Potential POWERTRASH Script Execution
Detects potential execution of the PowerShell script POWERTRASH
Sigma rule (View on GitHub)
1title: Potential POWERTRASH Script Execution
2id: 4e19528a-f081-40dd-be09-90c39352bd64
3status: test
4description: Detects potential execution of the PowerShell script POWERTRASH
5references:
6 - https://labs.withsecure.com/publications/fin7-target-veeam-servers
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/05/04
9tags:
10 - attack.execution
11 - attack.t1059.001
12 - attack.g0046
13 - detection.emerging_threats
14logsource:
15 product: windows
16 category: ps_script
17 definition: bade5735-5ab0-4aa7-a642-a11be0e40872
18detection:
19 selection:
20 ScriptBlockText|contains|all:
21 - 'IO.Compression.DeflateStream'
22 - 'IO.MemoryStream'
23 - '::FromBase64String'
24 - 'GetDelegateForFunctionPointer'
25 - '.Invoke()'
26 - 'GlobalAssemblyCache'
27 condition: selection
28falsepositives:
29 - Unknown
30level: high
References
-
WithSecure Intelligence identified attacks which occurred in late March 2023 against internet-facing servers running Veeam Backup & Replication software. Our research indicates that the intrusion set used in these attacks has overlaps with those attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532.
Read More
Related rules
- Potential APT FIN7 POWERHOLD Execution
- Lace Tempest PowerShell Evidence Eraser
- Lace Tempest PowerShell Launcher
- Potential Baby Shark Malware Activity
- UNC2452 Process Creation Patterns