Potential APT FIN7 Exploitation Activity

Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to log in to a target server and initiate specific Windows process chains.

Sigma rule

title: Potential APT FIN7 Exploitation Activity
id: 6676896b-2cce-422d-82af-5a1abe65e241
status: experimental
description: |
    Detects potential APT FIN7 exploitation activity as reported by Google.
    In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to log in to a target server and initiate specific Windows process chains.
references:
    - https://cloud.google.com/blog/topics/threat-intelligence/evolution-of-fin7/
author: Alex Walston (@4ayymm)
date: 2024-07-29
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_notepad_plus:
        ParentImage|endswith: '\notepad++.exe'
        Image|endswith: '\cmd.exe'
    selection_rdpinit:
        ParentImage|endswith: '\rdpinit.exe'
        Image|endswith: '\notepad++.exe'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: medium
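To make the rule's logic concrete, the following is an added example (not part of the Sigma rule above, and not SigmaHQ or the rule author's code) that re-implements the two selections and the `1 of selection_*` condition in plain Python and runs them over a handful of constructed process-creation events. The event dictionaries, user name and paths are made up for the example; `endswith` matching is done case-insensitively, which is Sigma's default for string values.

```python
"""Added example: evaluate the FIN7 Sigma rule's two selections against
constructed process_creation events. Not the rule's or SigmaHQ's own code."""

# Selections copied from the rule. Each maps a field to an "endswith" value;
# every field in a selection must match for that selection to hold.
SELECTIONS = {
    "selection_notepad_plus": {
        "ParentImage": "\\notepad++.exe",
        "Image": "\\cmd.exe",
    },
    "selection_rdpinit": {
        "ParentImage": "\\rdpinit.exe",
        "Image": "\\notepad++.exe",
    },
}


def endswith_ci(value, suffix):
    """Sigma's |endswith modifier, matched case-insensitively (Sigma default)."""
    return isinstance(value, str) and value.lower().endswith(suffix.lower())


def matched_selections(event):
    """Names of the selections this event satisfies, in rule order."""
    return [
        name
        for name, fields in SELECTIONS.items()
        if all(endswith_ci(event.get(field), suffix) for field, suffix in fields.items())
    ]


def rule_fires(event):
    """condition: 1 of selection_*  ->  at least one selection matched."""
    return len(matched_selections(event)) >= 1


def scan(events):
    """Return (index, matched selection names) for every event that triggers the rule."""
    return [(i, matched_selections(e)) for i, e in enumerate(events) if rule_fires(e)]


# Constructed sample events in a Sysmon Event ID 1 style (not real telemetry).
# Events 0 and 1 mirror the two chains in the rule; 2 to 4 are benign-looking
# neighbours that share one field with a selection but not both.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\rdpinit.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "User": "CORP\\svc-rdp"},
    {"ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\rdpinit.exe",
     "Image": r"C:\Windows\System32\rdpclip.exe"},
]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(f"event {idx}: rule fired via {', '.join(names)}")
```

The two chains fire on different events (rdpinit.exe spawning notepad++.exe, and notepad++.exe spawning cmd.exe), so the rule's `1 of selection_*` condition is what lets a single alert cover either half of the reported activity; a tuning exercise would be to check how often the second chain appears on its own in normal admin sessions, since the rule lists its false positives as unknown.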
