Posts

Showing posts from August, 2025

217. Detecting PXA Stealer's Behavior Markers

Hello everyone! Let's talk about stealers again. This time about PXA Stealer, a Python-based stealer that emerged in late 2024. Let's look at a few behavior markers covered in a joint report by SentinelOne and Beazley Security.

The first one is misusing certutil.exe to decode a masqueraded file into a new encrypted archive:

certutil -decode Document.pdf Invoice.pdf

Decoding "PDF" files is not a common use of this utility, so we can build our logic around it:

event_type: "processcreatewin" AND proc_file_path: "certutil.exe" AND cmdline: ("decode" AND *pdf)

The next behavior is abusing a renamed WinRAR executable to unpack the archive (here WinRAR runs as images.png, and the password is passed on the command line with -p):

images.png x -ibck -y -poX3ff7b6Bfi76keXy3xmSWnX0uqsFYur Invoice.pdf C:\Users\Public

Of course, here we can hunt for renamed executables by comparing the OriginalFilename from the PE version information with the path the binary actually runs from:

event_type: "processcreatewin" AND proc_file_originalfilename: "WinRAR.exe" AND NOT proc_file_path: *winrar*

Make sure to check the report - you can fin...

216. An Interesting Case of Rundll32 Abuse

Hello everyone! Do you remember I mentioned that rundll32.exe is my favourite threat hunting target? Let's look at another example! We'll look inside the report by eSentire on Interlock. The adversary abused rundll32.exe and the Windows Shell Common DLL (shell32.dll) to run a malicious LNK file:

rundll32 shell32.dll,ShellExec_RunDLL "<8_CHARS>.lnk"

So, based on this, we can form a simple hypothesis: an adversary may use rundll32.exe and the Windows Shell Common DLL to run a malicious LNK file:

event_type: "processcreatewin" AND proc_file_path: "rundll32.exe" AND cmdline: ("shell32.dll" AND *lnk)

There's another interesting rundll32.exe abuse example in the report. Can you find it? See you tomorrow!
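The hunt above keys on the literal strings "shell32.dll" and *lnk, which misses a full path to the DLL, a module name given without the .dll extension, or the A/W-suffixed export names. As an added example (not code from the blog or from the eSentire report), here is a small Python normalizer that parses a rundll32 command line into module, export and argument string and runs the same rule on the normalized fields. The parsing model is a simplified assumption about how rundll32 reads its command line, and the sample command lines are constructed for the example.

```python
import re
from typing import Optional

# First whitespace-delimited token, quoted or bare (the rundll32 executable itself).
_FIRST_TOKEN = re.compile(r'^\s*(?:"(?P<q>[^"]*)"|(?P<u>\S+))\s*')
# '<module>,<export> <args>': the module may be quoted and may be a full path.
_MODULE = re.compile(r'^(?:"(?P<q>[^"]*)"|(?P<u>[^\s,]+))\s*,\s*(?P<export>\S+)\s*(?P<args>.*)$')
# A .lnk reference in the argument string (quoted, bare, or as the last token).
_LNK = re.compile(r'''\.lnk(?:["'\s]|$)''', re.IGNORECASE)
# shell32's ShellExec_RunDLL export plus its ANSI/Unicode-suffixed variants.
_SHELLEXEC_EXPORTS = {"shellexec_rundll", "shellexec_rundlla", "shellexec_rundllw"}


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path.strip())[-1]


def parse_rundll32(cmdline: str) -> Optional[dict]:
    """Return {'module', 'export', 'args'} for a rundll32 command line, or None.

    Simplified model of how rundll32 reads its command line (an assumption for
    this example, not the documented algorithm): after the executable token comes
    '<dll>,<entrypoint>' and the rest of the line is handed to the entry point.
    The module is normalized to a lowercase basename without the .dll extension,
    so 'shell32', 'shell32.dll' and a full path to shell32.dll compare equal.
    """
    m = _FIRST_TOKEN.match(cmdline)
    if not m:
        return None
    exe = m.group("q") if m.group("q") is not None else m.group("u")
    if _basename(exe).lower() not in ("rundll32", "rundll32.exe"):
        return None
    mm = _MODULE.match(cmdline[m.end():])
    if not mm:
        return None
    module = _basename(mm.group("q") if mm.group("q") is not None else mm.group("u")).lower()
    if module.endswith(".dll"):
        module = module[:-4]
    return {"module": module, "export": mm.group("export").lower(), "args": mm.group("args").strip()}


def is_shellexec_lnk(cmdline: str) -> bool:
    """The post's hypothesis on normalized fields: shell32!ShellExec_RunDLL with a .lnk argument."""
    p = parse_rundll32(cmdline)
    return (p is not None and p["module"] == "shell32"
            and p["export"] in _SHELLEXEC_EXPORTS and _LNK.search(p["args"]) is not None)


# Constructed command lines (not from the report) exercising the variants.
SAMPLES = [
    'rundll32 shell32.dll,ShellExec_RunDLL "abcd1234.lnk"',
    r'C:\Windows\System32\rundll32.exe "C:\Windows\System32\shell32.dll",ShellExec_RunDLLA C:\Users\Public\payload.LNK',
    "rundll32 shell32,shellexec_rundll notes.lnk",
    "rundll32 shell32.dll,ShellExec_RunDLL https://example.com/",   # no .lnk argument
    "rundll32 shell32.dll,Control_RunDLL desk.cpl",                 # different export
    'powershell -c "rundll32 shell32.dll,ShellExec_RunDLL x.lnk"',  # not a rundll32 process
]


def hunt(cmdlines=SAMPLES) -> list:
    """Indexes of the command lines that match the rule."""
    return [i for i, c in enumerate(cmdlines) if is_shellexec_lnk(c)]


if __name__ == "__main__":
    for i in hunt():
        print(i, parse_rundll32(SAMPLES[i]))
```

The first three samples match; the fourth shows why the .lnk check is worth keeping separately from the export name (ShellExec_RunDLL will happily open a URL too, which is a different hunt), and the last one is caught by checking the process image rather than just searching the command line for "rundll32".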

215. Another RMM in Scattered Spider's Arsenal

Hello everyone! Scattered Spider keeps being very active, so it's important to track changes in their tactics, techniques and procedures. The threat actors often use RMM tools that other adversaries rarely use, for example Pulseway. The group leverages this tool to obtain redundant access to a compromised network. To detect it, we can, for example, search for executables with "pulseway" in their version metadata:

event_type: "processcreatewin" AND proc_file_productname: "pulseway"

Also we can search for DNS queries related to its website:

event_type: "dnsreqwin" AND dns_rname: "pulseway.com"

If Pulseway is already deployed legitimately in your environment, baseline the hosts and accounts that run it first, so that the hunt surfaces only new installations. See you tomorrow!

214. That's How Adversaries Sanitize Logs

Hello everyone! Adversaries often delete logs, but in some cases we see a more sophisticated approach: they sanitize the logs instead. Let's look at the report on CL-STA-0969. They used utmpdump to dump the contents of the binary wtmp log file into a text file:

utmpdump /var/log/wtmp >/var/log/wtmp.file

Then they used sed to remove the lines containing their IP address:

sed -i '/<IP Address>/d' /var/log/wtmp.file

And finally utmpdump again, this time with -r to convert the edited text back into the binary format and overwrite the original log:

utmpdump -r /var/log/wtmp.file > /var/log/wtmp

So, for example, we can search for suspicious utmpdump executions:

event_type: "processcreatenix" AND proc_file_path: "utmpdump" AND cmdline: "wtmp"

The reverse direction (-r) with output redirected onto /var/log/wtmp is the rarer and more telling part of the chain, so it's worth a higher-severity rule of its own. See you tomorrow!

213. That's How Secret Blizzard Reduces the Difficulty of Lateral Movement

Hello everyone! Lateral movement is another common tactic we see daily. Of course, in some cases the threat actors can start it almost immediately after gaining initial access, while in others they need at least some preparation. For example, Secret Blizzard. The adversary modified the registry to reduce the difficulty of lateral movement on the network, under the following key:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles

Each network profile lives in a sub-key named after its GUID, and its Category value controls the profile type: 0 is Public, 1 is Private and 2 is Domain. The threat actors set Category to 1, which sets the profile of the network to Private after the host has been rebooted, so Windows treats it as a trusted network with more permissive firewall and discovery settings. Of course, we can hunt for such modifications:

event_type: "registryvaluesetwin" AND reg_key_path: "NetworkList\\Profiles" AND reg_value_data: "0x00000001"

As written, this matches any value under the key being set to 1, so in practice add the value name (Category) and look at which process performed the write. See you tomorrow!
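The hunts in posts 217, 216, 215, 214 and 213 above are all written in the same query syntax: field terms joined with AND/NOT, plain quoted strings and *-wildcards. As an added example (not the blog's or any vendor's code), here is a small Python evaluator for that subset, with every rule from those posts expressed as a list of (field, term, negate) conditions and run over constructed sample events. The matching semantics are assumptions: a plain term is a case-insensitive substring match, and a wildcard term is a case-insensitive glob tested against the whole value and against each quote-stripped whitespace token. The registry rule also adds the Category value name, a tightening of the post's query rather than part of it.

```python
import fnmatch

# Constructed sample telemetry (not real events), shaped after the fields the
# queries use: Windows/Linux process creation, DNS and registry value events.
EVENTS = [
    {"id": 1, "event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -decode Document.pdf Invoice.pdf"},
    {"id": 2, "event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -hashfile setup.msi SHA256"},
    {"id": 3, "event_type": "processcreatewin", "proc_file_path": r"C:\Users\Public\images.png",
     "proc_file_originalfilename": "WinRAR.exe",
     "cmdline": r"images.png x -ibck -y -pREDACTED Invoice.pdf C:\Users\Public"},
    {"id": 4, "event_type": "processcreatewin", "proc_file_path": r"C:\Program Files\WinRAR\WinRAR.exe",
     "proc_file_originalfilename": "WinRAR.exe", "cmdline": "WinRAR.exe x backup.rar"},
    {"id": 5, "event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\rundll32.exe",
     "cmdline": 'rundll32 shell32.dll,ShellExec_RunDLL "abcd1234.lnk"'},
    {"id": 6, "event_type": "processcreatewin", "proc_file_path": r"C:\Program Files\Pulseway\agent.exe",
     "proc_file_productname": "Pulseway", "cmdline": "agent.exe"},
    {"id": 7, "event_type": "dnsreqwin", "dns_rname": "my.pulseway.com"},
    {"id": 8, "event_type": "processcreatenix", "proc_file_path": "/usr/bin/utmpdump",
     "cmdline": "utmpdump /var/log/wtmp"},
    {"id": 9, "event_type": "processcreatenix", "proc_file_path": "/usr/bin/last",
     "cmdline": "last -f /var/log/wtmp"},
    {"id": 10, "event_type": "registryvaluesetwin",
     "reg_key_path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{PROFILE-GUID}",
     "reg_value_name": "Category", "reg_value_data": "0x00000001"},
]

# Each rule: all conditions must hold; negate=True expresses NOT.
RULES = {
    # 217: certutil decoding a "PDF"
    "certutil_decode_pdf": [("event_type", "processcreatewin", False), ("proc_file_path", "certutil.exe", False),
                            ("cmdline", "decode", False), ("cmdline", "*pdf", False)],
    # 217: WinRAR running under another name
    "renamed_winrar": [("event_type", "processcreatewin", False),
                       ("proc_file_originalfilename", "WinRAR.exe", False), ("proc_file_path", "*winrar*", True)],
    # 216: rundll32 + shell32 launching a LNK
    "rundll32_shellexec_lnk": [("event_type", "processcreatewin", False), ("proc_file_path", "rundll32.exe", False),
                               ("cmdline", "shell32.dll", False), ("cmdline", "*lnk", False)],
    # 215: Pulseway RMM by product name and by DNS
    "pulseway_process": [("event_type", "processcreatewin", False), ("proc_file_productname", "pulseway", False)],
    "pulseway_dns": [("event_type", "dnsreqwin", False), ("dns_rname", "pulseway.com", False)],
    # 214: utmpdump touching wtmp
    "utmpdump_wtmp": [("event_type", "processcreatenix", False), ("proc_file_path", "utmpdump", False),
                      ("cmdline", "wtmp", False)],
    # 213: network profile category forced to Private (1); value name added as a tightening
    "network_profile_private": [("event_type", "registryvaluesetwin", False),
                                ("reg_key_path", r"NetworkList\Profiles", False),
                                ("reg_value_name", "Category", False), ("reg_value_data", "0x00000001", False)],
}


def term_matches(value, term: str) -> bool:
    """Assumed semantics: plain term = case-insensitive substring; '*' term = glob
    against the whole value and against each quote-stripped whitespace token."""
    if value is None:
        return False
    v, t = str(value).lower(), term.lower()
    if "*" not in t:
        return t in v
    candidates = [v] + [tok.strip("\"'") for tok in v.split()]
    return any(fnmatch.fnmatchcase(c, t) for c in candidates)


def rule_matches(event: dict, rule: list) -> bool:
    for field, term, negate in rule:
        if term_matches(event.get(field), term) == negate:   # hit on a NOT, or miss on a plain term
            return False
    return True


def run_hunt(events=EVENTS, rules=RULES) -> dict:
    """Map rule name -> ids of the events it fires on."""
    return {name: [e["id"] for e in events if rule_matches(e, rule)] for name, rule in rules.items()}


if __name__ == "__main__":
    for name, hits in run_hunt().items():
        print(f"{name:26s} -> {hits}")
```

Two details worth noticing when porting rules to a different engine: the renamed-WinRAR rule only works because the legitimate install (event 4) is excluded by the NOT clause on the path, and the *lnk wildcard only matches event 5 when tokens are compared with their quotes stripped, which is why the evaluator tests tokens and not only the whole command line.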