Potential Peach Sandstorm APT C2 Communication Activity

 1title: Potential Peach Sandstorm APT C2 Communication Activity
 2id: b8225208-81d0-4715-a822-12bcdd583e0f
 3status: experimental
 4description: Detects potential C2 communication activity related to Peach Sandstorm APT
 5references:
 6    - https://twitter.com/MsftSecIntel/status/1737895710169628824
 7    - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
 8author: X__Junior (Nextron Systems)
 9date: 2024/01/15
10tags:
11    - attack.command_and_control
12    - detection.emerging_threats
13logsource:
14    category: proxy
15detection:
16    selection:
17        cs-method: 'GET'
18        c-uri|endswith:
19            - '/api/Core/Command/Init'
20            - '/api/Core/Command/Restart'
21    condition: selection
22falsepositives:
23    - Unknown
24level: medium

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

Related rules

• Potential SocGholish Second Stage C2 DNS Query
• Diamond Sleet APT DNS Communication Indicators
• DarkGate - Autoit3.EXE File Creation By Uncommon Process
• GALLIUM Artefacts - Builtin
• Potential CVE-2023-36884 Exploitation - File Downloads