211. That's How Stealers Defeat System Recovery
Hello everyone!
What's the first thing you think about when you hear about defeating system recovery? Ransomware? Sure, but it's not the only case. And you can transform it into a detection opportunity!
Elastic Security Labs presented a report on NOVABLIGHT, a NodeJS infostealer. It has a lot of features, but we're going to look at those related to defeating system recovery.
For example, the stealer disables the Windows Recovery Environment (reagentc /disable) and deletes all Volume Shadow Copies (vssadmin delete shadows /all).
And here we have two detection opportunities. Disabling the Windows Recovery Environment:
event_type: "processcreatewin"
AND
proc_file_path: "reagentc.exe"
AND
cmdline: "disable"
And deleting Volume Shadow Copies:
event_type: "processcreatewin"
AND
proc_file_path: "vssadmin.exe"
AND
cmdline: ("delete" AND "shadows")
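To show how the two queries above behave on real telemetry, here is an added example (not code from the post or from the Elastic report) that runs the same logic over constructed process-creation events. The JSON event shape, the file-name-only comparison and the case-insensitive matching are assumptions of mine, not part of the original queries.

```python
import json
from typing import Iterable

# Constructed sample events (not from the original post): one JSON object per line.
# Two are true positives, two are benign uses of the same binaries, one has the wrong event type.
SAMPLE_EVENTS = r"""
{"event_type": "processcreatewin", "proc_file_path": "C:\\Windows\\System32\\reagentc.exe", "cmdline": "reagentc.exe /disable"}
{"event_type": "processcreatewin", "proc_file_path": "C:\\Windows\\System32\\reagentc.exe", "cmdline": "reagentc.exe /info"}
{"event_type": "processcreatewin", "proc_file_path": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe list shadows"}
{"event_type": "processcreatewin", "proc_file_path": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "Vssadmin.exe Delete Shadows /All /Quiet"}
{"event_type": "filecreatewin", "proc_file_path": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all"}
"""

# Rule name -> (image file name, substrings that must ALL appear in the command line),
# mirroring the two queries from the post.
RULES = {
    "WinRE disabled (reagentc /disable)": ("reagentc.exe", ("disable",)),
    "Shadow copies deleted (vssadmin delete shadows)": ("vssadmin.exe", ("delete", "shadows")),
}


def matches(event: dict, image: str, terms: tuple) -> bool:
    """Return True when a single event satisfies one rule."""
    if event.get("event_type") != "processcreatewin":
        return False
    # Compare only the file name, so a full path still matches the query's "reagentc.exe".
    path = event.get("proc_file_path", "").replace("/", "\\")
    if path.rsplit("\\", 1)[-1].lower() != image:
        return False
    # Case-insensitive AND over the required command-line terms.
    cmdline = event.get("cmdline", "").lower()
    return all(term in cmdline for term in terms)


def detect(lines: Iterable[str]) -> list:
    """Run every rule over newline-delimited JSON events; return (rule, cmdline) hits."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, (image, terms) in RULES.items():
            if matches(event, image, terms):
                hits.append((rule, event["cmdline"]))
    return hits


if __name__ == "__main__":
    for rule, cmdline in detect(SAMPLE_EVENTS.splitlines()):
        print(f"[ALERT] {rule}: {cmdline}")
```

Note that `vssadmin list shadows` and `reagentc /info` stay silent, which is the distinction the `delete AND shadows` and `disable` terms in the queries are there to make.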
See you tomorrow!