Emerging Threatmediumtest
Potential APT FIN7 Exploitation Activity
Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_notepad_plus:
ParentImage|endswith: '\notepad++.exe'
Image|endswith: '\cmd.exe'
selection_rdpinit:
ParentImage|endswith: '\rdpinit.exe'
Image|endswith: '\notepad++.exe'
condition: 1 of selection_*False Positives
Notepad++ can legitimately spawn cmd (Open Containing Folder in CMD)
References
MITRE ATT&CK
Tactics
Sub-techniques
Other
detection.emerging-threats
Rule Metadata
Rule ID
6676896b-2cce-422d-82af-5a1abe65e241
Status
test
Level
medium
Type
Emerging Threat
Created
Mon Jul 29
Author
Path
rules-emerging-threats/2024/TA/FIN7/proc_creation_win_apt_fin7_exploitation_indicators.yml
Raw Tags
attack.executionattack.t1059.001attack.t1059.003detection.emerging-threats