Know Your Adversary

Hello everyone! No, no more detection and hunting tips today! And yes, it's the last post for the Zeltser challenge! It was a definitely a hard one, but still it was fun! Thank you Dave for motivating me to start it! Thanks everyone who reacted to the posts and wrote kind words - it helped me a lot to finish it! It doesn't mean I stop posting! But I won't do it every day! Still, if I see something interesting - I share it with you! Thank you for reading the blog and see you next year!

Hello everyone! Today we'll look at another example of a very common technique - Remote Access Tools: Remote Desktop Software (T1219.002) . Ransomware gangs have lots of such tools in their arsenal. For example, Power Admin -  legitimate tool that provides functionality to monitor servers and applications, as well as file access auditing.  Of course, it may be a good target for detection and hunting, for example: event_type: "processcreatewin" AND proc_file_productname: "pa server monitor" See you tomorrow!

Hello everyone! We often talk (and see, of course) LOLBAS. So, let's look at another one, which became really popular among adversaries this year. So, our today's example - Arcane Werewolf . The adversary leverages conhost.exe to run the dropper: conhost.exe C:\Users\<USER>\AppData\Local\Temp\icon2.png One more example - running Loki 2.0 loader: conhost.exe %TEMP%\chrome_proxy.pdf As you can see, the threat actors quite suspicious file exensions, so we can use it to build a query: event_type: "processcreatewin" AND proc_file_path: "conhost.exe" AND cmdline: (*png OR *pdf) See you tomorrow!

Hello everyone! Today we'll talk about how ransomware gangs abuse legitimate software for  File and Directory Discovery (T1083) . And our example for today's post - NightSpire . Anong other tools, the gang leveraged Everything - a legitimate tool that enables an adversary to index files and get a deeper understanding of data available on the compromised system. So, this tool, especially if it's not widely used internaly, may be a good target for hunting: event_type: "processcreatewin" AND proc_file_originalfilename: "everything.exe" See you tomorrow!

Hello everyone! It's not a secret that ransomware gangs often interact with Volume Shadow Copy Service to  Inhibit System Recovery (T1490) . In most cases it's not a good target for hunting as adversaries abuse it on the latest stages of attack lifecycle. At the same time, they may use scripting to manipulate it, and it may be you last chance to detect malicious activity. For example, Qilin executed the following commands: cmd /C net start vss cmd /C wmic service where name='vss' call ChangeStartMode Manual cmd /C vssadmin.exe Delete Shadows /all /quiet cmd /C net stop vss cmd /C wmic service where name='vss' call ChangeStartMode Disabled I'm sure you have detections for deletion, but what about manipulating the service? So, it may be a good idea to look for abusing wmic.exe for VSS manipulation: event_type: "processcreatewin" AND proc_file_path: "wmic.exe" AND cmdline: "vss" See you tomorrow!

Hello everyone! Adversaries may use Windows registry to solve various tasks. Some are very common, while others are not. Let's look at one of them! Today we'll look at  Valley RAT . According to this report , it uses the following registry key to store downloaded plugins: HKCU\Console\0\d33f351a4aeea5e608853d1a56661059 So, from threat hunting perspective, we can look for suspicious registry modification events related to  HKCU\Console\ : event_type: "registryvaluesetwin" AND reg_key_path: "hkey_current_user\\console" See you tomorrow!