203. These are Staging Folders Used by APT41
Hello everyone!
We already talked about staging folders and how to use such information for threat hunting. Let's look at another example! This time - APT41 (we track this cluster as Wanted Werewolf).
According to this report by Kaspersky, the adversary leveraged the following folders to store the toolset:
c:\windows\tasks\
c:\programdata\
c:\programdata\usoshared\
c:\users\public\downloads\
c:\users\public\
c:\windows\help\help\
c:\users\public\videos\
Some of these (c:\programdata\ and c:\users\public\) are far too common to hunt on directly, while the others are great targets for your threat hunting mission. For example, the query below matches any process image path containing one of the rarer folders as a substring:
event_type: "processcreatewin"
AND
proc_file_path: ("windows\\tasks" OR "programdata\\usoshared" OR "windows\\help\\help" OR "users\\public\\videos")
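The same hunt as runnable detection logic over a few constructed process-creation events (added example, not code from the post, from BI.ZONE or from the Kaspersky report). It keeps the page's field names (`event_type`, `proc_file_path`) as an assumption about the telemetry schema, and it goes slightly beyond the query above: paths are matched per directory component rather than as raw substrings, so `windows\tasks` cannot fire on a sibling folder such as `windows\tasks2`, forward slashes and non-`C:` drives are normalised, and the two generic folders are deliberately left out of the hunt set. The folder list and the sample events are my own construction for illustration.

```python
import json
import ntpath
from typing import Iterable, Optional

# Staging folders from the report, minus the two generic ones (c:\programdata\
# and c:\users\public\) that ordinary software writes to all day. Drive-agnostic
# on purpose. This hunt set is an assumption of the example, not a vendor rule.
HUNT_FOLDERS = (
    "windows\\tasks",
    "programdata\\usoshared",
    "windows\\help\\help",
    "users\\public\\videos",
)
EVENT_TYPE = "processcreatewin"  # field value taken from the query on the page


def _dir_components(path: str) -> tuple:
    """Lower-cased directory components of a Windows path, file name dropped.

    Forward slashes are accepted because some collectors emit them. Matching
    is done per component so 'windows\\tasks' cannot match 'windows\\tasks2'.
    """
    norm = path.replace("/", "\\").lower()
    directory = ntpath.dirname(norm)
    return tuple(part for part in directory.split("\\") if part)


def matching_folder(path: str, folders=HUNT_FOLDERS) -> Optional[str]:
    """Return the first hunt folder that appears as a contiguous run of the
    directory components of `path` (any drive, any depth below it), else None."""
    parts = _dir_components(path)
    for folder in folders:
        needle = tuple(folder.split("\\"))
        n = len(needle)
        for i in range(len(parts) - n + 1):
            if parts[i:i + n] == needle:
                return folder
    return None


def hunt(lines: Iterable[str]) -> list:
    """Run the staging-folder hunt over JSON event lines and return the hits."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != EVENT_TYPE:
            continue
        folder = matching_folder(event.get("proc_file_path", ""))
        if folder:
            hits.append({"proc_file_path": event["proc_file_path"], "folder": folder})
    return hits


# Constructed sample telemetry in the page's field naming; not real log data.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    # hit: binary dropped straight into windows\tasks
    {"event_type": "processcreatewin", "proc_file_path": "C:\\Windows\\Tasks\\svchost.exe"},
    # hit: subfolder below a staging folder still counts
    {"event_type": "processcreatewin", "proc_file_path": "C:\\ProgramData\\USOShared\\Logs\\update.exe"},
    # no hit: generic programdata location, not in the hunt set
    {"event_type": "processcreatewin", "proc_file_path": "C:\\ProgramData\\Vendor\\Platform\\agent.exe"},
    # no hit: sibling folder, would fire on a plain substring match
    {"event_type": "processcreatewin", "proc_file_path": "C:\\Windows\\Tasks2\\x.exe"},
    # no hit: wrong event type
    {"event_type": "filecreatewin", "proc_file_path": "C:\\Windows\\Help\\Help\\a.exe"},
    # hit: other drive letter and forward slashes are normalised
    {"event_type": "processcreatewin", "proc_file_path": "D:/Users/Public/Videos/loader.exe"},
)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['folder']:<24} {hit['proc_file_path']}")
```

Feed it your own exported process-creation events (one JSON object per line) and triage the hits by parent process and signer; in real environments the first two folders occasionally see legitimate scheduled-task helpers and update components, so the hit list is a hunting lead, not an alert.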
See you tomorrow!