Peach Sandstorm APT Process Activity Indicators
Detects process creation activity related to Peach Sandstorm APT
Sigma rule (View on GitHub)
1title: Peach Sandstorm APT Process Activity Indicators
2id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614
3status: test
4description: Detects process creation activity related to Peach Sandstorm APT
5references:
6 - https://twitter.com/MsftSecIntel/status/1737895710169628824
7 - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
8author: X__Junior (Nextron Systems)
9date: 2024-01-15
10tags:
11 - attack.execution
12 - detection.emerging-threats
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains: 'QP''s\*(58vaP!tF4'
19 condition: selection
20falsepositives:
21 - Unlikely
22level: high
References
-
Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.
Read More -
Related rules
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
- Potential Compromised 3CXDesktopApp Execution
- Lace Tempest Cobalt Strike Download
- Lace Tempest File Indicators
- Lace Tempest Malware Loader Execution