Potential APT FIN7 Exploitation Activity
Detects potential APT FIN7 exploitation activity as reported by Google. To obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to log in to a target server and start specific Windows process chains; the rule looks for two links of that chain in process-creation telemetry: rdpinit.exe spawning notepad++.exe, and notepad++.exe spawning cmd.exe.
Sigma rule

```yaml
title: Potential APT FIN7 Exploitation Activity
id: 6676896b-2cce-422d-82af-5a1abe65e241
status: experimental
description: |
    Detects potential APT FIN7 exploitation activity as reported by Google.
    In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
author: Alex Walston (@4ayymm)
date: 2024-07-29
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_notepad_plus:
        ParentImage|endswith: '\notepad++.exe'
        Image|endswith: '\cmd.exe'
    selection_rdpinit:
        ParentImage|endswith: '\rdpinit.exe'
        Image|endswith: '\notepad++.exe'
    condition: 1 of selection_*
falsepositives:
    - Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)
level: medium
```
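The following is an added example, not SigmaHQ's code or part of the rule page: it transcribes the rule's two selections into a small matcher, runs them over constructed Sysmon-style process_creation events, and then correlates the hits by ProcessGuid/ParentProcessGuid so that the full rdpinit.exe -> notepad++.exe -> cmd.exe chain can be told apart from a lone notepad++.exe -> cmd.exe event, which is the false positive the rule itself lists (Open Containing Folder in CMD). The event field names follow the Sigma process_creation taxonomy used by the rule; the GUIDs, paths and command lines are made up for the example.

```python
# Added example (not SigmaHQ's code): evaluate the rule's selections against
# constructed process_creation events and correlate hits into process chains.

# The rule's selections, transcribed from the YAML above.
SELECTIONS = {
    "selection_notepad_plus": {
        "ParentImage|endswith": r"\notepad++.exe",
        "Image|endswith": r"\cmd.exe",
    },
    "selection_rdpinit": {
        "ParentImage|endswith": r"\rdpinit.exe",
        "Image|endswith": r"\notepad++.exe",
    },
}


def field_matches(event, field_spec, expected):
    """Apply one 'Field|modifier: value' pair. Sigma string matching is
    case-insensitive, so both sides are lower-cased before comparison."""
    field, _, modifier = field_spec.partition("|")
    value = str(event.get(field, "")).lower()
    expected = expected.lower()
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "contains":
        return expected in value
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def evaluate(event):
    """Names of the selections the event satisfies. Fields inside one
    selection are AND-ed; a non-empty result satisfies '1 of selection_*'."""
    return [
        name for name, fields in SELECTIONS.items()
        if all(field_matches(event, spec, exp) for spec, exp in fields.items())
    ]


def full_chains(events):
    """Pair a selection_rdpinit hit with a selection_notepad_plus hit whose
    cmd.exe was spawned by that same notepad++ process (ProcessGuid of the
    notepad++ event equals ParentProcessGuid of the cmd event). Returns
    (notepad_event, cmd_event) pairs; lone notepad++ -> cmd hits are left
    for the false-positive review the rule mentions."""
    rdp_hits = {e["ProcessGuid"]: e for e in events if "selection_rdpinit" in evaluate(e)}
    return [
        (rdp_hits[e["ParentProcessGuid"]], e)
        for e in events
        if "selection_notepad_plus" in evaluate(e) and e["ParentProcessGuid"] in rdp_hits
    ]


# Constructed sample events; GUIDs, paths and command lines are made up.
SAMPLE_EVENTS = [
    {   # rdpinit.exe (RDP session start) launches Notepad++
        "ProcessGuid": "{G1}", "ParentProcessGuid": "{G0}",
        "ParentImage": r"C:\Windows\System32\rdpinit.exe",
        "Image": r"C:\Program Files\Notepad++\notepad++.exe",
        "CommandLine": r'"C:\Program Files\Notepad++\notepad++.exe"',
    },
    {   # that same Notepad++ process then spawns cmd.exe
        "ProcessGuid": "{G2}", "ParentProcessGuid": "{G1}",
        "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {   # an ordinary user opens Notepad++ from Explorer: no selection matches
        "ProcessGuid": "{G3}", "ParentProcessGuid": "{GX}",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Program Files\Notepad++\notepad++.exe",
        "CommandLine": r'"C:\Program Files\Notepad++\notepad++.exe"',
    },
    {   # that Notepad++ uses 'Open Containing Folder in CMD': the rule fires
        # on selection_notepad_plus alone, with no rdpinit ancestor
        "ProcessGuid": "{G4}", "ParentProcessGuid": "{G3}",
        "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /K cd "C:\Users\alice\Documents"',
    },
]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["ProcessGuid"], evaluate(e) or "no match")
    for notepad, cmd in full_chains(SAMPLE_EVENTS):
        print("full chain:", notepad["ParentImage"], "->", notepad["Image"], "->", cmd["Image"])
```

Each selection fires on its own, exactly as the rule's `1 of selection_*` condition specifies, so the medium level is appropriate for the single-hit case; the `full_chains` correlation is an added triage step, and an alert whose notepad++ parent was itself started by rdpinit.exe deserves a higher priority than a lone notepad++ -> cmd event from an interactive desktop session.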
References
- https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
Related rules
- Exploited CVE-2020-10189 Zoho ManageEngine
- Potential Baby Shark Malware Activity
- Rorschach Ransomware Execution Activity
- Potential BlackByte Ransomware Activity
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE