077. Detecting Windows Sandbox Abuse

Hello everyone! We often use sandboxes for malware triage, but what about adversaries? Can they abuse sandboxes to execute malicious code? The answer is - yes!

ESET presented a report on a MirrorFace attack against a Central European diplomatic institute. Among other malware, the threat actors used a heavily customised variant of AsyncRAT. And they ran it... inside Windows Sandbox!

The adversary created a scheduled task to run Windows Sandbox with a WSB file as an argument. So, we can hunt for such activity using the following query:

event_type: "processcreatewin"
AND proc_file_name: ("WindowsSandbox.exe" OR "wsb.exe")
AND cmdline: "wsb"
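As an added example (not from the post or the ESET report), here is the same three-condition logic as a small Python hunt run over constructed process-creation events. The field names follow the query above; the events and file paths are made up, and the .wsb path extraction is an extra enrichment step.

```python
import re

# Constructed sample process-creation events shaped like the fields the
# query uses (event_type, proc_file_name, cmdline). Not real telemetry.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "WindowsSandbox.exe",
     "cmdline": r'"C:\Windows\System32\WindowsSandbox.exe" C:\Users\Public\update.wsb'},
    {"event_type": "processcreatewin", "proc_file_name": "wsb.exe",
     "cmdline": r'wsb.exe start --config C:\ProgramData\cfg.wsb'},
    # Sandbox started interactively with no configuration file: no "wsb" in cmdline.
    {"event_type": "processcreatewin", "proc_file_name": "WindowsSandbox.exe",
     "cmdline": r'"C:\Windows\System32\WindowsSandbox.exe"'},
    # A .wsb file opened by an unrelated process: wrong binary, no hit.
    {"event_type": "processcreatewin", "proc_file_name": "notepad.exe",
     "cmdline": r'notepad.exe C:\Users\Public\update.wsb'},
    # Right binary, but not a process-creation event.
    {"event_type": "filecreatewin", "proc_file_name": "WindowsSandbox.exe",
     "cmdline": r'WindowsSandbox.exe C:\Users\Public\update.wsb'},
]

SANDBOX_BINARIES = {"windowssandbox.exe", "wsb.exe"}
# First whitespace-free token ending in .wsb, optionally quoted.
WSB_ARG = re.compile(r'"?([^"\s]+\.wsb)"?', re.IGNORECASE)


def matches_hunt(event):
    """Mirror the three conditions of the hunting query (case-insensitive)."""
    return (event.get("event_type") == "processcreatewin"
            and event.get("proc_file_name", "").lower() in SANDBOX_BINARIES
            and "wsb" in event.get("cmdline", "").lower())


def wsb_config_path(cmdline):
    """Pull the .wsb configuration path out of the command line, if present."""
    m = WSB_ARG.search(cmdline)
    return m.group(1) if m else None


def hunt(events):
    """Return (proc_file_name, wsb_path) for every event matching the query."""
    return [(ev["proc_file_name"], wsb_config_path(ev["cmdline"]))
            for ev in events if matches_hunt(ev)]


if __name__ == "__main__":
    for name, path in hunt(SAMPLE_EVENTS):
        print(f"HIT: {name} launched with config {path}")
```

The extracted .wsb path is what you would pivot on next: the configuration file tells you which host folders were mapped and what logon command ran inside the sandbox.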

Make sure you check the report - it's full of interesting detection opportunities!

See you tomorrow!
