058. Hunting for Ghostwriter

Hello everyone! Let's talk about threat hunting this time. What's the difference between threat detection and threat hunting? When you're writing detections, the false positive rate must be very low; when you're hunting, the query output is allowed to include a lot of noise, because that is what lets you uncover threats you haven't detected yet.

One of my favourite topics for threat hunting missions is rundll32.exe abuse. It's EXTREMELY common. Let's look at a recent Ghostwriter campaign described in this report by SentinelLABS.

So, the adversary actively abused rundll32.exe to execute malicious DLLs. Here are some procedure examples:

rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",FckUDud

rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",HelloWorld

rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",FCKU

rundll32 "C:\Users\<USER>\AppData\Roaming\Microsoft\SystemCertificates\CertificateCenter.dll",#1

You have probably also noticed the very interesting export names, which are a very good indicator of suspicious activity. Also, every path includes "Roaming\Microsoft", so we can use that in our hunting query. Note that the last example invokes rundll32 without the .exe extension; the query below keys on the process file name rather than on the command line string, so that case still matches:

event_type: "processcreate"
AND
proc_file_name: "rundll32.exe"
AND
cmdline: "Roaming\\Microsoft"
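As an added example (it is not from the post or from the SentinelLABS report), here is the same hunt expressed in Python and run over a handful of constructed process-creation events. The field names event_type, proc_file_name and cmdline are taken from the query above; the event records, the rundll32 command-line parser and the stacking helper are my own assumptions, not any vendor's schema. Parsing the DLL path and export name out of each hit is what lets you stack the results: the same DLL called through three different exports stands out immediately, and an ordinal export like #1 is just as interesting as a rude function name.

```python
import re

# Constructed sample process-creation events (not real telemetry). The first
# four command lines reproduce the Ghostwriter procedures quoted above; the
# rest is the kind of noise a hunt query also has to filter out.
SAMPLE_EVENTS = [
    {"event_type": "processcreate", "proc_file_name": "rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",FckUDud'},
    {"event_type": "processcreate", "proc_file_name": "rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",HelloWorld'},
    {"event_type": "processcreate", "proc_file_name": "rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",FCKU'},
    # invoked as "rundll32" without the extension; the image is still rundll32.exe
    {"event_type": "processcreate", "proc_file_name": "rundll32.exe",
     "cmdline": r'rundll32 "C:\Users\<USER>\AppData\Roaming\Microsoft\SystemCertificates\CertificateCenter.dll",#1'},
    # ordinary rundll32 use from System32: no "Roaming\Microsoft", must not match
    {"event_type": "processcreate", "proc_file_name": "rundll32.exe",
     "cmdline": r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'},
    # same directory but a different process: outside this hunt's scope
    {"event_type": "processcreate", "proc_file_name": "regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\<USER>\AppData\Roaming\Microsoft\other.dll"'},
    # wrong event type, even though the process and path look the same
    {"event_type": "networkconnect", "proc_file_name": "rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\<USER>\AppData\Roaming\Microsoft\bruhdll32.dll",FCKU'},
]

# rundll32 syntax: rundll32[.exe] <dll>,<export|#ordinal> [arguments]
# The DLL path may be quoted (needed when it contains spaces) or bare.
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'  # the rundll32 binary
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))'                    # quoted or bare DLL path
    r'\s*,\s*(?P<export>#\d+|[A-Za-z_][\w@]*)',                   # export name or #ordinal
    re.IGNORECASE,
)


def parse_rundll32(cmdline):
    """Return {'dll': path, 'export': name} for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    return {"dll": m.group("qdll") or m.group("dll"), "export": m.group("export")}


def hunt(events):
    """The hunting query from the post, applied to a list of event dicts.

    Matches process creations of rundll32.exe whose command line contains
    "Roaming\\Microsoft" (case-insensitive, as SIEM substring matches usually
    are) and enriches every hit with the parsed DLL path and export name.
    """
    hits = []
    for ev in events:
        if ev.get("event_type") != "processcreate":
            continue
        if ev.get("proc_file_name", "").lower() != "rundll32.exe":
            continue
        cmdline = ev.get("cmdline", "")
        if "roaming\\microsoft" not in cmdline.lower():
            continue
        parsed = parse_rundll32(cmdline) or {"dll": None, "export": None}
        hits.append({**parsed, "cmdline": cmdline})
    return hits


def stack_by_dll(hits):
    """Group hits by DLL path and collect the set of exports called from each."""
    stacked = {}
    for h in hits:
        stacked.setdefault(h["dll"], set()).add(h["export"])
    return stacked


if __name__ == "__main__":
    for dll, exports in stack_by_dll(hunt(SAMPLE_EVENTS)).items():
        print(f"{dll}  ->  {sorted(exports)}")
```

Running the script prints one line per DLL with the exports seen for it; the three rundll32 variants of bruhdll32.dll collapse into a single row, which is exactly the view you want when triaging a noisy hunt.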

Always note the paths threat actors use to store malicious DLLs: they're great fuel for your rundll32.exe abuse hunting missions!

See you tomorrow!
