Adversaries may exfiltrate data with custom PowerShell scripts that establish covert channels to Azure Blob Storage. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to identify and limit data loss from advanced persistent threats.
KQL Query
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has @"\ldifde.exe -f -n "
or ProcessCommandLine has @"\7za.exe a 1.7z "
or ProcessCommandLine endswith @" eprod.ldf"
or ProcessCommandLine has @"\aaaa\procdump64.exe"
or ProcessCommandLine has @"\aaaa\netsess.exe"
or ProcessCommandLine has @"\aaaa\7za.exe"
or ProcessCommandLine has @"copy .\1.7z \"
or ProcessCommandLine has @"copy \client\c$\aaaa\"
or FolderPath == @"C:\Users\Public\7za.exe"
| top 100 by Timestamp desc
id: ae8a5c5d-4cfb-4a59-9adb-eb6c6c219620
name: Judgement Panda exfil activity
description: |
  Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/apt/apt_judgement_panda_gtr19.yml.
  Questions via Twitter: @janvonkirchheim.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  | where ProcessCommandLine has @"\ldifde.exe -f -n "
      or ProcessCommandLine has @"\7za.exe a 1.7z "
      or ProcessCommandLine endswith @" eprod.ldf"
      or ProcessCommandLine has @"\aaaa\procdump64.exe"
      or ProcessCommandLine has @"\aaaa\netsess.exe"
      or ProcessCommandLine has @"\aaaa\7za.exe"
      or ProcessCommandLine has @"copy .\1.7z \"
      or ProcessCommandLine has @"copy \client\c$\aaaa\"
      or FolderPath == @"C:\Users\Public\7za.exe"
  | top 100 by Timestamp desc
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using Veeam Backup & Replication
Description: A legitimate backup process using Veeam Backup & Replication may trigger the rule because of its file transfer activity.
Filter/Exclusion: exclude events where process.name in ("vbm", "vagent"); alternatively, narrow the exclusion to process.parent.name == "veeambackup.exe"
Scenario: Admin Task – PowerShell Script for Log File Archiving
Description: An administrator may run a PowerShell script to archive log files, which could be flagged as exfiltration because of the file transfer.
Filter/Exclusion: exclude events where process.name == "powershell.exe" and process.args contains "archive" and process.args contains "log"
Scenario: User-Initiated File Transfer via FileZilla
Description: A user may use FileZilla to transfer files between internal servers for collaboration or data management.
Filter/Exclusion: exclude events where process.name == "filezilla.exe"; alternatively, narrow the exclusion to process.parent.name == "explorer.exe" and process.args contains "local"
Scenario: Automated Job – SQL Server Backup Using T-SQL
Description: A SQL Server backup job using T-SQL scripts may trigger the rule because of its file system access or transfer.
Filter/Exclusion: exclude events where process.name == "sqlservr.exe"; alternatively, narrow the exclusion to process.parent.name == "sqlservr.exe" and process.args contains "backup"
Scenario: Software Update via Windows Server Update Services (WSUS)
Description: A Windows update process using WSUS may involve file transfers that could be flagged by the rule.
Filter/Exclusion: exclude events where process.name == "wuauserv.exe"; alternatively, narrow the exclusion to process.parent.name == "svchost.exe" and process.args contains "update"
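As an added example that is not part of the original rule, the hunting query above combined with the exclusions from the scenarios, written against the DeviceProcessEvents columns (FileName, InitiatingProcessFileName, DeviceName, AccountName) rather than the ECS-style process.* names the scenarios use. The process names in the exclusion lists are the ones the scenarios name; whether they are the right names for a given estate is an assumption to verify against a baseline, and the whole exclusion is wrapped in a single not() so that each benign case actually removes rows (two != tests joined by or would never exclude anything).

```kql
// Added example: Judgement Panda query with the scenario exclusions applied.
// Exclusion process names come from the scenarios above (assumed, verify locally).
let lookback = 7d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
// Original indicators, unchanged
| where ProcessCommandLine has @"\ldifde.exe -f -n "
    or ProcessCommandLine has @"\7za.exe a 1.7z "
    or ProcessCommandLine endswith @" eprod.ldf"
    or ProcessCommandLine has @"\aaaa\procdump64.exe"
    or ProcessCommandLine has @"\aaaa\netsess.exe"
    or ProcessCommandLine has @"\aaaa\7za.exe"
    or ProcessCommandLine has @"copy .\1.7z \"
    or ProcessCommandLine has @"copy \client\c$\aaaa\"
    or FolderPath == @"C:\Users\Public\7za.exe"
// One NOT over the union of benign cases; in~ and =~ are case-insensitive
| where not(
      // Veeam backup components, or anything spawned by the Veeam backup service
      FileName in~ ("vbm", "vagent")
   or InitiatingProcessFileName =~ "veeambackup.exe"
      // PowerShell log archiving: require both words, not either one
   or (FileName =~ "powershell.exe"
       and ProcessCommandLine has "archive" and ProcessCommandLine has "log")
      // FileZilla started interactively from the shell with a "local" argument
   or (FileName =~ "filezilla.exe"
       and InitiatingProcessFileName =~ "explorer.exe" and ProcessCommandLine has "local")
      // T-SQL backup jobs: children of the SQL Server engine carrying "backup"
   or (InitiatingProcessFileName =~ "sqlservr.exe" and ProcessCommandLine has "backup")
      // WSUS client activity: the update service runs inside svchost.exe,
      // so the parent-based condition from the scenario is used here
   or (InitiatingProcessFileName =~ "svchost.exe" and ProcessCommandLine has "update")
   )
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| top 100 by Timestamp desc
```

Before adding any of these exclusions to the saved rule, run the query without the not() block and summarize the hits by FileName and InitiatingProcessFileName to see what actually fires in your environment; the indicators are narrow (specific paths under \aaaa\, a 7za.exe archive named 1.7z, an eprod.ldf export), so a blanket exclusion on a process name such as powershell.exe or sqlservr.exe can hide a true match that merely happens to be launched by that process. Prefer the parent-scoped variants and keep the per-scenario conditions as tight as the scenario allows.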