130. Cactus Ransomware Gang Abuses Microsoft Quick Assist
Hello everyone!
Adversaries always want to blend in with the compromised environment. We already talked a lot about various legitimate tools abused by threat actors, but in many cases they don't even need to bring such tools.
For example, according to a Cisco Talos report, Cactus ransomware affiliates directed victims to initiate a Microsoft Quick Assist remote access session, and even helped them with the installation of the program if it was not already present on the user's system.
With a proper baseline, such tools are great targets for threat hunting. The query may be as easy as the following:
event_type: "processcreatewin"
AND
proc_file_name: "QuickAssist.exe"
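As an added example (not part of the original post and not Cisco Talos code), here is the same hunt expressed in Python and run over a handful of constructed process-creation events, plus the baseline step the post alludes to: hosts where Quick Assist use is expected (a help-desk machine, say) are filtered out, so only unexpected launches become findings. The JSON-lines event shape, the host/user fields and the baseline host set are assumptions for the sake of the demo; only the two field names from the query above are taken from the post.

```python
import json

# Constructed sample telemetry (not from the original post). One JSON object per line,
# using the two field names from the post's query plus assumed host/user/time fields.
# It deliberately includes a lowercase file name, a non-process event, a malformed
# line and a blank line to show how the hunt handles each.
SAMPLE_EVENTS = r"""
{"time": "2024-05-14T09:02:11Z", "host": "WS-FIN-01", "user": "alice", "event_type": "processcreatewin", "proc_file_name": "QuickAssist.exe"}
{"time": "2024-05-14T09:03:40Z", "host": "WS-HR-07", "user": "bob", "event_type": "processcreatewin", "proc_file_name": "notepad.exe"}
{"time": "2024-05-14T09:05:02Z", "host": "HELPDESK-02", "user": "carol", "event_type": "processcreatewin", "proc_file_name": "quickassist.exe"}
{"time": "2024-05-14T09:06:15Z", "host": "WS-FIN-01", "user": "alice", "event_type": "filecreatewin", "proc_file_name": "QuickAssist.exe"}
this line is not valid json and should be skipped

"""

# Assumed baseline: hosts where Quick Assist launches are normal (e.g. the help desk).
BASELINE_HOSTS = {"HELPDESK-02"}


def parse_events(raw: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank and malformed lines instead of aborting."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a bad record should not stop the rest of the hunt
    return events


def matches_query(event: dict) -> bool:
    """Same predicate as the post's query.

    The file name is compared case-insensitively because Windows file names are,
    and a data source that emits lowercase names would otherwise slip past.
    """
    return (
        event.get("event_type") == "processcreatewin"
        and (event.get("proc_file_name") or "").lower() == "quickassist.exe"
    )


def hunt(events: list[dict], baseline_hosts: set[str]) -> dict:
    """Run the query, then keep only hits from hosts outside the baseline.

    Returns the raw match count (useful for tuning the baseline) and the findings
    an analyst would actually triage.
    """
    hits = [e for e in events if matches_query(e)]
    findings = [
        {"time": e.get("time"), "host": e.get("host"), "user": e.get("user")}
        for e in hits
        if e.get("host") not in baseline_hosts
    ]
    return {"matched": len(hits), "findings": findings}


if __name__ == "__main__":
    result = hunt(parse_events(SAMPLE_EVENTS), BASELINE_HOSTS)
    print(f"query matched {result['matched']} event(s)")
    for f in result["findings"]:
        print(f"  REVIEW: {f['time']} {f['host']} user={f['user']} launched Quick Assist")
```

Of the four well-formed events, two satisfy the query (the lowercase `quickassist.exe` on HELPDESK-02 included), but only the launch on WS-FIN-01 survives the baseline filter and is reported. In practice the baseline would be built from a few weeks of the same query's results rather than hard-coded, and a finding would be enriched with the parent process and the logged-on user's role before escalation.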
Hope your threat hunting missions are going well!
See you tomorrow!