Peach Sandstorm APT Process Activity Indicators

 1title: Peach Sandstorm APT Process Activity Indicators
 2id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614
 3status: experimental
 4description: Detects process creation activity related to Peach Sandstorm APT
 5references:
 6    - https://twitter.com/MsftSecIntel/status/1737895710169628824
 7    - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
 8author: X__Junior (Nextron Systems)
 9date: 2024/01/15
10tags:
11    - attack.execution
12    - detection.emerging_threats
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        CommandLine|contains: 'QP''s\*(58vaP!tF4'
19    condition: selection
20falsepositives:
21    - Unlikely
22level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

Related rules

• Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
• Potential CVE-2022-29072 Exploitation Attempt
• Potential Raspberry Robin Dot Ending File
• Potential CVE-2022-26809 Exploitation Attempt
• Potential Exploitation Attempt From Office Application