Forest Blizzard APT - Process Creation Activity
Detects the execution of specific processes and command line combinations. These were seen being created by Forest Blizzard, as described by Microsoft (MSFT).
Sigma rule
title: Forest Blizzard APT - Process Creation Activity
id: 07db928c-8632-488e-ac7d-3db847489175
status: experimental
description: |
    Detects the execution of specific processes and command line combination.
    These were seen being created by Forest Blizzard as described by MSFT.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
modified: 2025-01-22
tags:
    - attack.defense-evasion
    - attack.execution
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_hashes:
        Hashes|contains:
            - 'SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
            - 'SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
    selection_schtasks_create:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'Create'
            - '/RU'
            - 'SYSTEM'
            - '\Microsoft\Windows\WinSrv'
        CommandLine|contains:
            - 'servtask.bat'
            - 'execute.bat'
            - 'doit.bat'
    selection_schtasks_delete:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'Delete'
            - '/F '
            - '\Microsoft\Windows\WinSrv'
    selection_powershell:
        CommandLine|contains|all:
            - 'Get-ChildItem'
            - '.save'
            - 'Compress-Archive -DestinationPath C:\ProgramData\'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
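To show how the four selections and the `1 of selection_*` condition combine, here is an added example (not part of the rule or the SigmaHQ project): a minimal evaluator for this rule's `endswith`, `contains` and `contains|all` modifiers, run over constructed process-creation events. Sigma string matching is case-insensitive, so the evaluator lowercases both sides, as a Sigma backend would.

```python
# Added example, not SigmaHQ code. Evaluates this rule's selections over
# constructed process_creation events (Image, CommandLine, Hashes fields).

RULE = {  # transcribed from the rule: selection -> [(field, modifier, values)]
    "selection_hashes": [("Hashes", "contains", [
        "SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f",
        "SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5"])],
    "selection_schtasks_create": [
        ("Image", "endswith", ["\\schtasks.exe"]),
        ("CommandLine", "contains|all",
         ["Create", "/RU", "SYSTEM", "\\Microsoft\\Windows\\WinSrv"]),
        ("CommandLine", "contains", ["servtask.bat", "execute.bat", "doit.bat"])],
    "selection_schtasks_delete": [
        ("Image", "endswith", ["\\schtasks.exe"]),
        ("CommandLine", "contains|all", ["Delete", "/F ", "\\Microsoft\\Windows\\WinSrv"])],
    "selection_powershell": [
        ("CommandLine", "contains|all",
         ["Get-ChildItem", ".save", "Compress-Archive -DestinationPath C:\\ProgramData\\"])],
}

def field_matches(value, modifier, patterns):
    """One field test. Sigma compares case-insensitively; a value list is OR
    unless the |all modifier turns it into AND."""
    v = (value or "").lower()
    pats = [p.lower() for p in patterns]
    if modifier == "endswith":
        return any(v.endswith(p) for p in pats)
    if modifier == "contains":
        return any(p in v for p in pats)
    if modifier == "contains|all":
        return all(p in v for p in pats)
    raise ValueError(f"unsupported modifier: {modifier}")

def matching_selections(event):
    """Names of selections the event satisfies (every field of a selection must match)."""
    return [name for name, fields in RULE.items()
            if all(field_matches(event.get(f), m, p) for f, m, p in fields)]

def is_alert(event):
    return bool(matching_selections(event))  # condition: 1 of selection_*

# Constructed sample events (not real telemetry); command lines reuse the rule's strings.
EVENTS = {
    "create": {"Image": r"C:\Windows\System32\schtasks.exe",
               "CommandLine": r"schtasks /Create /RU SYSTEM /TN \Microsoft\Windows\WinSrv /TR C:\ProgramData\servtask.bat"},
    "delete": {"Image": r"C:\Windows\System32\schtasks.exe",
               "CommandLine": r"schtasks /Delete /F /TN \Microsoft\Windows\WinSrv"},
    "benign": {"Image": r"C:\Windows\System32\schtasks.exe",
               "CommandLine": r"schtasks /Create /RU SYSTEM /TN \Microsoft\Windows\Backup /TR backup.exe"},
}
```

Note that the rule's `'/F '` pattern carries a trailing space, so a delete command line that ends in `/F` with nothing after it does not satisfy `selection_schtasks_delete`; the sample event places `/F` before `/TN` for that reason.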
