121. Detecting Earth Kasha's ROAMINGMOUSE

Hello everyone!

Reading Trend Micro's report on Earth Kasha, I spotted a curious behavior marker of ROAMINGMOUSE: it abuses WMI to execute JSLNTOOL.EXE via explorer.exeJSLNTOOL.EXE is a legitimate application used by the adversary to sideload JSFC.dll - a malicious loader.

It means we can hunt for suspicious executions of explorer.exe via wmiprvse.exe:

event_type: "processcreatewin"

AND

proc_file_path: "explorer.exe"

AND

proc_p_file_path: "wmiprvse.exe"

As for JSLNTOOL.EXE, you can also hunt for related execution events, focusing on uncommon locations:

event_type: "processcreatewin"

AND

proc_file_originalfilename: "jslntool.exe"

AND NOT

proc_file_path: "justsystems"

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access