058. Hunting for Ghostwriter
Hello everyone! Let's talk about threat hunting this time. What's the difference between threat detection and threat hunting? When you're writing detections, the false positive rate must be very low; when you're hunting, the query output should include lots of noise - that is what lets you uncover threats you did not detect.
One of my favourites for threat hunting missions is rundll32.exe abuse. It's EXTREMELY common. Let's look at a recent Ghostwriter campaign described in this report by SentinelLABS.
So, the adversary actively abused rundll32.exe to execute malicious DLLs. Here are some procedure examples:
rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",FckUDud
rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",HelloWorld
rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",FCKU
rundll32 "C:\Users\<USER>\AppData\Roaming\Microsoft\SystemCertificates\CertificateCenter.dll",#1
I think you also noticed the very interesting function names - a very good indication of suspicious activity. Also, we can see that each path includes "Roaming\Microsoft", so we can use it in our hunting query:
event_type: "processcreate"
AND
proc_file_name: "rundll32.exe"
AND
cmdline: "Roaming\\Microsoft"
Always note the paths threat actors use to store malicious DLLs - they're great fuel for your rundll32.exe abuse hunting missions!
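As an added example (not from the original post or the SentinelLABS report), here is the hunting query above expressed as Python over a few constructed process-creation events, with each hit enriched with the DLL path and entry point so you can eyeball the function names at a glance. The field names event_type, proc_file_name and cmdline follow the query; the username "alice" and the benign events are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry); the two
# Roaming\Microsoft command lines mirror the procedure examples on this page.
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_file_name": "rundll32.exe",
     "cmdline": 'rundll32.exe "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\bruhdll32.dll",HelloWorld'},
    {"event_type": "processcreate", "proc_file_name": "rundll32.exe",
     "cmdline": 'rundll32 "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\SystemCertificates\\CertificateCenter.dll",#1'},
    # Assumed benign noise: a normal rundll32 use, a different binary, a non-process event.
    {"event_type": "processcreate", "proc_file_name": "rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"event_type": "processcreate", "proc_file_name": "regsvr32.exe",
     "cmdline": 'regsvr32.exe /s "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\x.dll"'},
    {"event_type": "filecreate", "proc_file_name": "rundll32.exe",
     "cmdline": 'rundll32.exe "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\y.dll",Run'},
]

# rundll32 syntax: optional quotes around the DLL path, then ",entry", where
# entry is an export name or an ordinal such as #1.
RUNDLL32_ARGS = re.compile(
    r'^\s*"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S+)',
    re.IGNORECASE,
)

def parse_rundll32_cmdline(cmdline):
    """Return (dll_path, entry_point) or None if the command line does not fit."""
    m = RUNDLL32_ARGS.match(cmdline)
    if not m:
        return None
    return m.group("dll"), m.group("entry")

def hunt_rundll32_roaming(events):
    """Apply the page's three-clause query and enrich each hit for triage."""
    hits = []
    for ev in events:
        if ev.get("event_type", "").lower() != "processcreate":
            continue
        if ev.get("proc_file_name", "").lower() != "rundll32.exe":
            continue
        cmdline = ev.get("cmdline", "")
        if "roaming\\microsoft" not in cmdline.lower():
            continue
        parsed = parse_rundll32_cmdline(cmdline)
        dll, entry = parsed if parsed else (None, None)
        hits.append({"cmdline": cmdline, "dll": dll, "entry": entry,
                     "ordinal_export": bool(entry and entry.startswith("#"))})
    return hits
```

Expect the output to be noisy by design: review the entry names and DLL paths by hand rather than alerting on every hit.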
See you tomorrow!