Detection rules › Sigma

Forest Blizzard APT - Process Creation Activity

Status
experimental
Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects the execution of specific processes and command-line combinations that were seen being created by Forest Blizzard, as described by Microsoft (MSFT).

Event coverage

Provider   Event         Title
Sysmon     Event ID 1    Process creation

Rule body (yaml)

title: Forest Blizzard APT - Process Creation Activity
id: 07db928c-8632-488e-ac7d-3db847489175
status: experimental
description: |
    Detects the execution of specific processes and command line combination.
    These were seen being created by Forest Blizzard as described by MSFT.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
modified: 2025-01-22
tags:
    - attack.execution
    - detection.emerging-threats
    - attack.stealth
logsource:
    category: process_creation
    product: windows
detection:
    selection_hashes:
        Hashes|contains:
            - 'SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
            - 'SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'
    selection_schtasks_create:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'Create'
            - '/RU'
            - 'SYSTEM'
            - '\Microsoft\Windows\WinSrv'
        CommandLine|contains:
            - 'servtask.bat'
            - 'execute.bat'
            - 'doit.bat'
    selection_schtasks_delete:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains|all:
            - 'Delete'
            - '/F '
            - '\Microsoft\Windows\WinSrv'
    selection_powershell:
        CommandLine|contains|all:
            - 'Get-ChildItem'
            - '.save'
            - 'Compress-Archive -DestinationPath C:\ProgramData\'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: condition

1 of selection_*

Stage 1: selection_hashes

selection_hashes:
    Hashes|contains:
        - 'SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f'
        - 'SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5'

Stage 2: selection_schtasks_create

selection_schtasks_create:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains|all:
        - 'Create'
        - '/RU'
        - 'SYSTEM'
        - '\Microsoft\Windows\WinSrv'
    CommandLine|contains:
        - 'servtask.bat'
        - 'execute.bat'
        - 'doit.bat'

Stage 3: selection_schtasks_delete

selection_schtasks_delete:
    Image|endswith: '\schtasks.exe'
    CommandLine|contains|all:
        - 'Delete'
        - '/F '
        - '\Microsoft\Windows\WinSrv'

Stage 4: selection_powershell

selection_powershell:
    CommandLine|contains|all:
        - 'Get-ChildItem'
        - '.save'
        - 'Compress-Archive -DestinationPath C:\ProgramData\'
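The evaluator below is an added example, not code from the SigmaHQ rule or this catalog page: it transcribes the four selections above into a small matcher and runs them over constructed Sysmon Event ID 1 records (the image paths, the MD5 filler and the command lines are assumptions; only the SHA256 value is taken from the rule). It shows how `contains|all`, plain `contains`, `endswith` and the `1 of selection_*` condition combine on a real record.

```python
# Added example (not from the SigmaHQ rule or this page): evaluate the rule's
# detection block over constructed Sysmon Event ID 1 records. Sigma string
# matching is case-insensitive; keys inside a selection are ANDed.
# (field, modifier, list mode) -> values, transcribed from the rule above.
RULE = {
    "selection_hashes": {
        ("Hashes", "contains", "any"): [
            "SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f",
            "SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5"]},
    "selection_schtasks_create": {
        ("Image", "endswith", "any"): ["\\schtasks.exe"],
        ("CommandLine", "contains", "all"): ["Create", "/RU", "SYSTEM", "\\Microsoft\\Windows\\WinSrv"],
        ("CommandLine", "contains", "any"): ["servtask.bat", "execute.bat", "doit.bat"]},
    "selection_schtasks_delete": {
        ("Image", "endswith", "any"): ["\\schtasks.exe"],
        ("CommandLine", "contains", "all"): ["Delete", "/F ", "\\Microsoft\\Windows\\WinSrv"]},
    "selection_powershell": {
        ("CommandLine", "contains", "all"): [
            "Get-ChildItem", ".save", "Compress-Archive -DestinationPath C:\\ProgramData\\"]},
}

def _test(modifier, field_value, needle):
    f, n = field_value.lower(), needle.lower()  # Sigma compares case-insensitively
    return f.endswith(n) if modifier == "endswith" else n in f

def selection_matches(selection, event):
    for (field, modifier, mode), values in selection.items():
        hits = [_test(modifier, event.get(field, ""), v) for v in values]
        if not (all(hits) if mode == "all" else any(hits)):  # 'all' vs plain list (any)
            return False
    return True

def fired_selections(event, rule=RULE):
    """Names of the selections that fire; '1 of selection_*' is met when non-empty."""
    return [name for name, sel in rule.items() if selection_matches(sel, event)]

# Constructed records, not real telemetry; only the SHA256 comes from the rule.
SCHTASKS = "C:\\Windows\\System32\\schtasks.exe"
EVENTS = [
    {"Image": "C:\\ProgramData\\sample.exe", "CommandLine": "sample.exe",
     "Hashes": "MD5=00000000000000000000000000000000,SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f"},
    {"Image": SCHTASKS, "CommandLine": "schtasks /Create /RU SYSTEM /SC ONCE /TN \\Microsoft\\Windows\\WinSrv /TR C:\\ProgramData\\servtask.bat"},
    {"Image": SCHTASKS, "CommandLine": "schtasks /Delete /F /TN \\Microsoft\\Windows\\WinSrv"},
    {"Image": SCHTASKS, "CommandLine": "schtasks /Delete /TN \\Microsoft\\Windows\\WinSrv /F"},  # '/F ' absent
    {"Image": SCHTASKS, "CommandLine": "schtasks /Query /TN \\Microsoft\\Windows\\WinSrv"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(fired_selections(ev) or "no match", "<-", ev["CommandLine"])
```

The fourth record shows that the literal trailing space in `'/F '` means a command line ending in `/F` does not fire `selection_schtasks_delete`; check your own telemetry for where that flag tends to appear before relying on that value.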

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field         Kind        Values
CommandLine   match
  • .save
  • /F                                                  corpus 3 (sigma 3)
  • /RU                                                 corpus 3 (sigma 3)
  • Compress-Archive -DestinationPath C:\ProgramData\
  • Create                                              corpus 23 (sigma 16, splunk 7)
  • Delete                                              corpus 22 (sigma 15, splunk 6, kusto 1)
  • Get-ChildItem
  • SYSTEM                                              corpus 2 (sigma 1, splunk 1)
  • \Microsoft\Windows\WinSrv
  • doit.bat
  • execute.bat
  • servtask.bat
Hashes        match
  • SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f
  • SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5
Image         ends_with
  • \schtasks.exe                                       corpus 57 (sigma 57)