Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Risk
  • Last Updated: 2021-09-14
  • Author: Teoderick Contreras, Splunk
  • ID: df2b00d3-06ba-49f1-b253-b19cef19b569

Narrative

FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. this passed few day FIN7 tools and implant are seen in the wild where its code is updated. the FIN& is known to use the spear phishing attack as a entry to targetted network or host that will drop its staging payload like the JS and JSSloader. Now this artifacts and implants seen downloading other malware like cobaltstrike and event ransomware to encrypt host.

Detections

Name Technique Type
Check Elevated CMD using whoami System Owner/User Discovery TTP
Cmdline Tool Not Executed In CMD Shell Command and Scripting Interpreter, JavaScript TTP
Jscript Execution Using Cscript App Command and Scripting Interpreter, JavaScript TTP
MS Scripting Process Loading Ldap Module Command and Scripting Interpreter, JavaScript Anomaly
MS Scripting Process Loading WMI Module Command and Scripting Interpreter, JavaScript Anomaly
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Office Application Drop Executable Phishing, Spearphishing Attachment TTP
Office Product Spawning Wmic Phishing, Spearphishing Attachment TTP
Vbscript Execution Using Wscript App Visual Basic, Command and Scripting Interpreter TTP
Windows Common Abused Cmd Shell Risk Behavior File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter Correlation
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation TTP
XSL Script Execution With WMIC XSL Script Processing TTP

Reference

source | version: 1