Posts

388. Ransomware Gang Abuses FTK Imager for Defense Evasion

Hello everyone! Today we’ll talk about another forensic tool that attackers abused in the context of the Impair Defenses technique: Disable or Modify Tools (T1562.001). Once again, the topic is ransomware. This time we’re looking at the STAC4713 cluster, which distributes the PayoutsKing ransomware. To add exclusions to Windows Defender, the attackers used FTK Imager, a forensic tool designed for creating disk images. The key point is that its installer can add a chosen path to the Defender exclusions, and that is exactly what the attackers abused: a legitimate installer ends up running the exclusion logic for them. Note that the list of exclusions is read from ExterroExclusions.txt with Get-Content, so whoever controls that file controls what gets excluded. The following command is executed:

powershell -command $ExclusionType;$ExclusionFile = '"ExterroExclusions.txt"';if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile; foreach ($Item in $Exclusions ) { $ItemTrimmed = $Item.trim(); if($Item.length -gt 0){ if($ItemTrimmed.StartsWith('-')) { $ExclusionType = $ItemTrimmed; Write-Host $ExclusionType; } elseif ( !($ItemTrimmed.St...

387. Adversaries Found a Creative Way to Abuse MSBuild

Hello everyone! Today we’ll take a look at a creative implementation of a very popular technique: Spearphishing Link (T1566.002). According to this research, in February 2026 the TA416 cluster was distributing phishing emails containing links that led to Google Drive or compromised SharePoint instances. These links hosted archives containing a renamed MSBuild executable (for example, Invitation_Letter_No.02_2026) along with a CSPROJ project file. The project file is what actually got executed: when MSBuild is launched without a project argument, it builds the project file it finds in its current directory, so simply launching the renamed binary was enough. A successful execution resulted in the download of three files, which were later used for DLL sideloading. Despite the attackers’ creative approach, detecting this kind of MSBuild abuse is fairly straightforward, because the OriginalFilename stored in the PE version resource survives a rename while the on-disk name no longer matches it. For example:

event_type: "processcreatewin" AND proc_file_originalfilename: "msbuild.exe" AND NOT proc_file_path: "msbuild.exe"

See you s...

386. Ransomware Affiliates Abuse Bandizip for Data Collection

Hello everyone! Today we’re going to talk about collecting data from compromised systems, and we’ll look at an example of the technique Archive Collected Data: Archive via Utility (T1560.001). The example comes from a Microsoft Threat Intelligence report on the activity of the Storm-1175 cluster, which is associated with the distribution of the Medusa ransomware. Although the attackers used zero-day vulnerabilities to gain initial access, most of their tactics, techniques, and procedures were fairly trivial. Nevertheless, one of the tools caught my attention. To collect data for later publication on their data leak site (DLS), the attackers used Bandizip, a legitimate file archiving tool. Bandizip is rarely seen in most corporate environments, which makes it a good candidate for proactive hunting, for example:

event_type: "processcreatewin" AND proc_file_productname: "bandizip"

See you soon!

385. Threat Actors Abuse iSCSI Initiator Control Panel to Bypass UAC

Hello everyone! Today we will once again talk about the User Account Control (UAC) Bypass technique (T1548.002) and look at an interesting way to implement it. To help us with this, we’ll refer to the report on the "TrueChaos" operation. At one stage of the attack lifecycle, the threat actors modified the current user’s PATH variable:

reg add "hkcu\environment" /v path /t REG_SZ /d "C:\users\<redacted>\appdata\local\temp" /f

After that, the attackers launched a legitimate Microsoft tool, the iSCSI Initiator Control Panel (iscsicpl.exe), which was used to bypass User Account Control through DLL hijacking. The malicious iscsiexe.dll was placed in the same directory that had been written to the registry in the previous step: the DLL is resolved through the standard search order, which falls through to the PATH directories, so pointing PATH at a user-writable folder is enough for the planted copy to be picked up. Note that the first step needs no admin rights, since HKCU\Environment is writable by the user. In this case, for example, we can hunt for suspicious values being added to the corresponding registry key:

event_type: "registryvaluesetwin" AND reg_key_path: "environment\\path" AND reg_v...

384. Adversaries Abuse Spotify and Chess.com

Hello everyone! Another day, another Dead Drop Resolver (T1102.001). And this time, the abused web services are even more interesting than usual. According to Solar’s research on MaskGram Stealer, in addition to the platforms already popular among attackers, Steam and Telegram, the threat actors also used Spotify and Chess.com. As before, it’s important to pay attention to communications with the legitimate web services that attackers leverage as part of this technique, and to identify unusual processes making them. The exclusion list carries the weight here: it should contain only the browsers and clients that are actually expected to talk to these services in your environment.

event_type: "dnsreqwin" AND dns_rname: ("spotify.com" OR "chess.com") AND NOT proc_file_path: ("your_exclusion_list")

See you soon!

383. Hunting for Warlock's Tactics, Techniques and Procedures

Hello everyone! Today we’ll go over several techniques from the Warlock ransomware attack report that caught my attention. The first technique is Windows Credential Manager (T1555.004). The attackers used the following command to access saved passwords (it opens the Stored User Names and Passwords dialog, so it implies interactive access to the host):

C:\Windows\System32\rundll32.exe keymgr.dll,KRShowKeyMgr

This kind of behavioral indicator isn’t very common, so it works well for threat hunting:

event_type: "processcreatewin" AND proc_file_path: "rundll32.exe" AND cmdline: ("keymgr.dll" AND "KRShowKeyMgr")

The next technique is PowerShell (T1059.001). This time, the attackers abused it to enable PowerShell Remoting:

C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe "Enable-PSRemoting -Force -SkipNetworkProfileCheck"

Although this behavior can be legitimate, it’s still a good target for threat hunting:

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: "Enable-PSRemo...

382. Handala Hack Abuses NetBird

Hello everyone! Today we'll look at another interesting example of the following technique: Remote Access Tools (T1219). Scrolling through the report on the Handala Hack modus operandi, I spotted an interesting tool abused by the threat actors: NetBird. The attackers leveraged it to reach hosts that were not directly accessible from outside the network. As a legitimate tool it has no detections on VirusTotal, so signature-based controls will not catch it, which makes it a good target for hunting, for example:

event_type: "processcreatewin" AND proc_file_productname: "netbird"

See you soon!
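The hunting queries in posts 382 through 388 all share one shape: pick an event type, then match a few fields case-insensitively. The block below is an added example, not code from any of the posts or from the vendors whose tools they mention. It re-implements every query quoted above as a Python predicate and runs them over constructed sample telemetry, including benign look-alikes (the real MSBuild, the real Spotify client, an installer appending to PATH) that a sloppier match would flag. Field names follow the queries on the page; reg_value_data, the DNS allowlist, the user-writable directory list and all sample events are assumptions, and the 383 PowerShell query uses the full cmdlet name Enable-PSRemoting where the page truncates it.

```python
"""Toy evaluator for the hunting queries in posts 382-388 (added example, not the posts' own code)."""
import ntpath

# Constructed sample telemetry (not real logs). One positive per hunt plus benign look-alikes.
EVENTS = [
    {"id": 1, "event_type": "processcreatewin",  # 388: FTK Imager installer handing its exclusion file to PowerShell
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -command $ExclusionType;$ExclusionFile = '\"ExterroExclusions.txt\"';"
                "if(Test-Path -path $ExclusionFile ){ $Exclusions = Get-Content $ExclusionFile }"},
    {"id": 2, "event_type": "processcreatewin",  # 387: renamed MSBuild; OriginalFilename survives the rename
     "proc_file_path": r"C:\Users\alice\Downloads\Invitation_Letter_No.02_2026.exe",
     "proc_file_originalfilename": "MSBuild.exe", "cmdline": "Invitation_Letter_No.02_2026.exe"},
    {"id": 3, "event_type": "processcreatewin",  # benign: MSBuild under its own name on a build host
     "proc_file_path": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "proc_file_originalfilename": "MSBuild.exe", "cmdline": "MSBuild.exe app.csproj"},
    {"id": 4, "event_type": "processcreatewin",  # 386: Bandizip archiving a share before exfiltration
     "proc_file_path": r"C:\Program Files\Bandizip\Bandizip.exe", "proc_file_productname": "Bandizip",
     "cmdline": r"Bandizip.exe c: C:\Users\Public\fin.zip \\fs01\finance"},
    {"id": 5, "event_type": "registryvaluesetwin",  # 385: HKCU PATH pointed at %TEMP% before iscsicpl.exe runs
     "proc_file_path": r"C:\Windows\System32\reg.exe", "reg_key_path": r"HKCU\Environment\Path",
     "reg_value_data": r"C:\users\alice\appdata\local\temp"},
    {"id": 6, "event_type": "registryvaluesetwin",  # benign: installer appending a Program Files directory
     "proc_file_path": r"C:\Windows\System32\msiexec.exe", "reg_key_path": r"HKCU\Environment\Path",
     "reg_value_data": r"C:\Program Files\Git\cmd"},
    {"id": 7, "event_type": "dnsreqwin",  # benign: the Spotify client talking to its own backend
     "proc_file_path": r"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe", "dns_rname": "api.spotify.com"},
    {"id": 8, "event_type": "dnsreqwin",  # 384: dead drop resolver from an unknown binary
     "proc_file_path": r"C:\Users\alice\AppData\Roaming\svchost32.exe", "dns_rname": "www.chess.com"},
    {"id": 9, "event_type": "processcreatewin",  # 383: Credential Manager UI via rundll32
     "proc_file_path": r"C:\Windows\System32\rundll32.exe", "cmdline": "rundll32.exe keymgr.dll,KRShowKeyMgr"},
    {"id": 10, "event_type": "processcreatewin",  # 383: PowerShell Remoting enabled
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe "Enable-PSRemoting -Force -SkipNetworkProfileCheck"'},
    {"id": 11, "event_type": "processcreatewin",  # 382: NetBird agent started
     "proc_file_path": r"C:\Program Files\Netbird\netbird.exe", "proc_file_productname": "NetBird",
     "cmdline": "netbird.exe up"},
]

# Assumed allowlist for the dead-drop hunt (the page leaves "your_exclusion_list" to the reader).
DNS_ALLOWED_PROCS = {"spotify.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed list of user-writable locations; a PATH entry here lets a planted DLL win the search order.
USER_WRITABLE = ("\\temp", "\\appdata\\", "\\users\\public", "\\programdata")


def fld(e, key):
    """Case-folded field access; a missing field compares as an empty string."""
    return str(e.get(key, "")).lower()


def exe(e):
    """Image base name, which is how the page's proc_file_path: "x.exe" is meant to match."""
    return ntpath.basename(fld(e, "proc_file_path"))


RULES = {
    "388 FTK Imager exclusion file fed to PowerShell": lambda e:
        fld(e, "event_type") == "processcreatewin" and exe(e) == "powershell.exe"
        and "exterroexclusions.txt" in fld(e, "cmdline"),
    "387 MSBuild running under another name": lambda e:
        fld(e, "event_type") == "processcreatewin"
        and fld(e, "proc_file_originalfilename") == "msbuild.exe" and exe(e) != "msbuild.exe",
    "386 Bandizip execution": lambda e:
        fld(e, "event_type") == "processcreatewin" and "bandizip" in fld(e, "proc_file_productname"),
    "385 HKCU PATH set to a user-writable directory": lambda e:
        fld(e, "event_type") == "registryvaluesetwin"
        and fld(e, "reg_key_path").endswith("environment\\path")
        and any(d in fld(e, "reg_value_data") for d in USER_WRITABLE),
    "384 Spotify/Chess.com lookup from a non-allowlisted process": lambda e:
        fld(e, "event_type") == "dnsreqwin"
        and fld(e, "dns_rname").endswith(("spotify.com", "chess.com"))
        and exe(e) not in DNS_ALLOWED_PROCS,
    "383 Credential Manager via rundll32 keymgr.dll": lambda e:
        fld(e, "event_type") == "processcreatewin" and exe(e) == "rundll32.exe"
        and "keymgr.dll" in fld(e, "cmdline") and "krshowkeymgr" in fld(e, "cmdline"),
    "383 PowerShell Remoting enabled": lambda e:
        fld(e, "event_type") == "processcreatewin" and exe(e) == "powershell.exe"
        and "enable-psremoting" in fld(e, "cmdline"),
    "382 NetBird execution": lambda e:
        fld(e, "event_type") == "processcreatewin" and "netbird" in fld(e, "proc_file_productname"),
}


def hunt(events=EVENTS):
    """Return {rule name: [ids of matching events]}; rules with no hits are left out."""
    hits = {}
    for name, pred in RULES.items():
        matched = [e["id"] for e in events if pred(e)]
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    for name, ids in hunt().items():
        print(f"{name}: events {ids}")
```

Each rule fires on exactly one of the eleven sample events and stays quiet on the three benign look-alikes: the 387 rule needs the version-resource name and the on-disk name to disagree, the 385 rule looks at the written value rather than just the key, and the 384 rule depends entirely on how tight the process allowlist is.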