Know Your Adversary

Hello everyone! Today we'll talk about how ransomware gangs abuse legitimate software for  File and Directory Discovery (T1083) . And our example for today's post - NightSpire . Anong other tools, the gang leveraged Everything - a legitimate tool that enables an adversary to index files and get a deeper understanding of data available on the compromised system. So, this tool, especially if it's not widely used internaly, may be a good target for hunting: event_type: "processcreatewin" AND proc_file_originalfilename: "everything.exe" See you tomorrow!

Hello everyone! It's not a secret that ransomware gangs often interact with Volume Shadow Copy Service to  Inhibit System Recovery (T1490) . In most cases it's not a good target for hunting as adversaries abuse it on the latest stages of attack lifecycle. At the same time, they may use scripting to manipulate it, and it may be you last chance to detect malicious activity. For example, Qilin executed the following commands: cmd /C net start vss cmd /C wmic service where name='vss' call ChangeStartMode Manual cmd /C vssadmin.exe Delete Shadows /all /quiet cmd /C net stop vss cmd /C wmic service where name='vss' call ChangeStartMode Disabled I'm sure you have detections for deletion, but what about manipulating the service? So, it may be a good idea to look for abusing wmic.exe for VSS manipulation: event_type: "processcreatewin" AND proc_file_path: "wmic.exe" AND cmdline: "vss" See you tomorrow!

Hello everyone! Adversaries may use Windows registry to solve various tasks. Some are very common, while others are not. Let's look at one of them! Today we'll look at  Valley RAT . According to this report , it uses the following registry key to store downloaded plugins: HKCU\Console\0\d33f351a4aeea5e608853d1a56661059 So, from threat hunting perspective, we can look for suspicious registry modification events related to  HKCU\Console\ : event_type: "registryvaluesetwin" AND reg_key_path: "hkey_current_user\\console" See you tomorrow!

Hello everyone! As you know, adversaries may delete malicious files and tools for defense evasion. But can we use it for threat hunting? Let's find out! We need an example, of course. Let's look at Amadey loader described in this report . The adversary leveraged multiple commands to delete existing malicious file and move a copy to a different location: cmd.exe /k "taskkill /f /im "Yfgfwb.exe" && timeout 1 && del "Yfgfwb.exe" && ren 07072f Yfgfwb.exe && C:\Users\UserName\Appdata\Local\Temp\067640a009\Yfgfwb.exe && Exit For example, we can look for sequences of suspicious commands, like taskkill and del : event_type: "processcreatewin" AND proc_file_path: "cmd.exe" AND cmdline: ("taskkill" AND "del") See you tomorrow!

Hello everyone! It's time to look at another interesting RMM abused by threat actors for redundant access, and check if your detections cover it. According to this report , the adversary dropped a renamed copy  GotoHTTP to the compromised system. It's interesting that the threat actors just need to install this RMM on the system they want to control, and to manipulate it they need just a web-browser! So, you can look for related network connections: event_type: "dnsreqwin" AND dns_rname: "gotohttp.com" And for binary itself, of course: event_type: "processcreatewin" AND proc_file_productname: "gotohttp" See you tomorrow!

Hello everyone! Today we'll look at an example provided by the colleagues from Zscaler in their recent research. And yes, it's legitimate services abuse one more time! So, according to the research , Zscaler Threat Hunting observed a localized spike in traffic to the URL shortener surl[.]li . This service was used by the adversary (SideWinder) to redirect the victim to a phishing page with a link to  gofile[.]io , which was used to host ZIP archives with a bunch of files, including malicious. So, here we have a real-world example of how defenders leveraged the knowledge of legitimate web-services abused by adversaries to for a hypothesis and find undetected malicious activity. You can do the same: event_type: "dnsreqwin" AND dns_rname: ("surl.li" OR "gofile.io") See you tomorrow!