194. Can Darknet Forums Help Us with Threat Hunting?

Hello everyone!

I'm sure many of you consume or even produce intelligence related to the Darknet. Initial access brokers, sold databases, stealer logs for sale... But what about threat hunting? Can we get valuable intelligence and turn it into a threat hunting hypothesis?

Yes, we can! Let's look at an example. Recently a threat actor with the moniker "tainted_l0ve" advertised a new ClickFix delivery method:

The following part caught my attention: "on delivery, command is automatically deleted from user "Run" history". If you have ever done digital forensics, you know that RunMRU (Most Recently Used) is a Windows registry key that stores a list of the last 26 commands entered in the Run dialog (Win + R).

This means the tool most likely clears this key, so we can use that behaviour for hunting:

event_type: "registryobjdelete"

AND

reg_key_path: "runmru"
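The same hypothesis as a small detection script run over constructed EDR-style events. This is an added example, not code from the post; the field names follow the query above, while the event type names, the sample events and the extra check for deletion of individual values under RunMRU (a second way to clear the history, not covered by the query above) are assumptions.

```python
"""Hunt for RunMRU clearing over constructed registry-deletion events."""
import re
from typing import Dict, Iterable, List

# The Run dialog writes its history to
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Match the key itself or any value path directly beneath it, case-insensitively.
RUNMRU_RE = re.compile(r"\\explorer\\runmru(\\|$)", re.IGNORECASE)

# Assumed event type names: the first is from the post's query, the second
# (value deletion) is an added generalisation; real telemetry differs per vendor.
DELETE_EVENT_TYPES = {"registryobjdelete", "registryvaluedelete"}


def is_runmru_clear(event: Dict[str, str]) -> bool:
    """True when the event is a registry deletion touching RunMRU or a value under it."""
    if event.get("event_type", "").lower() not in DELETE_EVENT_TYPES:
        return False
    return RUNMRU_RE.search(event.get("reg_key_path", "")) is not None


def hunt_runmru_deletions(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that match the hunting hypothesis."""
    return [e for e in events if is_runmru_clear(e)]


def processes_clearing_runmru(events: Iterable[Dict[str, str]]) -> List[str]:
    """Sorted, de-duplicated list of process names that cleared RunMRU (for triage)."""
    return sorted({e.get("process", "?") for e in hunt_runmru_deletions(events)})


# Constructed sample events: two deletions that should fire, two that should not.
SAMPLE_EVENTS = [
    {"event_type": "registryobjdelete", "process": "powershell.exe",
     "reg_key_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"},
    {"event_type": "registryvaluedelete", "process": "reg.exe",
     "reg_key_path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a"},
    {"event_type": "registryobjdelete", "process": "explorer.exe",
     "reg_key_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths"},
    {"event_type": "registryobjcreate", "process": "explorer.exe",
     "reg_key_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"},
]

if __name__ == "__main__":
    for hit in hunt_runmru_deletions(SAMPLE_EVENTS):
        print(hit["process"], hit["event_type"], hit["reg_key_path"])
```

Normal use of the Run dialog only creates or updates the key, so deletions are rare enough to review by hand.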

See you tomorrow!
