Forest Blizzard APT - Process Creation Activity

Detects the execution of specific processes and command-line combinations that were observed being created by Forest Blizzard, as described by Microsoft (MSFT).

Sigma rule

title: Forest Blizzard APT - Process Creation Activity
id: 07db928c-8632-488e-ac7d-3db847489175
status: experimental
description: |
    Detects the execution of specific processes and command-line combinations.
    These were seen being created by Forest Blizzard as described by MSFT.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024/04/23
modified: 2024/05/11
tags:
    - attack.defense_evasion
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_hashes:
        Hashes|contains:
            - '6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
            - 'c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
    selection_schtasks_create:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'Create'
            - '/RU'
            - 'SYSTEM'
            - '\Microsoft\Windows\WinSrv'
        CommandLine|contains:
            - 'servtask.bat'
            - 'execute.bat'
            - 'doit.bat'
    selection_schtasks_delete:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'Delete'
            - '/F '
            - '\Microsoft\Windows\WinSrv'
    selection_powershell:
        CommandLine|contains|all:
            - 'Get-ChildItem'
            - '.save'
            - 'Compress-Archive -DestinationPath C:\ProgramData\'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
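To show how the four selections above combine under `condition: 1 of selection_*`, here is an added example (not part of the rule or the Sigma project) that evaluates the rule's logic over constructed process-creation events; it assumes Sigma's default case-insensitive substring matching for `contains`, and the sample command lines are made up for the test.

```python
"""Minimal evaluator for the Forest Blizzard process-creation rule above.
Sample events are constructed for this example, not real telemetry."""

def contains_all(value: str, needles) -> bool:
    # Sigma 'contains|all': every needle must appear (case-insensitive)
    v = value.lower()
    return all(n.lower() in v for n in needles)

def contains_any(value: str, needles) -> bool:
    # Sigma 'contains' with a list: any one needle suffices
    v = value.lower()
    return any(n.lower() in v for n in needles)

# SHA256 values copied from the rule's selection_hashes
RULE_HASHES = [
    "6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f",
    "c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5",
]

def matched_selections(event: dict) -> list:
    """Return the names of the rule's selections that the event satisfies."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    hits = []
    if contains_any(event.get("Hashes", ""), RULE_HASHES):
        hits.append("selection_hashes")
    if image.lower().endswith("\\schtasks.exe"):
        if (contains_all(cmd, ["Create", "/RU", "SYSTEM", "\\Microsoft\\Windows\\WinSrv"])
                and contains_any(cmd, ["servtask.bat", "execute.bat", "doit.bat"])):
            hits.append("selection_schtasks_create")
        # note the trailing space in '/F ' from the rule
        if contains_all(cmd, ["Delete", "/F ", "\\Microsoft\\Windows\\WinSrv"]):
            hits.append("selection_schtasks_delete")
    if contains_all(cmd, ["Get-ChildItem", ".save",
                          "Compress-Archive -DestinationPath C:\\ProgramData\\"]):
        hits.append("selection_powershell")
    return hits

def rule_fires(event: dict) -> bool:
    # condition: 1 of selection_*  ->  any selection matching is enough
    return bool(matched_selections(event))

# Constructed sample events: two that the rule should flag, one benign-looking task
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /RU SYSTEM /TN "\Microsoft\Windows\WinSrv" /TR servtask.bat'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Delete /F /TN "\Microsoft\Windows\WinSrv"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /Create /RU SYSTEM /TN "\Microsoft\Windows\Backup" /TR backup.bat'},
]
```

The third sample shows that a SYSTEM task created under a different task-folder name does not trip the rule, which is why the `\Microsoft\Windows\WinSrv` string carries most of the rule's specificity.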
