Peach Sandstorm APT Process Activity Indicators
Detects process creation activity related to Peach Sandstorm APT
Sigma rule (View on GitHub)
1title: Peach Sandstorm APT Process Activity Indicators
2id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614
3status: experimental
4description: Detects process creation activity related to Peach Sandstorm APT
5references:
6 - https://twitter.com/MsftSecIntel/status/1737895710169628824
7 - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
8author: X__Junior (Nextron Systems)
9date: 2024-01-15
10tags:
11 - attack.execution
12 - detection.emerging-threats
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains: 'QP''s\*(58vaP!tF4'
19 condition: selection
20falsepositives:
21 - Unlikely
22level: high
References
Related rules
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT
- Blue Mockingbird
- CVE-2021-1675 Print Spooler Exploitation
- CVE-2021-1675 Print Spooler Exploitation IPC Access