FIN7 - Post Compromise Execution

Introduction

In Part 2, we pivot from initial access to what happened next. Using Windows event logs and PowerShell Operational logs in Splunk, we reconstructed FIN7’s execution chain after persistence via a scheduled task, validated key artifacts, and built practical detections you can run.

What we investigated

  • Scheduled Task execution timing and payload
  • Process tree spawned by the persisted loader
  • PowerShell script executions including repeated stagers
  • Reconstruction of the staged PowerShell from events (4104) and file hashing for IOC tracking

Interpretation of the Decoded Script from Initial Access (Recap)

What we have here is a decoded RTF payload that was obfuscated using \chr encoding. Once decoded, it reveals a malicious VBScript designed to drop and persist a RAT (remote access trojan). Let's break down the key points:

  1. Initial Setup
Dim cntent1, contnt2
Dim oFSO, wshShel
Set wshShel = CreateObject("Wscript.Shell")
  • The script initializes objects for file system operations and Windows shell execution.
  • This is a common start for malware written in VBScript.
  2. Extracting Payload from Word Document
contnt1 = w.ActiveDocument.Shapes(4).TextFrame.TextRange.Text
content = w.ActiveDocument.Shapes(5).TextFrame.TextRange.Text
  • The malicious payload hides its real code inside Word document shapes.
  • The script reads text content from shape objects, a stealthy way to embed payload data inside a seemingly normal RTF/Word file.
  3. Dropping the RAT File
outFile = strLocalAppData + "sql-rat.js"
Set objFile = oFSO.CreateTextFile(outFile, True)
objFile.WriteLine content1
objFile.WriteLine content2
objFile.Close
  • The extracted payload (content1 + content2) is written to disk as sql-rat.js in the %LOCALAPPDATA% folder.
  • This is the actual JavaScript RAT backdoor.
  4. Copying & Masquerading as a System Binary
oFSO2.CopyFile "C:\Windows\System32\wscript.exe", strLocalAppData + "adb156.exe"
  • Copies the legitimate wscript.exe binary into the local AppData directory under a new name (adb156.exe).
  • Likely done to evade controls that key on the wscript.exe name while still running the RAT through a legitimate Microsoft script host.
  5. Persistence via Scheduled Task
Set service = CreateObject("Schedule.Service")
service.Connect()
Set rootFolder = service.GetFolder("\")
Set taskDefinition = service.NewTask(0)
...
Call rootFolder.RegisterTaskDefinition("Micriosoft Update Service", taskDefinition, 6, , 3)
  • Creates a scheduled task disguised as “Micriosoft Update Service”.
  • The task is set to run daily, starting a few minutes after infection, ensuring persistence.
  • The scheduled action runs the dropped adb156.exe with the sql-rat.js file as input.

SQL-Rat

SQL-Rat is a Microsoft SQL-based command and control (C2) remote access trojan (RAT). Due to its novel approach, it avoids leaving traditional host artifacts often associated with RATs. SQL-Rat is usually deployed as a result of a Visual Basic Script (VBScript) in a malicious document. The client is written in a mixture of JavaScript and VBScript, often executed via a scheduled task.

FIN7 was observed deploying this strain of malware as early as 2018 and continued to use it for a period of time.

Post-Compromise Findings from Event Log (Splunk)

This Splunk log ties the decoded payload to real host execution.

  • To find the task creation and definition details we used the Splunk query below:
index=wineventlog (EventCode=4698 OR process_command_line="*Schedule.Service*")
| table _time ComputerName TaskName Command Author Description
  • Command output
Task Information: 
Task Name: \Micriosoft Update Service 
Task Content: <?xml version="1.0" encoding="UTF-16"?> 
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> 
  <RegistrationInfo> 
    <Author>system</Author> 
    <Description>Micriosoft Update Service</Description> 
    <URI>\Micriosoft Update Service</URI>
  </RegistrationInfo> 
  <Triggers> 
    <CalendarTrigger id="DailyTriggerId"> 
      <StartBoundary>2021-07-13T17:23:35</StartBoundary> 
      <EndBoundary>2024-04-18T09:10:00</EndBoundary> 
      <Enabled>true</Enabled> 
      <ScheduleByDay> 
        <DaysInterval>1</DaysInterval> 
      </ScheduleByDay> 
    </CalendarTrigger>
  </Triggers>

  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\jessie\AppData\Local\adb156.exe</Command>
      <Arguments>/b /e:jscript C:\Users\jessie\AppData\Local\sql-rat.js</Arguments>
    </Exec>
  </Actions>

From the Windows Security Event 4698 (scheduled task creation), we can extract the following details:

  1. Scheduled Task Name
\Micriosoft Update Service
  • The typo in “Micriosoft” is a classic masquerading technique used to blend in with legitimate Microsoft services.
  2. Scheduled Task Run Time
<StartBoundary>2021-07-13T17:23:35</StartBoundary>
<DaysInterval>1</DaysInterval>
  • The task was set to first execute at 17:23:35 (5:23 PM) on July 13, 2021, and then repeat daily.
  • This aligns with the decoded script’s persistence logic (delayed by ~5 minutes from infection time).
  3. Executable Run by the Scheduled Task
C:\Users\jessie\AppData\Local\adb156.exe
Arguments: /b /e:jscript C:\Users\jessie\AppData\Local\sql-rat.js
  • The scheduled task runs a renamed copy of wscript.exe (adb156.exe), pointing it to the dropped JavaScript RAT payload sql-rat.js.
  • This confirms persistence + RAT execution on the compromised endpoint.
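The pivots above (task name, trigger, action binary and arguments) can be automated over the Task Content XML that event 4698 carries. The following is an added example written for this post, not code from the original analysis: it parses the XML shown above with the standard library, then flags an action that runs from a user profile directory, arguments that hand a script to a script host, and a task-name token that is a near-miss of "microsoft" (edit distance of one or two). The closing </Task> in the sample is ours, since the page's excerpt stops after <Actions>.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML, as carried in the Task Content field of event 4698.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task Content from the 4698 event on this page. The page's excerpt stops after
# <Actions>, so the closing </Task> here is ours; no <Settings> element is included.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>system</Author>
    <Description>Micriosoft Update Service</Description>
    <URI>\Micriosoft Update Service</URI>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger id="DailyTriggerId">
      <StartBoundary>2021-07-13T17:23:35</StartBoundary>
      <EndBoundary>2024-04-18T09:10:00</EndBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\jessie\AppData\Local\adb156.exe</Command>
      <Arguments>/b /e:jscript C:\Users\jessie\AppData\Local\sql-rat.js</Arguments>
    </Exec>
  </Actions>
</Task>"""


def parse_task_xml(xml_text):
    """Pull the fields an analyst pivots on out of a 4698 Task Content blob."""
    # Splunk hands the blob over as already-decoded text, so the UTF-16 declaration
    # is stale; strip it rather than let the parser try to honour it.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))

    def text(path):
        node = root.find(path, TASK_NS)
        return node.text.strip() if node is not None and node.text else ""

    return {
        "uri": text("t:RegistrationInfo/t:URI"),
        "author": text("t:RegistrationInfo/t:Author"),
        "start": text("t:Triggers/t:CalendarTrigger/t:StartBoundary"),
        "days_interval": text("t:Triggers/t:CalendarTrigger/t:ScheduleByDay/t:DaysInterval"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
    }


def edit_distance(a, b):
    """Levenshtein distance; used to catch near-misses of trusted vendor names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


SCRIPT_ENGINE_RE = re.compile(r"/e:(jscript|vbscript)|\.(js|jse|vbs|wsf)\b")


def triage_task(task):
    """Reasons this task definition deserves a look; an empty list means nothing tripped."""
    reasons = []
    cmd, args = task["command"].lower(), task["arguments"].lower()
    # Action binary living in a user-writable profile directory.
    if cmd.startswith("c:\\users\\") and "\\appdata\\" in cmd:
        reasons.append("action runs from user AppData: " + task["command"])
    # Arguments select a script engine or name a script file (wscript/cscript style).
    if SCRIPT_ENGINE_RE.search(args):
        reasons.append("arguments run a script through a script host: " + task["arguments"])
    # Task-name token that is one or two edits away from "microsoft" but not equal to it.
    for token in re.split(r"[\\\s_-]+", task["uri"].lower()):
        if token and token != "microsoft" and edit_distance(token, "microsoft") <= 2:
            reasons.append(f"task name token '{token}' is a look-alike of 'microsoft'")
    return reasons


if __name__ == "__main__":
    task = parse_task_xml(SAMPLE_TASK_XML)
    print(f"{task['uri']} first run {task['start']}, every {task['days_interval']} day(s)")
    for reason in triage_task(task):
        print("[!]", reason)
```

Feed it the Task Content field of every 4698 event and alert on any non-empty result; a legitimate Microsoft task (for example one under \Microsoft\Windows\ running svchost.exe from System32) produces no reasons, while the task above trips all three checks.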

Post-Compromise Process Execution Analysis (Splunk)

Here we are correlating the persistence (scheduled task creation) with actual process execution. Let’s break this Event ID 4688 (process creation) down into actionable intelligence.

  • Splunk query used:
index=wineventlog (EventCode=4688 OR EventCode=1) "adb156.exe" 
New_Process_Name="C:\\Users\\jessie\\AppData\\Local\\adb156.exe"
  • Output result
Process Information:
	New Process ID:		0x1318
	New Process Name:	C:\Users\jessie\AppData\Local\adb156.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0x704
	Creator Process Name:	C:\Windows\System32\svchost.exe
	Process Command Line:	C:\Users\jessie\AppData\Local\adb156.exe /b /e:jscript C:\Users\jessie\AppData\Local\sql-rat.js

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled.  A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled.  An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator.  An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled.  The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
  1. Process Created
New Process Name: C:\Users\jessie\AppData\Local\adb156.exe
Process Command Line: C:\Users\jessie\AppData\Local\adb156.exe /b /e:jscript C:\Users\jessie\AppData\Local\sql-rat.js
  • Confirms execution of the renamed wscript.exe (adb156.exe).
  • Arguments show it is running the JavaScript RAT (sql-rat.js) payload.
  • This matches perfectly with the decoded script and scheduled task configuration.
  2. Execution Context
Creator Process Name: C:\Windows\System32\svchost.exe
Creator Process ID: 0x704
  • The process was launched by svchost.exe, which is consistent with execution via a scheduled task service.
  • Indicates the malware was not manually run by the user, but automatically executed through Windows Task Scheduler.
  3. Security Context
Mandatory Label: S-1-16-12288 (High Mandatory Level)
Token Elevation Type: %%1936
  • High Mandatory Level (12288) suggests it was executed with elevated privileges.
  • Token elevation type points to Type 2: elevated token (process running with admin rights due to UAC elevation or service execution).
  • This gave the RAT higher privileges on the host, increasing its ability to persist and evade.

PowerShell Child Process Activity (Splunk)

Now we’re getting into the post-exploitation stage, where the attacker is trying to expand control. The Event ID 4688 (process creation) shows how the dropped RAT (adb156.exe) attempts to execute PowerShell payloads.

  • Splunk query used:
index=wineventlog EventCode=4688 Creator_Process_ID="0x1318"
( New_Process_Name="*\\powershell.exe" OR New_Process_Name="*\\pwsh.exe"
  OR Process_Command_Line="*powershell*" OR Process_Command_Line="*.ps1" )
| stats dc(New_Process_ID) AS PowerShellAttempts

This query pivoted on the Creator_Process_ID 0x1318, which we previously identified as adb156.exe (the renamed wscript.exe RAT). It shows the RAT spawned child processes that invoked PowerShell, an indicator of scripted post-exploitation activity.

  • Output result:
Process Information:
	New Process ID:		0x11ec
	New Process Name:	C:\Windows\System32\cmd.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		S-1-16-12288
	Creator Process ID:	0x1318
	Creator Process Name:	C:\Users\jessie\AppData\Local\adb156.exe
	Process Command Line:	"C:\Windows\system32\cmd.exe" /C powershell.exe -ExecutionPolicy Bypass -NoExit -File  c:\Users\Jessie\AppData\Local\stager.ps1 > C:\Users\jessie\AppData\Local\Temp\rad3CFC9.tmp 2>&1

  1. Parent Process
Creator Process ID: 0x1318
Creator Process Name: C:\Users\jessie\AppData\Local\adb156.exe
  • Confirms that the PowerShell activity originated from the RAT process.
  • Shows a direct lineage from the malicious scheduled task to PowerShell execution.
  2. Child Process
New Process Name: C:\Windows\System32\cmd.exe
Process Command Line: "C:\Windows\system32\cmd.exe" /C powershell.exe -ExecutionPolicy Bypass -NoExit -File c:\Users\Jessie\AppData\Local\stager.ps1 > C:\Users\jessie\AppData\Local\Temp\rad3CFC9.tmp 2>&1
  • The RAT used cmd.exe as an intermediary launcher to execute PowerShell.
  • PowerShell ran with:
    • -ExecutionPolicy Bypass → disables script execution restrictions.
    • -File c:\Users\Jessie\AppData\Local\stager.ps1 → runs a local stager script.
    • Output redirected to Temp\rad3CFC9.tmp for logging/error suppression.
  • This indicates the RAT was likely retrieving or staging additional payloads via PowerShell.
  3. Execution Context
Token Elevation Type: %%1936
Mandatory Label: S-1-16-12288 (High Mandatory Level)
  • Runs at a high integrity level with elevated privileges.
  • Confirms the RAT has administrative-level execution on the system.
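Both 4688 sections above rest on the same two moves: pivot on Creator Process ID to walk parent-to-child, and read the image path and command line of each hop. The following is an added example for this post, not the original analysis's code, that does that over the two event bodies printed on this page plus one constructed powershell.exe child (the page describes that child but does not print it). It rebuilds the svchost.exe → adb156.exe → cmd.exe → powershell.exe chain and reports, per event, the traits the text pivots on: script-host arguments under a non-script-host image name, an image running from AppData, ExecutionPolicy Bypass, and a .ps1 staged under AppData.

```python
import re

# Three 4688 "Process Information" bodies. The first two are copied from the events
# on this page; the third is CONSTRUCTED to stand in for the powershell.exe child of
# that cmd.exe, which the page describes but does not print.
SAMPLE_4688 = [
    r"""Process Information:
    New Process ID:        0x1318
    New Process Name:      C:\Users\jessie\AppData\Local\adb156.exe
    Token Elevation Type:  %%1936
    Mandatory Label:       S-1-16-12288
    Creator Process ID:    0x704
    Creator Process Name:  C:\Windows\System32\svchost.exe
    Process Command Line:  C:\Users\jessie\AppData\Local\adb156.exe /b /e:jscript C:\Users\jessie\AppData\Local\sql-rat.js""",
    r"""Process Information:
    New Process ID:        0x11ec
    New Process Name:      C:\Windows\System32\cmd.exe
    Token Elevation Type:  %%1936
    Mandatory Label:       S-1-16-12288
    Creator Process ID:    0x1318
    Creator Process Name:  C:\Users\jessie\AppData\Local\adb156.exe
    Process Command Line:  "C:\Windows\system32\cmd.exe" /C powershell.exe -ExecutionPolicy Bypass -NoExit -File  c:\Users\Jessie\AppData\Local\stager.ps1 > C:\Users\jessie\AppData\Local\Temp\rad3CFC9.tmp 2>&1""",
    r"""Process Information:
    New Process ID:        0x1340
    New Process Name:      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Token Elevation Type:  %%1936
    Mandatory Label:       S-1-16-12288
    Creator Process ID:    0x11ec
    Creator Process Name:  C:\Windows\System32\cmd.exe
    Process Command Line:  powershell.exe -ExecutionPolicy Bypass -NoExit -File c:\Users\Jessie\AppData\Local\stager.ps1""",
]

FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", re.M)


def parse_4688(body):
    """Turn the aligned 'Field: value' block of a 4688 event into a dict."""
    return {k: v for k, v in FIELD_RE.findall(body) if v}


def index_events(events):
    """Map new PID -> event and creator PID -> [child PIDs] (PIDs compared case-insensitively)."""
    by_pid, children = {}, {}
    for e in events:
        pid, ppid = e["New Process ID"].lower(), e["Creator Process ID"].lower()
        by_pid[pid] = e
        children.setdefault(ppid, []).append(pid)
    return by_pid, children


def lineage(by_pid, pid):
    """Root-to-leaf image names, following Creator Process ID until no 4688 event is left.
    The last known parent's name comes from its child's event, so svchost.exe still
    appears even though its own creation event is not in the sample."""
    chain, last, cur = [], None, pid.lower()
    while cur in by_pid:
        last = by_pid[cur]
        chain.append(last["New Process Name"])
        cur = last["Creator Process ID"].lower()
    if last is not None:
        chain.append(last["Creator Process Name"])
    return chain[::-1]


SCRIPT_ENGINE_RE = re.compile(r"/e:(jscript|vbscript)|\.(js|jse|vbs|wsf)\b")


def findings(e):
    """Per-event reasons mirroring the page's pivots."""
    name, cmd = e["New Process Name"].lower(), e["Process Command Line"].lower()
    image = name.rsplit("\\", 1)[-1]
    out = []
    if SCRIPT_ENGINE_RE.search(cmd) and image not in ("wscript.exe", "cscript.exe"):
        out.append(f"script-host arguments under image name {image} (renamed wscript/cscript?)")
    if name.startswith("c:\\users\\") and "\\appdata\\" in name:
        out.append("image runs from a user AppData directory")
    if "powershell" in cmd and re.search(r"-e\w*\s+bypass", cmd):  # -ExecutionPolicy / -ep Bypass
        out.append("PowerShell launched with ExecutionPolicy Bypass")
    if re.search(r"\.ps1\b", cmd) and "\\appdata\\" in cmd:
        out.append("PowerShell script file under AppData")
    return out


def suspicious_chains(events):
    """{pid: (lineage, findings)} for every event that tripped at least one finding."""
    by_pid, _ = index_events(events)
    return {e["New Process ID"].lower(): (lineage(by_pid, e["New Process ID"]), findings(e))
            for e in events if findings(e)}


if __name__ == "__main__":
    for pid, (chain, why) in suspicious_chains([parse_4688(b) for b in SAMPLE_4688]).items():
        print(pid, " -> ".join(chain))
        for reason in why:
            print("   [!]", reason)
```

Windows recycles process IDs, so on real data scope the PID join by host and by a time window around each event (or use the process GUID if Sysmon event 1 is available) before trusting a lineage.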

Rebuilding the PowerShell Stager Script (Splunk)

We pivoted to PowerShell Operational logs (EventCode 4104) to capture script block logging events. These logs revealed that the malicious PowerShell stager executed on the host was split across three separate script block entries.

  • Splunk query used:
index=wineventlog source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104

This query pulled all script block logging events for review.

  • Output result script block 1:
7/14/21
8:41:53.000 AM	
07/14/2021 01:41:53 AM
LogName=Microsoft-Windows-PowerShell/Operational
EventCode=4104
EventType=3
User=NOT_TRANSLATED
Sid=S-1-5-21-1598541164-267006594-3813999592-1154
SidType=0
SourceName=Microsoft-Windows-PowerShell
Type=Warning
RecordNumber=8534
Keywords=None
TaskCategory=Execute a Remote Command
OpCode=On create calls
Message=Creating Scriptblock text (1 of 3):
$EncodedCompressedFile = @'

7b1pk+LKcjD83RH3P5y4cT/Y0ddusfXAfcMRT5U2JJCgBBJIDn8AAQIklmmgBfz6N7<SNIP>

ScriptBlock ID: 21582107-1a53-41ba-9a55-a11cf70fce1b
Path: C:\Users\Jessie\AppData\Local\stager.ps1
  • Output result script block 2:
7/14/21
8:41:53.000 AM	
07/14/2021 01:41:53 AM
LogName=Microsoft-Windows-PowerShell/Operational
EventCode=4104
EventType=3
User=NOT_TRANSLATED
Sid=S-1-5-21-1598541164-267006594-3813999592-1154
SidType=0
SourceName=Microsoft-Windows-PowerShell
Type=Warning
RecordNumber=8535
Keywords=None
TaskCategory=Execute a Remote Command
OpCode=On create calls
Message=Creating Scriptblock text (2 of 3):
KQELvDrDDYa+rKtDAcC9Kd+s8/xqFgexNgm9MsuphHRTlaDZv1rx5hBmtifFuOac5qU11<SNIP>

'@

$Decoded = [System.Convert]::FromBase64String($EncodedCompressedFile)
$MemStream = New-Object System.IO.MemoryStream
$MemStream.Write($Decoded, 0, $Decoded.Length)
$MemStream.Seek(0,0) | Out-Null
$CompressedStream = New-Object System.IO.Compression.DeflateStream($MemStream, [System.IO.Compression.CompressionMode]::Decompress)
$StreamReader = New-Object System.IO.StreamReader($CompressedStream)
$Output = $StreamRead

ScriptBlock ID: 21582107-1a53-41ba-9a55-a11cf70fce1b
Path: C:\Users\Jessie\AppData\Local\stager.ps1
  • Output result script block 3:
7/14/21
8:41:53.000 AM	
07/14/2021 01:41:53 AM
LogName=Microsoft-Windows-PowerShell/Operational
EventCode=4104
EventType=3
User=NOT_TRANSLATED
Sid=S-1-5-21-1598541164-267006594-3813999592-1154
SidType=0
SourceName=Microsoft-Windows-PowerShell
Type=Warning
RecordNumber=8536
Keywords=None
TaskCategory=Execute a Remote Command
OpCode=On create calls
Message=Creating Scriptblock text (3 of 3):
er.readtoend()
$Output | IEX

ScriptBlock ID: 21582107-1a53-41ba-9a55-a11cf70fce1b
Path: C:\Users\Jessie\AppData\Local\stager.ps1

Script Reconstruction Process

  1. Identified log entries with messages such as:
Message=Creating Scriptblock text (1 of 3):
Message=Creating Scriptblock text (2 of 3):
Message=Creating Scriptblock text (3 of 3):
  2. Extracted each script block part.
  3. Reassembled the three fragments into a single PowerShell script (stager.ps1).
  4. Generated a file hash to serve as an Indicator of Compromise (IoC).

Result

  • Reconstructed File: stager.ps1
$EncodedCompressedFile = @'

7b1pk+LKcjD83RH3P5y4cT/Y0ddusfXAfcMRT5U2JJCgBBJIDn8AAQIklmmgBfz6N7O00sCcnuu<SNIP>

'@

$Decoded = [System.Convert]::FromBase64String($EncodedCompressedFile)
$MemStream = New-Object System.IO.MemoryStream
$MemStream.Write($Decoded, 0, $Decoded.Length)
$MemStream.Seek(0,0) | Out-Null
$CompressedStream = New-Object System.IO.Compression.DeflateStream($MemStream, [System.IO.Compression.CompressionMode]::Decompress)
$StreamReader = New-Object System.IO.StreamReader($CompressedStream)
$Output = $StreamReader.readtoend()
$Output | IEX
  • MD5 Hash:
kali@kali:~/Desktop$ nano stager.ps1
kali@kali:~/Desktop$ file stager.ps1 
stager.ps1: ASCII text, with very long lines (25988)
kali@kali:~/Desktop$ md5sum stager.ps1 
d12fdacbf70273e848219facc444ddbc  stager.ps1 

This confirmed that the RAT attempted to stage and execute additional malicious payloads through PowerShell. Logging and reassembling the script allowed us to both analyze attacker intent and derive strong IoCs for detection and hunting.
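The reassembly described in "Rebuilding the PowerShell Stager Script" and the numbered "Script Reconstruction Process" can be done in one pass over the raw 4104 text, and the same code can recover the payload statically, by running the stager's own FromBase64String → DeflateStream steps in Python instead of letting IEX execute the result. The following is an added example for this post, not the original analysis's code. Because the real here-string is snipped on the page, the sample uses a constructed blob (a benign one-liner, raw-Deflate compressed and base64-encoded), wrapped in the decode tail reconstructed above and split into three 4104-style messages with a placeholder ScriptBlock ID.

```python
import base64
import hashlib
import re
import zlib

# --- Constructed sample -------------------------------------------------------
# The real stager's here-string is snipped on the page, so a benign stand-in is built
# here, compressed and encoded the way the stager's decode routine expects.
INNER_TEXT = "Write-Output 'this is where the decoded stage would run'\n"
_deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw Deflate, as .NET DeflateStream emits
_blob = base64.b64encode(_deflater.compress(INNER_TEXT.encode()) + _deflater.flush()).decode()

# The decode/IEX tail below is the one reconstructed on this page; only the blob is ours.
SAMPLE_SCRIPT = f"""$EncodedCompressedFile = @'

{_blob}

'@

$Decoded = [System.Convert]::FromBase64String($EncodedCompressedFile)
$MemStream = New-Object System.IO.MemoryStream
$MemStream.Write($Decoded, 0, $Decoded.Length)
$MemStream.Seek(0,0) | Out-Null
$CompressedStream = New-Object System.IO.Compression.DeflateStream($MemStream, [System.IO.Compression.CompressionMode]::Decompress)
$StreamReader = New-Object System.IO.StreamReader($CompressedStream)
$Output = $StreamReader.readtoend()
$Output | IEX"""

SAMPLE_BLOCK_ID = "00000000-0000-4000-8000-000000000001"   # placeholder, not the page's ID


def make_4104_events(script, parts, block_id, path):
    """Split a script into up to `parts` chunks and wrap each like a 4104 message (constructed)."""
    size = -(-len(script) // parts)            # ceiling division
    chunks = [script[i:i + size] for i in range(0, len(script), size)]
    return [
        f"EventCode=4104\nMessage=Creating Scriptblock text ({n} of {len(chunks)}):\n"
        f"{chunk}\n\nScriptBlock ID: {block_id}\nPath: {path}"
        for n, chunk in enumerate(chunks, 1)
    ]


SAMPLE_EVENTS = make_4104_events(SAMPLE_SCRIPT, 3, SAMPLE_BLOCK_ID, r"C:\Users\Jessie\AppData\Local\stager.ps1")

# --- Reassembly ---------------------------------------------------------------
PART_RE = re.compile(
    r"Creating Scriptblock text \((\d+) of (\d+)\):\n(.*?)\n\nScriptBlock ID: ([0-9a-fA-F-]+)",
    re.S,
)


def reassemble_script_blocks(log_text):
    """Group 4104 fragments by ScriptBlock ID and rebuild each script.

    Returns {block_id: script_text}; a block with missing parts maps to None so that
    a partial file is never hashed as if it were the whole stager.
    """
    parts = {}
    for n, total, chunk, block_id in PART_RE.findall(log_text):
        parts.setdefault(block_id, {})[int(n)] = (int(total), chunk)
    rebuilt = {}
    for block_id, frags in parts.items():
        total = next(iter(frags.values()))[0]
        if sorted(frags) != list(range(1, total + 1)):
            rebuilt[block_id] = None
            continue
        rebuilt[block_id] = "".join(frags[i][1] for i in range(1, total + 1))
    return rebuilt


def hash_script(script, newline="\n"):
    """Digests of the rebuilt text. The value depends on the exact bytes, so record the
    line ending you normalised to next to the IoC (Windows logs carry CRLF, nano wrote LF)."""
    data = script.replace("\r\n", "\n").replace("\n", newline).encode("utf-8")
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


# --- Static decode and traits --------------------------------------------------
HERESTRING_RE = re.compile(r"@'\s*(.*?)\s*'@", re.S)
STAGER_TRAITS = {
    "base64 decode": r"FromBase64String",
    "deflate decompress": r"DeflateStream|GzipStream",
    "dynamic execution": r"\|\s*IEX\b|Invoke-Expression",
}


def decode_stager_payload(script):
    """Recover what `$Output | IEX` would have executed, without running anything."""
    m = HERESTRING_RE.search(script)
    if not m:
        raise ValueError("no single-quoted here-string found")
    raw = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
    return zlib.decompress(raw, -15).decode("utf-8")   # -15: raw Deflate, no zlib header


def stager_traits(script):
    """Which of the three stager building blocks the rebuilt script contains."""
    return [name for name, pat in STAGER_TRAITS.items() if re.search(pat, script, re.I)]


if __name__ == "__main__":
    for block_id, script in reassemble_script_blocks("\n\n".join(SAMPLE_EVENTS)).items():
        print(block_id, hash_script(script), stager_traits(script))
        print(decode_stager_payload(script))
```

Pointed at a Splunk export of the 4104 events, the reassembly step gives one file per ScriptBlock ID; hashing that text with the same line-ending convention each time is what makes the MD5 reusable as an IoC, and the static decode shows the next stage without ever executing it.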

Quick Checklist recap

  1. Scheduled Task run time: 17:23:35
  2. Executable run by the Task: adb156.exe
  3. Process ID of the Task’s executable: 0x1318
  4. Child processes attempting to run PowerShell: 3
  5. PowerShell script run: stager.ps1
  6. MD5 of rebuilt stager.ps1: d12fdacbf70273e848219facc444ddbc

Conclusion

Post‑compromise activity confirmed a user‑profile loader executing a staged PowerShell that was invoked multiple times. ScriptBlock 4104 logs, when enabled, provide decisive visibility to reconstruct payloads and produce durable IOCs. In Part 3, we’ll follow command‑and‑control behaviors and data access that followed this execution stage.