071. Squid Werewolf (APT37): Detection Opportunities

Hello everyone! I hope you have already checked this report on APT37 (we track this activity cluster as Squid Werewolf). As always, let's look at detection opportunities!


The adversary leveraged a malicious LNK file to execute PowerShell with the "-nop" argument; of course, we can use that for detection and hunting:

proc_p_file_path: "explorer.exe" 

AND 

proc_file_name: "powershell.exe" 

AND 

cmdline: "nop" 

Also, the threat actors abuse dfsvc.exe and use a renamed copy of the executable to run the malicious code. For example, we can search for renamed files by comparing the PE original filename with the file name on disk:

event_type: "processcreatewin" 

AND 

proc_file_originalfilename: "dfsvc.exe" 

AND NOT 

proc_file_name: "dfsvc.exe"

One more opportunity - abusing timeapi[.]io to check Internet connectivity:

event_type: "dnsreq" 

AND 

dns_rname: "timeapi.io"
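To show how the three queries above behave on telemetry, here is an added example (not code from the post or from BI.ZONE) that implements each of them as a plain-Python predicate and runs it over a handful of constructed events. Field names mirror the query fields in the post; the flat-dict event shape, the `run_rules` helper and all sample values are assumptions. Two refinements that the one-word queries leave implicit are made explicit: the "nop" match is restricted to a command-line switch (so `-nop` and `-NoProfile` fire, but a word such as "synopsis" does not), and the parent-process match compares the file name rather than the whole path.

```python
import re

# Constructed sample telemetry (not real logs). Each event is a hypothetical flat dict whose
# keys mirror the query fields used in the post.
SAMPLE_EVENTS = [
    # 0: PowerShell spawned by explorer.exe with -nop (the LNK double-click pattern)
    {"event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\explorer.exe",
     "proc_file_name": "powershell.exe", "proc_file_originalfilename": "PowerShell.EXE",
     "cmdline": r"powershell.exe -nop -w hidden -File C:\Users\user\AppData\Local\Temp\stage.ps1"},
    # 1: same parent, long-form switch; PowerShell accepts any unambiguous prefix of -NoProfile
    {"event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\explorer.exe",
     "proc_file_name": "powershell.exe", "proc_file_originalfilename": "PowerShell.EXE",
     "cmdline": r"powershell.exe -NoProfile -File C:\tools\build.ps1"},
    # 2: -nop, but the parent is svchost.exe (scheduled task), so outside this rule's scope
    {"event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\System32\svchost.exe",
     "proc_file_name": "powershell.exe", "proc_file_originalfilename": "PowerShell.EXE",
     "cmdline": r"powershell.exe -nop -File C:\maint\cleanup.ps1"},
    # 3: dfsvc.exe renamed to update.exe; the PE OriginalFilename still says dfsvc.exe
    {"event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\explorer.exe",
     "proc_file_name": "update.exe", "proc_file_originalfilename": "dfsvc.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\update.exe"},
    # 4: legitimate ClickOnce host with its name intact
    {"event_type": "processcreatewin", "proc_p_file_path": r"C:\Windows\explorer.exe",
     "proc_file_name": "dfsvc.exe", "proc_file_originalfilename": "dfsvc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"},
    # 5: DNS request for the connectivity-check domain named in the post
    {"event_type": "dnsreq", "dns_rname": "timeapi.io"},
    # 6: unrelated DNS request (benign noise)
    {"event_type": "dnsreq", "dns_rname": "update.microsoft.com"},
]

# Matches "-nop", "/nop", "-NoProfile", "-nopr", ... as a separate switch, case-insensitively.
_NOP_SWITCH = re.compile(r"(?:^|\s)[-/]nop\w*", re.IGNORECASE)


def _basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_lnk_powershell_nop(ev):
    """Rule 1: powershell.exe started by explorer.exe with a -nop style switch."""
    if ev.get("event_type") != "processcreatewin":
        return False
    return (_basename(ev.get("proc_p_file_path", "")) == "explorer.exe"
            and ev.get("proc_file_name", "").lower() == "powershell.exe"
            and _NOP_SWITCH.search(ev.get("cmdline", "")) is not None)


def rule_renamed_dfsvc(ev):
    """Rule 2: PE OriginalFilename is dfsvc.exe but the on-disk file name differs."""
    if ev.get("event_type") != "processcreatewin":
        return False
    original = ev.get("proc_file_originalfilename", "").lower()
    name = ev.get("proc_file_name", "").lower()
    return original == "dfsvc.exe" and name != "dfsvc.exe"


def rule_timeapi_dns(ev):
    """Rule 3: DNS request for timeapi.io (apex or any subdomain; the post's query is exact)."""
    if ev.get("event_type") != "dnsreq":
        return False
    name = ev.get("dns_rname", "").lower().rstrip(".")
    return name == "timeapi.io" or name.endswith(".timeapi.io")


RULES = {
    "lnk_powershell_nop": rule_lnk_powershell_nop,
    "renamed_dfsvc": rule_renamed_dfsvc,
    "timeapi_dns": rule_timeapi_dns,
}


def run_rules(events):
    """Return {rule_name: [index of every event that matched]}."""
    hits = {name: [] for name in RULES}
    for idx, ev in enumerate(events):
        for name, predicate in RULES.items():
            if predicate(ev):
                hits[name].append(idx)
    return hits


if __name__ == "__main__":
    for name, idxs in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: matched events {idxs}")
```

On the sample set, rule 1 fires on events 0 and 1 only (event 2 has the right switch but the wrong parent), rule 2 fires on event 3 only, and rule 3 on event 5. Tuning each predicate against your own baseline (for instance, whether legitimate software on your estate ever launches a renamed ClickOnce host) is the part the queries themselves cannot do for you.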

Which detection and hunting opportunities have you spotted?

See you tomorrow!
