Threat Hunting: FIN7 - Post Compromise Execution

Sun, 07 Sep 2025 13:59:10 -0400

Introduction

In Part 2, we pivot from initial access to what happened next. Using Windows event logs and PowerShell Operational logs in Splunk, we reconstructed FIN7’s execution chain after persistence via a scheduled task, validated key artifacts, and built practical detections you can run.

What we investigated

Scheduled Task execution timing and payload
Process tree spawned by the persisted loader
PowerShell script executions including repeated stagers
Reconstruction of the staged PowerShell from events (4104) and file hashing for IOC tracking

Interpretation of the Decoded Script from Initial Access (Recap)

what we have got here is essentially a decoded RTF payload that was obfuscated using \chr encoding. Once decoded, it reveals a malicious VBScript designed to drop and persist a RAT (remote access trojan). Lets break down the key points :

Threat Hunting: FIN7 - Initial Access

Thu, 14 Aug 2025 19:03:54 -0400

Introduction

Welcome to the first post in my Threat Hunting series. We are starting with FIN7’s initial access tradecraft: a phishing-delivered, weaponized RTF that abuses living-off-the-land binaries and scheduled tasks to get a foothold. This post distills the key artifacts and shows practical hunts you can run.

This is Part 1 of my Threat Hunting series. Each post focuses on one phase of an intrusion with practical hunts and response tips.

FIN7 on Fabrice's Blog

Threat Hunting: FIN7 - Post Compromise Execution

Introduction

What we investigated

Interpretation of the Decoded Script from Initial Access (Recap)

Threat Hunting: FIN7 - Initial Access

Introduction