Potential APT FIN7 POWERHOLD Execution

About the rule

Rule Type

Standard

Rule Description

POWERHOLD is a PowerShell tool used by theAPT group FIN7 to execute malicious scripts that launch shellcode, which in turn deploys a payload. By executing these scripts, attackers exploit vulnerable systems, escalate privileges, and exfiltrate data. This rule detects malicious POWERHOLD script executions that indicate potential payload deployment.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Execution → Command and Scripting Interpreter → PowerShell script execution → Exfiltration → Impact

Impact

• System compromise
• Malware execution
• Privilege escalation
• Data exfiltration

Rule Requirement

Prerequisites

Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".

(((( SCRIPTEXECUTED CONTAINS ""$env:appdata"" ) AND( SCRIPTEXECUTED CONTAINS ""function mainpayload"" ) AND( SCRIPTEXECUTED CONTAINS ""::writeallbytes"" ) AND( SCRIPTEXECUTED CONTAINS ""wscript.exe"" ) )))

This rule is triggered when the executed script contains the following suspicious elements:

• $env:appdata: Refers to the user's Application Data directory, a less-monitored location often used by malware to hide payloads.
• function mainpayload: A function that contains the core malware code.
• writeallbytes: A command used to write malicious binary code to a file or a disk.
• wscript.exe: The Windows Script Host executable often leveraged to run malicious scripts.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Execution: Command and Scripting Interpreter - PowerShell (T1059.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

When this rule is triggered, you are notified of suspicious execution of the POWERHOLD script. This allows you to monitor runtime environments like PowerShell, identify POWERHOLD script activity, and detect suspicious shellcode executions and the launch of malicious payloads.

Author

Nasreddine Bencherchali (Nextron Systems)

Future actions

Known False Positives

This rule might be triggered when admins execute legitimate PowerShell scripts that execute a shellcode for system management or software deployment.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit PowerShell activities: Continuously monitor PowerShell executions, restrict script execution privileges to administrators only, and disable PowerShell on devices where it is not required.

Mitigation