212. A Curious Case of Masquerading
Hello everyone!
Masquerading (T1036) - a very common technique we see daily. Sometimes it's boring, sometimes it's not. But let's look at a curious case.
Kaspersky released a report on how adversaries abuse GitHub and social media to deliver Cobalt Strike Beacons. The threat actors distributed RAR archives with multiple files inside. The victim has to run an LNK file to start the infection chain; the LNK executes the following command:
%cd% /c echo F | xcopy /h /y %cd%\Требования\Требования %public%\Downloads\
& start %cd%\Требования
& ren %public%\Downloads\Company.pdf nau.exe
& ren %public%\Downloads\Requirements.pdf BugSplatRc64.dll
& %public%\Downloads\nau.exe
And here we have a few detection opportunities. The first one - abusing xcopy to copy files to %PUBLIC%:
event_type: "processcreatewin"
AND
proc_file_path: "xcopy.exe"
AND
cmdline: "public"
The second - using ren to rename a PDF file into an EXE. Keep in mind that ren is a cmd.exe built-in, not a separate executable, so there is no ren.exe process to look for; the rename shows up in the command line of cmd.exe itself:
event_type: "processcreatewin"
AND
proc_file_path: "cmd.exe"
AND
cmdline: (*ren* AND *pdf* AND *exe*)
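As an added example (not from the post or from the Kaspersky report), here are both detection opportunities implemented in Python and run over a handful of constructed process-creation events. The field names follow the queries above (event_type, proc_file_path, cmdline); the events themselves are made up, modelled on the command chain quoted above. Because ren is a cmd.exe built-in, the rename check parses the cmd.exe command line: it splits the chain on & and |, looks for a ren/rename whose source ends in .pdf, and checks the destination extension. It goes slightly beyond the query above by also flagging .dll as a destination, so the second rename in the chain is caught as well.

```python
import ntpath
import re
import shlex

# Destination extensions that turn a "document" into something loadable.
# The post's query only matches .exe; .dll is added here to cover the
# second rename in the quoted chain (Requirements.pdf -> BugSplatRc64.dll).
EXECUTABLE_EXTS = (".exe", ".dll")

# Constructed sample events (not real telemetry). Event 0 is the cmd.exe
# launched by the LNK; event 1 is its xcopy.exe child with %public% already
# expanded by cmd.exe; events 2-4 are benign/non-matching controls.
EVENTS = [
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": (r"cmd.exe /c echo F | xcopy /h /y %cd%\Требования\Требования %public%\Downloads\ "
                 r"& start %cd%\Требования "
                 r"& ren %public%\Downloads\Company.pdf nau.exe "
                 r"& ren %public%\Downloads\Requirements.pdf BugSplatRc64.dll "
                 r"& %public%\Downloads\nau.exe")},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy /h /y C:\Users\victim\Desktop\archive\Требования\Требования C:\Users\Public\Downloads\ "},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ren report_draft.pdf report_final.pdf"},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy /s /e D:\backup E:\backup\ "},
    {"event_type": "filecreatewin",
     "proc_file_path": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy /y C:\tmp\a.txt C:\Users\Public\ "},
]


def image_name(proc_file_path: str) -> str:
    """Lower-cased file name of the process image (ntpath handles Windows separators on any host)."""
    return ntpath.basename(proc_file_path).lower()


def xcopy_to_public(ev: dict) -> bool:
    """Detection 1: xcopy.exe process whose command line references a Public directory.

    The match is case-insensitive because cmd.exe expands %public% to C:\\Users\\Public
    before xcopy.exe is created, so the child's command line carries the expanded form.
    """
    return (ev["event_type"] == "processcreatewin"
            and image_name(ev["proc_file_path"]) == "xcopy.exe"
            and "public" in ev["cmdline"].lower())


def chained_commands(cmdline: str) -> list:
    """Split a cmd.exe command line on its chaining operators (&&, ||, &, |)."""
    return [seg.strip() for seg in re.split(r"&&|\|\||&|\|", cmdline) if seg.strip()]


def rename_pdf_to_executable(cmdline: str) -> list:
    """Detection 2: return (src, dst) pairs where a ren/rename built-in turns a .pdf into an executable.

    ren is internal to cmd.exe, so this is applied to the cmd.exe command line, not to a
    separate process. Tokens are split Windows-style (posix=False keeps backslashes literal
    and preserves quoting); surrounding quotes are stripped before the extension check.
    """
    hits = []
    for seg in chained_commands(cmdline):
        try:
            toks = [t.strip('"') for t in shlex.split(seg, posix=False)]
        except ValueError:          # unbalanced quotes: skip this segment
            continue
        for j, tok in enumerate(toks):
            if tok.lower() in ("ren", "rename") and j + 2 < len(toks):
                src, dst = toks[j + 1], toks[j + 2]
                if src.lower().endswith(".pdf") and dst.lower().endswith(EXECUTABLE_EXTS):
                    hits.append((src, dst))
                break               # one ren per chained segment
    return hits


def evaluate(events: list) -> list:
    """Run both detections over a list of events; returns (event_index, alert_text) tuples."""
    alerts = []
    for i, ev in enumerate(events):
        if xcopy_to_public(ev):
            alerts.append((i, "xcopy_to_public"))
        if ev["event_type"] == "processcreatewin" and image_name(ev["proc_file_path"]) == "cmd.exe":
            for src, dst in rename_pdf_to_executable(ev["cmdline"]):
                alerts.append((i, f"ren_pdf_to_executable: {src} -> {dst}"))
    return alerts


if __name__ == "__main__":
    for idx, text in evaluate(EVENTS):
        print(f"event {idx}: {text}")
```

Only events 0 and 1 fire: the cmd.exe line produces two rename alerts (Company.pdf to nau.exe and Requirements.pdf to BugSplatRc64.dll) and the xcopy.exe child fires the Public-directory rule; the benign rename, the backup xcopy and the non-process event stay quiet.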
See you tomorrow!