Forest Blizzard APT - Process Creation Activity

 1title: Forest Blizzard APT - Process Creation Activity
 2id: 07db928c-8632-488e-ac7d-3db847489175
 3status: experimental
 4description: |
 5    Detects the execution of specific processes and command line combination.
 6    These were seen being created by Forest Blizzard as described by MSFT.    
 7references:
 8    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
 9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2024/04/23
11tags:
12    - attack.defense_evasion
13    - attack.execution
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_hashes:
19        Hashes|contains:
20            - '6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
21            - 'c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
22    selection_schtasks_create:
23        Image|endswith: '\schtasks.exe'
24        CommandLine|contains|all:
25            - 'Create'
26            - '/RU'
27            - 'SYSTEM'
28            - '\Microsoft\Windows\WinSrv'
29        CommandLine|contains:
30            - 'servtask.bat'
31            - 'execute.bat'
32            - 'doit.bat'
33    selection_schtasks_delete:
34        Image|endswith: '\schtasks.exe'
35        CommandLine|contains|all:
36            - 'Delete'
37            - '/F '
38            - '\Microsoft\Windows\WinSrv'
39    selection_powershell:
40        CommandLine|contains:
41            - 'Get-ChildItem'
42            - '.save'
43            - 'Compress-Archive -DestinationPath C:\ProgramData\'
44    condition: 1 of selection_*
45falsepositives:
46    - Unknown
47level: high