187. Scattered Spider Started to Abuse Teleport

Hello everyone!

If you checked the report I shared yesterday, you should have noticed another interesting legitimate tool abused by Scattered Spider - Teleport.

The adversary installed it on compromised servers to establish a persistent remote command-and-control (C2) channel.

We can start by hunting for downloads of Teleport binaries, for example:

event_type: "processcreatenix"

AND

proc_file_name: "curl"

AND

cmdline: "teleport.dev"

You may also look for Teleport configuration file modification events (legitimate Teleport deployments will trigger both queries as well, so baseline known installs first):

event_type: "filewrite"

AND

file_path: "teleport.yaml"
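As an added example that is not part of the original post, here is the same hunting logic as Python run over a handful of constructed events, so the matches can be checked offline. It goes slightly beyond the two queries above: it also catches wget, a downloader launched inside a `bash -c` string (where the event's process name is the shell), and a `teleport.yml` spelling of the config file. The host cdn.teleport.dev and the paths in the sample records are assumptions made for the sample data; /etc/teleport.yaml is Teleport's default config location.

```python
import re

# Constructed sample telemetry in the shape the post's queries assume:
# event_type, the executing process name, its command line and, for
# file-write events, the target path. Made-up records, not real logs.
SAMPLE_EVENTS = [
    {"event_type": "processcreatenix", "proc_file_name": "curl",
     "cmdline": "curl -fsSL https://cdn.teleport.dev/install.sh -o /tmp/i.sh"},
    {"event_type": "processcreatenix", "proc_file_name": "wget",
     "cmdline": "wget -q https://cdn.teleport.dev/teleport-linux-amd64-bin.tar.gz"},
    {"event_type": "processcreatenix", "proc_file_name": "curl",
     "cmdline": "curl -s https://updates.example.org/status"},
    {"event_type": "filewrite", "proc_file_name": "vi",
     "file_path": "/etc/teleport.yaml"},
    {"event_type": "filewrite", "proc_file_name": "dpkg",
     "file_path": "/usr/share/doc/teleport/changelog.gz"},
    {"event_type": "processcreatenix", "proc_file_name": "bash",
     "cmdline": "bash -c 'curl -s https://cdn.teleport.dev/install.sh | bash'"},
]

# The download host from the post's query, matched as a whole label so that
# something like "notteleport.dev" does not fire. All text is lowercased first.
TELEPORT_HOST_RE = re.compile(r"\bteleport\.dev\b")
# curl/wget as a standalone token anywhere in the command line, so a download
# wrapped in "bash -c '...'" is caught even though the process name is the shell.
DOWNLOADER_RE = re.compile(r"(?<![\w.-])(curl|wget)\b")
# Config file name at the end of the path; Teleport also accepts a .yml file
# and an arbitrary path via "teleport start -c <path>", hence no directory anchor.
CONFIG_PATH_RE = re.compile(r"(^|/)teleport\.ya?ml$")


def _text(event, key):
    """Fetch a field as lowercase text; missing fields become ''."""
    return str(event.get(key, "")).lower()


def is_teleport_download(event):
    """Process-creation event where curl/wget fetches something from teleport.dev."""
    if _text(event, "event_type") != "processcreatenix":
        return False
    cmdline = _text(event, "cmdline")
    uses_downloader = (_text(event, "proc_file_name") in ("curl", "wget")
                       or DOWNLOADER_RE.search(cmdline) is not None)
    return uses_downloader and TELEPORT_HOST_RE.search(cmdline) is not None


def is_teleport_config_write(event):
    """File-write event whose target file is teleport.yaml or teleport.yml."""
    return (_text(event, "event_type") == "filewrite"
            and CONFIG_PATH_RE.search(_text(event, "file_path")) is not None)


RULES = (
    ("teleport_download", is_teleport_download),
    ("teleport_config_write", is_teleport_config_write),
)


def hunt(events):
    """Return (rule_name, event) for every event that matches a rule, in input order."""
    hits = []
    for event in events:
        for name, rule in RULES:
            if rule(event):
                hits.append((name, event))
    return hits


if __name__ == "__main__":
    for name, event in hunt(SAMPLE_EVENTS):
        print(f"{name:22s} {event.get('cmdline') or event.get('file_path')}")
```

Both rules are hunting leads rather than alerts: an organisation that runs Teleport legitimately will produce the same downloads and config writes, so the hits need to be compared against known Teleport hosts and change windows. The config rule anchors on the file name rather than on /etc/teleport.yaml because an attacker can point `teleport start` at any path, while still ignoring unrelated paths that merely contain the word teleport.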

See you tomorrow!

