048. Detecting Kimsuky Dropbox Abuse
Hello everyone! Securonix presented a fresh report on recent Kimsuky activity (as you remember, we track this cluster as Monolithic Werewolf). The adversary keeps distributing malicious LNK files and abusing PowerShell, and this time leverages Dropbox.
Despite the fact that the attack chain is very sophisticated and has multiple stages, there's a quick win from a detection perspective.
So, the thing I want to note is the abuse of PowerShell to download the next stage from Dropbox. This activity includes querying the following domain name: "dl.dropboxusercontent.com". Of course, we can use this knowledge for detection:
event_type: "dnsreq"
AND
proc_cmdline:/.*powershell.*/
AND
dns_rname: "dl.dropboxusercontent.com"
And yes, this simple detection logic allows us to catch an advanced threat actor! That's it!
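To show the three AND-ed conditions of the query above actually running, here is an added example (my code, not from the post or the Securonix report) that applies the same logic to a handful of constructed JSON events. The field names `event_type`, `proc_cmdline` and `dns_rname` are taken from the query; the sample events themselves are made up. Two things go slightly beyond the query as written and are labelled as my own choices: the process match is case-insensitive and also covers the PowerShell Core binary name (`pwsh`), and the domain is normalized (lower-cased, trailing root dot removed) before the exact comparison, because sensors differ in how they log it.

```python
import json
import re

# Constructed sample events (not taken from the report or the post): one
# JSON object per line, using the three field names from the query above.
SAMPLE_EVENTS = [
    # PowerShell resolving the Dropbox content host: should alert
    json.dumps({"event_type": "dnsreq",
                "proc_cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\stage.ps1",
                "dns_rname": "dl.dropboxusercontent.com"}),
    # Same thing with mixed case and a trailing root dot, as some sensors log it
    json.dumps({"event_type": "dnsreq",
                "proc_cmdline": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShell.exe -ep bypass -w hidden",
                "dns_rname": "DL.DROPBOXUSERCONTENT.COM."}),
    # PowerShell Core (pwsh.exe): caught only because the process match is widened
    json.dumps({"event_type": "dnsreq",
                "proc_cmdline": "pwsh.exe -c Invoke-RestMethod",
                "dns_rname": "dl.dropboxusercontent.com"}),
    # A browser fetching a shared file: benign, must not alert
    json.dumps({"event_type": "dnsreq",
                "proc_cmdline": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                "dns_rname": "dl.dropboxusercontent.com"}),
    # PowerShell resolving a different Dropbox host: outside the rule's scope
    json.dumps({"event_type": "dnsreq",
                "proc_cmdline": "powershell.exe -Command Get-Date",
                "dns_rname": "www.dropbox.com"}),
    # Right process and domain, but not a DNS request event
    json.dumps({"event_type": "procstart",
                "proc_cmdline": "powershell.exe",
                "dns_rname": "dl.dropboxusercontent.com"}),
    # Truncated line, as happens with forwarded logs: skipped, not crashed on
    '{"event_type": "dnsreq", "proc_cmdline": "powershell.exe"',
]

# Case-insensitive equivalent of the query's /.*powershell.*/, widened to the
# PowerShell Core binary name (pwsh). The widening is my addition.
POWERSHELL_RE = re.compile(r"powershell|pwsh", re.IGNORECASE)
TARGET_DOMAIN = "dl.dropboxusercontent.com"


def normalize_domain(name: str) -> str:
    """DNS names are case-insensitive and sensors may append the root dot."""
    return name.strip().rstrip(".").lower()


def matches_rule(event: dict) -> bool:
    """The query's three AND-ed conditions applied to one parsed event."""
    if event.get("event_type") != "dnsreq":
        return False
    if not POWERSHELL_RE.search(event.get("proc_cmdline", "")):
        return False
    return normalize_domain(event.get("dns_rname", "")) == TARGET_DOMAIN


def scan(lines):
    """Return the events that match the rule; malformed lines are skipped."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and matches_rule(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit["proc_cmdline"], "->", hit["dns_rname"])
```

Run against the sample set, `scan` flags the three PowerShell events and leaves the browser lookup, the other Dropbox host and the non-DNS event alone. The browser case is the one to keep in mind when tuning: the domain alone is not suspicious, it is the combination with a PowerShell parent that makes it worth an alert.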
See you tomorrow!