Forest Blizzard APT - File Creation Activity
Detects the creation of specific files inside the ProgramData directory. These files were seen being created by Forest Blizzard, as described by MSFT.
Sigma rule
```yaml
title: Forest Blizzard APT - File Creation Activity
id: b92d1d19-f5c9-4ed6-bbd5-7476709dc389
status: experimental
description: |
    Detects the creation of specific files inside of ProgramData directory.
    These files were seen being created by Forest Blizzard as described by MSFT.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/04/23
modified: 2024/07/11
tags:
    - attack.defense_evasion
    - attack.t1562.002
logsource:
    category: file_event
    product: windows
detection:
    selection_programdata_driver_store:
        TargetFilename|startswith:
            - 'C:\ProgramData\Microsoft\v'
            - 'C:\ProgramData\Adobe\v'
            - 'C:\ProgramData\Comms\v'
            - 'C:\ProgramData\Intel\v'
            - 'C:\ProgramData\Kaspersky Lab\v'
            - 'C:\ProgramData\Bitdefender\v'
            - 'C:\ProgramData\ESET\v'
            - 'C:\ProgramData\NVIDIA\v'
            - 'C:\ProgramData\UbiSoft\v'
            - 'C:\ProgramData\Steam\v'
        TargetFilename|contains:
            - '\prnms003.inf_'
            - '\prnms009.inf_'
    selection_programdata_main:
        TargetFilename|startswith: 'C:\ProgramData\'
    selection_programdata_files_1:
        TargetFilename|endswith:
            - '.save'
            - '\doit.bat'
            - '\execute.bat'
            - '\servtask.bat'
        # Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncomment this if you collect hash information in file events
    selection_programdata_files_2:
        TargetFilename|contains: '\wayzgoose'
        TargetFilename|endswith: '.dll'
    condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)
falsepositives:
    - Unlikely
level: high
```
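The rule's condition, as an added Python example that is not part of the Sigma project or this rule, evaluated over constructed Sysmon Event ID 11 (FileCreate) records; all paths and field values below are made up. Sigma string modifiers match case-insensitively, which the code mirrors by lower-casing both sides.

```python
# Added example: a minimal re-implementation of the rule's detection logic
# (not the Sigma project's own code). Comparisons are done on lower-cased
# text because Sigma string modifiers are case-insensitive by default.

DRIVER_STORE_PREFIXES = [
    "C:\\ProgramData\\Microsoft\\v", "C:\\ProgramData\\Adobe\\v",
    "C:\\ProgramData\\Comms\\v", "C:\\ProgramData\\Intel\\v",
    "C:\\ProgramData\\Kaspersky Lab\\v", "C:\\ProgramData\\Bitdefender\\v",
    "C:\\ProgramData\\ESET\\v", "C:\\ProgramData\\NVIDIA\\v",
    "C:\\ProgramData\\UbiSoft\\v", "C:\\ProgramData\\Steam\\v",
]
DRIVER_STORE_MARKERS = ["\\prnms003.inf_", "\\prnms009.inf_"]
FILES_1_SUFFIXES = [".save", "\\doit.bat", "\\execute.bat", "\\servtask.bat"]


def rule_matches(target_filename: str) -> bool:
    """Return True if a single TargetFilename satisfies the rule's condition."""
    t = target_filename.lower()
    # selection_programdata_driver_store: both field conditions must hold (AND)
    driver_store = (
        any(t.startswith(p.lower()) for p in DRIVER_STORE_PREFIXES)
        and any(m in t for m in DRIVER_STORE_MARKERS)
    )
    # selection_programdata_main
    in_programdata = t.startswith("c:\\programdata\\")
    # "1 of selection_programdata_files_*" means files_1 OR files_2
    files_1 = any(t.endswith(s) for s in FILES_1_SUFFIXES)
    files_2 = "\\wayzgoose" in t and t.endswith(".dll")
    return driver_store or (in_programdata and (files_1 or files_2))


def alerts(events):
    """Return the TargetFilename of every file-create event that fires the rule."""
    return [e["TargetFilename"] for e in events
            if e.get("EventID") == 11 and rule_matches(e["TargetFilename"])]


# Constructed sample events (Sysmon field names; the values are made up).
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": "C:\\ProgramData\\Adobe\\v2.0\\prnms003.inf_amd64_0000\\constructed.js"},
    {"EventID": 11, "TargetFilename": "C:\\ProgramData\\servtask.bat"},
    {"EventID": 11, "TargetFilename": "C:\\ProgramData\\wayzgoose23.dll"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\Public\\execute.bat"},        # outside ProgramData
    {"EventID": 11, "TargetFilename": "C:\\ProgramData\\Intel\\v1\\driver.inf"},  # no prnms marker
]

if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT:", name)
```

The first three sample events fire (one per selection path); the last two do not, which shows that the `selection_programdata_main` prefix and the driver-store `contains` marker are both required, not optional.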
Related rules
- Suspicious Eventlog Clearing or Configuration Change Activity
- Potential EventLog File Location Tampering
- Filter Driver Unloaded Via Fltmc.EXE
- Forest Blizzard APT - JavaScript Constrained File Creation
- EVTX Created In Uncommon Location