Detecting FIN7 attacks

Searches using the endpoint data model

► Check elevated CMD using whoami 

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints.

This search is designed to detect a suspicious whoami execution to check if command or shell instance processes are running with elevated privileges. This technique is used in FIN7 attacks as part of data collection on the infected machine.

This command is not commonly executed by a normal user or admin to check if a process is elevated. Tune and filter known instances where renamed rundll32.exe might be used.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process"="*whoami*" "Processes.process"="*/group*" "Processes.process"="* find *" "Processes.process"="*12288*") BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Cmdline tool not executed in CMD shell

 

To complete this process, your deployment needs to ingest information on process that include the name of the process responsible for the changes. 

This search identifies a non-standard parent process (not matching CMD, PowerShell, or Explorer) spawning ipconfig.exe or systeminfo.exe. This behavior has been seen in FIN7's JSSLoader .NET payload. This is also typically seen when an adversary is injected into another process performing different discovery techniques.

This event is a threat signature since these tools are commonly executed with a shell application or Explorer parent, and not by another application.

This search might return false positives since automated tools used by a system administrator can also exhibit this behavior.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"="ipconfig.exe" OR "Processes.process_name"="systeminfo.exe") NOT "Processes.parent_process_name"="cmd.exe" NOT "Processes.parent_process_name"="powershell*" NOT "Processes.parent_process_name"="pwsh.exe" NOT "Processes.parent_process_name"="explorer.exe") BY "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.original_file_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

 

► JScript execution using CScript app

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints. 

This search detects executions of JScript using a CScript process. Commonly, when a user runs a JScript file, it is executed by the wscript.exe application.

This technique is seen in FIN7 attacks, which execute malicious script using the CScript process. This behavior is uncommon in benign scenarios.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.parent_process_name"="cscript.exe" "Processes.parent_process"="*//e:jscript*") OR ("Processes.process_name"="cscript.exe" "Processes.process"="*//e:jscript*")) BY "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► MS Office application creating executable

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints.

This search detects a suspicious MS Office application that creates executables or scripts in the host. This behavior is commonly seen in spear phishing attacks using MS Office attachments, where malicious files or scripts are created to compromise the host.

False positives from this search might occur since a normal macro can drop scripts or tools as part of automation. However, this behavior is still suspicious as it is not commonly seen, so should it be investigated further.

| tstats summariesonly=false allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"="winword.exe" OR "Processes.process_name"="excel.exe" OR "Processes.process_name"="powerpnt.exe" OR "Processes.process_name"="mspub.exe" OR "Processes.process_name"="visio.exe" OR "Processes.process_name"="wordpad.exe" OR "Processes.process_name"="wordview.exe") BY _time span=1h, "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.process_guid" 
| rename "Processes.*" AS "*" 
| rename process_guid AS proc_guid 
| join _time,proc_guid [ 
    | tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Filesystem WHERE ("Filesystem.file_name"="*.exe" OR "Filesystem.file_name"="*.dll" OR "Filesystem.file_name"="*.pif" OR "Filesystem.file_name"="*.scr" OR "Filesystem.file_name"="*.js" OR "Filesystem.file_name"="*.vbs" OR "Filesystem.file_name"="*.vbe" OR "Filesystem.file_name"="*.ps1") BY _time span=1h, "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path" 
    | rename "Filesystem.*" AS "*" 
    | rename process_guid AS proc_guid 
    | fields + _time, dest, file_create_time, file_name, file_path, process_name, process_path, process, proc_guid] 
| dedup file_create_time 
| table dest, process_name, process, file_create_time, file_name, file_path, proc_guid 
| search

► Office product spawning wmic.exe

To complete this process, your deployment needs to ingest information on process that include the name of the process responsible for the changes from your endpoints. 

This search identifies Office suite applications used as a parent process spawning wmic.exe.

If you return potential positive results from this search, investigate further by reviewing all file modifications, as well as capture and analyze any artifacts on disk. If you find that the Office product or wmic.exe has reached out to a remote destination, capture and block the IPs or domain, and review additional parallel processes for further activity.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.parent_process_name"="winword.exe" OR "Processes.parent_process_name"="excel.exe" OR "Processes.parent_process_name"="powerpnt.exe" OR "Processes.parent_process_name"="mspub.exe" OR "Processes.parent_process_name"="visio.exe") ("Processes.process_name"=wmic.exe OR "Processes.original_file_name"=wmic.exe)) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.original_file_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► VBScript execution using WScript app

To complete this process, your deployment needs to ingest information on process that include the name of the process responsible for the changes from your endpoints. 

This search detects a suspicious WScript command used to execute VBScript. This is a technique used by malware to execute malicious VBS files using the WScript application, intended to evade process parent child detections or AV script emulation systems.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.parent_process_name"="wscript.exe" "Processes.parent_process"="*//e:vbscript*") OR ("Processes.process_name"="wscript.exe" "Processes.process"="*//e:vbscript*")) BY "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► WScript or CScript suspicious child process

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints. 

This search identifies a suspicious spawned process by WScript or CScript. This technique is a commonly used by malware to execute different LOLBin, other scripts like PowerShell, or to spawn a suspended process to inject its code as a defense evasion.

False positives from this search might occur since the search can detect some normal script that uses several application tools that are in the list of the child process it detects. Administrators might also create VBScript or JS script that uses several tools as part of its execution. Filter as needed.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.original_file_name"=rclone.exe "Processes.process_name"!=rclone.exe) BY "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► XSL script execution with WMIC

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints. 

This search detects a suspicious wmic.exe process or renamed WMIC process to execute a malicious XSL file. This technique is used by FIN7 malware to execute its malicious JScript using an .xsl file as the loader with the help of the wmic.exe process.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=wmic.exe OR "Processes.original_file_name"=wmic.exe) "Processes.process"="*os get*" "Processes.process"="*/format:*" "Processes.process"="*.xsl*") BY "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Additional searches

 

► MS scripting process loading LDAP module

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4.

This search detects a suspicious MS scripting process, such as wscript.exe or cscript.exe, that loads a LDAP module to process a LDAP query.

This technique is seen in FIN7 attacks where it uses Javascript to execute a LDAP query to parse host information that will send to its C2 server.

False positives from this search might occur since automation scripting language can used by a network operator to perform a LDAP query. Tune and filter known instances where a renamed rundll32.exe might be used.

| search (EventCode=7 (Image="*\\cscript.exe" OR Image="*\\wscript.exe") (ImageLoaded="*\\Wldap32.dll" OR ImageLoaded="*\\adsldp.dll" OR ImageLoaded="*\\adsldpc.dll") (source=Syslog:Linux-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)) 
| stats min(_time) AS firstTime max(_time) AS lastTime count BY Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

 

► MS scripting process loading WMI module

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4.

This search detects a suspicious MS scripting process, such as wscript.exe or cscript.exe, that loads a WMI module to process a WMI query.

This technique is seen in FIN7 attacks where it uses Javascript to execute a WMI query to parse host information that will send to its C2 server.

False positives from this search might occur since automation scripting language can used by a network operator to perform a WMI query. Tune and filter known instances where a renamed rundll32.exe might be used.

| search (EventCode=7 (Image="*\\cscript.exe" OR Image="*\\wscript.exe") (source=Syslog:Linux-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (ImageLoaded="*\\fastprox.dll" OR ImageLoaded="*\\wbemcomn.dll" OR ImageLoaded="*\\wbemdisp.dll" OR ImageLoaded="*\\wbemprox.dll" OR ImageLoaded="*\\wbemsvc.dll" OR ImageLoaded="*\\wmiutils.dll")) 
| stats min(_time) AS firstTime max(_time) AS lastTime count BY Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

 

► Non-Chrome process accessing Chrome default directory

To complete this process, your deployment needs to ingest Windows Security Event logs and should also track event code 4663. To enable code 4663, enable "Audit Object Access" in your Group Policy, then check the two boxes listed for both "Success" and "Failure."

This search detects a non-Chrome process accessing the files in the Chrome user default folder. This folder contains the SQLite database of the Chrome browser related to a user's login, history, cookies, and other user data. This process is performed by the FIN7 JSSLoader to collect information on the compromised host.

| search (EventCode=4663 Object_Name="*\\Google\\Chrome\\User Data\\Default*" eventtype=wineventlog_security NOT process_name="*\\chrome.exe" NOT process_name="*\\explorer.exe" NOT process_name="*sql*") 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

 

► Non-Firefox process accessing Firefox profile directory

To complete this process, your deployment needs to ingest Windows Security Event logs and should also track event code 4663. To enable code 4663, enable "Audit Object Access" in your Group Policy, then check the two boxes listed for both "Success" and "Failure."

This search detects a non-Firefox process accessing the files in the Firefox profile folder. This folder contains the SQLite database of the Firefox browser related to a user's login, history, cookies and other user data. This process is performed by the FIN7 JSSLoader to collect information on the compromised host.

| search (EventCode=4663 Object_Name="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*" eventtype=wineventlog_security NOT process_name="*\\explorer.exe" NOT process_name="*\\firefox.exe" NOT process_name="*sql*") 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)