Forest Blizzard APT - Process Creation Activity
Detects the execution of specific process and command-line combinations that Microsoft observed being created by Forest Blizzard (its GooseEgg post-compromise tooling), as described in the referenced MSFT blog post. The rule fires on any one of four selections: known file hashes, a scheduled-task creation under `\Microsoft\Windows\WinSrv` running as SYSTEM, the matching task deletion, and a PowerShell command that collects `.save` files and archives them into `C:\ProgramData\`.
Sigma rule
```yaml
title: Forest Blizzard APT - Process Creation Activity
id: 07db928c-8632-488e-ac7d-3db847489175
status: experimental
description: |
    Detects the execution of specific processes and command line combination.
    These were seen being created by Forest Blizzard as described by MSFT.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/04/23
tags:
    - attack.defense_evasion
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    # SHA256 values reported by Microsoft; Sysmon's Hashes field is a
    # comma-separated list such as "SHA256=...,MD5=...", hence |contains.
    selection_hashes:
        Hashes|contains:
            - '6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
            - 'c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
    # Scheduled task created as SYSTEM under the WinSrv folder, launching one
    # of the batch files named in the report.
    selection_schtasks_create:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'Create'
            - '/RU'
            - 'SYSTEM'
            - '\Microsoft\Windows\WinSrv'
        CommandLine|contains:
            - 'servtask.bat'
            - 'execute.bat'
            - 'doit.bat'
    # Forced deletion of the same task (cleanup after use).
    selection_schtasks_delete:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'Delete'
            - '/F '
            - '\Microsoft\Windows\WinSrv'
    # Collection of saved registry hives (.save) into an archive under
    # C:\ProgramData. All three substrings are required: '.save' or
    # 'Get-ChildItem' on their own would match far too broadly for a
    # high-level rule.
    selection_powershell:
        CommandLine|contains|all:
            - 'Get-ChildItem'
            - '.save'
            - 'Compress-Archive -DestinationPath C:\ProgramData\'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
```
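To see what the four selections actually match, here is a small, dependency-free re-implementation of the rule's detection logic run over constructed Sysmon-style process-creation events. This is an added example, not code from the SigmaHQ rule or from the page; the field names (`Image`, `CommandLine`, `Hashes`) follow the Sigma Windows `process_creation` taxonomy, the sample events are constructed for this demonstration, and the string matching is case-insensitive substring matching, which is Sigma's default for `contains`.

```python
"""Evaluate the Forest Blizzard process_creation selections over sample events.

Added example; the events below are constructed, not real telemetry. The
matching mirrors Sigma semantics: 'contains' is a case-insensitive substring
test, 'contains|all' requires every listed value, a plain list is 'any'.
"""

# SHA256 values listed in the rule (the rule's own data).
RULE_HASHES = [
    "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f",
    "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5",
]


def _norm(value):
    return (value or "").lower()


def contains_all(haystack, needles):
    h = _norm(haystack)
    return all(_norm(n) in h for n in needles)


def contains_any(haystack, needles):
    h = _norm(haystack)
    return any(_norm(n) in h for n in needles)


def sel_hashes(ev):
    return contains_any(ev.get("Hashes"), RULE_HASHES)


def sel_schtasks_create(ev):
    return (
        _norm(ev.get("Image")).endswith("\\schtasks.exe")
        and contains_all(ev.get("CommandLine"),
                         ["Create", "/RU", "SYSTEM", "\\Microsoft\\Windows\\WinSrv"])
        and contains_any(ev.get("CommandLine"),
                         ["servtask.bat", "execute.bat", "doit.bat"])
    )


def sel_schtasks_delete(ev):
    return (
        _norm(ev.get("Image")).endswith("\\schtasks.exe")
        and contains_all(ev.get("CommandLine"),
                         ["Delete", "/F ", "\\Microsoft\\Windows\\WinSrv"])
    )


def sel_powershell(ev):
    # All three substrings are required; '.save' alone would be noise.
    return contains_all(ev.get("CommandLine"),
                        ["Get-ChildItem", ".save",
                         "Compress-Archive -DestinationPath C:\\ProgramData\\"])


SELECTIONS = {
    "selection_hashes": sel_hashes,
    "selection_schtasks_create": sel_schtasks_create,
    "selection_schtasks_delete": sel_schtasks_delete,
    "selection_powershell": sel_powershell,
}


def evaluate(event):
    """Return the names of all selections that matched (condition: 1 of selection_*).

    Returning the names rather than a bare bool tells the analyst which
    behaviour fired, which is what you want in the alert payload.
    """
    return [name for name, fn in SELECTIONS.items() if fn(event)]


# Constructed sample events (keys mirror Sysmon Event ID 1 fields).
DUMMY_HASH = "SHA256=" + "0" * 64
SAMPLE_EVENTS = {
    "schtasks_create": {
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks /Create /RU SYSTEM /TN "\\Microsoft\\Windows\\WinSrv" '
                       '/TR "C:\\ProgramData\\servtask.bat" /SC ONSTART',
        "Hashes": DUMMY_HASH,
    },
    "schtasks_delete": {
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks /Delete /F /TN "\\Microsoft\\Windows\\WinSrv"',
        "Hashes": DUMMY_HASH,
    },
    "powershell_collect": {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": 'powershell.exe -c "Get-ChildItem C:\\ProgramData\\*.save | '
                       'Compress-Archive -DestinationPath C:\\ProgramData\\out.zip"',
        "Hashes": DUMMY_HASH,
    },
    "hash_hit": {  # unknown image name, but the file hash is a known sample
        "Image": "C:\\Users\\Public\\update.exe",
        "CommandLine": "update.exe",
        "Hashes": "SHA256=" + RULE_HASHES[0] + ",MD5=" + "0" * 32,
    },
    "benign_schtasks": {  # SYSTEM task, but a different folder and script
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": 'schtasks /Create /RU SYSTEM /TN "\\Microsoft\\Windows\\Backup\\Nightly" '
                       '/TR backup.bat',
        "Hashes": DUMMY_HASH,
    },
    "reg_save_only": {  # '.save' alone must not fire the PowerShell selection
        "Image": "C:\\Windows\\System32\\reg.exe",
        "CommandLine": "reg save HKLM\\SAM C:\\Temp\\sam.save",
        "Hashes": DUMMY_HASH,
    },
}


def run_samples():
    """Map each sample event name to the list of selections it triggered."""
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:20s} -> {hits or 'no match'}")
```

Two things worth noting from running this. The `/F ` pattern in the delete selection carries a trailing space, so a command line where `/F` is the very last token would slip past it; if you see that in your environment, consider a second value without the space. And the hash selection fires regardless of image name or command line, which is why it is kept separate: it catches renamed copies of the known samples that the behavioural selections would miss.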
Related rules
- Invoke-Obfuscation Via Stdin
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation CLIP+ Launcher - PowerShell
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
- Invoke-Obfuscation STDIN+ Launcher