Know Your Adversary

Hello everyone! Today we will once again talk about the User Account Control (UAC) Bypass technique (T1548.002) and look at an interesting way to implement it. To help us with this, we’ll refer to the report on the "TrueChaos" operation. At one stage of the attack lifecycle, the threat actors modified the current user’s PATH variable: reg add "hkcu\environment" /v path /t REG_SZ /d "C:\users\<redacted>\appdata\local\temp" /f After that, the attackers launched a legitimate Microsoft tool - iSCSI Initiator Control Panel ( iscsicpl.exe ), which was used to bypass User Account Control and perform DLL hijacking. The malicious iscsiexe.dll was placed by the attackers in the same location that had been written to the registry in the previous step. In this case, for example, we can hunt for suspicious values being added to the corresponding registry key: event_type: "registryvaluesetwin" AND reg_key_path: "environment\\path" AND reg_v...

Hello everyone! Another day, another Dead Drop Resolver (T1102.001). And this time, the exploited web services are even more interesting than usual. According to Solar’s research on MaskGram Stealer , in addition to the already popular platforms among attackers - Steam and Telegram - threat actors also used Spotify and Chess.com. As before, it’s important to pay attention to communications with legitimate web services that attackers leverage as part of this technique, and to identify unusual processes: event_type: "dnsreqwin" AND dns_rname: ("spotify.com" OR "chess.com") AND NOT proc_file_path: ("your_exclusion_list") See you soon!

Hello everyone! Today we’ll go over several techniques from the Warlock ransomware attack report that caught my attention. So, the first technique is Windows Credential Manager (T1555.004) . The attackers used the following command to access saved passwords: C:\Windows\System32\rundll32.exe keymgr.dll,KRShowKeyMgr This kind of behavioral indicator isn’t very common, so it works well for threat hunting: event_type: "processcreatewin" AND proc_file_path: "rundll32.exe" AND cmdline: ("keymgr.dll" AND "KRShowKeyMgr") The next technique is PowerShell (T1059.001) . This time, the attackers abused it to enable PowerShell Remoting: C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe "Enable-PSRemoting -Force -SkipNetworkProfileCheck" Although this behavior can be legitimate, it’s still a good target for threat hunting: event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: "Enable-PSRemo...

Hello everyone! Today we'll look at another interesting example of the following technique:  Remote Access Tools (T1219) . Scrolling the report on Handala Hack modus operandi, I've spotted an interesting tool abused by the threat actors. I'm talking about NetBird .  The attackers leveraged it to reach hosts that were not directly accessible from outside the network. The tool has no detections on VirusTotal, and may be a good target for hunting, for example: event_type: "processcreatewin" AND proc_file_productname: "netbird" See you soon!

Hello everyone! Today we’ll once again talk about the Windows Registry and look at an example of the Unsecured Credentials: Credentials in Registry (T1552.002) technique. While reading an investigation report on the CL-UNK-1068  attacks in South, Southeast, and East Asia, I once again noticed that attackers actively abused reg.exe . In particular, they frequently used the export parameter, for example: reg export "HKEY_USERS\[%SID%]\SOFTWARE\TightVNC\Server" reg export HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\TightVNC\Server reg export HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server In this case, the attacker exports the TightVNC configuration from the registry in order to obtain credentials. For detection, we can either use specific registry keys that contain sensitive data or proactively search for suspicious export events: event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: "export" See you soon!

Hello everyone! Sometimes, even if a victim runs a malicious file, the system may still avoid compromise. One reason for this is the use of the System Location Discovery: System Language Discovery (T1614.001) technique. The point is that in some cases attackers do not want their malware to run on systems located in certain countries. Today we’ll look at an example of how attackers restrict the download of a stealer for systems that may be located in CIS countries. So, the loader for the SHub stealer targeting macOS used the following command to obtain information about the language of the compromised system: defaults read ~/Library/Preferences/com.apple.HIToolbox.plist AppleEnabledInputSources 2>/dev/null | grep -qi russian The AppleEnabledInputSources key in the com.apple.HIToolbox.plist file contains information about keyboard layouts. Its contents are checked for the presence of the Russian language, which is typical for CIS systems. A good detection opportunity is suspicious...