047. Qilin Ransomware Gang Abuses RSAT to Enable Discovery
Hello everyone! Let's talk about one of my favorite topics - ransomware. And yes, one more time - about PowerShell abuse!
Just before ransomware deployment (but in some cases much earlier), adversaries usually need to enumerate the hosts in the domain so they know where to push the payload. If you have ever responded to a modern ransomware attack, you have probably seen a PowerShell command like this one, quoted in the Picus report:
"powershell" -Command "Import-Module ActiveDirectory ; Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"
But what if there is no ActiveDirectory module? It is an optional RSAT component, so it is missing from most workstations by default. Of course, the threat actors simply try to install it, and that gives us a great detection opportunity:
"powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; Install-WindowsFeature RSAT-AD-PowerShell ; Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'"
Detecting this is straightforward: the feature and capability names (RSAT-AD-PowerShell and RSAT.ActiveDirectory.DS-LDS.Tools) are fixed strings, so match them in process command lines (Security Event ID 4688 or Sysmon Event ID 1) no matter which of the three installers is used. ServerManagerCmd.exe has been deprecated for years and is not present on current Windows Server releases, so an attempt to run it is suspicious on its own. The one caveat is that admins do install RSAT legitimately on jump hosts and admin workstations, so baseline those and treat an install followed by Import-Module ActiveDirectory or Get-ADComputer on the same host as the real signal.
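Here is the detection logic run over a handful of sample process-creation records. This is an added example written for this post, not code from the post or from Picus; the event records are constructed (the two command lines from the post plus a benign script and an admin-originated install), and the EXPECTED_RSAT_HOSTS allowlist is a hypothetical tuning knob you would populate from your own environment.

```python
import re
from dataclasses import dataclass

# Constructed sample events: the CommandLine field of Sysmon Event ID 1 or
# Security Event ID 4688. The first two command lines are the ones quoted in
# the post; the last two are made up here as benign noise and as an install
# from an admin jump host, to show how tuning works.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": ('"powershell" -Command "Import-Module ActiveDirectory ; '
                 'Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName"')},
    {"host": "WS01", "user": "CORP\\jdoe",
     "cmdline": ('"powershell" -Command "ServerManagerCmd.exe -i RSAT-AD-PowerShell ; '
                 'Install-WindowsFeature RSAT-AD-PowerShell ; '
                 "Add-WindowsCapability -Online -Name 'RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'\"")},
    {"host": "SRV02", "user": "CORP\\svc_backup",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"host": "ADMIN-JUMP01", "user": "CORP\\it-admin",
     "cmdline": "powershell.exe Add-WindowsCapability -Online -Name RSAT.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"},
]

# One pattern per installer abused in the post. The feature/capability names are
# fixed strings, so they anchor the match; [^;|]* keeps each match inside a
# single command in a chained one-liner.
RSAT_INSTALL_PATTERNS = {
    "ServerManagerCmd": re.compile(r"servermanagercmd(?:\.exe)?\s+-i\s+rsat-ad-powershell", re.I),
    "Install-WindowsFeature": re.compile(r"install-windowsfeature\b[^;|]*rsat-ad-powershell", re.I),
    "Add-WindowsCapability": re.compile(r"add-windowscapability\b[^;|]*rsat\.activedirectory\.ds-lds\.tools", re.I),
}

# The discovery step itself: loading the module or calling its enumeration cmdlets.
AD_DISCOVERY_PATTERN = re.compile(
    r"import-module\s+activedirectory\b|\bget-ad(?:computer|user|group|domaincontroller)\b", re.I)

# Hypothetical allowlist (assumption): hosts where an RSAT install is expected.
EXPECTED_RSAT_HOSTS = {"ADMIN-JUMP01"}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str
    severity: str
    cmdline: str


def classify(event):
    """Return all findings for one event; a chained one-liner can hit several patterns."""
    findings = []
    cmd = event["cmdline"]
    for installer, pattern in RSAT_INSTALL_PATTERNS.items():
        if pattern.search(cmd):
            severity = "low" if event["host"] in EXPECTED_RSAT_HOSTS else "high"
            findings.append(Finding(event["host"], event["user"], f"rsat-install:{installer}", severity, cmd))
    if AD_DISCOVERY_PATTERN.search(cmd):
        findings.append(Finding(event["host"], event["user"], "ad-discovery", "medium", cmd))
    return findings


def hunt(events):
    """Run classify() over a batch of events and flatten the results."""
    return [f for e in events for f in classify(e)]


def hosts_with_install_and_discovery(events):
    """Hosts where both an RSAT install and AD discovery were seen: the chain from the post."""
    by_host = {}
    for f in hunt(events):
        tag = "install" if f.technique.startswith("rsat-install") else f.technique
        by_host.setdefault(f.host, set()).add(tag)
    return sorted(h for h, tags in by_host.items() if {"install", "ad-discovery"} <= tags)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity:>6}] {f.host:<13} {f.user:<16} {f.technique}")
    print("install + discovery on:", hosts_with_install_and_discovery(SAMPLE_EVENTS))
```

The allowlist only lowers the severity instead of suppressing the event, so an attacker who lands on a jump host still leaves a trace; the correlation in hosts_with_install_and_discovery is what separates a one-off admin install from the install-then-enumerate chain that precedes deployment.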
See you tomorrow!