Query Details

TTP Detection Rule: PowerShell Launching Scripts From WindowsApps Directory (FIN7)

Ttp T1059 001 Powershell Windowsappsdir Fin7

Query

DeviceProcessEvents
| where InitiatingProcessFolderPath contains "windowsapps" and FileName =~ "powershell.exe" and ProcessCommandLine has_all ("windowsapps","-file",".ps1")

About this query

Explanation

This query is designed to detect potentially malicious activity involving the execution of PowerShell scripts from the "windowsapps" directory on a Windows system. Here's a simple breakdown of what the query does:

  1. Context: The query is part of a detection rule aimed at identifying suspicious behavior associated with the FIN7 cybercriminal group, which is known for using PowerShell scripts in their attacks. Specifically, it looks for scripts launched from the "windowsapps" directory, which is unusual and could indicate malicious activity.

  2. Technique: The query is related to the MITRE ATT&CK technique T1059.001, which involves using PowerShell as a command and scripting interpreter.

  3. Query Details:

    • The query searches for events where a process is initiated from the "windowsapps" directory.
    • It specifically looks for instances where "powershell.exe" is executed.
    • It further filters these events to find command lines that include references to "windowsapps", "-file", and ".ps1", indicating the execution of a PowerShell script file.
  4. Purpose: The goal is to identify and flag instances where PowerShell scripts are being executed from the "windowsapps" directory, as this could be indicative of FIN7's tactics, potentially leading to ransomware deployment or other malicious actions.

  5. Risk: The behavior has been associated with FIN7, a group known for sophisticated attacks, including the deployment of remote access tools like NetSupport Manager RAT. Detecting such activity early can help prevent further malicious actions.

Overall, this query helps security analysts identify and investigate potentially harmful PowerShell script executions that could be part of a larger attack strategy.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceProcessEvents

Keywords

DeviceProcessEventsPowerShellScriptsWindowsAppsDirectory

Operators

contains=~has_all

MITRE Techniques

Actions

GitHub