Potential APT FIN7 Exploitation Activity
Detects potential APT FIN7 exploitation activity as reported by Google. To obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to log in to a target server and then started specific Windows process chains; the rule looks for two links of that chain, Notepad++ started by the RemoteApp session initializer (rdpinit.exe) and a command shell started by Notepad++.
Sigma rule

```yaml
title: Potential APT FIN7 Exploitation Activity
id: 6676896b-2cce-422d-82af-5a1abe65e241
status: experimental
description: |
    Detects potential APT FIN7 exploitation activity as reported by Google.
    In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
author: Alex Walston (@4ayymm)
date: 2024-07-29
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_notepad_plus:
        ParentImage|endswith: '\notepad++.exe'
        Image|endswith: '\cmd.exe'
    selection_rdpinit:
        ParentImage|endswith: '\rdpinit.exe'
        Image|endswith: '\notepad++.exe'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
```
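The following is an added example, not code from SigmaHQ or from the rule author, that evaluates the rule's two selections and its `1 of selection_*` condition the way a Sigma backend would, over a handful of constructed process_creation events in Sysmon Event ID 1 field names. It applies Sigma's default case-insensitive string matching for `endswith`, and it shows the one translation pitfall this rule has: the `+` characters in `notepad++.exe` are regex quantifiers, so a backend that emits a regex must escape the value. The events, user names and paths are invented for the demonstration.

```python
"""Reference evaluation of the FIN7 process-chain Sigma rule (added example)."""
import re

# Constructed process_creation events using Sysmon Event ID 1 field names,
# which is what Sigma's windows/process_creation log source maps to.
# These are not real telemetry.
SAMPLE_EVENTS = [
    {   # RemoteApp session initializer launching Notepad++ -> selection_rdpinit
        "Image": r"C:\Program Files\Notepad++\notepad++.exe",
        "ParentImage": r"C:\Windows\System32\rdpinit.exe",
        "User": "CORP\\svc_rdp",
    },
    {   # Notepad++ spawning a command shell -> selection_notepad_plus
        # (mixed case on purpose: Sigma matching is case-insensitive)
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\PROGRAM FILES\NOTEPAD++\NOTEPAD++.EXE",
        "User": "CORP\\svc_rdp",
    },
    {   # Interactive user opening Notepad++ from the desktop: no match
        "Image": r"C:\Program Files\Notepad++\notepad++.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "User": "CORP\\alice",
    },
    {   # Parent name merely contains the suffix, does not end with it: no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Tools\notepad++.exe.bak",
        "User": "CORP\\bob",
    },
]


def endswith_ci(value, suffix):
    """Sigma 'endswith' modifier: case-insensitive suffix match on a field."""
    return value is not None and value.lower().endswith(suffix.lower())


def selection_notepad_plus(event):
    """ParentImage|endswith '\\notepad++.exe' AND Image|endswith '\\cmd.exe'."""
    return (endswith_ci(event.get("ParentImage"), "\\notepad++.exe")
            and endswith_ci(event.get("Image"), "\\cmd.exe"))


def selection_rdpinit(event):
    """ParentImage|endswith '\\rdpinit.exe' AND Image|endswith '\\notepad++.exe'."""
    return (endswith_ci(event.get("ParentImage"), "\\rdpinit.exe")
            and endswith_ci(event.get("Image"), "\\notepad++.exe"))


SELECTIONS = {
    "selection_notepad_plus": selection_notepad_plus,
    "selection_rdpinit": selection_rdpinit,
}


def matched_selections(event):
    """Names of the selections this event satisfies. With the rule's
    condition '1 of selection_*', any non-empty result is an alert."""
    return [name for name, check in SELECTIONS.items() if check(event)]


def evaluate(events):
    """Map event index -> matched selection names for every alerting event."""
    alerts = {}
    for index, event in enumerate(events):
        hits = matched_selections(event)
        if hits:
            alerts[index] = hits
    return alerts


def suffix_regex(suffix):
    """How a regex-emitting backend should translate an endswith value.
    re.escape turns '\\notepad++.exe' into '\\\\notepad\\+\\+\\.exe', so the
    plus signs match literally instead of acting as quantifiers."""
    return re.compile(re.escape(suffix) + r"$", re.IGNORECASE)


if __name__ == "__main__":
    for index, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"event {index} ({SAMPLE_EVENTS[index]['User']}): {', '.join(hits)}")
    pattern = suffix_regex("\\notepad++.exe")
    print("escaped regex:", pattern.pattern)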
References
Related rules
- AWS EC2 Startup Shell Script Change
- Command Line Execution with Suspicious URL and AppData Strings
- Exploited CVE-2020-10189 Zoho ManageEngine
- File Was Not Allowed To Run
- HTML Help HH.EXE Suspicious Child Process