Actor

FIN7

3 briefs RSS

Also known as: Carbon Spider Sangria Tempest

Cobalt Strike Command and Control Beacon Detected

This brief documents the detection of Cobalt Strike command and control activity through identifying specific domain naming conventions used by its implant beacons, indicative of network attack and exploitation campaigns.

packetbeat +2 FIN7 +2 command-and-control cobalt-strike domain-generation-algorithm

2r 2t Jan 9, 2024

high threat

Non-Chrome Process Accessing Chrome Default Directory

2 rules 1 TTP

Detection of non-Chrome processes accessing the Chrome user data directory, potentially indicating credential theft or data exfiltration attempts by malware such as RATs or APT groups.

Splunk Enterprise +2 FIN7 +2 credential-access threat-type windows

2r 1t Jan 3, 2024

high threat

FIN7 DGA Command and Control Behavior Detection

3 rules 2 TTPs

This rule detects command and control activity associated with the FIN7 threat group, which is known to use domain generation algorithms (DGA) to maintain persistence in their target's network by identifying network traffic using TLS or HTTP protocols to domains with a specific pattern.

FIN7 +2 command-and-control dga network_traffic

3r 2t Jan 2, 2024