055. Detecting Sticky Werewolf's Forced Authentication Abuse

Hello everyone! Today we'll talk about another interesting technique: Forced Authentication (T1187). Like several techniques covered earlier in this series, it doesn't have many procedure examples in MITRE ATT&CK.


One of the activity clusters we track, Sticky Werewolf, abuses this technique quite often. The adversary distributes phishing emails with malicious documents that reference an external resource (a template or image) which the Office application loads automatically when the document is opened. That resource points to an attacker-controlled SMB server, so Windows transparently tries to authenticate to it, and the threat actors capture the victim's NTLM authentication material, which can later be cracked offline or relayed.

Many such documents have a very low detection rate, for example, this one. So, how can we detect or hunt for this activity? The document itself may evade antivirus, but the network side effect is hard to hide: an Office process opening an outbound SMB connection. We can search for outbound network connections with destination port 445 (you may also add 137 and 139) originating from winword.exe or excel.exe (you can add PowerPoint, whose image name is powerpnt.exe):

event_type: "networkconnection"
AND
net_conn_direction: "outbound"
AND
net_dst_port: "445"
AND
proc_file_path: ("winword.exe" OR "excel.exe")

Of course, you may face a few false positives: documents that legitimately embed templates or images from internal file shares produce the same outbound SMB connections from Office. This is not a very common case, and excluding destinations in your internal address ranges (or alerting only on connections that leave the perimeter) removes most of it. An Office process talking to port 445 on an Internet host is almost always worth a closer look.
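The same hunt expressed as runnable code, as an added example that is not part of the original post. It re-implements the query above over constructed sample events (not real Sticky Werewolf telemetry) and adds the internal-address filter described above. Field names follow the query on the page; net_dst_ip is an assumed extra field that the filter needs, and powerpnt.exe is included as the PowerPoint image name.

```python
"""Hunt for Forced Authentication (T1187) in network-connection telemetry.

Added example, not from the original post. Field names (event_type,
net_conn_direction, net_dst_port, proc_file_path) follow the post's query;
net_dst_ip is an assumed extra field used for the false-positive filter.
"""
import ipaddress
from typing import Iterable, List

# Office processes that fetch remote template/image resources when a document opens.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# SMB / NetBIOS ports an attacker-controlled UNC path is reached on.
SMB_PORTS = {445, 139, 137}
# Address space where a legitimate corporate file share would live. Checked
# explicitly rather than via ip_address().is_private, which also flags the
# documentation ranges used in the sample data below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_office_process(path: str) -> bool:
    """Match on the image name only, so a full path like C:\\...\\WINWORD.EXE hits too."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in OFFICE_PROCESSES


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local destinations (likely real file shares)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def matches_hunt(event: dict, external_only: bool = False) -> bool:
    """The post's query: outbound connection to an SMB port from an Office process.

    With external_only=True, destinations inside internal address space are
    dropped, which removes the usual false positive of documents linked to
    corporate shares.
    """
    if event.get("event_type") != "networkconnection":
        return False
    if event.get("net_conn_direction") != "outbound":
        return False
    try:
        port = int(event.get("net_dst_port", -1))
    except (TypeError, ValueError):
        return False
    if port not in SMB_PORTS:
        return False
    if not is_office_process(event.get("proc_file_path", "")):
        return False
    if external_only and is_internal(event.get("net_dst_ip", "")):
        return False
    return True


def hunt(events: Iterable[dict], external_only: bool = False) -> List[dict]:
    """Return the events that match the T1187 hunt."""
    return [e for e in events if matches_hunt(e, external_only)]


# Constructed sample telemetry (documentation IP ranges, not real incident data).
OFFICE_DIR = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SAMPLE_EVENTS = [
    # Word -> Internet host on 445: the behaviour described in the post.
    {"event_type": "networkconnection", "net_conn_direction": "outbound",
     "net_dst_port": "445", "net_dst_ip": "203.0.113.25", "proc_file_path": OFFICE_DIR + "WINWORD.EXE"},
    # Excel -> Internet host on 139 (NetBIOS session): same technique, other port.
    {"event_type": "networkconnection", "net_conn_direction": "outbound",
     "net_dst_port": "139", "net_dst_ip": "198.51.100.7", "proc_file_path": OFFICE_DIR + "EXCEL.EXE"},
    # Word -> internal file server on 445: the typical false positive.
    {"event_type": "networkconnection", "net_conn_direction": "outbound",
     "net_dst_port": "445", "net_dst_ip": "10.20.30.40", "proc_file_path": OFFICE_DIR + "WINWORD.EXE"},
    # Word -> HTTPS: ordinary Office traffic, must not match.
    {"event_type": "networkconnection", "net_conn_direction": "outbound",
     "net_dst_port": "443", "net_dst_ip": "203.0.113.25", "proc_file_path": OFFICE_DIR + "WINWORD.EXE"},
    # Explorer -> SMB: not an Office process, must not match.
    {"event_type": "networkconnection", "net_conn_direction": "outbound",
     "net_dst_port": "445", "net_dst_ip": "203.0.113.25", "proc_file_path": "C:\\Windows\\explorer.exe"},
    # Inbound SMB to a host running Word: wrong direction, must not match.
    {"event_type": "networkconnection", "net_conn_direction": "inbound",
     "net_dst_port": "445", "net_dst_ip": "192.168.1.5", "proc_file_path": OFFICE_DIR + "WINWORD.EXE"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, external_only=True):
        print(f"T1187 candidate: {hit['proc_file_path']} -> {hit['net_dst_ip']}:{hit['net_dst_port']}")
```

Running the hunt without the filter returns three events (the two Internet-bound ones plus the internal share); with external_only=True only the two Internet-bound connections remain, which is the set you would want to triage first.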

See you tomorrow!
