171. Detecting BlueNoroff's Indicator Removal Techniques
Hello everyone!
Huntress has shared the results of its analysis of a recent BlueNoroff attack involving a macOS device, a fake Zoom extension and even deepfakes! So, let's look at some detection opportunities!
Let's look at indicator removal techniques. The adversary abused the HISTFILE environment variable, unsetting it so the shell stops writing command history to a file:
unset HISTFILE
We can definitely use it for detection:
event_type: "processcreatemac"
AND
cmdline: "unset histfile"
The next behavior is clearing the shell history:
history -p > /dev/null
This can also be used for detection:
event_type: "processcreatemac"
AND
proc_file_name: "history"
AND
cmdline: "/dev/null"
Finally, the threat actors remove shell history files:
rm -rf ~/.zsh_history
rm -rf ~/.bash_history
rm -rf ~/.zsh_sessions
And yes, this is another detection opportunity:
event_type: "processcreatemac"
AND
proc_file_name: "rm"
AND
cmdline: ("zsh_history" OR "bash_history" OR "zsh_sessions")
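To show how these three queries behave as rules, here is an added Python example (not from the Huntress report or the original post) that runs them over a few constructed process-creation events in the same field layout; cmdline matching is case-insensitive so "unset HISTFILE" satisfies the lowercase query, and a benign rm is included to confirm it does not fire.

```python
from typing import Callable

# Constructed sample macOS process-creation events in the same field layout
# the queries above use; illustrative only, not data from the Huntress report.
SAMPLE_EVENTS = [
    {"event_type": "processcreatemac", "proc_file_name": "zsh",
     "cmdline": "unset HISTFILE"},
    {"event_type": "processcreatemac", "proc_file_name": "history",
     "cmdline": "history -p > /dev/null"},
    {"event_type": "processcreatemac", "proc_file_name": "rm",
     "cmdline": "rm -rf ~/.zsh_history"},
    {"event_type": "processcreatemac", "proc_file_name": "rm",
     "cmdline": "rm -rf /Users/dev/build"},          # benign rm, must not fire
    {"event_type": "processcreatemac", "proc_file_name": "rm",
     "cmdline": "rm -rf ~/.zsh_sessions ~/.bash_history"},
]

HISTORY_FILES = ("zsh_history", "bash_history", "zsh_sessions")

def _mac_process(event: dict) -> bool:
    return event.get("event_type") == "processcreatemac"

# Each rule mirrors one of the three queries above. Matching on cmdline is
# case-insensitive so "unset HISTFILE" satisfies "unset histfile".
RULES: dict[str, Callable[[dict], bool]] = {
    "histfile_unset": lambda e: _mac_process(e)
        and "unset histfile" in e["cmdline"].lower(),
    "history_flushed_to_devnull": lambda e: _mac_process(e)
        and e["proc_file_name"] == "history"
        and "/dev/null" in e["cmdline"].lower(),
    "shell_history_deleted": lambda e: _mac_process(e)
        and e["proc_file_name"] == "rm"
        and any(h in e["cmdline"].lower() for h in HISTORY_FILES),
}

def matched_rules(event: dict) -> list[str]:
    """Names of the rules this single event satisfies (empty if benign)."""
    return [name for name, rule in RULES.items() if rule(event)]

def run_detections(events: list[dict]) -> list[tuple[int, str]]:
    """(event index, rule name) for every hit, in input order."""
    hits = []
    for idx, event in enumerate(events):
        for name in matched_rules(event):
            hits.append((idx, name))
    return hits

if __name__ == "__main__":
    for idx, name in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {name} <- {SAMPLE_EVENTS[idx]['cmdline']}")
```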
See you tomorrow!