183. Using Staging Folders For Threat Hunting
Hello everyone!
Adversaries often use multiple stages to deliver final payload or, for example, some tools. In some cases they use very special folders, and we can use such paths in our threat hunting missions.
Want an example? Sure! Let's look at this DCRAT campaign. According to the report, the adversary downloaded the final payload to C:\Users\Public\Downloads. Quite interesting folder, isn't it?
Yes, we can build a hunting query using this information:
event_type: "processcreatewin"
AND
proc_file_path: "Public\\Downloads"
Do you know any interesting staging folders?
See you tomorrow!
Comments
Post a Comment