213. That's How Secret Blizzard Reduces the Difficulty of Lateral Movement

Hello everyone!

Lateral movement is another tactic we see daily. In some cases the threat actors can start it almost immediately after gaining initial access, while in others they need at least some preparation first.

Secret Blizzard is one example. The adversary modified the registry to make lateral movement across the network easier, using the following registry key:

SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles

The threat actors modify the Category value, setting it to 0 so that the network profile becomes Private after the host is rebooted. Windows Defender Firewall applies a less restrictive rule set to Private networks than to Public ones, which is what makes this change useful for lateral movement.

Of course, we can hunt for such modifications:

event_type: "registryvaluesetwin"
AND reg_key_path: "NetworkList\\Profiles"
AND reg_value_data: "0x00000000"
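The same hunt expressed as detection logic over constructed sample telemetry, as an added example that is not part of the original post. It keeps the field names from the query above, adds the assumed fields reg_value_name, host and process_name, and narrows the match to the Category value the post describes so that other writes under the same key do not fire.

```python
import re

# Constructed sample telemetry (not real data), in the field layout of the hunting
# query above; reg_value_name, host and process_name are assumed extra fields.
KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles"
SAMPLE_EVENTS = [
    # Category flipped to 0 on a network profile by reg.exe: the behaviour we hunt for.
    {"event_type": "registryvaluesetwin", "host": "ws-01", "process_name": "reg.exe",
     "reg_key_path": KEY + r"\{3F2A1B44-9C0D-4E7A-8B11-2D5E6F708192}",
     "reg_value_name": "Category", "reg_value_data": "0x00000000"},
    # Same key, different value (a profile rename): not a hit.
    {"event_type": "registryvaluesetwin", "host": "ws-01", "process_name": "svchost.exe",
     "reg_key_path": KEY + r"\{3F2A1B44-9C0D-4E7A-8B11-2D5E6F708192}",
     "reg_value_name": "ProfileName", "reg_value_data": "Network 3"},
    # Category set to a non-zero value: not a hit.
    {"event_type": "registryvaluesetwin", "host": "ws-02", "process_name": "svchost.exe",
     "reg_key_path": KEY + r"\{A7C9E012-3B4D-4F56-9A8B-0C1D2E3F4A5B}",
     "reg_value_name": "Category", "reg_value_data": "0x00000001"},
    # Zero written under an unrelated key: not a hit.
    {"event_type": "registryvaluesetwin", "host": "ws-02", "process_name": "reg.exe",
     "reg_key_path": r"HKLM\SOFTWARE\Example\Settings",
     "reg_value_name": "Category", "reg_value_data": "0x00000000"},
]

# The per-profile subkey (a GUID) under NetworkList\Profiles; matched without a
# hive prefix because sensors differ in how they render the path.
PROFILE_KEY = re.compile(r"\\NetworkList\\Profiles\\\{[0-9A-Fa-f-]+\}$", re.IGNORECASE)


def is_zero_dword(data):
    """Accept the DWORD zero however the sensor renders it: '0x00000000', '0' or 0."""
    if isinstance(data, int):
        return data == 0
    try:
        return int(str(data).strip(), 0) == 0
    except ValueError:
        return False


def matches_hunt(event):
    """The query from the post, narrowed to the Category value the actor changes."""
    return (event.get("event_type") == "registryvaluesetwin"
            and PROFILE_KEY.search(event.get("reg_key_path", "")) is not None
            and event.get("reg_value_name", "").lower() == "category"
            and is_zero_dword(event.get("reg_value_data")))


def hunt(events):
    """Return (host, process_name, reg_key_path) for every matching event."""
    return [(e["host"], e["process_name"], e["reg_key_path"])
            for e in events if matches_hunt(e)]
```

Only the first sample event is returned; the process_name in each hit is what you would pivot on next, since svchost.exe writing these values is routine while reg.exe or a scripting host is not.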

See you tomorrow!
