Date: 01/03/2025
Severity: Medium
Summary
Peach Sandstorm APT Process Activity Indicators cover the detection of suspicious process creation activity linked to the Peach Sandstorm Advanced Persistent Threat (APT) group. The group is known for targeted intrusions, and the indicator below is a command-line string tied to its tooling. By matching it against process creation telemetry (Windows Security event 4688 or EDR process events), security teams can spot Peach Sandstorm tooling early in a potential intrusion or during an ongoing attack.
Indicators of Compromise (IOC) List
Type: Commandline
Value: QP''s\*(58vaP!tF4
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (Windows Security, event 4688):
(resourcename in ("Windows Security") AND eventtype = "4688") AND commandline like "QP''s\*(58vaP!tF4"
Detection Query 2 (EDR telemetry):
(technologygroup = "EDR") AND commandline like "QP''s\*(58vaP!tF4"
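The following Python is an added illustration, not code from this page or from the referenced Sigma rule; it mirrors Detection Query 1 over a few constructed 4688 records. It assumes that the doubled quote and the backslash in the listed indicator are query-language escaping for a literal apostrophe and asterisk, and that matching is case-insensitive; confirm both against the referenced Sigma rule and your SIEM before deploying.

```python
import re

# Indicator exactly as it appears in the page's queries (query-escaped form).
PAGE_INDICATOR = r"QP''s\*(58vaP!tF4"


def unescape_indicator(indicator: str) -> str:
    """Assumption: '' escapes a literal apostrophe and \\* a literal asterisk,
    so the substring actually present on the command line is QP's*(58vaP!tF4."""
    return indicator.replace("''", "'").replace(r"\*", "*")


RAW_INDICATOR = unescape_indicator(PAGE_INDICATOR)


def parse_event(line: str) -> dict:
    """Parse a constructed key="value" rendering of a Windows Security event."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def is_hit(event: dict) -> bool:
    """Mirror of Detection Query 1: a 4688 process-creation event whose command
    line contains the indicator. Case-insensitive, like most SIEM `like` clauses."""
    if event.get("EventID") != "4688":
        return False
    return RAW_INDICATOR.lower() in event.get("CommandLine", "").lower()


def detect(lines: list) -> list:
    """Return the parsed events that satisfy the detection."""
    return [ev for ev in map(parse_event, lines) if is_hit(ev)]


# Constructed sample records; only the second should fire.
SAMPLE_LOG = [
    'EventID="4688" NewProcessName="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c whoami"',
    'EventID="4688" NewProcessName="C:\\Windows\\Temp\\svc.exe" CommandLine="svc.exe -p QP\'s*(58vaP!tF4"',
    # Logon event, not process creation: Query 1 filters it out via eventtype.
    'EventID="4624" CommandLine="QP\'s*(58vaP!tF4"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print("HIT:", hit["NewProcessName"], "|", hit["CommandLine"])
```

Note that searching for the page's escaped string verbatim as a plain substring would miss the real command line, which is why the unescaping step is kept explicit.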
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml