067. Detecting Ransomware Deployment Tools: PDQ Inventory and Deploy
Hello everyone! I think everybody who is reading this blog already knows that the attack lifecycle usually has a number of stages. Of course, you should detect most attacks at the early stages, but that's not always possible.
Today we'll talk about ransomware deployment tools. In most cases this is the last frontier: if you fail to detect the adversary at this stage, most likely you will have to deal with encrypted systems across your enterprise.
Let's look into a report on MedusaLocker:
"The attacker used PDQ Inventory to get an inventory of the endpoints on the network. PDQ Deploy then used this information to deploy the AVKiller binary and driver under the Windows directory to all the endpoints and execute it.
The attacker then used PDQ Deploy to transfer the ransomware binary and execute it."
As you can see, the adversary first used PDQ Inventory for discovery, then PDQ Deploy to evade defenses (pushing out the AV killer) and to deploy the ransomware. Let's use file metadata (the original file name and product name of the launched binary) to search for such activity:
event_type: "processcreatewin"
AND
(
  proc_file_originalfilename: ("PDQInventory.exe" OR "PDQDeploySetup.exe" OR "PDQRunner.exe")
  OR
  proc_file_productname: "PDQ.com"
)
If the tool is used in your environment, you need exclusions, of course!
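Here is the same detection logic as an added example (not code from the original post): the query above run over a few constructed process-creation events, with an exclusion list of (host, user) pairs where PDQ is legitimately used. The field names mirror the query; the hostnames, users and binaries are made up, and the second function shows what the rule would match if the product-name clause were not grouped with the file-name clause under the event_type condition.

```python
PDQ_ORIGINAL_FILENAMES = {"pdqinventory.exe", "pdqdeploysetup.exe", "pdqrunner.exe"}
PDQ_PRODUCT_NAME = "pdq.com"

# Constructed sample events; hosts, users and values are made up for this example.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "host": "admin-ws01", "user": "CORP\\itops",
     "proc_file_originalfilename": "PDQInventory.exe", "proc_file_productname": "PDQ.com"},
    {"event_type": "processcreatewin", "host": "fileserver02", "user": "CORP\\svc_backup",
     "proc_file_originalfilename": "PDQDeploySetup.exe", "proc_file_productname": "PDQ.com"},
    {"event_type": "processcreatewin", "host": "ws-0417", "user": "CORP\\jdoe",
     "proc_file_originalfilename": "PDQRunner.exe", "proc_file_productname": "PDQ.com"},
    # Not a process creation: the product name alone must not fire the rule.
    {"event_type": "filecreatewin", "host": "ws-0418", "user": "CORP\\jdoe",
     "proc_file_originalfilename": "PDQRunner.exe", "proc_file_productname": "PDQ.com"},
    {"event_type": "processcreatewin", "host": "ws-0419", "user": "CORP\\asmith",
     "proc_file_originalfilename": "notepad.exe", "proc_file_productname": "Microsoft Windows"},
]

# Exclusions (constructed): the IT admin workstation and account that run PDQ legitimately.
EXCLUSIONS = {("admin-ws01", "corp\\itops")}


def _lower(event, field):
    return str(event.get(field, "")).lower()


def is_pdq_process_creation(event):
    """processcreatewin AND (original file name is a PDQ binary OR product name is PDQ.com)."""
    if _lower(event, "event_type") != "processcreatewin":
        return False
    return (_lower(event, "proc_file_originalfilename") in PDQ_ORIGINAL_FILENAMES
            or _lower(event, "proc_file_productname") == PDQ_PRODUCT_NAME)


def matches_without_parentheses(event):
    """Same query with AND binding tighter than OR: product name is no longer
    constrained by event_type, so non-process events slip through."""
    return ((_lower(event, "event_type") == "processcreatewin"
             and _lower(event, "proc_file_originalfilename") in PDQ_ORIGINAL_FILENAMES)
            or _lower(event, "proc_file_productname") == PDQ_PRODUCT_NAME)


def find_pdq_activity(events, exclusions=EXCLUSIONS):
    """Return matching process creations not covered by a (host, user) exclusion."""
    alerts = []
    for event in events:
        if not is_pdq_process_creation(event):
            continue
        if (_lower(event, "host"), _lower(event, "user")) in exclusions:
            continue
        alerts.append(event)
    return alerts
```

With the constructed data this alerts on the deploy setup run from a file server and the PDQ runner on a user workstation, while the admin workstation is suppressed by the exclusion.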
See you tomorrow!