Potential APT FIN7 Related PowerShell Script Created
Detects the creation of PowerShell script files whose name or suffix has often been observed in FIN7 PowerShell tooling.
Sigma rule
```yaml
title: Potential APT FIN7 Related PowerShell Script Created
id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
status: test
description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/05/04
tags:
    - attack.execution
    - attack.g0046
    - detection.emerging_threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|endswith: '_64refl.ps1'
        # TargetFilename carries the full path in file_event logs, so an exact
        # match on the bare file name would never fire; anchor on the separator
        # and match the tail of the path instead.
        - TargetFilename|endswith: '\host_ip.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high
```
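To see how the `selection` block is evaluated, the following added example (not part of the Sigma project or this rule's author's material) transcribes the detection logic into a minimal Python matcher and runs it over a few constructed Sysmon Event ID 11 records. It implements Sigma's list-of-maps semantics (OR between entries, AND between keys within an entry) and case-insensitive string matching, and shows why a value on the full-path `TargetFilename` field has to use `endswith` with a leading path separator: an exact match on a bare file name never matches a full path, and an unanchored suffix would also catch unrelated names such as `get_host_ip.ps1`. The event records and paths are constructed samples.

```python
"""Added example: evaluate this rule's selection against constructed file_event records."""


def _match_field(spec_key, expected, event):
    """Apply one Sigma field spec (e.g. 'TargetFilename|endswith') to an event."""
    field, _, modifier = spec_key.partition("|")
    value = event.get(field)
    if value is None:
        return False
    # Sigma string comparisons are case-insensitive by default
    v, e = value.lower(), expected.lower()
    if modifier == "":
        return v == e
    if modifier == "endswith":
        return v.endswith(e)
    if modifier == "startswith":
        return v.startswith(e)
    if modifier == "contains":
        return e in v
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event, selection):
    """A list under `selection` is OR'ed; keys inside one entry are AND'ed."""
    return any(
        all(_match_field(key, expected, event) for key, expected in entry.items())
        for entry in selection
    )


# The rule's selection with the host_ip.ps1 entry anchored on the path separator.
SELECTION = [
    {"TargetFilename|endswith": "_64refl.ps1"},
    {"TargetFilename|endswith": "\\host_ip.ps1"},
]

# An exact match on the full-path field (never fires on real file_event data).
EXACT_NAME_ONLY = [{"TargetFilename": "host_ip.ps1"}]

# Constructed Sysmon EID 11 (FileCreate) records; field names follow Sigma's file_event.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\Public\dll_64refl.ps1"},
    {"EventID": 11,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\ProgramData\host_ip.ps1"},
    {"EventID": 11,
     "Image": r"C:\Program Files\Git\usr\bin\bash.exe",
     "TargetFilename": r"C:\Users\alice\scripts\get_host_ip.ps1"},  # benign, must not fire
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]


def run_rule(events=SAMPLE_EVENTS, selection=SELECTION):
    """Return the TargetFilename of every event the selection matches."""
    return [e["TargetFilename"] for e in events if matches_selection(e, selection)]


if __name__ == "__main__":
    for hit in run_rule():
        print("ALERT:", hit)
```

Running the block prints the two constructed paths that end in `_64refl.ps1` and `\host_ip.ps1`; the `get_host_ip.ps1` and `notes.txt` records are left alone, and `run_rule(selection=EXACT_NAME_ONLY)` returns nothing because no full path equals the bare file name.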
Related rules
- Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
- Potential APT FIN7 POWERHOLD Execution
- Potential POWERTRASH Script Execution
- MSMQ Corrupted Packet Encountered
- Potential CVE-2023-21554 QueueJumper Exploitation