Potential APT FIN7 Related PowerShell Script Created
Detects the creation of a PowerShell script file with a specific name or suffix that has often been seen in FIN7 PowerShell scripts
Sigma rule
title: Potential APT FIN7 Related PowerShell Script Created
id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
status: test
description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.execution
    - attack.g0046
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|endswith: '_64refl.ps1'
        - TargetFilename: 'host_ip.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high
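To see the rule's selection applied to concrete file-creation events, here is an added Python example; it is not the SigmaHQ rule's own code nor a pySigma backend. It hand-codes the two selection items with Sigma's default string semantics: values match case-insensitively, `|endswith` is a suffix match, and a bare value is an exact match. The sample events are constructed and shaped like Sysmon Event ID 11 records. Because `TargetFilename: 'host_ip.ps1'` is an exact match, an event whose TargetFilename carries the full path does not fire that item; the path-aware variant `matches_selection_path_aware` is an assumption of this example, not part of the rule, and shows what anchoring on the file name instead would catch if the log source delivers full paths.

```python
"""Evaluate the FIN7 PowerShell-script file-creation rule above against sample
Windows file-creation events.

Added example: this is not the SigmaHQ rule's code or tooling. The selection
logic below is a hand translation of the rule's two list items using Sigma's
default string matching (case-insensitive; `|endswith` = suffix; bare value =
exact match). All events are constructed for illustration.
"""

from __future__ import annotations

# Constructed sample events, laid out like Sysmon Event ID 11 (FileCreate).
POWERSHELL = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # Suffix match on the first selection item.
    {"EventID": 11, "Image": POWERSHELL,
     "TargetFilename": "C:\\Users\\Public\\Libraries\\inst_64refl.ps1"},
    # Full path with the second item's file name: exact match does NOT fire.
    {"EventID": 11, "Image": POWERSHELL,
     "TargetFilename": "C:\\Windows\\Temp\\HOST_IP.PS1"},
    # Bare file name exactly as the rule's second item expects it.
    {"EventID": 11, "Image": POWERSHELL,
     "TargetFilename": "host_ip.ps1"},
    # Suffix is present but not at the end of the string: no match.
    {"EventID": 11, "Image": POWERSHELL,
     "TargetFilename": "C:\\Scripts\\backup_64refl.ps1.bak"},
    # Ordinary script, benign.
    {"EventID": 11, "Image": POWERSHELL,
     "TargetFilename": "C:\\Scripts\\Deploy.ps1"},
]

RULE_LEVEL = "high"  # the rule's `level` field


def matches_selection(event: dict) -> bool:
    """Rule's `selection` as written: list items are OR-ed together."""
    target = str(event.get("TargetFilename", "")).lower()  # Sigma default: case-insensitive
    if target.endswith("_64refl.ps1"):   # TargetFilename|endswith: '_64refl.ps1'
        return True
    if target == "host_ip.ps1":          # TargetFilename: 'host_ip.ps1' (exact)
        return True
    return False


def matches_selection_path_aware(event: dict) -> bool:
    """Assumed variant (not the rule): compare the final path component for the
    second item, which is what an `|endswith: '\\host_ip.ps1'` style selector
    would achieve when TargetFilename holds a full path."""
    target = str(event.get("TargetFilename", "")).lower()
    if target.endswith("_64refl.ps1"):
        return True
    basename = target.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    return basename == "host_ip.ps1"


def evaluate(events: list[dict], matcher=matches_selection) -> list[str]:
    """Return the TargetFilename of every event the condition (`selection`) matches."""
    return [e["TargetFilename"] for e in events if matcher(e)]


def alerts(events: list[dict], matcher=matches_selection) -> list[dict]:
    """Wrap each hit as an alert carrying the rule's severity."""
    return [{"rule": "Potential APT FIN7 Related PowerShell Script Created",
             "level": RULE_LEVEL, "target": t} for t in evaluate(events, matcher)]


if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(f"[{a['level']}] {a['rule']}: {a['target']}")
    print("path-aware variant hits:", evaluate(SAMPLE_EVENTS, matches_selection_path_aware))
```

Running the block prints two hits for the rule as written (the `_64refl.ps1` file and the bare `host_ip.ps1` name) and three for the path-aware variant, which additionally catches `C:\Windows\Temp\HOST_IP.PS1`; the difference is worth checking against the actual shape of TargetFilename in your file_event source before relying on the second selector.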
References
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
Related rules
- Potential APT FIN7 POWERHOLD Execution
- Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
- Potential POWERTRASH Script Execution
- APT29 2018 Phishing Campaign CommandLine Indicators
- Adwind RAT / JRAT