Posts

360. That's How Valley RAT Modifies the Registry to Store Plugins

Hello everyone! Adversaries may use the Windows registry to solve various tasks. Some are very common, while others are not. Let's look at one of the less common ones!

Today we'll look at Valley RAT. According to this report, it uses the following registry key to store downloaded plugins:

    HKCU\Console\0\d33f351a4aeea5e608853d1a56661059

HKCU\Console normally holds per-application console window settings, and its subkeys are named after an executable path (with backslashes replaced by underscores) or a window title. A subkey nested under Console\0 with a hash-like name is nothing a console application would create, so it stands out. From a threat hunting perspective, we can look for suspicious registry modification events related to HKCU\Console:

    event_type: "registryvaluesetwin" AND reg_key_path: "hkey_current_user\\console"

Expect legitimate hits from console applications saving their settings, so baseline the subkey names in your environment and focus on the ones that do not look like an executable path or a window title.

See you tomorrow!

359. Hunting for Suspicious File Deletion Events

Hello everyone! As you know, adversaries may delete malicious files and tools for defense evasion. But can we use it for threat hunting? Let's find out!

We need an example, of course. Let's look at the Amadey loader described in this report. The adversary chained multiple commands to kill the running process, delete the existing malicious file, rename a fresh copy (07072f) to the same name and launch it again:

    cmd.exe /k "taskkill /f /im "Yfgfwb.exe" && timeout 1 && del "Yfgfwb.exe" && ren 07072f Yfgfwb.exe && C:\Users\UserName\Appdata\Local\Temp\067640a009\Yfgfwb.exe && Exit

So, for example, we can look for sequences of suspicious commands in a single cmd.exe command line, like taskkill followed by del:

    event_type: "processcreatewin" AND proc_file_path: "cmd.exe" AND cmdline: ("taskkill" AND "del")

Depending on how your platform tokenizes cmdline, "del" may also match substrings such as "delete" or "model" in paths, so check whether the taskkill image and the deleted file actually refer to the same name before escalating.

See you tomorrow!
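The hunting query above only requires both keywords to appear somewhere in the command line. The following Python script, an added example that is not part of the original post or of the report it cites, goes one step further: it splits a cmd.exe /c or /k command line into its chained commands, pulls the image name out of taskkill /im and the file names out of del, and grades a hit "high" only when the killed image and the deleted file share a name (the Amadey pattern), "medium" otherwise. The sample events are constructed; the first command line reproduces the chain quoted above, the others are benign or partial look-alikes.

```python
import re

# Constructed sample process-creation events (not from the report). The first
# command line reproduces the Amadey chain quoted above; the others are benign
# or partial look-alikes to show how the logic separates them.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /k "taskkill /f /im "Yfgfwb.exe" && timeout 1 && del "Yfgfwb.exe" '
                r'&& ren 07072f Yfgfwb.exe && C:\Users\UserName\Appdata\Local\Temp\067640a009\Yfgfwb.exe && Exit'},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "del C:\Temp\model_report.txt"'},                 # "del" but no taskkill
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c taskkill /f /im notepad.exe & del C:\Users\Public\notes.txt'},  # different targets
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad.exe taskkill_and_del_notes.txt'},                    # not cmd.exe at all
]

CMD_PREFIX = re.compile(r'\s*"?[^"\s]*cmd(?:\.exe)?"?\s+/[kc]\s+', re.IGNORECASE)
CHAIN_SEP = re.compile(r"\s*(?:&&|\|\||&)\s*")     # cmd.exe command separators
IM_ARG = re.compile(r'/im\s+"?([^\s"]+)"?', re.IGNORECASE)
ARG = re.compile(r'"[^"]*"|\S+')


def split_chain(cmdline: str):
    """Split a cmd.exe /c or /k command line into its chained commands.
    Deliberate simplification: separators are split even inside quotes, which is
    good enough for hunting (cmd's own quote handling is irregular)."""
    m = CMD_PREFIX.match(cmdline)
    body = (cmdline[m.end():] if m else cmdline).strip()
    if body.startswith('"'):
        body = body[1:]
    if body.endswith('"'):
        body = body[:-1]
    return [s.strip() for s in CHAIN_SEP.split(body) if s.strip()]


def basename(token: str) -> str:
    """Lower-cased file name of a possibly quoted, possibly full path."""
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def kill_then_delete(cmdline: str):
    """Images killed via taskkill /im and files removed via del/erase, in order.
    Each deleted file is flagged when an earlier taskkill targeted the same name."""
    killed, deleted = [], []
    for seg in split_chain(cmdline):
        tokens = ARG.findall(seg)
        if not tokens:
            continue
        verb = basename(tokens[0])
        if verb in ("taskkill", "taskkill.exe"):
            m = IM_ARG.search(seg)
            if m:
                killed.append(basename(m.group(1)))
        elif verb in ("del", "erase"):
            for t in tokens[1:]:
                if not t.startswith("/"):              # skip switches such as /f /q
                    name = basename(t)
                    deleted.append({"file": name, "killed_first": name in killed})
    return {"killed": killed, "deleted": deleted}


def hunt(events):
    """Apply the post's hunt (cmd.exe + taskkill + del) and grade each hit."""
    findings = []
    for ev in events:
        if ev.get("event_type") != "processcreatewin":
            continue
        if basename(ev.get("proc_file_path", "")) != "cmd.exe":
            continue
        chain = kill_then_delete(ev.get("cmdline", ""))
        if not chain["killed"] or not chain["deleted"]:
            continue
        same_target = any(d["killed_first"] for d in chain["deleted"])
        findings.append({"cmdline": ev["cmdline"],
                         "severity": "high" if same_target else "medium",
                         "deleted": [d["file"] for d in chain["deleted"]]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"], f["deleted"], "<-", f["cmdline"])
```

Against the sample events this yields two findings: the Amadey chain is graded high (taskkill and del both name Yfgfwb.exe), the notepad/notes.txt chain is medium, and the lone del and the non-cmd.exe event are dropped.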

358. Adversaries Abuse GoToHTTP for Redundant Access

Hello everyone! It's time to look at another interesting RMM tool abused by threat actors for redundant access, and to check whether your detections cover it.

According to this report, the adversary dropped a renamed copy of GoToHTTP onto the compromised system. Interestingly, the threat actors only need to install this RMM on the system they want to control; to operate it, they need nothing but a web browser. So you can look for related network connections:

    event_type: "dnsreqwin" AND dns_rname: "gotohttp.com"

And for the binary itself, of course. Because the copy was renamed, match on the product name from the file's version resource rather than on the file name:

    event_type: "processcreatewin" AND proc_file_productname: "gotohttp"

See you tomorrow!

357. That's Why I'm Talking About It That Often!

Hello everyone! Today we'll look at an example provided by our colleagues from Zscaler in their recent research. And yes, it's legitimate service abuse one more time!

According to the research, Zscaler Threat Hunting observed a localized spike in traffic to the URL shortener surl[.]li. This service was used by the adversary (SideWinder) to redirect the victim to a phishing page with a link to gofile[.]io, which was used to host ZIP archives with a bunch of files, some of them malicious.

So here we have a real-world example of how defenders leveraged their knowledge of legitimate web services abused by adversaries to form a hypothesis and find undetected malicious activity. You can do the same:

    event_type: "dnsreqwin" AND dns_rname: ("surl.li" OR "gofile.io")

See you tomorrow!

356. Adversaries Abuse Archive.org to Store Malicious PNG Files

Hello everyone! You may be a bit tired of the various legitimate web services abused by adversaries, but such services are always good targets for hunting, so let's look at another example.

This time the adversaries leveraged Archive[.]org to store malicious PNG files, for example:

    hxxp://dn710107.ca.archive[.]org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64[.]png

Such files contained a base64-encoded .NET assembly hidden at the end of the file, after the image data, so the file still opens as a valid PNG. To download and execute it, the adversary used PowerShell. Knowing all of this, we can build a hunting query:

    event_type: "dnsreqwin" AND dns_rname: "archive.org" AND proc_file_path: "powershell.exe"

Note that the request went to a subdomain (dn710107.ca.archive[.]org), so make sure your dns_rname match covers subdomains and not only the apex domain.

See you tomorrow!
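Posts 356, 357 and 358 all rest on the same idea: a watchlist of legitimate services that adversaries abuse, matched against DNS request telemetry, sometimes with a condition on the requesting process. The Python script below is an added example, not code from the original posts or from the cited reports, that implements that hunt over constructed DNS events. Two details matter in practice and are what the script shows: the match must cover subdomains (dn710107.ca.archive.org) but stop at a label boundary (notarchive.org must not match), and per-service process filters keep browser traffic to archive.org out of the results while still catching the PowerShell-originated lookups the post is after. The watchlist entries and the proc_file_path field are taken from the posts; everything else is assumed.

```python
# Constructed sample DNS events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "dnsreqwin", "dns_rname": "dn710107.ca.archive.org",
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "archive.org",            # browsing, not PowerShell
     "proc_file_path": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "notarchive.org",         # suffix trap
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "surl.li",
     "proc_file_path": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"event_type": "dnsreqwin", "dns_rname": "GoToHTTP.com.",          # mixed case, trailing dot
     "proc_file_path": r"C:\Users\Public\Libraries\svchost.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "api.gofile.io",
     "proc_file_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event_type": "processcreatewin", "dns_rname": "",                # wrong event type, ignored
     "proc_file_path": r"C:\Windows\notepad.exe"},
]

# Watchlist built from the services named in posts 356-358. "procs" restricts a
# hit to particular requesting processes (None = any process); the archive.org
# entry mirrors the post's powershell.exe condition.
WATCHLIST = {
    "gotohttp.com": {"why": "RMM abused for redundant access (358)", "procs": None},
    "surl.li":      {"why": "URL shortener used for phishing redirects (357)", "procs": None},
    "gofile.io":    {"why": "file host used for malicious archives (357)", "procs": None},
    "archive.org":  {"why": "PNG files with appended .NET payloads (356)",
                     "procs": {"powershell.exe", "pwsh.exe"}},
}


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot of a fully qualified name."""
    return name.strip().rstrip(".").lower()


def domain_matches(qname: str, watched: str) -> bool:
    """Match the apex and any subdomain, but only on a label boundary, so
    'notarchive.org' does not match 'archive.org'."""
    q, w = normalize(qname), normalize(watched)
    return q == w or q.endswith("." + w)


def process_name(path: str) -> str:
    """File name of the requesting process, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, watchlist=WATCHLIST):
    """Return one finding per DNS request that hits a watchlist entry and
    passes that entry's process filter."""
    findings = []
    for ev in events:
        if ev.get("event_type") != "dnsreqwin":
            continue
        proc = process_name(ev.get("proc_file_path", ""))
        for watched, meta in watchlist.items():
            if not domain_matches(ev.get("dns_rname", ""), watched):
                continue
            if meta["procs"] is not None and proc not in meta["procs"]:
                continue
            findings.append({"dns_rname": ev["dns_rname"], "watched": watched,
                             "process": proc, "why": meta["why"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['dns_rname']:28} {f['process']:16} {f['why']}")
```

On the sample events four findings come back (archive.org from PowerShell, surl.li, gotohttp.com and api.gofile.io); the Firefox lookup of archive.org and the notarchive.org lookup are correctly dropped.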

355. Hunting for ESXCLI Abuse

Hello everyone! If we're talking about ransomware gangs, we're always talking about Command and Scripting Interpreter: Hypervisor CLI (T1059.012). Yes, ransomware gangs love it!

Let's look at RansomHouse and focus on MrAgent. To obtain the MAC address, it runs the following command:

    esxcli --formatter=csv network nic list

The report quotes the same command for collecting information on the IP address. It also abuses ESXCLI to disable the firewall:

    esxcli network firewall set --enabled false

So, for example, we can hunt for suspicious commands related to managing host networking:

    event_type: "processcreatenix" AND cmdline: ("esxcli" AND "network")

Administrators run esxcli network commands too, so pay attention to the parent process and the session the command came from, and separate state-changing subcommands such as firewall set from read-only ones such as nic list: the latter are reconnaissance, the former change the host.

See you tomorrow!
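The query above returns every esxcli network command, read-only and state-changing alike. As an added example (not code from the original post or from the report on MrAgent), the Python script below parses esxcli command lines into their namespace path, command and options, then classifies the network ones: firewall set --enabled false becomes firewall_disabled, other firewall changes firewall_changed, and list/get commands network_recon. It also notes a machine-readable --formatter, which hints at scripted rather than interactive use. The sample events are constructed; the first two reproduce the MrAgent commands quoted above, and the esxcli grammar assumed is "esxcli [global options] namespace ... command [command options]".

```python
import os
import shlex

# Constructed sample ESXi process events (not real telemetry). The first two
# reproduce the MrAgent commands quoted above.
SAMPLE_EVENTS = [
    {"event_type": "processcreatenix", "cmdline": "esxcli --formatter=csv network nic list"},
    {"event_type": "processcreatenix", "cmdline": "esxcli network firewall set --enabled false"},
    {"event_type": "processcreatenix", "cmdline": "esxcli --formatter=json storage filesystem list"},  # not network
    {"event_type": "processcreatenix",
     "cmdline": "/bin/esxcli network firewall ruleset set --ruleset-id sshServer --enabled true"},
    {"event_type": "processcreatenix", "cmdline": "vim-cmd vmsvc/getallvms"},                           # not esxcli
]


def _take_option(tokens, i):
    """Consume one '--key=value', '--key value' or bare '--flag' starting at tokens[i].
    Returns (key, value, next_index)."""
    key = tokens[i].lstrip("-")
    if "=" in key:
        k, v = key.split("=", 1)
        return k, v, i + 1
    if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
        return key, tokens[i + 1], i + 2
    return key, True, i + 1


def parse_esxcli(cmdline: str):
    """Parse 'esxcli [global options] namespace [namespace ...] command [options]'.
    Returns None when the command line is not an esxcli invocation."""
    tokens = shlex.split(cmdline)
    if not tokens or os.path.basename(tokens[0]) != "esxcli":
        return None
    i, global_opts = 1, {}
    while i < len(tokens) and tokens[i].startswith("-"):       # options before the namespace
        k, v, i = _take_option(tokens, i)
        global_opts[k] = v
    path = []
    while i < len(tokens) and not tokens[i].startswith("-"):   # namespace ... command
        path.append(tokens[i])
        i += 1
    options = {}
    while i < len(tokens):                                     # command options
        if tokens[i].startswith("-"):
            k, v, i = _take_option(tokens, i)
            options[k] = v
        else:
            i += 1
    if not path:
        return None
    return {"global_opts": global_opts, "namespace": path[:-1],
            "command": path[-1], "options": options}


def classify(parsed):
    """Verdict for esxcli 'network' commands; None for anything else."""
    if not parsed or not parsed["namespace"] or parsed["namespace"][0] != "network":
        return None
    ns, cmd, opts = parsed["namespace"], parsed["command"], parsed["options"]
    if ns[:2] == ["network", "firewall"] and cmd == "set":
        if ns == ["network", "firewall"] and str(opts.get("enabled", "")).lower() == "false":
            return "firewall_disabled"
        return "firewall_changed"
    if cmd in ("list", "get"):
        return "network_recon"
    return "network_changed"


def hunt(events):
    """Apply the post's hunt (esxcli + network) and label each hit."""
    findings = []
    for ev in events:
        if ev.get("event_type") != "processcreatenix":
            continue
        parsed = parse_esxcli(ev.get("cmdline", ""))
        verdict = classify(parsed)
        if verdict is None:
            continue
        findings.append({"cmdline": ev["cmdline"], "verdict": verdict,
                         # a machine-readable formatter hints at scripted, not interactive, use
                         "scripted": "formatter" in parsed["global_opts"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['verdict']:18} scripted={f['scripted']!s:5} {f['cmdline']}")
```

On the sample events the storage command and the vim-cmd invocation are dropped, the nic list command is labelled network_recon (and scripted, because of --formatter=csv), the MrAgent firewall command firewall_disabled, and the ruleset change firewall_changed.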

354. Adversaries Modify Registry to Make the Console Window Appear Off-Screen

Hello everyone! We often see how adversaries hide console windows. But they can also just make them appear off-screen! Let's look at an example.

This time we'll look at Cloud Atlas (or Cloud Werewolf, as we track it). The adversary modified the following registry values to push console windows off-screen:

    "HKCU\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe"::"WindowPosition"::5122
    "HKCU\UConsole\taskeng.exe"::"WindowPosition"::538126692

WindowPosition is a REG_DWORD holding the window origin: the X coordinate in the low 16 bits and the Y coordinate in the high 16 bits. So 5122 (0x1402) places the PowerShell window at X=5122, Y=0, and 538126692 (0x20132964) places the taskeng.exe window at X=10596, Y=8211, both far outside any ordinary desktop. Quite interesting, right?

And we can look for suspicious registry modification events:

    event_type: "registryvaluesetwin" AND reg_key_path: "windowposition"

Keep in mind that WindowPosition is the value name, not part of the key path; if your telemetry records the value name in a separate field, match that field instead. Users do move console windows, so decode the data and alert on coordinates beyond the desktop rather than on every write.

See you tomorrow!
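Posts 360 and 354 both hunt in HKCU\Console, one for a plugin store hidden in a nested, hash-named subkey, the other for WindowPosition values that push a window off-screen. The Python script below is an added example, not code from either post or from the reports they cite, that covers both over constructed registry events: it decodes WindowPosition into signed X/Y coordinates and checks them against an assumed single 1920x1080 display, and it flags subkeys under HKCU\Console that are nested more than one level deep or named like a hash instead of an executable path or window title. The field names reg_value_name and reg_value_data are assumptions about the telemetry schema; only event_type and reg_key_path appear in the posts.

```python
import struct

# Constructed sample registry events (not real telemetry). Field names other
# than event_type and reg_key_path (reg_value_name, reg_value_data) are
# assumptions about the schema. The two WindowPosition values and the plugin
# key path are the indicators quoted in posts 354 and 360.
SAMPLE_EVENTS = [
    {"event_type": "registryvaluesetwin",
     "reg_key_path": r"HKCU\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe",
     "reg_value_name": "WindowPosition", "reg_value_data": 5122},
    {"event_type": "registryvaluesetwin",
     "reg_key_path": r"HKCU\Console\taskeng.exe",
     "reg_value_name": "WindowPosition", "reg_value_data": 538126692},
    {"event_type": "registryvaluesetwin",                      # benign: user dragged cmd.exe to (200, 120)
     "reg_key_path": r"HKEY_CURRENT_USER\Console\%SystemRoot%_System32_cmd.exe",
     "reg_value_name": "WindowPosition", "reg_value_data": 7864520},
    {"event_type": "registryvaluesetwin",                      # plugin blob in a nested, hash-named subkey
     "reg_key_path": r"HKCU\Console\0\d33f351a4aeea5e608853d1a56661059",
     "reg_value_name": "0", "reg_value_data": b"MZ\x90\x00"},
    {"event_type": "registryvaluesetwin",                      # benign: default console font
     "reg_key_path": r"HKCU\Console",
     "reg_value_name": "FontSize", "reg_value_data": 1048576},
]

# Assumed single-display desktop; widen for multi-monitor layouts.
SCREEN_W, SCREEN_H = 1920, 1080


def decode_window_position(dword: int):
    """WindowPosition is a REG_DWORD: X in the low 16 bits, Y in the high 16 bits,
    both signed (a window may legitimately sit partly off the left/top edge)."""
    x, y = struct.unpack("<hh", struct.pack("<I", dword & 0xFFFFFFFF))
    return x, y


def is_offscreen(x: int, y: int, width: int = SCREEN_W, height: int = SCREEN_H) -> bool:
    """True when the window origin lies entirely outside the desktop."""
    return x >= width or y >= height or x <= -width or y <= -height


def console_subkey_anomalies(key_path: str):
    """Reasons a key under HKCU\\Console looks unlike a conhost-written settings key."""
    parts = key_path.replace("/", "\\").split("\\")
    if len(parts) < 2 or parts[0].upper() not in ("HKCU", "HKEY_CURRENT_USER") \
            or parts[1].lower() != "console":
        return []
    rel = parts[2:]                                   # path relative to HKCU\Console
    reasons = []
    if len(rel) > 1:
        reasons.append("nested subkey under HKCU\\Console (console settings live one level down)")
    if rel and len(rel[-1]) == 32 and all(c in "0123456789abcdefABCDEF" for c in rel[-1]):
        reasons.append("hash-like subkey name instead of an executable path or window title")
    return reasons


def hunt(events):
    """Flag off-screen WindowPosition writes and odd subkeys under HKCU\\Console."""
    findings = []
    for ev in events:
        if ev.get("event_type") != "registryvaluesetwin":
            continue
        key = ev.get("reg_key_path", "")
        reasons = console_subkey_anomalies(key)
        if ev.get("reg_value_name", "").lower() == "windowposition" \
                and isinstance(ev.get("reg_value_data"), int):
            x, y = decode_window_position(ev["reg_value_data"])
            if is_offscreen(x, y):
                reasons.append(f"WindowPosition decodes to ({x}, {y}), outside the desktop")
        if reasons:
            findings.append({"reg_key_path": key, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["reg_key_path"])
        for r in f["reasons"]:
            print("   -", r)
```

Three of the five sample events are flagged: the two Cloud Atlas WindowPosition writes decode to (5122, 0) and (10596, 8211), and the Valley RAT key is both nested and hash-named. The cmd.exe window at (200, 120) and the FontSize write at the Console root pass silently, which is the point of decoding the value instead of alerting on every write.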