Potential Peach Sandstorm APT C2 Communication Activity
Detects potential C2 communication activity related to Peach Sandstorm APT
Sigma rule
title: Potential Peach Sandstorm APT C2 Communication Activity
id: b8225208-81d0-4715-a822-12bcdd583e0f
status: test
description: Detects potential C2 communication activity related to Peach Sandstorm APT
references:
    - https://twitter.com/MsftSecIntel/status/1737895710169628824
    - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
author: X__Junior (Nextron Systems)
date: 2024-01-15
tags:
    - attack.command-and-control
    - detection.emerging-threats
logsource:
    category: proxy
detection:
    selection:
        cs-method: 'GET'
        c-uri|endswith:
            - '/api/Core/Command/Init'
            - '/api/Core/Command/Restart'
    condition: selection
falsepositives:
    - Unknown
level: medium
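The rule's `selection` is a conjunction: the proxy request method must be GET and the requested URI must end with one of the two `/api/Core/Command/...` paths. The following is an added example, not part of the SigmaHQ rule or any Peach Sandstorm tooling: it applies that selection, with Sigma's default case-insensitive string matching, to a constructed W3C-style proxy log. The log lines, client IPs and hostnames (`example-c2.invalid`, `intranet.example`, `cdn.example`) are made up for the demonstration, and the `parse_w3c`/`run_rule` helpers are this example's own, not a Sigma backend.

```python
"""Apply the Peach Sandstorm proxy rule's `selection` to sample proxy events.

Added example; the rule values are copied from the Sigma rule above, the
log data below is constructed and every host/IP in it is fictitious.
"""

# Constructed W3C extended-format proxy log (field names follow the Sigma
# proxy taxonomy used by the rule: cs-method, c-uri). The fourth line carries
# a query string to show how a logged query breaks the `endswith` match.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-host c-uri sc-status
2024-01-15 10:01:02 10.0.0.5 GET example-c2.invalid /api/Core/Command/Init 200
2024-01-15 10:01:09 10.0.0.5 GET example-c2.invalid /api/core/command/restart 200
2024-01-15 10:02:00 10.0.0.7 POST example-c2.invalid /api/Core/Command/Init 200
2024-01-15 10:03:11 10.0.0.9 GET intranet.example /api/Core/Command/Init?x=1 200
2024-01-15 10:04:30 10.0.0.9 GET cdn.example /static/app.js 200
"""

# Values taken from the rule's `selection` block.
RULE_METHOD = "GET"
RULE_URI_SUFFIXES = ("/api/Core/Command/Init", "/api/Core/Command/Restart")


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, values))


def matches_selection(event):
    """cs-method == 'GET' AND c-uri ends with one of the rule's suffixes.

    Sigma string matching is case-insensitive unless a `cased` modifier is
    used, so both sides are lower-cased before comparison; the sample line
    with '/api/core/command/restart' must therefore match.
    """
    method = event.get("cs-method", "")
    uri = event.get("c-uri", "")
    if method.lower() != RULE_METHOD.lower():
        return False
    return any(uri.lower().endswith(s.lower()) for s in RULE_URI_SUFFIXES)


def run_rule(text):
    """Return the parsed events satisfying the rule's condition (`selection`)."""
    return [event for event in parse_w3c(text) if matches_selection(event)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_LOG):
        print(hit["c-ip"], hit["cs-host"], hit["c-uri"])
```

Two of the five constructed lines match: the POST is excluded by the method check, and the request whose logged URI carries `?x=1` is missed because `endswith` is anchored at the end of the string. Before deploying, confirm which of your proxy's fields (path only, or path plus query) is mapped to `c-uri`; if the query string is included, the rule as written will not fire on those requests. Also note that the two paths are generic REST-style names, so a hit on an internal hostname deserves a look at the destination before it is treated as Peach Sandstorm C2, which is consistent with the rule's `medium` level and `Unknown` false positives.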
Related rules
- Potential Pikabot C2 Activity
- GALLIUM IOCs
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- Diamond Sleet APT DNS Communication Indicators
- Devil Bait Potential C2 Communication Traffic