Griffon Malware Attack Pattern
Detects process execution patterns related to Griffon malware as reported by Kaspersky
Sigma rule (View on GitHub)
1title: Griffon Malware Attack Pattern
2id: bcc6f179-11cd-4111-a9a6-0fab68515cf7
3status: test
4description: Detects process execution patterns related to Griffon malware as reported by Kaspersky
5references:
6 - https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/03/09
9tags:
10 - attack.execution
11 - detection.emerging_threats
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 CommandLine|contains|all:
18 - '\local\temp\'
19 - '//b /e:jscript'
20 - '.txt'
21 condition: selection
22falsepositives:
23 - Unlikely
24level: critical
References
-
In 2018-2019, researchers of GReAT analyzed various campaigns that used the same TTPs as the historic FIN7, leading the researchers to believe that this threat actor had remained active despite the 2018 arrests.
Read More
Related rules
- Potential Compromised 3CXDesktopApp Execution
- Potential Compromised 3CXDesktopApp Update Activity
- Potential Suspicious Child Process Of 3CXDesktopApp
- Pikabot Fake DLL Extension Execution Via Rundll32.EXE
- CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process