047. Qilin Ransomware Gang Abuses RSAT to Enable Discovery

Hello everyone! Let's talk about one of my favorite topics - ransomware. And yes, one more time - about PowerShell abuse!


Just before ransomware deployment (but in some cases much earlier), adversaries usually need to collect information about remote systems. If you have ever responded to a modern ransomware attack, you have probably seen PowerShell commands like this one, quoted from the Picus report:

"powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"

But what if there is no ActiveDirectory module? Of course, the threat actors try to install it, and it's a great detection opportunity:

"powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"

I think it's obvious how to detect such behaviour - just focus on the module name in the process command line (RSAT-AD-PowerShell, RSAT.ActiveDirectory), that's it.
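To show what "focus on the module name" looks like in practice, here is an added example (my own code, not from the post or the Picus report): a small scanner over constructed process-creation command lines that flags both the RSAT install attempt and the Get-ADComputer enumeration. Event fields, host names and user names are assumed sample values.

```python
import re

# Constructed sample process-creation events (not real telemetry). The first two
# mirror the command lines from the post; the third is benign admin noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice",
     "cmd": '"powershell" -Command "Import-Module ActiveDirectory ; '
            'Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"'},
    {"host": "WS02", "user": "bob",
     "cmd": '"powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; '
            'Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online '
            '-Name \'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0\'"'},
    {"host": "WS03", "user": "carol",
     "cmd": '"powershell" -Command "Get-Process | Sort-Object CPU -Descending"'},
]

# Any of the three install paths from the post, followed (within the same
# statement) by the AD module/capability name. Case-insensitive: attackers
# and admins alike vary the casing of cmdlets.
RSAT_INSTALL = re.compile(
    r"(Install-WindowsFeature|ServerManagerCmd(\.exe)?\s+-i|Add-WindowsCapability)"
    r"[^;|]*(RSAT-AD-PowerShell|RSAT\.ActiveDirectory)",
    re.IGNORECASE,
)

# Bulk computer enumeration: Get-ADComputer with a wildcard filter.
AD_ENUM = re.compile(r"Get-ADComputer\s+-Filter\s+\*", re.IGNORECASE)


def classify(cmd):
    """Return the list of detection tags matching one command line."""
    hits = []
    if RSAT_INSTALL.search(cmd):
        hits.append("rsat_ad_install")
    if AD_ENUM.search(cmd):
        hits.append("ad_computer_enum")
    return hits


def scan(events):
    """Return only the events that triggered at least one tag, with host/user context."""
    results = []
    for event in events:
        hits = classify(event["cmd"])
        if hits:
            results.append({"host": event["host"], "user": event["user"], "hits": hits})
    return results


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Both tags are legitimate on a domain admin's jump host, so the triage value comes from where they fire: an RSAT install followed by wildcard computer enumeration on an ordinary workstation or a server that never needed the module is the pattern worth paging on.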

See you tomorrow!
