187. Scattered Spider Started to Abuse Teleport
Hello everyone!
If you checked the report I shared yesterday, you should have noticed another interesting legitimate tool abused by Scattered Spider - Teleport.
The adversary installed it on compromised servers to establish a persistent remote command-and-control (C2) channel.
We can start by hunting for downloads of Teleport binaries, for example:
event_type: "processcreatenix"
AND
proc_file_name: "curl"
AND
cmdline: "teleport.dev"
Also, you may look for Teleport configuration file modification events:
event_type: "filewrite"
AND
file_path: "teleport.yaml"
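To show how the two hunting queries above behave on real telemetry, here is an added example (not part of the original post) that evaluates both rules over constructed events using the post's field names; the event contents, the cdn.teleport.dev paths and the extension from curl to wget are my own assumptions, not from the post.

```python
"""Evaluate the post's two Teleport hunting rules over constructed events."""
from os.path import basename
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs); fields follow the post's queries.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"event_type": "processcreatenix", "proc_file_name": "curl",
     "cmdline": "curl -O https://cdn.teleport.dev/teleport-linux-amd64.tar.gz"},
    {"event_type": "processcreatenix", "proc_file_name": "wget",
     "cmdline": "wget https://cdn.teleport.dev/teleport-linux-arm64.tar.gz"},
    {"event_type": "processcreatenix", "proc_file_name": "curl",
     "cmdline": "curl -fsSL https://example.com/update.sh"},
    {"event_type": "filewrite", "file_path": "/etc/teleport.yaml"},
    {"event_type": "filewrite", "file_path": "/home/analyst/notes.yaml"},
]

# The post's first query uses curl; wget is added here as an assumed extension.
DOWNLOADERS = {"curl", "wget"}


def matches_teleport_download(ev: Dict[str, str]) -> bool:
    """Rule 1: process creation of a downloader whose cmdline references teleport.dev."""
    return (ev.get("event_type") == "processcreatenix"
            and ev.get("proc_file_name", "") in DOWNLOADERS
            and "teleport.dev" in ev.get("cmdline", "").lower())


def matches_teleport_config_write(ev: Dict[str, str]) -> bool:
    """Rule 2: a file write whose target file name is teleport.yaml."""
    return (ev.get("event_type") == "filewrite"
            and basename(ev.get("file_path", "")).lower() == "teleport.yaml")


def hunt(events: List[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (rule_name, event) pairs for every event that triggers a rule."""
    hits: List[Tuple[str, Dict[str, str]]] = []
    for ev in events:
        if matches_teleport_download(ev):
            hits.append(("teleport_download", ev))
        if matches_teleport_config_write(ev):
            hits.append(("teleport_config_write", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in hunt(SAMPLE_EVENTS):
        print(rule, ev.get("cmdline") or ev.get("file_path"))
```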
See you tomorrow!