Posts

Showing posts from October, 2025

275. Hunting for Suspicious URLs

Hello everyone! How often do you use proxy logs for threat hunting? I hope often enough, as C2 communications may involve accessing quite interesting URLs. Let's look at a few examples! The first one is related to an activity cluster we track as Watch Wolf. If you look at the example, you can see that the malware accesses the following URL:

hxxps://4ad74aab[.]cfd/index.php

Of course, even the domain itself is quite suspicious, including the TLD, but the URL also contains "index.php", so we can use both to create a hunting query. Another example is Rhadamanthys, and another suspicious URL, of course:

hxxps://193.84.71[.]81/gateway/wcm6paht.htbq1

Here we also have an interesting part for building a hunting query: "gateway". See you tomorrow!
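As an added example (not code from the original post), here is a small hunting pass over constructed proxy log lines that combines the two signals the post points out: a suspicious host (an odd TLD such as .cfd, or a bare IP address) together with a suspicious path token ("index.php" or "gateway"). The TLD watch list beyond .cfd and the log line format are assumptions to be tuned to your own proxy.

```python
# Added example: hunt proxy logs for URLs that pair a suspicious host with a
# suspicious path token, as described in the post. Not the post's own code.
import re
from urllib.parse import urlsplit

# Assumed watch list: ".cfd" comes from the post, the others are placeholders to tune locally.
SUSPICIOUS_TLDS = {"cfd", "xyz", "top"}
PATH_TOKENS = {"index.php", "gateway"}
IPV4_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(url):
    """Return (host_traits, path_traits) for one URL; both lists empty means nothing odd."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    host_traits, path_traits = [], []
    if IPV4_HOST.match(host):
        host_traits.append("ip-literal-host")
    elif host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        host_traits.append("tld:" + host.rsplit(".", 1)[-1])
    # Compare whole path segments so "gateway" does not match e.g. "/gateways-of-europe".
    for segment in parts.path.lower().split("/"):
        if segment in PATH_TOKENS:
            path_traits.append(segment)
    return host_traits, path_traits


def hunt(log_lines):
    """Parse 'timestamp client method url status' lines; a hit needs a host AND a path trait."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than abort the whole hunt
        src, url = fields[1], fields[3]
        host_traits, path_traits = classify(url)
        if host_traits and path_traits:
            hits.append((src, url, host_traits + path_traits))
    return hits


# Constructed sample proxy log lines (assumed format: timestamp client method URL status).
SAMPLE_LOG = [
    "2025-10-02T08:14:05Z 10.0.0.15 GET https://4ad74aab.cfd/index.php 200",
    "2025-10-02T08:14:09Z 10.0.0.15 GET https://www.example.com/news/index.php 200",
    "2025-10-02T08:15:30Z 10.0.0.22 POST https://193.84.71.81/gateway/wcm6paht.htbq1 200",
    "2025-10-02T08:16:01Z 10.0.0.22 GET https://www.example.com/ 304",
]

if __name__ == "__main__":
    for src, url, traits in hunt(SAMPLE_LOG):
        print(f"{src} -> {url}  [{', '.join(traits)}]")
```

The benign example.com line with index.php is not reported because it has no host-side trait, which is the noise reduction gained by requiring both signals.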

274. That's How Phantom Taurus Abuses Exchange Management Shell

Hello everyone! I hope you've already checked Unit42's report on Phantom Taurus. Today we'll look at how this cluster abused Exchange Management Shell for email collection. According to the first report on Phantom Taurus, the adversary leveraged Exchange Management Shell (exshell.psc1) to collect selected emails and save them to CSV:

powershell.exe -psconsolefile "C:\Program files\microsoft\exchange server\v15\bin\exshell.psc1" -command "get-mailbox -Filter \"UserPrincipalName -Like \"*foreign*\"\" -ResultSize Unlimited | get-mailboxstatistics | sort-object TotalItemSize -Descending | Select-Object DisplayName,Alias,TotalItemSize -First 30 | export-csv c:\users\public\<redacted>\<redacted>.csv"

powershell.exe -psconsolefile "C:\Program files\microsoft\exchange server\v15\bin\exshell.psc1" -command "Get-MessageTrackingLog -ResultSize Unlimited | Where-Object {$_.Recipients -like \"*@<redacte...