Forest Blizzard APT - Process Creation Activity
Detects the execution of specific process and command-line combinations that were seen being created by Forest Blizzard, as described by MSFT.
Sigma rule
```yaml
title: Forest Blizzard APT - Process Creation Activity
id: 07db928c-8632-488e-ac7d-3db847489175
status: experimental
description: |
    Detects the execution of specific processes and command line combination.
    These were seen being created by Forest Blizzard as described by MSFT.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
modified: 2025-01-22
tags:
    - attack.defense-evasion
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_hashes:
        Hashes|contains:
            - 'SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
            - 'SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
    selection_schtasks_create:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'Create'
            - '/RU'
            - 'SYSTEM'
            - '\Microsoft\Windows\WinSrv'
        CommandLine|contains:
            - 'servtask.bat'
            - 'execute.bat'
            - 'doit.bat'
    selection_schtasks_delete:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'Delete'
            - '/F '
            - '\Microsoft\Windows\WinSrv'
    selection_powershell:
        CommandLine|contains|all:
            - 'Get-ChildItem'
            - '.save'
            - 'Compress-Archive -DestinationPath C:\ProgramData\'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high
```
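To make the rule's matching semantics concrete, the following Python evaluator is an added example (not part of the Sigma rule and not SigmaHQ tooling) that transcribes the four selections and the `1 of selection_*` condition and runs them over constructed process-creation events. The indicator strings are exactly those listed in the rule; the events, the executable paths and the hash-only sample are constructed for illustration, and field names follow Sigma's `process_creation` taxonomy (`Image`, `CommandLine`, `Hashes`). Sigma's `contains` and `endswith` modifiers are case-insensitive, which the helpers reproduce by lowercasing both sides.

```python
"""Added example: evaluate the rule's four selections over constructed events.

Not part of the Sigma rule or of SigmaHQ's tooling. Field names follow Sigma's
process_creation taxonomy; SAMPLE_EVENTS are constructed for illustration.
"""
from typing import Dict, List

# Indicator lists transcribed from the rule's detection block.
HASHES = [
    "SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f",
    "SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5",
]
SCHTASKS_CREATE_ALL = ["Create", "/RU", "SYSTEM", "\\Microsoft\\Windows\\WinSrv"]
SCHTASKS_CREATE_ANY = ["servtask.bat", "execute.bat", "doit.bat"]
SCHTASKS_DELETE_ALL = ["Delete", "/F ", "\\Microsoft\\Windows\\WinSrv"]
POWERSHELL_ALL = [
    "Get-ChildItem",
    ".save",
    "Compress-Archive -DestinationPath C:\\ProgramData\\",
]


def contains_all(value: str, needles: List[str]) -> bool:
    """Sigma `contains|all`: every needle is a case-insensitive substring."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def contains_any(value: str, needles: List[str]) -> bool:
    """Sigma `contains` with a list value: any one needle is enough."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matched_selections(event: Dict[str, str]) -> List[str]:
    """Return the names of the rule's selections that this event satisfies."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    hashes = event.get("Hashes", "")
    hits: List[str] = []
    if contains_any(hashes, HASHES):
        hits.append("selection_hashes")
    if image.endswith("\\schtasks.exe"):  # Image|endswith, shared by both schtasks selections
        if contains_all(cmd, SCHTASKS_CREATE_ALL) and contains_any(cmd, SCHTASKS_CREATE_ANY):
            hits.append("selection_schtasks_create")
        if contains_all(cmd, SCHTASKS_DELETE_ALL):
            hits.append("selection_schtasks_delete")
    # selection_powershell constrains only CommandLine; the rule sets no Image for it.
    if contains_all(cmd, POWERSHELL_ALL):
        hits.append("selection_powershell")
    return hits


def rule_fires(event: Dict[str, str]) -> bool:
    """condition: 1 of selection_*  ->  any single matching selection fires the rule."""
    return bool(matched_selections(event))


# Constructed events: three built from the rule's own strings, one hash-only
# match, and two benign look-alikes that must not fire.
SAMPLE_EVENTS: Dict[str, Dict[str, str]] = {
    "task_create": {
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\WinSrv /TR servtask.bat",
    },
    "task_delete": {
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": "schtasks /Delete /F /TN \\Microsoft\\Windows\\WinSrv",
    },
    "archive_save": {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell -c \"Get-ChildItem C:\\ProgramData -Filter *.save | "
                       "Compress-Archive -DestinationPath C:\\ProgramData\\out.zip\"",
    },
    "hash_only": {
        "Image": "C:\\ProgramData\\sample.exe",  # constructed path
        "CommandLine": "sample.exe",
        "Hashes": "SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f",
    },
    "benign_task": {
        "Image": "C:\\Windows\\System32\\schtasks.exe",
        "CommandLine": "schtasks /Create /RU SYSTEM /TN \\Microsoft\\Windows\\Backup\\Nightly /TR C:\\Tools\\backup.bat",
    },
    "benign_archive": {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell -c \"Get-ChildItem C:\\Logs -Filter *.log | "
                       "Compress-Archive -DestinationPath C:\\Backups\\logs.zip\"",
    },
}


def evaluate(events: Dict[str, Dict[str, str]] = SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Map each event name to the selections it matched (empty list = no alert)."""
    return {name: matched_selections(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:15s} fires={bool(hits)!s:5s} {hits}")
```

Two details of the rule are visible in the evaluator: `selection_powershell` carries no `Image` constraint, so any process whose command line contains all three strings matches, and `'/F '` includes a trailing space, so a command line that ends in `/F` with nothing after it does not satisfy `selection_schtasks_delete`.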
Related rules
- Potential Raspberry Robin CPL Execution Activity
- Qakbot Regsvr32 Calc Pattern
- CMSTP UAC Bypass via COM Object Access
- UAC Bypass Using IDiagnostic Profile
- Pikabot Fake DLL Extension Execution Via Rundll32.EXE