Forest Blizzard APT - File Creation Activity

Detects the creation of specific files inside the ProgramData directory. These files were seen being created by Forest Blizzard, as described by MSFT.

Sigma rule

title: Forest Blizzard APT - File Creation Activity
id: b92d1d19-f5c9-4ed6-bbd5-7476709dc389
status: experimental
description: |
    Detects the creation of specific files inside of ProgramData directory.
    These files were seen being created by Forest Blizzard as described by MSFT.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
modified: 2024-07-11
tags:
    - attack.defense-evasion
    - attack.t1562.002
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection_programdata_driver_store:
        TargetFilename|startswith:
            - 'C:\ProgramData\Microsoft\v'
            - 'C:\ProgramData\Adobe\v'
            - 'C:\ProgramData\Comms\v'
            - 'C:\ProgramData\Intel\v'
            - 'C:\ProgramData\Kaspersky Lab\v'
            - 'C:\ProgramData\Bitdefender\v'
            - 'C:\ProgramData\ESET\v'
            - 'C:\ProgramData\NVIDIA\v'
            - 'C:\ProgramData\UbiSoft\v'
            - 'C:\ProgramData\Steam\v'
        TargetFilename|contains:
            - '\prnms003.inf_'
            - '\prnms009.inf_'
    selection_programdata_main:
        TargetFilename|startswith: 'C:\ProgramData\'
    selection_programdata_files_1:
        TargetFilename|endswith:
            - '.save'
            - '\doit.bat'
            - '\execute.bat'
            - '\servtask.bat'
        # Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncomment this if you collect hash information in file events
    selection_programdata_files_2:
        TargetFilename|contains: '\wayzgoose'
        TargetFilename|endswith: '.dll'
    condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)
falsepositives:
    - Unlikely
level: high
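To show how the rule's selections combine (fields inside one selection are ANDed, list values are ORed, and the condition joins the driver-store branch with the ProgramData-plus-filename branch), here is an added Python evaluation of the condition over constructed TargetFilename values. This is example code written for this page, not part of the Sigma rule or the referenced report; the sample paths are constructed.

```python
# Added example (not part of the Sigma rule or the page): evaluates the rule's
# condition in Python over constructed TargetFilename values, to show how the
# selections combine. Sigma string matching is case-insensitive by default.
DRIVER_STORE_PREFIXES = tuple(p.lower() for p in (
    "C:\\ProgramData\\Microsoft\\v", "C:\\ProgramData\\Adobe\\v", "C:\\ProgramData\\Comms\\v",
    "C:\\ProgramData\\Intel\\v", "C:\\ProgramData\\Kaspersky Lab\\v",
    "C:\\ProgramData\\Bitdefender\\v", "C:\\ProgramData\\ESET\\v", "C:\\ProgramData\\NVIDIA\\v",
    "C:\\ProgramData\\UbiSoft\\v", "C:\\ProgramData\\Steam\\v"))
DRIVER_STORE_INF = ("\\prnms003.inf_", "\\prnms009.inf_")
PROGRAMDATA_PREFIX = "c:\\programdata\\"
SCRIPT_SUFFIXES = (".save", "\\doit.bat", "\\execute.bat", "\\servtask.bat")

def selection_programdata_driver_store(path):
    # Fields within one selection are ANDed; values inside one list are ORed.
    p = path.lower()
    return p.startswith(DRIVER_STORE_PREFIXES) and any(s in p for s in DRIVER_STORE_INF)

def selection_programdata_main(path):
    return path.lower().startswith(PROGRAMDATA_PREFIX)

def selection_programdata_files_1(path):
    return path.lower().endswith(SCRIPT_SUFFIXES)

def selection_programdata_files_2(path):
    p = path.lower()
    return "\\wayzgoose" in p and p.endswith(".dll")

def rule_matches(path):
    # condition: driver_store or (programdata_main and 1 of programdata_files_*)
    return selection_programdata_driver_store(path) or (
        selection_programdata_main(path)
        and (selection_programdata_files_1(path) or selection_programdata_files_2(path)))

def matching_events(paths):
    return [p for p in paths if rule_matches(p)]

# Constructed sample TargetFilename values (not taken from the MSFT report).
SAMPLE_EVENTS = [
    "C:\\ProgramData\\Adobe\\v2.0\\prnms003.inf_amd64_abc\\x.dll",  # driver-store branch
    "C:\\ProgramData\\Adobe\\v2.0\\readme.txt",                      # prefix alone: no hit
    "C:\\ProgramData\\Intel\\servtask.bat",                          # main + files_1
    "C:\\ProgramData\\wayzgoose23.dll",                              # main + files_2
    "C:\\Users\\Public\\doit.bat",                                   # outside ProgramData
    "C:\\ProgramData\\backup\\config.save",                          # .save anywhere below
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{'HIT ' if rule_matches(e) else 'miss'}  {e}")
```

Note that a `.save` file anywhere under ProgramData matches on its own, which is the broadest of the filename checks and the first place to look if the rule fires in an environment where such files are legitimately written.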
