Griffon Malware Attack Pattern

Aug 12, 2024 · attack.execution detection.emerging-threats ·

Detects process execution patterns related to Griffon malware as reported by Kaspersky

Sigma rule (View on GitHub)

 1title: Griffon Malware Attack Pattern
 2id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
 3status: test
 4description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
 5references:
 6    - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-03-09
 9tags:
10    - attack.execution
11    - detection.emerging-threats
12logsource:
13    category: process_creation
14    product: windows
15detection:
16    selection:
17        CommandLine|contains|all:
18            - '\local\temp\'
19            - '//b /e:jscript'
20            - '.txt'
21    condition: selection
22falsepositives:
23    - Unlikely
24level: critical

References

FIN7.5: the infamous cybercrime rig “FIN7” continues its activities

In 2018-2019, researchers of GReAT analyzed various campaigns that used the same TTPs as the historic FIN7, leading the researchers to believe that this threat actor had remained active despite the 2018 arrests.

Read More

Griffon Malware Attack Pattern

Sigma rule (View on GitHub)

References

FIN7.5: the infamous cybercrime rig &#8220;FIN7&#8221; continues its activities

Related rules

FIN7.5: the infamous cybercrime rig “FIN7” continues its activities