Suspicious CrushFTP Child Process

Rule Info

Name: Suspicious CrushFTP Child Process
Author: Craig Sweeney, Matt Anderson, Jose Oregon, Tim Kasper, Faith Stratton, Samantha Shaw, Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. The detection focuses on commonly abused Windows executables (such as powershell.exe and cmd.exe) that attackers typically run post-exploitation to execute malicious commands.
Date: 2025-04-10 00:00:00
Modified: None
Id: 459628e3-1b00-4e9b-9e5b-7da8961aea35
Tags: attack.initial-access attack.execution attack.t1059.001 attack.t1059.003 attack.t1190 cve.2025-31161 detection.emerging-threats
Type: Community Rule
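To show the parent/child relationship the description relies on, here is an added illustration in Python (not the Sigma rule's own detection block) that screens constructed Windows process-creation events using Sigma-style field names (Image, ParentImage, CommandLine); treating any parent whose path contains "crushftp" as the CrushFTP service is an assumption made for this example.

```python
# Added example, not part of the rule page. Field names follow the Sigma
# process_creation convention; the parent-path heuristic is an assumption.

# Child executables the rule description names as commonly abused.
SUSPICIOUS_CHILDREN = {"powershell.exe", "cmd.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_crushftp_parent(parent_image):
    # Assumption: the CrushFTP service runs from a binary or directory
    # whose path contains "crushftp" (case-insensitive).
    return "crushftp" in parent_image.lower()


def find_suspicious_children(events):
    """Return the events where a shell was spawned under a CrushFTP parent."""
    return [
        ev for ev in events
        if is_crushftp_parent(ev.get("ParentImage", ""))
        and basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN
    ]


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\CrushFTP11\CrushFTP.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},          # hit
    {"ParentImage": r"C:\Program Files\CrushFTP11\CrushFTP.exe",
     "Image": r"C:\Program Files\Java\bin\java.exe",
     "CommandLine": "java.exe -jar CrushFTP.jar"},                   # benign child
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},                               # wrong parent
    {"ParentImage": r"C:\crushftp\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\CMD.EXE",
     "CommandLine": "CMD.EXE /c whoami"},                            # hit (case-insensitive)
]

if __name__ == "__main__":
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```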

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5261 from @swachchhanda000 - Add `Suspicious CrushFTP Child Process`
Date: 2025-04-18
Commit: