FIN7 is dead… right? In this week’s Threat SnapShot we breakdown a SentinelOne report on the group FIN7. We focus on detection strategies for their latest tools, covering three main tools: Powertrash (an obfuscated PowerShell script for payload loading), a batch script for persistence, and AU Kill (an antivirus neutralizer). For each tool, we explain its function and offer specific detection methods.

✅ *Subscribe to SnapAttack for more in-depth analyses and real-world applications of cybersecurity defenses.*

📢 *Have questions or topics you’d like us to cover? Drop a comment below!*

👋 *Follow us:*
https://www.linkedin.com/company/snapattack/
https://twitter.com/snapattackhq
https://www.linkedin.com/in/ajkingio/
https://twitter.com/ajkingio

SnapAttack Resources:

• https://app.snapattack.com/collection/actor/FIN7 - Collection: FIN7
• https://app.snapattack.com/threat/c875b550-52f1-9afd-89c8-ff1bc368ed58 - Threat: PowerTrash
• https://app.snapattack.com/detection/7331faac-165b-4e09-944a-5f2cc28b8372 - Detection: Potential Process Injection via PowerShell
• https://app.snapattack.com/threat/54129e01-dbf2-55be-5cf4-11884eeda298 - Threat: FIN7 Persistence via Scheduled Tasks
• https://app.snapattack.com/detection/012e13df-e413-4274-8b97-97556ba319cb - Detection: Scheduled Task Created to Launch SSH as SYSTEM
• https://app.snapattack.com/threat/025bf547-0a6d-b08b-afe6-a6e19a310dd6 - Threat: AuKill - Kill EDR via Process Explorer Driver
• https://app.snapattack.com/detection/07e821d8-654d-4c01-83cc-8a9867947c3a - Detection: AuKill Indicators - Registry
• https://app.snapattack.com/detection/428ca00f-66d1-42d7-9a4d-409f754a06af - Detection: AuKill Service Creation

References:

• https://www.justice.gov/usao-wdwa/pr/team-western-washington-honored-investigation-and-prosecution-major-cybercrime-group
• https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attack