Sigma Rules
7 rules found for "MSFT"
Peach Sandstorm APT Process Activity Indicators
Detects process creation activity related to Peach Sandstorm APT
Potential Peach Sandstorm APT C2 Communication Activity
Detects potential C2 communication activity related to Peach Sandstorm APT
Forest Blizzard APT - File Creation Activity
Detects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT.
Forest Blizzard APT - Process Creation Activity
Detects the execution of specific processes and command line combination. These were seen being created by Forest Blizzard as described by MSFT.
Forest Blizzard APT - Custom Protocol Handler Creation
Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.
Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.
Potential Exploitation of GoAnywhere MFT Vulnerability
Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation such as CVE-2025-10035. This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.