213. That's How Secret Blizzard Reduces the Difficulty of Lateral Movement
Hello everyone!
Lateral movement is another common tactic we see daily. Of course, in some cases the threat actors can start it almost immediately after gaining initial access, while in others they need at least some preparation.
Take Secret Blizzard as an example. The adversary modified the registry to reduce the difficulty of lateral movement on the network, using the following registry key:
SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
The threat actors modify the value Category, setting it to 0, so that the network profile is set to Private after the host has been rebooted.
Of course, we can hunt for such modifications:
event_type: "registryvaluesetwin"
AND
reg_key_path: "NetworkList\\Profiles"
AND
reg_value_data: "0x00000000"
See you tomorrow!