211. That's How Stealers Defeat System Recovery

Hello everyone!

What's the first thing you think about hearing about defeating system recovery? Ransomware? Sure, but it's not the only case. And you can transform it into a detection opportunity!

Elastic Security Labs presented a report on NOVABLIGHT - a NodeJS infostealer. It has a lot of features, but we're going to look at those related to defeating system recovery.

For example, the stealer disables the Windows Recovery Environment (reagentc /disable) and deletes all Volume Shadow Copies (vssadmin delete shadows /all).

And here we have two detection opportunities. Disabling WinRE:

event_type: "processcreatewin"
AND
proc_file_path: "reagentc.exe"
AND
cmdline: "disable"

And deleting Volume Shadow Copies:

event_type: "processcreatewin"
AND
proc_file_path: "vssadmin.exe"
AND
cmdline: ("delete" AND "shadows")
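The two queries above turned into a small Python triage script, as an added example that is not from the original post: the field names follow the queries, the sample events are constructed, and matching is done on the image file name (case-insensitively) rather than on the full path, since the full path is brittle.

```python
import re

# Constructed sample process-creation events in the shape of the post's queries
# (field names from the post; the values are made up for illustration).
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reagentc.exe",
     "cmdline": "reagentc /disable"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\reagentc.exe",
     "cmdline": "reagentc /info"},
    {"event_type": "filecreatewin", "proc_file_path": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all"},
]

def _image_name(path):
    # Compare the file name only: the binary may be invoked via a different path.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect_winre_disable(event):
    """Detection 1: reagentc.exe launched with 'disable' on the command line."""
    return (event.get("event_type") == "processcreatewin"
            and _image_name(event.get("proc_file_path", "")) == "reagentc.exe"
            and re.search(r"\bdisable\b", event.get("cmdline", ""), re.IGNORECASE) is not None)

def detect_shadow_delete(event):
    """Detection 2: vssadmin.exe launched with both 'delete' and 'shadows' on the command line."""
    cmd = event.get("cmdline", "").lower()
    return (event.get("event_type") == "processcreatewin"
            and _image_name(event.get("proc_file_path", "")) == "vssadmin.exe"
            and "delete" in cmd and "shadows" in cmd)

def triage(events):
    """Return (event index, rule name) for every event that fires a rule."""
    hits = []
    for i, ev in enumerate(events):
        if detect_winre_disable(ev):
            hits.append((i, "winre_disable"))
        if detect_shadow_delete(ev):
            hits.append((i, "shadow_copy_delete"))
    return hits

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['cmdline']}")
```

Only the first two constructed events fire; the benign `reagentc /info` and `vssadmin list shadows` invocations and the non-process-creation event do not.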

See you tomorrow!
