055. Detecting Sticky Werewolf's Forced Authentication Abuse
Hello everyone! Today we'll talk about another interesting technique - Forced Authentication (T1187). It also doesn't have many procedure examples in MITRE ATT&CK.
One of the activity clusters we track, Sticky Werewolf, abuses this technique quite often. The adversary distributes phishing emails with malicious documents that reference a remote resource (such as an external template) over a UNC path; the Office application loads it automatically as soon as the document is opened. The victim's host then tries to authenticate to the attacker-controlled server, typically over SMB with NTLM, and the threat actors walk away with authentication material without the user clicking anything!
Many of these documents have a very low detection rate, for example, this one. So, how can we detect or hunt for such malicious activity? Because the Office process itself fetches the remote resource, we can search for outbound network connections with destination port 445 (you may also add the NetBIOS ports 137 and 139) originating from winword.exe or excel.exe (add powerpnt.exe if you want to cover PowerPoint too):
event_type: "networkconnection"
AND
net_conn_direction: "outbound"
AND
net_dst_port: "445"
AND
proc_file_path: ("winword.exe" OR "excel.exe")
Of course, you may face a few false positives, mostly Office opening documents or templates from legitimate internal file shares, so either exclude your known file servers or restrict the rule to destinations outside your internal address ranges: an Office process talking SMB straight to an external host is rare and always worth a look. One caveat: if outbound 445 is blocked at the perimeter, Windows can retry the same UNC path over WebDAV, which this rule will not see, so pair it with a check for unexpected WebDAV activity from the same processes.
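To make the hunt reproducible outside a SIEM, here is an added example (my own code, not part of the original post or of any vendor's product) that applies the same logic as the query above to a few constructed JSON network-connection events using the post's field names. It also implements the false-positive filter discussed above as an optional external-destination check; the sample events, the RFC 1918 ranges used as "internal", and the powerpnt.exe addition are my assumptions.

```python
import ipaddress
import json
from pathlib import PureWindowsPath

# Office binaries that fetch remote resources (e.g. external templates) on open.
# powerpnt.exe is added here on top of the post's winword.exe/excel.exe.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Ports over which Windows will send NTLM authentication to a UNC target.
SMB_PORTS = {445, 137, 139}

# Assumed "internal" ranges (RFC 1918); adjust to your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry (not real data), using the field names from the post's query.
_RAW_EVENTS = [
    {"event_type": "networkconnection", "net_conn_direction": "outbound", "net_dst_ip": "203.0.113.10",
     "net_dst_port": 445, "proc_file_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"event_type": "networkconnection", "net_conn_direction": "outbound", "net_dst_ip": "10.0.0.5",
     "net_dst_port": 445, "proc_file_path": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"event_type": "networkconnection", "net_conn_direction": "outbound", "net_dst_ip": "203.0.113.10",
     "net_dst_port": 443, "proc_file_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"event_type": "networkconnection", "net_conn_direction": "inbound", "net_dst_ip": "10.0.0.9",
     "net_dst_port": 445, "proc_file_path": r"C:\Windows\System32\svchost.exe"},
    {"event_type": "networkconnection", "net_conn_direction": "outbound", "net_dst_ip": "198.51.100.7",
     "net_dst_port": 139, "proc_file_path": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},
    {"event_type": "processcreate",
     "proc_file_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]
SAMPLE_LOG_LINES = [json.dumps(e) for e in _RAW_EVENTS]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # missing or unparsable address: keep the event rather than drop it silently
    return any(addr in net for net in INTERNAL_NETS)


def matches_forced_auth(event: dict, external_only: bool = False) -> bool:
    """Port of the post's query: outbound SMB/NetBIOS connection from an Office process.

    With external_only=True, connections to internal file servers are dropped to
    reduce the false positives mentioned in the post.
    """
    if event.get("event_type") != "networkconnection":
        return False
    if event.get("net_conn_direction") != "outbound":
        return False
    try:
        port = int(event.get("net_dst_port"))
    except (TypeError, ValueError):
        return False
    if port not in SMB_PORTS:
        return False
    # Compare on the image name only, case-insensitively, so the full install path does not matter.
    image = PureWindowsPath(str(event.get("proc_file_path", ""))).name.lower()
    if image not in OFFICE_PROCESSES:
        return False
    if external_only and is_internal(str(event.get("net_dst_ip", ""))):
        return False
    return True


def hunt(log_lines, external_only: bool = False):
    """Run the detection over JSON lines; returns (image, destination, port) for each hit."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry
        if matches_forced_auth(event, external_only):
            image = PureWindowsPath(event["proc_file_path"]).name.lower()
            hits.append((image, event.get("net_dst_ip", ""), int(event["net_dst_port"])))
    return hits


if __name__ == "__main__":
    print("all outbound SMB from Office:", hunt(SAMPLE_LOG_LINES))
    print("external destinations only:", hunt(SAMPLE_LOG_LINES, external_only=True))
```

Run as-is, the first call returns three hits (the internal Excel connection included); the second keeps only the two Office connections to external hosts, which is the subset you would triage first.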
See you tomorrow!