Detection rules › Sigma
Forest Blizzard APT - File Creation Activity
Detects the creation of specific files inside of ProgramData directory. These files were seen being created by Forest Blizzard as described by MSFT.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Impairment | T1685.001 Disable or Modify Tools: Disable or Modify Windows Event Log |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 11 | FileCreate |
Rule body yaml
title: Forest Blizzard APT - File Creation Activity
id: b92d1d19-f5c9-4ed6-bbd5-7476709dc389
status: test
description: |
Detects the creation of specific files inside of ProgramData directory.
These files were seen being created by Forest Blizzard as described by MSFT.
references:
- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
modified: 2024-07-11
tags:
- attack.defense-impairment
- attack.t1685.001
- detection.emerging-threats
logsource:
category: file_event
product: windows
detection:
selection_programdata_driver_store:
TargetFilename|startswith:
- 'C:\ProgramData\Microsoft\v'
- 'C:\ProgramData\Adobe\v'
- 'C:\ProgramData\Comms\v'
- 'C:\ProgramData\Intel\v'
- 'C:\ProgramData\Kaspersky Lab\v'
- 'C:\ProgramData\Bitdefender\v'
- 'C:\ProgramData\ESET\v'
- 'C:\ProgramData\NVIDIA\v'
- 'C:\ProgramData\UbiSoft\v'
- 'C:\ProgramData\Steam\v'
TargetFilename|contains:
- '\prnms003.inf_'
- '\prnms009.inf_'
selection_programdata_main:
TargetFilename|startswith: 'C:\ProgramData\'
selection_programdata_files_1:
TargetFilename|endswith:
- '.save'
- '\doit.bat'
- '\execute.bat'
- '\servtask.bat'
# Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncommon this if you collect hash information inf file events
selection_programdata_files_2:
TargetFilename|contains: '\wayzgoose'
TargetFilename|endswith: '.dll'
condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)
falsepositives:
- Unlikely
level: high
Stages and Predicates
Stage 0: condition
selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)Stage 1: selection_programdata_driver_store
selection_programdata_driver_store:
TargetFilename|startswith:
- 'C:\ProgramData\Microsoft\v'
- 'C:\ProgramData\Adobe\v'
- 'C:\ProgramData\Comms\v'
- 'C:\ProgramData\Intel\v'
- 'C:\ProgramData\Kaspersky Lab\v'
- 'C:\ProgramData\Bitdefender\v'
- 'C:\ProgramData\ESET\v'
- 'C:\ProgramData\NVIDIA\v'
- 'C:\ProgramData\UbiSoft\v'
- 'C:\ProgramData\Steam\v'
TargetFilename|contains:
- '\prnms003.inf_'
- '\prnms009.inf_'
Stage 2: selection_programdata_main
selection_programdata_main:
TargetFilename|startswith: 'C:\ProgramData\'
Stage 3: selection_programdata_files_1
selection_programdata_files_1:
TargetFilename|endswith:
- '.save'
- '\doit.bat'
- '\execute.bat'
- '\servtask.bat'
Stage 4: selection_programdata_files_2
selection_programdata_files_2:
TargetFilename|contains: '\wayzgoose'
TargetFilename|endswith: '.dll'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetFilename | ends_with |
|
TargetFilename | match |
|
TargetFilename | starts_with |
|