From 3fb5392490badf7606958efcf734e14723535d47 Mon Sep 17 00:00:00 2001
From: Mohamed Ashraf <47338567+X-Junior@users.noreply.github.com>
Date: Mon, 15 Jan 2024 17:01:07 +0200
Subject: [PATCH] Merge PR #4675 from @X-Junior - New Emerging Threat Rules For Peach Sandstorm APT
new: Peach Sandstorm APT Process Activity Indicators
new: Potential Peach Sandstorm APT C2 Communication Activity
---------
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 ...ion_win_apt_peach_sandstorm_indicators.yml | 22 +++++++++++++++++
 ...h_sandstorm_falsefont_backdoor_c2_coms.yml | 24 +++++++++++++++++++
 tests/sigma_cli_conf.yml | 1 +
 3 files changed, 47 insertions(+)
 create mode 100644 rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
 create mode 100644 rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml
diff --git a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
new file mode 100644
index 00000000000..b1b7387747f
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proc_creation_win_apt_peach_sandstorm_indicators.yml
@@ -0,0 +1,22 @@
+title: Peach Sandstorm APT Process Activity Indicators
+id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614
+status: experimental
+description: Detects process creation activity related to Peach Sandstorm APT
+references:
+ - https://twitter.com/MsftSecIntel/status/1737895710169628824
+ - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
+author: X__Junior (Nextron Systems)
+date: 2024/01/15
+tags:
+ - attack.execution
+ - detection.emerging_threats
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: 'QP''s\*(58vaP!tF4'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml
new file mode 100644
index 00000000000..8c1f71408a3
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Peach-Sandstorm/proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml
@@ -0,0 +1,24 @@
+title: Potential Peach Sandstorm APT C2 Communication Activity
+id: b8225208-81d0-4715-a822-12bcdd583e0f
+status: experimental
+description: Detects potential C2 communication activity related to Peach Sandstorm APT
+references:
+ - https://twitter.com/MsftSecIntel/status/1737895710169628824
+ - https://www.virustotal.com/gui/file/364275326bbfc4a3b89233dabdaf3230a3d149ab774678342a40644ad9f8d614/details
+author: X__Junior (Nextron Systems)
+date: 2024/01/15
+tags:
+ - attack.command_and_control
+ - detection.emerging_threats
+logsource:
+ category: proxy
+detection:
+ selection:
+ cs-method: 'GET'
+ c-uri|endswith:
+ - '/api/Core/Command/Init'
+ - '/api/Core/Command/Restart'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/tests/sigma_cli_conf.yml b/tests/sigma_cli_conf.yml
index 9e2da6158cf..fc640d883dd 100644
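Review bot: The `description` of the process-creation rule does not say what the matched token is, so an analyst triaging a hit has no idea what `QP's\*(58vaP!tF4` means; the `CommandLine|contains` value is a single static string (the `''` is a YAML-escaped single quote and `\*` is a Sigma-escaped literal asterisk, which is why the rule is added to the `escaped_wildcard` exclusions in `tests/sigma_cli_conf.yml`). The string presumably comes from the referenced VirusTotal sample, but the rule should state that rather than leave it to the reader, e.g. `description: Detects process creation with a hard-coded command-line string observed in Peach Sandstorm APT tooling (see the referenced VirusTotal sample). The '\*' in the pattern is a literal asterisk, not a Sigma wildcard.` Because the selection is one literal IOC, a trivial change to the sample's argument defeats it, so the `falsepositives: Unlikely` / `level: high` combination is fine but the description should make the IOC-style nature explicit so downstream users do not treat it as behavioural coverage. If the launch vector in the sample is known, the `tags` block would also benefit from an ATT&CK technique ID next to `attack.execution`, as the repository's other rules carry.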
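Review bot: The proxy rule's `title` and `description` never name the FalseFont backdoor that the file name (`proxy_apt_peach_sandstorm_falsefont_backdoor_c2_coms.yml`) attributes these URIs to, and they do not warn that the detection keys only on two generic REST-style path suffixes (`/api/Core/Command/Init`, `/api/Core/Command/Restart`) with no host or domain context, which is exactly the kind of pattern an internal line-of-business app can also produce. I would make both explicit, e.g. `description: Detects HTTP GET requests to URI paths used by the FalseFont backdoor (attributed to Peach Sandstorm APT), presumably for C2 initialisation and restart commands given the path names. Matching is on the URI path only; tune against internal applications exposing similar REST endpoints.` and replace `- Unknown` under `falsepositives` with `- Legitimate internal applications exposing similar REST API paths`, which matches the `level: medium` the rule already carries. Since the rule describes HTTP C2 over a proxy log source, a technique tag such as `attack.t1071.001` alongside `attack.command_and_control` would follow the repository's usual tagging for this category, if that convention applies here.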
--- a/tests/sigma_cli_conf.yml
+++ b/tests/sigma_cli_conf.yml
@@ -69,6 +69,7 @@ exclusions:
 f6de6525-4509-495a-8a82-1f8b0ed73a00: escaped_wildcard
 fb502828-2db0-438e-93e6-801c7548686d: escaped_wildcard
 59e938ff-0d6d-4dc3-b13f-36cc28734d4e: escaped_wildcard
+ 2e7bbd54-2f26-476e-b4a1-ba5f1a012614: escaped_wildcard
 # number_as_string
 5c84856b-55a5-45f1-826f-13f37250cf4e: number_as_string
 85b88e05-dadc-430b-8a9e-53ff1cd30aae: number_as_string