Potential POWERTRASH Script Execution

calendar Aug 12, 2024 · attack.execution attack.t1059.001 attack.g0046 detection.emerging-threats  ·
Share on: linkedin copy

Detects potential execution of the PowerShell script POWERTRASH

Sigma rule (View on GitHub)

 1title: Potential POWERTRASH Script Execution
 2id: 4e19528a-f081-40dd-be09-90c39352bd64
 3status: test
 4description: Detects potential execution of the PowerShell script POWERTRASH
 5references:
 6    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023-05-04
 9tags:
10    - attack.execution
11    - attack.t1059.001
12    - attack.g0046
13    - detection.emerging-threats
14logsource:
15    product: windows
16    category: ps_script
17    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
18detection:
19    selection:
20        ScriptBlockText|contains|all:
21            - 'IO.Compression.DeflateStream'
22            - 'IO.MemoryStream'
23            - '::FromBase64String'
24            - 'GetDelegateForFunctionPointer'
25            - '.Invoke()'
26            - 'GlobalAssemblyCache'
27    condition: selection
28falsepositives:
29    - Unknown
30level: high

References

  • FIN7 tradecraft seen in attacks against Veeam backup servers

    WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.


    Read More

Related rules

to-top