127. Detecting RMMs from Ransomware Affiliate's Toolkit: Supremo
Hello everyone!
Let's keep looking at RMMs observed in ransomware gangs' toolkit. This time we'll look at Supremo. It's a legitimate remote access tool observed to be used by Black Basta ransomware affiliates ITW.
Usually the adversary does not modify the binary, so it looks absolutely legitimate. That means we can once again focus on the file's metadata. So here's the query:
event_type: "processcreatewin"
AND
proc_file_productname: "Supremo Remote Control"
The same can be said about file creation events in the tool-related folders:
event_type: "filecreate"
AND
file_path: "SupremoRemoteDesktop"
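The two queries above, rewritten as a small Python rule set and run over constructed sample events, as an added example that is not part of the original post. The field names mirror the post's queries; the host names and file paths are made up, and the case-insensitive matching is an assumption about how the SIEM evaluates these terms.

```python
# Constructed sample telemetry that loosely mirrors the fields used in the
# post's queries. Hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "host": "ws-01",
     "proc_file_path": "C:\\Users\\alice\\Downloads\\Supremo.exe",
     "proc_file_productname": "Supremo Remote Control"},
    {"event_type": "processcreatewin", "host": "ws-01",
     "proc_file_path": "C:\\Windows\\System32\\svchost.exe",
     "proc_file_productname": "Microsoft Windows Operating System"},
    {"event_type": "filecreate", "host": "ws-01",
     "file_path": "C:\\ProgramData\\SupremoRemoteDesktop\\Log\\Supremo.log"},
    {"event_type": "filecreate", "host": "ws-02",
     "file_path": "C:\\Users\\bob\\Documents\\report.docx"},
]


def match_supremo_process(event):
    """Rule 1: process creation whose PE product name is 'Supremo Remote Control'.
    Relies on the binary being unmodified, as the post notes is usually the case."""
    return (event.get("event_type") == "processcreatewin"
            and event.get("proc_file_productname", "").casefold()
            == "supremo remote control")


def match_supremo_file(event):
    """Rule 2: file creation anywhere inside a SupremoRemoteDesktop folder.
    Substring match, so nested paths are covered too."""
    return (event.get("event_type") == "filecreate"
            and "supremoremotedesktop" in event.get("file_path", "").casefold())


RULES = {
    "supremo_process_productname": match_supremo_process,
    "supremo_file_folder": match_supremo_file,
}


def detect(events):
    """Return one (rule_name, host, evidence) tuple per matching event."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                evidence = ev.get("proc_file_path") or ev.get("file_path")
                hits.append((name, ev.get("host"), evidence))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```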
What other interesting RMMs used by ransomware affiliates have you seen?
See you tomorrow!