Forest Blizzard APT - JavaScript Constrained File Creation

    Date: 03/06/2025

    Severity: Medium

    Summary

    Monitors the creation of JavaScript files within the DriverStore directory. Forest Blizzard exploited CVE-2022-38028 in the Windows Print Spooler service by altering a JavaScript constraints file in that directory, which the service then executed with SYSTEM-level privileges.

    Indicators of Compromise (IOC) List

    TargetFilename

    'C:\Windows\System32\DriverStore\FileRepository\'

    '\.js'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    resourcename in ("Windows Security") AND eventtype = "4663" AND objectname like "C:\Windows\System32\DriverStore\FileRepository\" AND objectname like "\.js"

    Detection Query 2

    technologygroup = "EDR" AND objectname like "C:\Windows\System32\DriverStore\FileRepository\" AND objectname like "\.js"

    Detection Query 3

    resourcename in ("Sysmon") AND eventtype = "11" AND targetfilename like "C:\Windows\System32\DriverStore\FileRepository\" AND targetfilename like "\.js"

    Detection Query 4

    technologygroup = "EDR" AND targetfilename like "C:\Windows\System32\DriverStore\FileRepository\" AND targetfilename like "\.js"
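
    The four queries above all reduce to the same two conditions: a path under the FileRepository prefix and a .js extension. The following Python is an added example, not part of this page or of the referenced Sigma rule; it applies those conditions to constructed Sysmon Event ID 11 and Security 4663 records (the key=value line format and the sample driver folder name are assumptions).

```python
import re
from typing import Dict, List, Optional

# Path prefix and extension from the page's IOC list.
FILEREPOSITORY_PREFIX = "C:\\Windows\\System32\\DriverStore\\FileRepository\\"
JS_EXTENSION = ".js"

# Constructed sample records (not real telemetry), written as key=value lines:
# Sysmon Event ID 11 (FileCreate) carries TargetFilename, Security 4663 carries ObjectName.
SAMPLE_EVENTS: List[str] = [
    "EventID=11 Image=C:\\Windows\\System32\\spoolsv.exe "
    "TargetFilename=C:\\Windows\\System32\\DriverStore\\FileRepository\\exampledrv.inf_amd64_0123456789abcdef\\constraints.js",
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\alice\\Documents\\notes.txt",
    "EventID=4663 ObjectName=c:\\windows\\system32\\driverstore\\filerepository\\exampledrv.inf_amd64_0123456789abcdef\\SETTINGS.JS",
    # A .json file must not match: '\.js' is an extension check, not a substring check.
    "EventID=11 Image=C:\\Windows\\System32\\spoolsv.exe "
    "TargetFilename=C:\\Windows\\System32\\DriverStore\\FileRepository\\exampledrv.inf_amd64_0123456789abcdef\\manifest.json",
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value record into a dict (sample values contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def normalize_path(path: str) -> str:
    """Lower-case (NTFS is case-insensitive), unify separators, drop a \\?\ prefix."""
    norm = path.replace("/", "\\").lower()
    if norm.startswith("\\\\?\\"):
        norm = norm[4:]
    return norm

def is_driverstore_js_create(line: str) -> bool:
    """True when the record is a file create/access under FileRepository ending in .js."""
    event = parse_event(line)
    if event.get("EventID") not in ("11", "4663"):
        return False
    path: Optional[str] = event.get("TargetFilename") or event.get("ObjectName")
    if not path:
        return False
    norm = normalize_path(path)
    return norm.startswith(FILEREPOSITORY_PREFIX.lower()) and norm.endswith(JS_EXTENSION)

def find_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed records that satisfy the detection."""
    return [parse_event(line) for line in lines if is_driverstore_js_create(line)]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(hit["EventID"], hit.get("TargetFilename") or hit.get("ObjectName"))
```

    Security event 4663 is only generated when a SACL audits the FileRepository directory, so in environments without that audit policy the Sysmon 11 and EDR queries are the ones that will fire.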

    Reference:
    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml


    Tags

    Sigma, CVE-2022, APT, Exploit, Forest Blizzard
