This detection identifies the lot1.tmp PwDump variant attributed to the Deep Panda group in the Anthem intrusion. The tool dumps password hashes from the SAM of local and remote hosts; its error strings reference a remotely created service, a named pipe and a writable share for staging the executable, which is the classic remote PwDump delivery path. Because it is a YARA rule, it matches the tool's embedded strings in a file or memory scan rather than a log event, so it belongs in endpoint, file-share and sandbox scanning; matches can be forwarded to a SIEM such as Azure Sentinel as alerts, but the rule itself is not a log query. SOC teams should hunt for this binary proactively, since credential dumping marks early-stage adversary access that precedes lateral movement.
YARA Rule
rule Anthem_DeepPanda_lot1
{
    meta:
        description = "Anthem Hack Deep Panda - lot1.tmp-pwdump"
        author = "Florian Roth"
        date = "2015/02/08"
        hash = "5d201a0fb0f4a96cefc5f73effb61acff9c818e1"
    strings:
        $s0 = "Unable to open target process: %d, pid %d" fullword ascii
        $s1 = "Couldn't delete target executable from remote machine: %d" fullword ascii
        $s2 = "Target: Failed to load SAM functions." fullword ascii
        $s5 = "Error writing the test file %s, skipping this share" fullword ascii
        $s6 = "Failed to create service (%s/%s), error %d" fullword ascii
        $s8 = "Service start failed: %d (%s/%s)" fullword ascii
        $s12 = "PwDump.exe" fullword ascii
        $s13 = "GetAvailableWriteableShare returned an error of %ld" fullword ascii
        $s14 = ":\\\\.\\pipe\\%s" fullword ascii
        $s15 = "Couldn't copy %s to destination %s. (Error %d)" fullword ascii
        $s16 = "dump logon session" fullword ascii
        $s17 = "Timed out waiting to get our pipe back" fullword ascii
        $s19 = "SetNamedPipeHandleState failed, error %d" fullword ascii
        $s20 = "%s\\%s.exe" fullword ascii
    condition:
        10 of them
}
This rule contains 14 string patterns in its detection logic, and its condition requires at least 10 of them, so it still fires on a sample in which up to four of the strings have been altered or stripped. All 14 are plain ASCII with the fullword modifier, meaning a string that is glued onto other alphanumeric characters does not count toward the threshold. The scenarios below describe benign contexts in which the rule may need tuning.
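To make the threshold and the fullword modifier concrete, here is an added example, not code from the original page or from the rule's author, that re-implements the rule's matching logic in plain Python and runs it over constructed buffers. The buffers are built inline for illustration and are not real samples; the `build_sample` helper and the `THRESHOLD` constant are this example's own names.

```python
"""Pure-Python re-implementation of the Anthem_DeepPanda_lot1 matching logic.

Added example, not the original page's code. It mirrors the rule above:
14 ASCII strings, each with YARA 'fullword' semantics, and a '10 of them'
condition. The sample buffers below are constructed for illustration; they
are not real malware bytes.
"""
import re

# Strings copied from the rule. Python bytes literals use the same backslash
# escaping as YARA text strings, so "\\\\" is two literal backslashes.
RULE_STRINGS = {
    "$s0":  b"Unable to open target process: %d, pid %d",
    "$s1":  b"Couldn't delete target executable from remote machine: %d",
    "$s2":  b"Target: Failed to load SAM functions.",
    "$s5":  b"Error writing the test file %s, skipping this share",
    "$s6":  b"Failed to create service (%s/%s), error %d",
    "$s8":  b"Service start failed: %d (%s/%s)",
    "$s12": b"PwDump.exe",
    "$s13": b"GetAvailableWriteableShare returned an error of %ld",
    "$s14": b":\\\\.\\pipe\\%s",
    "$s15": b"Couldn't copy %s to destination %s. (Error %d)",
    "$s16": b"dump logon session",
    "$s17": b"Timed out waiting to get our pipe back",
    "$s19": b"SetNamedPipeHandleState failed, error %d",
    "$s20": b"%s\\%s.exe",
}
THRESHOLD = 10  # the rule's condition: "10 of them"


def _fullword_pattern(s: bytes) -> re.Pattern:
    # YARA 'fullword': the match must not be immediately preceded or
    # followed by an alphanumeric character.
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")


PATTERNS = {name: _fullword_pattern(s) for name, s in RULE_STRINGS.items()}


def matched_strings(data: bytes) -> set:
    """Return the identifiers of rule strings present in data (fullword)."""
    return {name for name, pat in PATTERNS.items() if pat.search(data)}


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule condition: at least THRESHOLD strings present."""
    return len(matched_strings(data)) >= THRESHOLD


def build_sample(names, filler: bytes = b"\x00" * 4) -> bytes:
    """Constructed test buffer: the chosen strings separated by filler bytes,
    loosely mimicking a string table in a PE section. Not a real binary."""
    return b"MZ" + filler + filler.join(RULE_STRINGS[n] for n in names) + filler


# Constructed inputs (not real samples):
ALL_NAMES = list(RULE_STRINGS)
FULL_SAMPLE = build_sample(ALL_NAMES)            # all 14 strings present
STRIPPED_SAMPLE = build_sample(ALL_NAMES[:9])    # only 9: below the threshold
# Every string glued onto alphanumerics: fails 'fullword', must not count.
GLUED = b"".join(b"X" + s + b"Y" for s in RULE_STRINGS.values())
# A benign report that merely mentions the tool name: one hit, no match.
REPORT = b"The pentest report notes that PwDump.exe was observed on HOST01.\n"

if __name__ == "__main__":
    for label, buf in [("full", FULL_SAMPLE), ("stripped", STRIPPED_SAMPLE),
                       ("glued", GLUED), ("report", REPORT)]:
        hits = matched_strings(buf)
        verdict = "MATCH" if rule_matches(buf) else "no match"
        print(f"{label:9s} {len(hits):2d}/{len(RULE_STRINGS)} strings -> {verdict}")
```

The stripped buffer shows why the "10 of them" threshold matters for tuning: a sample that keeps nine strings evades the rule, while one that keeps ten still matches, so a rule change that lowers the threshold trades evasion resistance for false positives. In production, scan with yara or yara-python rather than this re-implementation; the code here exists only to make the condition's arithmetic and the fullword boundary check visible.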
Scenario: Authorized use of PwDump-family tools
Description: The strings in this rule are characteristic of the PwDump family of credential dumpers (remote SAM dumping through a temporarily created service and a named pipe, with a writable share used to stage the executable), so a copy of such a tool used during an authorized penetration test or security assessment will match, as will a pentest toolkit or sample archive that contains one. Mimikatz and PowerView do not carry these strings and will not trigger this rule.
Filter/Exclusion: Scope the exclusion to the engagement: allow-list the tool's file hash together with the testing hosts and the engagement window, and route any match outside that scope to the normal triage queue. Do not exclude on process name or user context alone (e.g. ProcessName = mimikatz.exe or User = Administrator); a renamed binary or a compromised admin account defeats both filters, and catching a renamed dumper is the point of string-based matching.
Scenario: Unrelated files named lot1.tmp
Description: The rule keys on strings inside the scanned file, not on the file name; the lot1.tmp in the rule's description is only a label for the sample. Temporary files named lot1.tmp created by disk cleanup (cleanmgr.exe), log rotation, backup tools such as Veeam, Acronis or rsync, user-management commands such as net user, or a password-manager export from Bitwarden or 1Password will not contain these strings and will not match, so they need no filtering. By the same token, excluding system directories such as C:\Windows\Temp would only create a blind spot, since an attacker can drop the tool in any directory under any name.
Filter/Exclusion: