FIN7 is Dead, Long Live FIN7 | Threat SnapShot
FIN7 is dead… right? In this week’s Threat SnapShot we break down a SentinelOne report on the group FIN7. We focus on detection strategies for their latest tooling, covering three main tools: PowerTrash (an obfuscated PowerShell script used to load payloads), a batch script used for persistence, and AuKill (a tool that neutralizes antivirus and EDR). For each tool, we explain what it does and offer specific detection methods.
✅ *Subscribe to SnapAttack for more in-depth analyses and real-world applications of cybersecurity defenses.*
📢 *Have questions or topics you’d like us to cover? Drop a comment below!*
👋 *Follow us:*
https://www.linkedin.com/company/snapattack/
https://twitter.com/snapattackhq
https://www.linkedin.com/in/ajkingio/
https://twitter.com/ajkingio
SnapAttack Resources:
- https://app.snapattack.com/collection/actor/FIN7 - Collection: FIN7
- https://app.snapattack.com/threat/c875b550-52f1-9afd-89c8-ff1bc368ed58 - Threat: PowerTrash
- https://app.snapattack.com/detection/7331faac-165b-4e09-944a-5f2cc28b8372 - Detection: Potential Process Injection via PowerShell
- https://app.snapattack.com/threat/54129e01-dbf2-55be-5cf4-11884eeda298 - Threat: FIN7 Persistence via Scheduled Tasks
- https://app.snapattack.com/detection/012e13df-e413-4274-8b97-97556ba319cb - Detection: Scheduled Task Created to Launch SSH as SYSTEM
- https://app.snapattack.com/threat/025bf547-0a6d-b08b-afe6-a6e19a310dd6 - Threat: AuKill - Kill EDR via Process Explorer Driver
- https://app.snapattack.com/detection/07e821d8-654d-4c01-83cc-8a9867947c3a - Detection: AuKill Indicators - Registry
- https://app.snapattack.com/detection/428ca00f-66d1-42d7-9a4d-409f754a06af - Detection: AuKill Service Creation