Potential APT FIN7 Related PowerShell Script Created

Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts

Sigma rule (View on GitHub)

 1title: Potential APT FIN7 Related PowerShell Script Created
 2id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
 3status: experimental
 4description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
 5references:
 6    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/05/04
 9tags:
10    - attack.execution
11    - attack.g0046
12    - detection.emerging_threats
13logsource:
14    category: file_event
15    product: windows
16detection:
17    selection:
18        - TargetFilename|endswith: '_64refl.ps1'
19        - TargetFilename: 'host_ip.ps1'
20    condition: selection
21falsepositives:
22    - Unknown
23level: high

References

Related rules

to-top