354. Adversaries Modify Registry to Make the Console Window Appear Off-Screen

Hello everyone!

We often see how adversares make console windows hidden. But they can also just make them to appear off-screen! Let's look at an example!

This time we'll look at Cloud Atlas (or Cloud Werewolf as we track it). The adversary modified the following registry keys to hide console windows:

"HKCU\Console\%SystemRoot%_System32_WindowsPowerShell_v1.0_powershell.exe"::"WindowPosition"::5122

"HKCU\UConsole\taskeng.exe"::"WindowPosition"::538126692

Quite interesting, right? And we can look for suspicious registry modification events:

event_type: "registryvaluesetwin"

AND

reg_key_path: "windowposition"

See you tomorrow!


Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access