FIN7
FIN7 is tracked here as a threat actor, intrusion set, or campaign with 5 Sigma detections published in 2023 and 2024. Coverage centers on the windows / process_creation, windows / ps_script, and windows / file_event log sources.
Potential APT FIN7 Exploitation Activity
Detects potential APT FIN7 exploitation activity as reported by Google. To obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to log in to a target server and then launched specific Windows process chains; the detection keys on those process chains rather than on the RDP logon itself.
Potential APT FIN7 POWERHOLD Execution
Detects execution of the POWERHOLD script observed in use by FIN7, as reported by WithSecureLabs.
Potential APT FIN7 Reconnaissance/POWERTRASH Related Activity
Detects specific command-line executions used by FIN7, as reported by WithSecureLabs, for reconnaissance and for launching POWERTRASH.
Potential APT FIN7 Related PowerShell Script Created
Detects creation of a PowerShell script file whose name or suffix matches patterns frequently seen in FIN7 PowerShell scripts.
Potential POWERTRASH Script Execution
Detects potential execution of the POWERTRASH PowerShell script.
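The five rules above share one shape: a Sigma selection over string fields of a Windows event, optionally minus a filter, scoped to one log source. As an added worked example (not part of this page and not the published FIN7 rules), the Python block below evaluates three hypothetical Sigma-style rules, one per log source listed above (a process_creation parent/child chain, a file_event script creation, a ps_script block), against constructed sample events. Field names follow Sysmon/Sigma conventions; the rule values, the sample events, and the `PatchTool` allow-list filter are assumptions chosen to exercise the matching semantics (case-insensitive `contains`/`endswith`, `|all`, `re`, and `selection and not filter`), not the indicators the real FIN7 rules use.

```python
"""
Sigma-style matching over constructed Windows events (added example).

The rule bodies below are illustrative stand-ins written for this page;
they are not the selections of the published FIN7 rules.
"""
import re


def match_field(event, field_spec, values):
    """Apply one Sigma-style field test such as 'CommandLine|contains|all'.

    String modifiers are case-insensitive, as in Sigma. A list of values is
    OR-ed unless the 'all' modifier is present. Wildcards in plain
    (unmodified) values are not implemented here; plain values must match exactly.
    """
    name, _, mod_str = field_spec.partition("|")
    mods = mod_str.split("|") if mod_str else []
    if name not in event:
        return False
    raw = str(event[name])
    actual = raw.lower()
    vals = [values] if isinstance(values, str) else list(values)

    def test(v):
        if "re" in mods:  # regex runs against the original, case-preserved string
            return re.search(v, raw) is not None
        v = str(v).lower()
        if "contains" in mods:
            return v in actual
        if "endswith" in mods:
            return actual.endswith(v)
        if "startswith" in mods:
            return actual.startswith(v)
        return actual == v

    return all(map(test, vals)) if "all" in mods else any(map(test, vals))


def evaluate(rule, event):
    """Condition 'selection and not filter', scoped to the rule's logsource."""
    if event.get("logsource") != rule["logsource"]:
        return False
    det = rule["detection"]
    if not all(match_field(event, f, v) for f, v in det["selection"].items()):
        return False
    flt = det.get("filter", {})
    if flt and all(match_field(event, f, v) for f, v in flt.items()):
        return False
    return True


def run_rules(rules, events):
    """Return (event id, rule title) pairs for every rule that fires."""
    return [(ev["id"], r["title"]) for ev in events for r in rules if evaluate(r, ev)]


# Constructed sample events (not real telemetry), tagged with their Sigma logsource.
EVENTS = [
    {"id": 1, "logsource": "process_creation",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -NonI -Exec Bypass -F C:\\Windows\\Temp\\a.ps1"},
    {"id": 2, "logsource": "process_creation",  # same chain, but from the hypothetical patch tool
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -exec bypass -File C:\\ProgramData\\PatchTool\\run.ps1"},
    {"id": 3, "logsource": "file_event",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Windows\Temp\stage1.ps1"},
    {"id": 4, "logsource": "file_event",
     "Image": r"C:\Program Files\PatchTool\agent.exe",
     "TargetFilename": r"C:\ProgramData\PatchTool\run.ps1"},
    {"id": 5, "logsource": "ps_script",
     "ScriptBlockText": "$b=[Convert]::FromBase64String($p);[Reflection.Assembly]::Load($b)|Out-Null"},
    {"id": 6, "logsource": "ps_script",
     "ScriptBlockText": "Get-ChildItem C:\\Windows\\Temp | Remove-Item"},
]

# Hypothetical rules; values are assumptions for this example only.
RULES = [
    {"title": "Hypothetical: cmd.exe -> PowerShell policy-bypass chain",
     "logsource": "process_creation",
     "detection": {
         "selection": {"ParentImage|endswith": "\\cmd.exe",
                       "Image|endswith": "\\powershell.exe",
                       "CommandLine|contains|all": ["-nop", "bypass"]},
         "filter": {"CommandLine|contains": "\\PatchTool\\"}}},  # assumed allow-list
    {"title": "Hypothetical: PowerShell writes .ps1 into Windows\\Temp",
     "logsource": "file_event",
     "detection": {
         "selection": {"Image|endswith": "\\powershell.exe",
                       "TargetFilename|contains": "\\Windows\\Temp\\",
                       "TargetFilename|endswith": ".ps1"}}},
    {"title": "Hypothetical: base64 assembly loaded reflectively",
     "logsource": "ps_script",
     "detection": {
         "selection": {"ScriptBlockText|contains|all": ["[Reflection.Assembly]::Load(",
                                                        "FromBase64String("]}}},
]

if __name__ == "__main__":
    for event_id, title in run_rules(RULES, EVENTS):
        print(f"event {event_id}: {title}")
```

Events 1, 3 and 5 fire; event 2 is dropped by the filter even though it satisfies the selection, which is the usual place a rule gets tuned for a site-specific management tool, and events 4 and 6 never satisfy the selection. When adapting a rule of this kind, keep the filter narrow (a full path prefix, not a bare substring such as the tool name) so a staged script in a look-alike directory does not inherit the exclusion.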