Potential APT FIN7 POWERHOLD Execution

calendar Nov 28, 2023 · attack.execution attack.t1059.001 attack.g0046 detection.emerging_threats  ·
Share on: linkedin copy

Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs

Sigma rule (View on GitHub)

 1title: Potential APT FIN7 POWERHOLD Execution
 2id: 71c432c4-e4da-4eab-ba49-e60ea9a81bca
 3status: test
 4description: Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs
 5references:
 6    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/05/04
 9tags:
10    - attack.execution
11    - attack.t1059.001
12    - attack.g0046
13    - detection.emerging_threats
14logsource:
15    product: windows
16    category: ps_script
17    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
18detection:
19    selection:
20        ScriptBlockText|contains|all:
21            - '$env:APPDATA'
22            - 'function MainPayload'
23            - '::WriteAllBytes'
24            - 'wscript.exe'
25    condition: selection
26falsepositives:
27    - Unknown
28level: high

References

  • FIN7 tradecraft seen in attacks against Veeam backup servers

    WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.


    Read More

Related rules

to-top