
119. RustDesk: An RMM You May Not Have Heard About

Hello everyone! I'm sure you are well-informed about the various RMMs abused by adversaries. But have you heard about this one: RustDesk? For example, it was used ITW by Akira ransomware affiliates. The tool is available for various platforms; here's a Windows version. Let's look at some detection opportunities, starting from the binary itself:

event_type: "processcreatewin" AND proc_file_productname: "rustdesk"

You may also hunt for file or folder creation events related to RustDesk:

event_type: "filecreate" AND file_path: "rustdesk"

Make sure you check the non-Windows binaries as well! See you tomorrow!

118. YDArk: Another Tool in a Ransomware Affiliate's Arsenal

Hello everyone! It's time to talk about defense evasion tools observed in ransomware attacks again! This time we'll look at Qilin's toolkit. The tool we are going to look at is YDArk. It's a powerful kernel manipulation tool that appeared on Chinese underground forums back in 2020. Of course, the adversary uses it to kill AV/EDR-related processes. As always, we can use the original file name for detection:

event_type: "processcreatewin" AND proc_file_originalfilename: "YDArk.exe"

Also, you can focus on the driver it uses:

event_type: "driverloadwin" AND file_name: "YDArkDrv.sys"

It also creates a service, so you can use that as a detection opportunity as well! See you tomorrow!

117. Hunting for Malicious IP Lookups

Hello everyone! I'm sure you know that various malware families perform IP lookups to identify the compromised system's location. Usually the adversaries use legitimate services to solve this problem. What does this mean from a threat hunting perspective? We can use it to build our hunting queries! I've collected some of the commonly abused services for you, here you go:

event_type: "dnsreq" AND dns_rname: ("wtfismyip.com" OR "ipify.org" OR "icanhazip.com" OR "ip-api.com" OR "checkip.dyndns.org" OR "reallyfreegeoip.org")

You WILL get some false positives, but we are talking about hunting, right? See you tomorrow!

116. That's How Earth Kurma Abuses PowerShell for Data Collection

Hello everyone! As you know, in most cases espionage-related activity clusters need to collect sensitive data before exfiltration. Of course, they can abuse PowerShell to solve this task! For example, Earth Kurma used the following PowerShell command to collect files of interest:

C:\Windows\system32\cmd.exe /C powershell.exe "dir c:\users -File -Recurse -Include '*.pdf', '*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt', '*.pptx' | where LastWriteTime -gt (Get-date).AddDays(-30) | foreach {cmd /c copy $_ /y c:\users\{username}\documents\tmp};echo Finish!"

I think you've spotted the many file extensions. We can use this to build our hunting query:

event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: ("pdf" AND "doc" AND "xls" AND "ppt")

If you want to share more interesting PowerShell abuse examples, you are always welcome! See you tomor...

115. Here's How Threat Actors Abuse PowerShell for Reconnaissance and Credentials Access

Hello everyone! It's time to add a few new items to your (and my) PowerShell procedure collection! I spotted a few in a recent report on SocGholish activity by eSentire. Let's start with reconnaissance. The adversary leveraged the following PowerShell command to enumerate Active Directory:

powershell -c "$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]\'\'); $searcher.Filter = \'(&(objectCategory=computer)(operatingSystem=*server*))\'; $searcher.PageSize = 1000; $searcher.PropertiesToLoad.Add(\'dnshostname\') > $null; $searcher.FindAll() | ForEach-Object { $_.Properties[\'dnshostname\'][0] }

We can hunt for similar activity, for example, using the following query:

event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: "DirectorySearcher"

The threat actors also used PowerShell to collect browser-related login data:

"cmd.exe" /C powershell -c ...

114. Adversaries Abuse Magnet RAM Capture to Extract Credentials

Hello everyone! Forensic tools help us during incident response engagements, but such tools may also help adversaries to solve various tasks! For example, ToyMaker abused Magnet RAM Capture to obtain a memory dump of the compromised host, and used it to extract credentials:

MRCv120.exe /accepteula /silent /go

We can use both the metadata and the command line parameters for detection:

event_type: "processcreatewin" AND proc_file_productname: "Magnet RAM Capture" AND cmdline: ("accepteula" AND "silent" AND "go")

See you tomorrow!

113. Adversaries Abuse Trend Micro and Bitdefender to Load Malicious DLLs

Hello everyone! The threat actors keep abusing legitimate binaries for DLL Side Loading. This time the adversaries abused Trend Micro and Bitdefender. According to a Symantec report, the Billbug espionage group used a Trend Micro binary named tmdbglog.exe to sideload a malicious DLL named tmdglog.dll, and a Bitdefender binary named bds.exe to sideload a malicious DLL named log.dll. We can hunt for suspicious executions of these binaries by their original file names, focusing on suspicious file names and locations:

event_type: "processcreatewin" AND proc_file_originalfilename: ("PtWatchDog.exe" OR "BDSubWiz.exe")

See you tomorrow!
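The hunting queries in all of these posts (119 through 113) share one small syntax: field: "value", AND/OR, and parenthesised groups of values. The following Python is an added example, not code from the original posts or from any SIEM, that parses that syntax and evaluates a query against an event dictionary; it assumes a quoted value matches as a case-insensitive substring of the field and that a single group never mixes AND with OR, since the posts do not state the exact semantics of their query engine.

```python
import re
from collections import deque

# Assumption: case-insensitive substring match per field; one operator per group (as on the page).
_TOKEN = re.compile(r'\s*(?:"([^"]*)"|([()])|(AND|OR)\b|(\w+)\s*:)')

def tokenize(query):
    """Split a query into FIELD / STR / OP / PAREN tokens (values lower-cased and stripped)."""
    tokens, pos, query = deque(), 0, query.strip()
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"bad token near {query[pos:pos + 15]!r}")
        pos, (text, paren, op, field) = m.end(), m.groups()
        if text is not None:
            tokens.append(("STR", text.strip().lower()))  # tolerates a stray space such as "YDArkDrv.sys "
        else:
            tokens.append(("PAREN", paren) if paren else ("OP", op) if op else ("FIELD", field))
    return tokens

def parse_seq(toks, field=None):
    """atom (AND atom)* or atom (OR atom)*; the field in scope is inherited by every atom."""
    nodes, ops = [parse_atom(toks, field)], set()
    while toks and toks[0][0] == "OP":
        ops.add(toks.popleft()[1]); nodes.append(parse_atom(toks, field))
    if len(ops) > 1: raise ValueError("mixed AND/OR in one group; add parentheses")
    return ("seq", ops.pop() if ops else "AND", nodes)

def parse_atom(toks, field):
    kind, val = toks.popleft()
    if kind == "FIELD": return parse_atom(toks, val)  # field name applies to the next value or group
    if kind == "STR" and field: return ("match", field, val)
    if (kind, val) == ("PAREN", "("):
        node = parse_seq(toks, field)
        if toks.popleft() != ("PAREN", ")"): raise ValueError("unbalanced parentheses")
        return node
    raise ValueError(f"unexpected token {kind} {val!r}")

def evaluate(node, event):
    if node[0] == "match":
        return node[2] in str(event.get(node[1], "")).lower()
    return (all if node[1] == "AND" else any)(evaluate(n, event) for n in node[2])

def matches(query, event):
    toks = tokenize(query)
    tree = parse_seq(toks)
    if toks: raise ValueError(f"trailing tokens: {list(toks)}")
    return evaluate(tree, event)

# Constructed sample event in the posts' field vocabulary, modelled on post 116 (not real telemetry).
SAMPLE_EVENT = {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
                "cmdline": "dir c:\\users -File -Recurse -Include '*.pdf','*.doc','*.xls','*.ppt'"}
QUERY_116 = ('event_type: "processcreatewin" AND proc_file_name: "powershell.exe" '
             'AND cmdline: ("pdf" AND "doc" AND "xls" AND "ppt")')
```

Running the page's other queries through matches() with your own event dictionaries works the same way; a group that mixes AND and OR without parentheses raises ValueError rather than guessing precedence.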