071. Squid Werewolf (APT37): Detection Opportunities
Hello everyone! I hope you have already checked this report on APT37 (we track this activity cluster as Squid Werewolf). As always, let's look at detection opportunities!
The adversary leveraged a malicious LNK file to execute PowerShell with the "-nop" argument; of course, we can use that for detection/hunting:
proc_p_file_path: "explorer.exe"
AND
proc_file_name: "powershell.exe"
AND
cmdline: "nop"
Also, the threat actors abuse dfsvc.exe, using a renamed copy of the executable to run the malicious code. For example, we can search for renamed copies by comparing the PE original file name with the name on disk:
event_type: "processcreatewin"
AND
proc_file_originalfilename: "dfsvc.exe"
AND NOT
proc_file_name: "dfsvc.exe"
One more opportunity: abusing timeapi[.]io to check Internet connectivity:
event_type: "dnsreq"
AND
dns_rname: "timeapi.io"
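To show how the three queries above behave on telemetry, here is an added example (not from the original post or any vendor product) that implements them as Python rules and runs them over a handful of constructed process-creation and DNS records using the same field names; the sample values and the rule names are assumptions for illustration.

```python
# Constructed telemetry records (not real data) using the post's field names.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\explorer.exe",
     "proc_file_name": "powershell.exe",
     "cmdline": r"powershell.exe -nop -w hidden -File C:\Users\Public\run.ps1"},
    {"event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\explorer.exe",
     "proc_file_name": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
    {"event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\explorer.exe",
     "proc_file_name": "update.exe", "proc_file_originalfilename": "dfsvc.exe",
     "cmdline": "update.exe"},
    {"event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\explorer.exe",
     "proc_file_name": "dfsvc.exe", "proc_file_originalfilename": "dfsvc.exe",
     "cmdline": "dfsvc.exe"},
    {"event_type": "dnsreq", "dns_rname": "timeapi.io"},
    {"event_type": "dnsreq", "dns_rname": "update.microsoft.com"},
]


def lnk_powershell_nop(ev):
    """explorer.exe (the LNK's launcher) starting powershell.exe with -nop."""
    parent = ev.get("proc_p_file_path", "").lower().replace("/", "\\").rsplit("\\", 1)[-1]
    tokens = ev.get("cmdline", "").lower().split()
    # Token match covers -nop/-NoP/-NoProfile; a bare "nop" substring also hits unrelated text.
    return (ev.get("event_type") == "processcreatewin" and parent == "explorer.exe"
            and ev.get("proc_file_name", "").lower() == "powershell.exe"
            and any(t.startswith("-nop") for t in tokens))


def renamed_dfsvc(ev):
    """PE OriginalFileName says dfsvc.exe but the file on disk has another name."""
    return (ev.get("event_type") == "processcreatewin"
            and ev.get("proc_file_originalfilename", "").lower() == "dfsvc.exe"
            and ev.get("proc_file_name", "").lower() != "dfsvc.exe")


def timeapi_io_dns(ev):
    """DNS query for timeapi.io or any of its subdomains (connectivity check)."""
    name = ev.get("dns_rname", "").lower().rstrip(".")
    return ev.get("event_type") == "dnsreq" and (name == "timeapi.io" or name.endswith(".timeapi.io"))


RULES = {"lnk_powershell_nop": lnk_powershell_nop,
         "renamed_dfsvc": renamed_dfsvc, "timeapi_io_dns": timeapi_io_dns}


def hunt(events):
    """Return (rule_name, event_index) for every event a rule matches."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, i in hunt(SAMPLE_EVENTS):
        print(name, SAMPLE_EVENTS[i])
```

Only the LNK-spawned PowerShell, the renamed dfsvc.exe copy and the timeapi.io lookup fire; the benign PowerShell, the legitimate dfsvc.exe and the unrelated DNS query do not.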
Which detection and hunting opportunities have you spotted?
See you tomorrow!