Execution of Powershell Script in Public Folder
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
Sigma rule
title: Execution of Powershell Script in Public Folder
id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
status: test
description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
references:
    - https://www.mandiant.com/resources/evolution-of-fin7
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - '-f C:\Users\Public'
            - '-f "C:\Users\Public'
            - '-f %Public%'
            - '-fi C:\Users\Public'
            - '-fi "C:\Users\Public'
            - '-fi %Public%'
            - '-fil C:\Users\Public'
            - '-fil "C:\Users\Public'
            - '-fil %Public%'
            - '-file C:\Users\Public'
            - '-file "C:\Users\Public'
            - '-file %Public%'
    condition: selection
fields:
    - CommandLine
falsepositives:
    - Unlikely
level: high
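To make the matching semantics of the rule concrete, here is an added example (not part of this page or of the Sigma project) that evaluates the rule's `selection` against process_creation events in plain Python. It reproduces the behaviour a Sigma backend gives these modifiers: `endswith` and `contains` are case-insensitive substring tests, the values listed under one field are OR-ed, and the two fields are AND-ed. The events, field names aside (`Image` and `CommandLine` are the standard Sigma process_creation fields), are constructed for the example, not real telemetry.

```python
"""Added example: evaluate the 'Execution of Powershell Script in Public
Folder' Sigma selection over process_creation events (example code, not
the rule author's or the Sigma project's)."""

# Image patterns copied from the rule.
IMAGE_ENDSWITH = ["\\powershell.exe", "\\pwsh.exe"]

# The rule's twelve CommandLine patterns, built the same way the rule
# enumerates them: every accepted abbreviation of -File times every path
# form (unquoted, double-quoted, and the unexpanded %Public% variable).
_FILE_SWITCHES = ["-f", "-fi", "-fil", "-file"]
_PATH_FORMS = ["C:\\Users\\Public", "\"C:\\Users\\Public", "%Public%"]
COMMANDLINE_CONTAINS = [f"{sw} {p}" for sw in _FILE_SWITCHES for p in _PATH_FORMS]


def matches_selection(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Sigma string modifiers are case-insensitive, so both sides are lowered.
    A field missing from the event never matches. Values under one field
    are OR-ed; the Image and CommandLine conditions are AND-ed.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    image_ok = any(image.endswith(s.lower()) for s in IMAGE_ENDSWITH)
    cmdline_ok = any(p.lower() in cmdline for p in COMMANDLINE_CONTAINS)
    return image_ok and cmdline_ok


# Constructed sample events (not real logs) covering the cases that matter.
SAMPLE_EVENTS = [
    {   # match: -File with an unquoted path in the Public folder
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\update.ps1",
    },
    {   # match: abbreviated switch, mixed case, double-quoted path, pwsh host
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "CommandLine": "pwsh -NoP -W Hidden -FI \"C:\\Users\\Public\\Documents\\run.ps1\"",
    },
    {   # match: %Public% left unexpanded in the logged command line
        "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell -f %Public%\\a.ps1",
    },
    {   # no match: script is in the user's own profile, not the Public folder
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell -File C:\\Users\\alice\\Documents\\backup.ps1",
    },
    {   # no match on this event: the image is cmd.exe; the child powershell.exe
        # process would produce its own process_creation event, which does match
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd /c powershell -File C:\\Users\\Public\\x.ps1",
    },
]


def evaluate(events) -> list:
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_selection(e)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"ALERT [{i}] {SAMPLE_EVENTS[i]['CommandLine']}")
```

Note that the `%Public%` patterns only fire when the logging source records the command line as typed, with the variable unexpanded; a source that logs the expanded path is covered by the `C:\Users\Public` patterns instead.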
References
- https://www.mandiant.com/resources/evolution-of-fin7
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell