Splunk Lantern

Detecting FIN7 attacks

 

FIN7 is a threat actor group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. FIN7 malware is commonly deployed through spear-phishing campaigns, using Windows 11 Word documents with Visual Basic macros to drop malicious payloads, including a JavaScript implant. After gaining access to a compromised host, the FIN7 group also deploys REvil and Darkside ransomware payloads.

You need to be able to detect and investigate unusual activities that might relate to the FIN7 JS implant and its JSSLoader, including looking for image loads of LDAP and Windows Management Instrumentation (WMI) modules and other activities associated with FIN7's payload, data collection, and script execution.

How to use Splunk software for this use case

Searches using the endpoint data model

To run these searches, ensure that you are ingesting normalized endpoint data that populates the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation. In addition, if you are using Sysmon, you must have at least version 6.0.4.

► Check elevated CMD using whoami 

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints.

This search is designed to detect a suspicious whoami execution that checks whether a command or shell process is running with elevated privileges. This technique is used in FIN7 attacks as part of data collection on the infected machine.

This command is not commonly executed by a normal user or an administrator to check whether a process is elevated. Tune and filter known instances where a renamed rundll32.exe might be used.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process"="*whoami*" "Processes.process"="*/group*" "Processes.process"="* find *" "Processes.process"="*12288*") BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► Cmdline tool not executed in CMD shell

To complete this process, your deployment needs to ingest process information that includes the name of the process responsible for the changes.

This search identifies a non-standard parent process (one other than cmd.exe, PowerShell, or Explorer) spawning ipconfig.exe or systeminfo.exe. This behavior has been seen in FIN7's JSSLoader .NET payload, and it is also typical of an adversary whose code has been injected into another process and is performing discovery from there.

This activity is a useful threat signature because these tools are normally launched by a shell application or by Explorer, not by another application.

This search might return false positives since automated tools used by a system administrator can also exhibit this behavior.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"="ipconfig.exe" OR "Processes.process_name"="systeminfo.exe") NOT "Processes.parent_process_name"="cmd.exe" NOT "Processes.parent_process_name"="powershell*" NOT "Processes.parent_process_name"="pwsh.exe" NOT "Processes.parent_process_name"="explorer.exe") BY "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.original_file_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
 
► JScript execution using CScript app

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints. 

This search detects executions of JScript using a CScript process. Commonly, when a user runs a JScript file, it is executed by the wscript.exe application.

This technique is seen in FIN7 attacks, which execute a malicious script using the CScript process. This behavior is uncommon in benign scenarios.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.parent_process_name"="cscript.exe" "Processes.parent_process"="*//e:jscript*") OR ("Processes.process_name"="cscript.exe" "Processes.process"="*//e:jscript*")) BY "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► MS Office application creating executable

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints.

This search detects a suspicious MS Office application that creates executables or scripts on the host. This behavior is commonly seen in spear phishing attacks using MS Office attachments, where malicious files or scripts are created to compromise the host.

False positives from this search might occur because a normal macro can drop scripts or tools as part of automation. However, this behavior is still suspicious because it is uncommon, so it should be investigated further.

| tstats summariesonly=false allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"="winword.exe" OR "Processes.process_name"="excel.exe" OR "Processes.process_name"="powerpnt.exe" OR "Processes.process_name"="mspub.exe" OR "Processes.process_name"="visio.exe" OR "Processes.process_name"="wordpad.exe" OR "Processes.process_name"="wordview.exe") BY _time span=1h, "Processes.process_id", "Processes.process_name", "Processes.process", "Processes.dest", "Processes.process_guid" 
| rename "Processes.*" AS "*" 
| rename process_guid AS proc_guid 
| join _time,proc_guid [ 
    | tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Filesystem WHERE ("Filesystem.file_name"="*.exe" OR "Filesystem.file_name"="*.dll" OR "Filesystem.file_name"="*.pif" OR "Filesystem.file_name"="*.scr" OR "Filesystem.file_name"="*.js" OR "Filesystem.file_name"="*.vbs" OR "Filesystem.file_name"="*.vbe" OR "Filesystem.file_name"="*.ps1") BY _time span=1h, "Filesystem.dest", "Filesystem.file_create_time", "Filesystem.file_name", "Filesystem.process_guid", "Filesystem.file_path" 
    | rename "Filesystem.*" AS "*" 
    | rename process_guid AS proc_guid 
    | fields + _time, dest, file_create_time, file_name, file_path, process_name, process_path, process, proc_guid] 
| dedup file_create_time 
| table dest, process_name, process, file_create_time, file_name, file_path, proc_guid 
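The search above pairs an Office process start with the files that process creates, using the process GUID as the join key. The following is an added example (not Splunk's own code) that carries out the same correlation in Python over constructed Endpoint.Processes and Endpoint.Filesystem style records. Because the search buckets both sides with span=1h and joins on the bucket, a process that starts at 10:58 and drops a script at 11:01 falls into different buckets and is not paired; correlate_window() shows a sliding one-hour window instead, on the assumption that "within an hour of the process start" is the intent. GUIDs, paths and timestamps are placeholders.

```python
# Added example (not Splunk's own code): correlate Office process starts with
# executable/script file creations by process GUID. Events are constructed.
from datetime import datetime, timedelta

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe",
          "visio.exe", "wordpad.exe", "wordview.exe"}
DROP_EXT = (".exe", ".dll", ".pif", ".scr", ".js", ".vbs", ".vbe", ".ps1")


def ts(s):
    return datetime.fromisoformat(s)


def hour_bucket(s):
    """Equivalent of _time after 'BY _time span=1h'."""
    return ts(s).replace(minute=0, second=0, microsecond=0)


def _candidates(process_events, file_events):
    """Yield (process, file) pairs sharing a process_guid where the process is an
    Office application and the file has a suspicious extension."""
    office = {p["process_guid"]: p for p in process_events
              if p["process_name"].lower() in OFFICE}
    for f in sorted(file_events, key=lambda f: f["file_create_time"]):
        p = office.get(f["process_guid"])
        if p is not None and f["file_name"].lower().endswith(DROP_EXT):
            yield p, f


def _rows(pairs):
    """Build the output table; keep the first creation per (dest, file_path)
    instead of deduplicating on file_create_time alone."""
    seen, rows = set(), []
    for p, f in pairs:
        key = (f["dest"], f["file_path"].lower())
        if key in seen:
            continue
        seen.add(key)
        rows.append({"dest": f["dest"], "process_name": p["process_name"],
                     "process": p["process"], "file_create_time": f["file_create_time"],
                     "file_name": f["file_name"], "file_path": f["file_path"],
                     "proc_guid": f["process_guid"]})
    return rows


def correlate_bucket(process_events, file_events):
    """Mirror of the search: join on hour bucket + process GUID."""
    return _rows((p, f) for p, f in _candidates(process_events, file_events)
                 if hour_bucket(p["_time"]) == hour_bucket(f["file_create_time"]))


def correlate_window(process_events, file_events, window=timedelta(hours=1)):
    """Sliding window: file created between 0 and `window` after the process start."""
    return _rows((p, f) for p, f in _candidates(process_events, file_events)
                 if timedelta(0) <= ts(f["file_create_time"]) - ts(p["_time"]) <= window)


# Constructed sample data (not real telemetry); GUIDs are placeholders.
PROCESS_EVENTS = [
    {"_time": "2024-03-04T10:58:30", "dest": "ws01", "process_guid": "{G1}",
     "process_name": "winword.exe", "process_id": 5120,
     "process": r"WINWORD.EXE /n C:\Users\alice\Downloads\invoice.docm"},
    {"_time": "2024-03-04T10:05:00", "dest": "ws01", "process_guid": "{G2}",
     "process_name": "excel.exe", "process_id": 5300,
     "process": r"EXCEL.EXE C:\Users\alice\Downloads\rates.xlsm"},
    {"_time": "2024-03-04T10:10:00", "dest": "ws01", "process_guid": "{G3}",
     "process_name": "notepad.exe", "process_id": 5400, "process": "notepad.exe"},
]
FILE_EVENTS = [
    {"file_create_time": "2024-03-04T11:01:10", "dest": "ws01", "process_guid": "{G1}",
     "file_name": "upd.js", "file_path": r"C:\Users\alice\AppData\Local\Temp\upd.js"},
    {"file_create_time": "2024-03-04T10:20:00", "dest": "ws01", "process_guid": "{G2}",
     "file_name": "sync.vbs", "file_path": r"C:\Users\alice\AppData\Roaming\sync.vbs"},
    {"file_create_time": "2024-03-04T10:25:00", "dest": "ws01", "process_guid": "{G2}",
     "file_name": "sync.vbs", "file_path": r"C:\Users\alice\AppData\Roaming\sync.vbs"},
    {"file_create_time": "2024-03-04T10:21:00", "dest": "ws01", "process_guid": "{G2}",
     "file_name": "report.xlsx", "file_path": r"C:\Users\alice\Documents\report.xlsx"},
    {"file_create_time": "2024-03-04T10:30:00", "dest": "ws01", "process_guid": "{G3}",
     "file_name": "tool.exe", "file_path": r"C:\Users\alice\Desktop\tool.exe"},
]

if __name__ == "__main__":
    print("bucket join:", [r["file_name"] for r in correlate_bucket(PROCESS_EVENTS, FILE_EVENTS)])
    print("window join:", [r["file_name"] for r in correlate_window(PROCESS_EVENTS, FILE_EVENTS)])
```

With the sample data, the bucket join returns only sync.vbs, while the windowed join also returns upd.js, the drop that crossed the hour boundary. The notepad.exe drop and the .xlsx creation are ignored by both, and the repeated sync.vbs creation is collapsed to one row.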

► Office product spawning wmic.exe

To complete this process, your deployment needs to ingest process information from your endpoints that includes the name of the process responsible for the changes.

This search identifies Office suite applications used as a parent process spawning wmic.exe.

If this search returns results, investigate further by reviewing all file modifications and capturing and analyzing any artifacts on disk. If you find that the Office product or wmic.exe has reached out to a remote destination, capture and block the IPs or domains, and review additional parallel processes for further activity.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.parent_process_name"="winword.exe" OR "Processes.parent_process_name"="excel.exe" OR "Processes.parent_process_name"="powerpnt.exe" OR "Processes.parent_process_name"="mspub.exe" OR "Processes.parent_process_name"="visio.exe") ("Processes.process_name"=wmic.exe OR "Processes.original_file_name"=wmic.exe)) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.process_name", "Processes.original_file_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► VBScript execution using WScript app

To complete this process, your deployment needs to ingest process information from your endpoints that includes the name of the process responsible for the changes.

This search detects a suspicious WScript command used to execute VBScript. This is a technique used by malware to run malicious VBS files through the WScript application, intended to evade parent-child process detections or antivirus script emulation.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.parent_process_name"="wscript.exe" "Processes.parent_process"="*//e:vbscript*") OR ("Processes.process_name"="wscript.exe" "Processes.process"="*//e:vbscript*")) BY "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► WScript or CScript suspicious child process

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints.

This search identifies a suspicious process spawned by WScript or CScript. This technique is commonly used by malware to execute LOLBins or other scripts such as PowerShell, or to spawn a suspended process and inject code into it as a defense evasion.

False positives from this search might occur because a legitimate script can invoke several of the tools in the child process list it detects. Administrators might also create VBScript or JScript that uses several tools as part of its execution. Filter as needed.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.original_file_name"=rclone.exe "Processes.process_name"!=rclone.exe) BY "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id", "Processes.original_file_name" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

► XSL script execution with WMIC

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints.

This search detects a suspicious wmic.exe process, or a renamed WMIC process, executing a malicious XSL file. This technique is used by FIN7 malware to execute its malicious JScript, using an .xsl file as the loader with the help of the wmic.exe process.

| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=wmic.exe OR "Processes.original_file_name"=wmic.exe) "Processes.process"="*os get*" "Processes.process"="*/format:*" "Processes.process"="*.xsl*") BY "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process_id", "Processes.process", "Processes.dest", "Processes.user" 
| rename "Processes.*" AS "*" 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
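The whoami, ipconfig/systeminfo parent, CScript and WScript engine-override, Office-to-wmic.exe and WMIC XSL searches above are all rules over the same Endpoint.Processes fields. The following is an added example (not Splunk's own code) that evaluates those rules in Python over constructed CIM-style process records, reproducing the search semantics a practitioner needs to get right: case-insensitive matching, Splunk's "*" wildcards (so powershell* also covers powershell_ise.exe), implicit AND between several "Processes.process" terms, and checking original_file_name as well as process_name so a renamed wmic.exe copy is still caught. Hostnames, users, PIDs and paths are placeholders.

```python
# Added example (not Splunk's own code): the parent/child and command-line rules
# from the searches above, evaluated over CIM-style Endpoint.Processes records.
import fnmatch


def wild(value, pattern):
    """Case-insensitive match with Splunk-style '*' wildcards."""
    return fnmatch.fnmatchcase((value or "").lower(), pattern.lower())


def any_wild(value, patterns):
    return any(wild(value, p) for p in patterns)


def is_binary(event, exe):
    """Match on the on-disk name OR the PE original file name, so a renamed
    copy (the 'renamed WMIC' case) is still caught."""
    return wild(event.get("process_name"), exe) or wild(event.get("original_file_name"), exe)


def elevated_whoami(e):
    # whoami /groups piped to find "12288": every token must be present (implicit AND)
    return all(wild(e.get("process"), p) for p in ("*whoami*", "*/group*", "* find *", "*12288*"))


def discovery_tool_odd_parent(e):
    child = any_wild(e.get("process_name"), ["ipconfig.exe", "systeminfo.exe"])
    shell_parent = any_wild(e.get("parent_process_name"),
                            ["cmd.exe", "powershell*", "pwsh.exe", "explorer.exe"])
    return child and not shell_parent


def engine_override(e, host, engine):
    """cscript //e:jscript or wscript //e:vbscript, on the process or on its parent."""
    tag = f"*//e:{engine}*"
    return ((wild(e.get("process_name"), host) and wild(e.get("process"), tag))
            or (wild(e.get("parent_process_name"), host) and wild(e.get("parent_process"), tag)))


def office_spawns_wmic(e):
    office = ["winword.exe", "excel.exe", "powerpnt.exe", "mspub.exe", "visio.exe"]
    return any_wild(e.get("parent_process_name"), office) and is_binary(e, "wmic.exe")


def wmic_xsl(e):
    return is_binary(e, "wmic.exe") and all(
        wild(e.get("process"), p) for p in ("*os get*", "*/format:*", "*.xsl*"))


RULES = {
    "elevated_whoami": elevated_whoami,
    "discovery_tool_odd_parent": discovery_tool_odd_parent,
    "cscript_jscript": lambda e: engine_override(e, "cscript.exe", "jscript"),
    "wscript_vbscript": lambda e: engine_override(e, "wscript.exe", "vbscript"),
    "office_spawns_wmic": office_spawns_wmic,
    "wmic_xsl": wmic_xsl,
}


def evaluate(events):
    """Return (dest, process_id, rule) for every rule each event satisfies."""
    return [(ev["dest"], ev["process_id"], name)
            for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice", "process_id": 4012, "process_name": "cmd.exe",
     "parent_process_name": "cmd.exe", "parent_process": "cmd.exe",
     "process": 'cmd.exe /c whoami /groups | find "12288"', "original_file_name": "Cmd.Exe"},
    {"dest": "ws01", "user": "alice", "process_id": 4100, "process_name": "systeminfo.exe",
     "parent_process_name": "svchost.exe", "parent_process": "svchost.exe -k netsvcs",
     "process": "systeminfo", "original_file_name": "systeminfo.exe"},
    {"dest": "ws02", "user": "bob", "process_id": 500, "process_name": "ipconfig.exe",
     "parent_process_name": "cmd.exe", "parent_process": "cmd.exe",
     "process": "ipconfig /all", "original_file_name": "ipconfig.exe"},
    {"dest": "ws02", "user": "bob", "process_id": 501, "process_name": "ipconfig.exe",
     "parent_process_name": "powershell_ise.exe", "parent_process": "powershell_ise.exe",
     "process": "ipconfig /all", "original_file_name": "ipconfig.exe"},
    {"dest": "ws03", "user": "carol", "process_id": 6200, "process_name": "cscript.exe",
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe",
     "process": r"cscript.exe //E:JScript C:\Users\Public\inv.txt", "original_file_name": "cscript.exe"},
    {"dest": "ws03", "user": "carol", "process_id": 6300, "process_name": "svcutil.exe",
     "parent_process_name": "winword.exe", "parent_process": r"WINWORD.EXE /n C:\Users\carol\Downloads\inv.docm",
     "process": r'svcutil.exe os get /format:"C:\Users\Public\inv.xsl"', "original_file_name": "wmic.exe"},
    {"dest": "ws04", "user": "dan", "process_id": 700, "process_name": "wscript.exe",
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe",
     "process": r"wscript.exe //e:vbscript C:\Users\dan\logon.vbs", "original_file_name": "wscript.exe"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Two of the sample events show why the matching details matter: the ipconfig.exe launched from powershell_ise.exe is not flagged because the powershell* wildcard covers it, and the renamed wmic.exe copy (svcutil.exe with original_file_name wmic.exe) under winword.exe triggers both the Office-parent rule and the XSL rule.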

Additional searches

Some commands, parameters, and field names in the searches below might need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

 
► MS scripting process loading LDAP module

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4.

This search detects a suspicious MS scripting process, such as wscript.exe or cscript.exe, that loads an LDAP module to process an LDAP query.

This technique is seen in FIN7 attacks, in which JavaScript runs an LDAP query to gather host information that is then sent to its C2 server.

False positives from this search might occur because automation scripts can be used by a network operator to perform an LDAP query. Tune and filter known instances where a renamed rundll32.exe might be used.

| search (EventCode=7 (Image="*\\cscript.exe" OR Image="*\\wscript.exe") (ImageLoaded="*\\Wldap32.dll" OR ImageLoaded="*\\adsldp.dll" OR ImageLoaded="*\\adsldpc.dll") (source=Syslog:Linux-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)) 
| stats min(_time) AS firstTime max(_time) AS lastTime count BY Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
 
► MS scripting process loading WMI module

To complete this process, your deployment needs to ingest logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4.

This search detects a suspicious MS scripting process, such as wscript.exe or cscript.exe, that loads a WMI module to process a WMI query.

This technique is seen in FIN7 attacks, in which JavaScript runs a WMI query to gather host information that is then sent to its C2 server.

False positives from this search might occur because automation scripts can be used by a network operator to perform a WMI query. Tune and filter known instances where a renamed rundll32.exe might be used.

| search (EventCode=7 (Image="*\\cscript.exe" OR Image="*\\wscript.exe") (source=Syslog:Linux-Sysmon/Operational OR source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) (ImageLoaded="*\\fastprox.dll" OR ImageLoaded="*\\wbemcomn.dll" OR ImageLoaded="*\\wbemdisp.dll" OR ImageLoaded="*\\wbemprox.dll" OR ImageLoaded="*\\wbemsvc.dll" OR ImageLoaded="*\\wmiutils.dll")) 
| stats min(_time) AS firstTime max(_time) AS lastTime count BY Image EventCode process_name ProcessId ProcessGuid Computer ImageLoaded 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
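Both searches above read Sysmon image-load events (EventCode 7) and key on the Image and ImageLoaded fields. The following is an added example (not Splunk's own code) that parses such events from Windows event XML with the standard library, classifies a wscript.exe or cscript.exe load of any of the LDAP or WMI DLLs named in the two searches, and rolls the hits up the way the stats command does (count, first and last UtcTime per image, process GUID and loaded module). The XML events are constructed in the Sysmon schema; hostnames and ProcessGuid values are placeholders.

```python
# Added example (not Splunk's own code): Sysmon EventID 7 parsing and the
# LDAP/WMI module-load rules for MS scripting hosts. Events are constructed.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SCRIPT_HOSTS = ("\\cscript.exe", "\\wscript.exe")
LDAP_DLLS = ("\\wldap32.dll", "\\adsldp.dll", "\\adsldpc.dll")
WMI_DLLS = ("\\fastprox.dll", "\\wbemcomn.dll", "\\wbemdisp.dll",
            "\\wbemprox.dll", "\\wbemsvc.dll", "\\wmiutils.dll")


def parse_event(xml_text):
    """Flatten System/EventID, System/Computer and every EventData/Data into a dict."""
    root = ET.fromstring(xml_text)
    ev = {"EventCode": int(root.find("e:System/e:EventID", NS).text),
          "Computer": root.find("e:System/e:Computer", NS).text}
    for d in root.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    return ev


def classify(ev):
    """Return 'ldap_module', 'wmi_module' or None for one parsed event."""
    if ev["EventCode"] != 7:
        return None
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()
    if not image.endswith(SCRIPT_HOSTS):
        return None
    if loaded.endswith(LDAP_DLLS):
        return "ldap_module"
    if loaded.endswith(WMI_DLLS):
        return "wmi_module"
    return None


def summarize(xml_events):
    """stats count, min/max UtcTime BY Computer, Image, ProcessGuid, ImageLoaded, rule."""
    agg = {}
    for text in xml_events:
        ev = parse_event(text)
        rule = classify(ev)
        if rule is None:
            continue
        key = (ev["Computer"], ev["Image"], ev["ProcessGuid"], ev["ImageLoaded"], rule)
        t = ev["UtcTime"]
        count, first, last = agg.get(key, (0, t, t))
        agg[key] = (count + 1, min(first, t), max(last, t))
    return agg


def sysmon_xml(event_id, computer, **data):
    """Build a minimal Sysmon/Operational event in Windows event XML (constructed)."""
    body = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><Computer>{escape(computer)}</Computer></System>'
            f'<EventData>{body}</EventData></Event>')


WSCRIPT = r"C:\Windows\System32\wscript.exe"
GUID1 = "{00000000-0000-0000-0000-000000000001}"  # placeholder ProcessGuid values
GUID2 = "{00000000-0000-0000-0000-000000000002}"
GUID3 = "{00000000-0000-0000-0000-000000000003}"
SAMPLE_XML = [
    sysmon_xml(7, "ws01", UtcTime="2024-03-04 10:15:02.123", ProcessGuid=GUID1, ProcessId="4400",
               Image=WSCRIPT, ImageLoaded=r"C:\Windows\System32\wbemcomn.dll"),
    sysmon_xml(7, "ws01", UtcTime="2024-03-04 10:15:03.000", ProcessGuid=GUID1, ProcessId="4400",
               Image=WSCRIPT, ImageLoaded=r"C:\Windows\System32\Wldap32.dll"),
    sysmon_xml(7, "ws01", UtcTime="2024-03-04 10:15:05.001", ProcessGuid=GUID1, ProcessId="4400",
               Image=WSCRIPT, ImageLoaded=r"C:\Windows\System32\wbemcomn.dll"),
    # same WMI DLL loaded by a non-scripting host: not flagged
    sysmon_xml(7, "ws01", UtcTime="2024-03-04 10:16:00.000", ProcessGuid=GUID2, ProcessId="900",
               Image=r"C:\Windows\System32\svchost.exe", ImageLoaded=r"C:\Windows\System32\wbemcomn.dll"),
    # scripting host loading an unrelated DLL: not flagged
    sysmon_xml(7, "ws02", UtcTime="2024-03-04 10:17:00.000", ProcessGuid=GUID3, ProcessId="910",
               Image=r"C:\Windows\System32\cscript.exe", ImageLoaded=r"C:\Windows\System32\kernel32.dll"),
    # process-create event (EventID 1): not an image load, ignored
    sysmon_xml(1, "ws02", UtcTime="2024-03-04 10:17:01.000", ProcessGuid=GUID3, ProcessId="910",
               Image=r"C:\Windows\System32\cscript.exe"),
]

if __name__ == "__main__":
    for key, (count, first, last) in summarize(SAMPLE_XML).items():
        print(count, first, last, *key)
```

The rollup keeps the repeated wbemcomn.dll load by the same wscript.exe process as one row with count 2, and the Wldap32.dll load as a separate ldap_module row; the svchost.exe load, the kernel32.dll load and the EventID 1 record produce nothing.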
 
► Non-Chrome process accessing Chrome default directory

To complete this process, your deployment needs to ingest Windows Security Event logs and should also track event code 4663. To enable code 4663, enable "Audit Object Access" in your Group Policy, then check the two boxes listed for both "Success" and "Failure."

This search detects a non-Chrome process accessing the files in the Chrome user default folder. This folder contains the SQLite databases of the Chrome browser related to a user's login, history, cookies, and other user data. This activity is performed by the FIN7 JSSLoader to collect information from the compromised host.

| search (EventCode=4663 Object_Name="*\\Google\\Chrome\\User Data\\Default*" eventtype=wineventlog_security NOT process_name="*\\chrome.exe" NOT process_name="*\\explorer.exe" NOT process_name="*sql*") 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
 
► Non-Firefox process accessing Firefox profile directory

To complete this process, your deployment needs to ingest Windows Security Event logs and should also track event code 4663. To enable code 4663, enable "Audit Object Access" in your Group Policy, then check the two boxes listed for both "Success" and "Failure."

This search detects a non-Firefox process accessing the files in the Firefox profile folder. This folder contains the SQLite databases of the Firefox browser related to a user's login, history, cookies, and other user data. This activity is performed by the FIN7 JSSLoader to collect information from the compromised host.

| search (EventCode=4663 Object_Name="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*" eventtype=wineventlog_security NOT process_name="*\\explorer.exe" NOT process_name="*\\firefox.exe" NOT process_name="*sql*") 
| stats count min(_time) AS firstTime max(_time) AS lastTime BY Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
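The two searches above depend on the Object_Name and process_name fields that the Windows add-on extracts from the text of event 4663. The following is an added example (not Splunk's own code) that parses that message layout directly, applies the Chrome and Firefox profile-path rules with the same exclusions as the searches (explorer.exe, the browser itself, and any process whose path contains "sql"), and produces rows like the stats output. The 4663 messages are constructed in the "An attempt was made to access an object." layout; the account, host, profile name and process paths are placeholders.

```python
# Added example (not Splunk's own code): parse Security event 4663 messages and
# flag non-browser processes touching Chrome/Firefox profile data. Constructed data.
import re

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]+?):\s*(.*?)\s*$")
# rule -> (object-path pattern, processes allowed to touch that path)
PROFILE_RULES = {
    "chrome_profile": (re.compile(r"\\google\\chrome\\user data\\default", re.I), ("\\chrome.exe",)),
    "firefox_profile": (re.compile(r"\\appdata\\roaming\\mozilla\\firefox\\profiles", re.I), ("\\firefox.exe",)),
}


def parse_4663(message):
    """Turn 'Label:<tabs>value' lines into a dict keyed like Splunk's Object_Name etc."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):              # skip section headers such as "Subject:"
            fields[m.group(1).replace(" ", "_")] = m.group(2)
    return fields


def flag(event_code, message):
    """Return the matching rule name, or None."""
    if event_code != 4663:
        return None
    f = parse_4663(message)
    proc = f.get("Process_Name", "").lower()
    # mirrors NOT process_name="*\\explorer.exe" NOT process_name="*sql*"
    if proc.endswith("\\explorer.exe") or "sql" in proc:
        return None
    obj = f.get("Object_Name", "")
    for rule, (path_re, owners) in PROFILE_RULES.items():
        if path_re.search(obj) and not proc.endswith(owners):
            return rule
    return None


def review(events):
    """Rows of (host, rule, user, process, object, accesses) for flagged events."""
    rows = []
    for host, event_code, message in events:
        rule = flag(event_code, message)
        if rule:
            f = parse_4663(message)
            rows.append((host, rule, f["Account_Name"], f["Process_Name"],
                         f["Object_Name"], f.get("Accesses", "")))
    return rows


def msg_4663(account, obj, proc, accesses="ReadData (or ListDirectory)", mask="0x1"):
    """Constructed 4663 message text in the Windows Security log layout."""
    return ("An attempt was made to access an object.\n\nSubject:\n"
            "\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\n"
            f"\tAccount Name:\t\t{account}\n\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3E7A1\n\n"
            "Object:\n\tObject Server:\t\tSecurity\n\tObject Type:\t\tFile\n"
            f"\tObject Name:\t\t{obj}\n\tHandle ID:\t\t0x1a4\n\n"
            f"Process Information:\n\tProcess ID:\t\t0x1f40\n\tProcess Name:\t\t{proc}\n\n"
            f"Access Request Information:\n\tAccesses:\t\t{accesses}\n\tAccess Mask:\t\t{mask}\n")


CHROME_DB = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"
FIREFOX_DB = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abc123.default-release\cookies.sqlite"
SAMPLE_EVENTS = [  # (host, EventCode, message), constructed
    ("ws01", 4663, msg_4663("alice", CHROME_DB, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")),
    ("ws01", 4663, msg_4663("alice", CHROME_DB, r"C:\Program Files\Google\Chrome\Application\chrome.exe")),
    ("ws01", 4663, msg_4663("alice", FIREFOX_DB, r"C:\Users\alice\AppData\Local\Temp\upd.exe")),
    ("ws01", 4663, msg_4663("alice", CHROME_DB, r"C:\Program Files\Backup\sqlsync.exe")),
    ("ws01", 4656, msg_4663("alice", CHROME_DB, r"C:\Users\alice\AppData\Local\Temp\upd.exe")),
]

if __name__ == "__main__":
    for row in review(SAMPLE_EVENTS):
        print(row)
```

Only the powershell.exe read of the Chrome Login Data file and the Temp\upd.exe read of the Firefox cookies database are reported. Note that the "*sql*" exclusion from the searches is a substring match on the whole process path, so the sample sqlsync.exe process is silently dropped even though it is not a browser; tighten that exclusion to the specific tools you expect before relying on it.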

Next steps

The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.

In addition, these Splunk resources might help you understand and implement this use case:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.