Rule Info
Name
Potential Exploitation of GoAnywhere MFT Vulnerability
Author
MSFT (idea), Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects suspicious command execution by child processes of the GoAnywhere Managed File Transfer (MFT) application, which may indicate exploitation of a vulnerability such as CVE-2025-10035.
This behavior is indicative of post-exploitation activity related to CVE-2025-10035, as observed in campaigns by the threat actor Storm-1175.
Date
2025-10-07 00:00:00
Modified
None
Id
6c76b3d0-afe4-4870-9443-ffe6773c5fef
Tags
attack.initial-access attack.t1190 attack.execution attack.t1059.001 attack.persistence attack.t1133 detection.emerging-threats cve.2025-10035
Type
Community Rule
Rule History
Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5680 from @swachchhanda000 - feat: add detection for CVE-2025-10035 exploit in GoAnywhere MFT
Date
2025-10-20
Commit
