277. Adversaries Abuse a Free Request Logging Service as C2

Hello everyone!

Today we'll talk about another interesting example of a legitimate web service, which is misused by threat actors as a C2 channel. This time it's a free request logging service.

According to Proofpoint report, TA415 leveraged requestrepo[.]com in order to exfiltrate collected system information as well as the VS Code Remote Tunnel verification code. 

The threat actors used WhirlCoil - a Python loader, which was executed via via pythonw.exe. We can use both facts to build a hunting query:

event_type: "dnsreqwin"

AND

dns_rname: "requestrepo.com"

AND

proc_file_path: "pythonw.exe"

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access