Detection rules › Sigma

Potential APT FIN7 Related PowerShell Script Created

Status
test
Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects the creation of a PowerShell script file with a specific name or suffix that has often been seen used by FIN7 PowerShell scripts

Event coverage

Provider   Event          Title
Sysmon     Event ID 11    FileCreate

Rule body (YAML)

title: Potential APT FIN7 Related PowerShell Script Created
id: a88d9f45-ec8a-4b0e-85ee-c9f6a65e9128
status: test
description: Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts
references:
    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-04
tags:
    - attack.execution
    - attack.g0046
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        - TargetFilename|endswith: '_64refl.ps1'
        - TargetFilename: 'host_ip.ps1'
    condition: selection
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    - TargetFilename|endswith: '_64refl.ps1'
    - TargetFilename: 'host_ip.ps1'
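To make the single-stage condition above concrete, here is an added evaluator (not code from the SigmaHQ project or from the rule's author) that applies the `selection` list to Sysmon Event ID 11 records the way Sigma semantics prescribe: a list of maps under a selection is OR-ed, and string comparison is case-insensitive by default. The sample events, including the `Image` and `TargetFilename` paths, are constructed for this illustration.

```python
"""Evaluate the rule's `selection` over constructed Sysmon Event ID 11 records."""

# The two clauses of the rule body, OR-ed because Sigma lists map entries
# under a selection as alternatives. A modifier of None is plain equality.
SELECTION = [
    {"field": "TargetFilename", "modifier": "endswith", "value": "_64refl.ps1"},
    {"field": "TargetFilename", "modifier": None, "value": "host_ip.ps1"},
]


def _match_clause(clause, event):
    """Apply one field/modifier/value test; Sigma string matching is case-insensitive."""
    val = event.get(clause["field"])
    if not isinstance(val, str):
        return False
    hay, needle = val.lower(), clause["value"].lower()
    if clause["modifier"] == "endswith":
        return hay.endswith(needle)
    if clause["modifier"] is None:
        return hay == needle
    raise ValueError(f"unsupported modifier: {clause['modifier']}")


def rule_matches(event):
    """condition: selection  -> any clause matches; gated on the logsource (Sysmon EID 11)."""
    if event.get("EventID") != 11:
        return False
    return any(_match_clause(c, event) for c in SELECTION)


# Constructed sample events (hypothetical paths, not taken from any report).
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # suffix clause fires, case differences in the suffix are irrelevant
    {"EventID": 11, "Image": POWERSHELL, "TargetFilename": r"C:\Users\Public\loader_64Refl.ps1"},
    # equality clause compares the whole field, so a full path does not equal 'host_ip.ps1'
    {"EventID": 11, "Image": POWERSHELL, "TargetFilename": r"C:\Temp\HOST_IP.PS1"},
    # bare filename in the field: equality clause fires (case-insensitively)
    {"EventID": 11, "Image": POWERSHELL, "TargetFilename": "HOST_IP.PS1"},
    # suffix is not at the end of the value: no match
    {"EventID": 11, "Image": POWERSHELL, "TargetFilename": r"C:\Scripts\a_64refl.ps1.txt"},
    # right filename, wrong event (process creation, not file creation): no match
    {"EventID": 1, "Image": POWERSHELL, "TargetFilename": r"C:\x\a_64refl.ps1"},
]


def triage(events):
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The second sample event shows the caveat a detection engineer should keep in mind when deploying this rule: Sysmon's TargetFilename normally carries the full path, so the equality clause on `host_ip.ps1` only fires when the logged value is exactly that string, whereas the `|endswith` clause matches regardless of directory. The evaluator mirrors the rule as written rather than adding path handling the rule does not have.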

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field             Kind         Values
TargetFilename    ends_with    _64refl.ps1
TargetFilename    eq           host_ip.ps1