303. Hunting for Replication Through Removable Media
Hello everyone! It may be not very common, but some adversaries still use infected USB devices for malware distribution, so today we'll look at an example of Replication Through Removable Media (T1091) . The example is Tangerine Turkey . The adversary leverages infected USB devices to distribute cryptocurrency-mining malware. So, the infection starts from executing a malicious VBScript from a USB drive: C:\WINDOWS\System32\WScript.exe E:\rootdir\x817994.vbs It means we can hunt for suspicious scripts executed from external drives, for example, D:\, E:\ and F:\. Let's build the query: event_type: "processcreatewin" AND proc_file_path: "wscript.exe" AND cmdline: ("d\\\:" OR "e\\\:" OR "f\\\:") See you tomorrow!