Potential APT FIN7 Related PowerShell Script Created
Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
Sigma rule (View on GitHub)
1title: Potential APT FIN7 Related PowerShell Script Created
2id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
3status: test
4description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
5references:
6 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/05/04
9tags:
10 - attack.execution
11 - attack.g0046
12 - detection.emerging_threats
13logsource:
14 category: file_event
15 product: windows
16detection:
17 selection:
18 - TargetFilename|endswith: '_64refl.ps1'
19 - TargetFilename: 'host_ip.ps1'
20 condition: selection
21falsepositives:
22 - Unknown
23level: high
References
-
WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.
Read More
Related rules
- Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
- Potential APT FIN7 POWERHOLD Execution
- Potential POWERTRASH Script Execution
- MSMQ Corrupted Packet Encountered
- Potential CVE-2023-21554 QueueJumper Exploitation