Execution of Powershell Script in Public Folder

Oct 17, 2023 · attack.execution attack.t1059.001 ·

This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder

Sigma rule (View on GitHub)

 1title: Execution of Powershell Script in Public Folder
 2id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
 3status: test
 4description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
 5references:
 6    - https://www.mandiant.com/resources/evolution-of-fin7
 7author: Max Altgelt (Nextron Systems)
 8date: 2022/04/06
 9modified: 2022/07/14
10tags:
11    - attack.execution
12    - attack.t1059.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        Image|endswith:
19            - '\powershell.exe'
20            - '\pwsh.exe'
21        CommandLine|contains:
22            - '-f C:\Users\Public'
23            - '-f "C:\Users\Public'
24            - '-f %Public%'
25            - '-fi C:\Users\Public'
26            - '-fi "C:\Users\Public'
27            - '-fi %Public%'
28            - '-fil C:\Users\Public'
29            - '-fil "C:\Users\Public'
30            - '-fil %Public%'
31            - '-file C:\Users\Public'
32            - '-file "C:\Users\Public'
33            - '-file %Public%'
34    condition: selection
35fields:
36    - CommandLine
37falsepositives:
38    - Unlikely
39level: high

References

FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 | Mandiant

Recent public research asserts threat groups sharing overlaps with FIN7 transitioned to targeted ransomware operations involving REVIL, DARKSIDE, BLACKMATTER, and ALPHV ransomware. With the purport...

Read More

Execution of Powershell Script in Public Folder

Sigma rule (View on GitHub)

References

FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 | Mandiant

Related rules