183. Using Staging Folders For Threat Hunting

Hello everyone!

Adversaries often use multiple stages to deliver final payload or, for example, some tools. In some cases they use very special folders, and we can use such paths in our threat hunting missions.

Want an example? Sure! Let's look at this DCRAT campaign. According to the report, the adversary downloaded the final payload to C:\Users\Public\Downloads. Quite interesting folder, isn't it?

Yes, we can build a hunting query using this information:

event_type: "processcreatewin"

AND

proc_file_path: "Public\\Downloads"

Do you know any interesting staging folders?

See you tomorrow!

Comments

Popular posts from this blog

033. Free Google Threat Intelligence Course

082. Huniting for Malicious Browser Extensions

001. The Zeltser Challenge