Peach Sandstorm APT Process Activity Indicators
Detects process creation activity related to Peach Sandstorm APT
Sigma rule (View on GitHub)
1title: Peach Sandstorm APT Process Activity Indicators
2id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614
3status: experimental
4description: Detects process creation activity related to Peach Sandstorm APT
5references:
6 - https://twitter.com/MsftSecIntel/status/1737895710169628824
7 - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
8author: X__Junior (Nextron Systems)
9date: 2024/01/15
10tags:
11 - attack.execution
12 - detection.emerging_threats
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains: 'QP''s\*(58vaP!tF4'
19 condition: selection
20falsepositives:
21 - Unlikely
22level: high
References
Related rules
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- Potential CVE-2022-29072 Exploitation Attempt
- Potential Raspberry Robin Dot Ending File
- Potential CVE-2022-26809 Exploitation Attempt
- Potential Exploitation Attempt From Office Application