommandLine has @"\Win64.exe"
  | top 100 by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task using schtasks.exe is running a maintenance script that includes PowerShell or CMD commands similar to those used by Hurricane Panda.
Filter/Exclusion: process.parent_process_name == "schtasks.exe" AND process.command_line LIKE "%\\System32\\schtasks.exe%"

Scenario: Admin Performing Disk Cleanup or System Imaging
Description: An administrator is using DISM.exe or dism to perform a system image backup or disk cleanup, which may involve command-line operations that resemble malicious activity.
Filter/Exclusion: process.name == "dism.exe" AND (process.parent_process_name == "explorer.exe" OR process.parent_process_name == "cmd.exe")

Scenario: Legitimate Use of PowerShell for Script Execution
Description: A system administrator is using PowerShell to run a script that includes Invoke-Command or Start-Process, which could be mistaken for command and control (C2) activity.
Filter/Exclusion: process.name == "powershell.exe" AND (process.parent_process_name == "task scheduler" OR process.parent_process_name == "explorer.exe")

Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Windows Defender or Malwarebytes is performing a full system scan, which may include processes that match the behavior of Hurricane Panda.
Filter/Exclusion: process.name == "MsMpEng.exe" OR process.name == "mbam.exe" OR process.name == "mwbam.exe"

Scenario: Database Backup or Restore Job
Description: A database administrator is using tools like sqlcmd.exe or mysqldump to perform a backup or restore operation, which may involve command-line arguments that trigger
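The hunting query and the scheduled-task tuning scenario above, replayed in Python over constructed DeviceProcessEvents-style rows. This is an added example, not code from this page or from the Sigma rule it cites. The KQL operators are approximated rather than reproduced: `endswith` is treated as a case-insensitive suffix test, and `has` as a case-insensitive match of the phrase that must end on a term boundary (so `\Win64.exe2` does not match `\Win64.exe`); KQL's term-index semantics are an assumption here, not a guarantee. The parent-process exclusion uses the `InitiatingProcessFileName` column of DeviceProcessEvents instead of the `process.parent_process_name` notation used in the scenarios; the sample rows, the fixed "now" timestamp and the benign-parent set are all constructed.

```python
"""Replay of the Hurricane Panda hunting query over constructed DeviceProcessEvents rows.

Added example; KQL operator semantics are approximated (see comments), and all
sample data below is constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List


@dataclass
class ProcessEvent:
    """Subset of the DeviceProcessEvents schema used by the query and the tuning."""
    Timestamp: datetime
    DeviceName: str
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str  # parent process image name


# Constructed "now" so the 7-day window is deterministic.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows covering matches, near-misses and the time window.
SAMPLE_EVENTS = [
    ProcessEvent(NOW - timedelta(hours=2), "ws01", "net.exe",
                 "net localgroup administrators admin /add", "cmd.exe"),
    ProcessEvent(NOW - timedelta(days=1), "ws02", "Win64.exe",
                 r'"C:\Users\Public\Win64.exe" -s', "explorer.exe"),
    ProcessEvent(NOW - timedelta(days=10), "ws03", "net.exe",
                 "net localgroup administrators admin /add", "cmd.exe"),  # outside ago(7d)
    ProcessEvent(NOW - timedelta(hours=5), "ws04", "net.exe",
                 "net localgroup administrators bob /add", "cmd.exe"),  # different account, no match
    ProcessEvent(NOW - timedelta(hours=1), "srv01", "net1.exe",
                 "NET1 LOCALGROUP ADMINISTRATORS ADMIN /ADD", "schtasks.exe"),  # case-insensitive match
    ProcessEvent(NOW - timedelta(hours=3), "ws05", "setup.exe",
                 r"C:\Tools\Win64.exe2 /quiet", "explorer.exe"),  # no term boundary after "exe"
    ProcessEvent(NOW - timedelta(hours=4), "ws06", "Win64.exe",
                 r"C:\Maint\Win64.exe /cleanup", "schtasks.exe"),  # scheduled maintenance scenario
]


def kql_endswith(value: str, suffix: str) -> bool:
    """KQL `endswith` is case-insensitive."""
    return value.lower().endswith(suffix.lower())


def kql_has(value: str, phrase: str) -> bool:
    """Approximation of KQL `has` (assumption): case-insensitive, and the phrase may
    not continue into further alphanumeric characters at either end."""
    pattern = re.escape(phrase)
    if phrase[0].isalnum():
        pattern = r"(?<![A-Za-z0-9])" + pattern
    if phrase[-1].isalnum():
        pattern = pattern + r"(?![A-Za-z0-9])"
    return re.search(pattern, value, re.IGNORECASE) is not None


ADMIN_ADD_SUFFIX = " localgroup administrators admin /add"
WIN64_PHRASE = r"\Win64.exe"


def hunt(events: Iterable[ProcessEvent], now: datetime = NOW,
         window: timedelta = timedelta(days=7), limit: int = 100) -> List[ProcessEvent]:
    """Equivalent of the KQL: 7-day window, either predicate, top 100 by Timestamp desc."""
    hits = [e for e in events
            if e.Timestamp > now - window
            and (kql_endswith(e.ProcessCommandLine, ADMIN_ADD_SUFFIX)
                 or kql_has(e.ProcessCommandLine, WIN64_PHRASE))]
    return sorted(hits, key=lambda e: e.Timestamp, reverse=True)[:limit]


# Constructed benign-parent set for the scheduled-maintenance scenario.
BENIGN_PARENTS = {"schtasks.exe"}


def tune(hits: Iterable[ProcessEvent], benign_parents=frozenset(BENIGN_PARENTS)) -> List[ProcessEvent]:
    """Drop hits whose parent is on the benign list, but never suppress the admin-add
    pattern: a scheduled task adding an account to Administrators still warrants review."""
    kept = []
    for e in hits:
        admin_add = kql_endswith(e.ProcessCommandLine, ADMIN_ADD_SUFFIX)
        if e.InitiatingProcessFileName.lower() in benign_parents and not admin_add:
            continue
        kept.append(e)
    return kept


if __name__ == "__main__":
    for e in tune(hunt(SAMPLE_EVENTS)):
        print(e.Timestamp.isoformat(), e.DeviceName, e.InitiatingProcessFileName, "->", e.ProcessCommandLine)
```

The exclusion is deliberately narrower than the scenario's filter: keying purely on the parent image name would also hide the `net localgroup administrators admin /add` case when it is launched from a scheduled task, which is exactly the persistence pattern the query is meant to surface. Review any Win64.exe hit dropped by the benign-parent list against the task definition before treating the exclusion as safe.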