home.social

#huntoftheday — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #huntoftheday, aggregated by home.social.

  1. To aid you in your Threat Hunting journey, check out this Threat Profile based on behaviors associated with Amadey! There are two Community Hunt Packages that can get you started! Now get hunting!

    Amadey
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting

  2. And of course, another great resource that you can use for your Intel-Driven threat hunting efforts from MITRE ATT&CK. There is enough intel here to create a bunch of different hypotheses and hunt queries!

    Salt Typhoon
    attack.mitre.org/groups/G1045/

    #huntoftheday #gethunting

  3. First, we have created a Hunt Package Collection based on #SaltTyphoon behaviors which you can find here! There is a Community Edition hunt package in there that can get your hunting started!

    Salt Typhoon Hunt Package Collection
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting

  4. Not to beat a dead horse, but deleting shadow copies is a very common behavior that many ransomware strains use. So if you are on the hunt, let us help you with this Community Hunt Package!

    Shadow Copies Deletion Using Operating Systems Utilities
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting

  5. If this article got you thinking about LOLBINs, take this great information and make it actionable with this Community Hunt Package! It covers the execution of common LOLBINs directly related to discovery activity! Now Get Hunting!

    Excessive Windows Discovery and Execution Processes - Potential Malware Installation
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting #HappyHunting

  6. Apologies for the delay, didn't mean to leave all your threat hunters hanging! According to the researchers, #Anubis #ransomware runs the following command to inhibit system recovery (T1490) " vssadmin delete shadows /for=norealvolume /all /quiet". This is a common behavior from ransomware strains but you can use this Community Hunt Package to help discover that activity in your environment! Go find evil and get hunting!

    Shadow Copies Deletion Using Operating Systems Utilities

    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting!

  7. If RMM tool abuse is something you are concerned about check out this community hunt package! This hunt package is designed to identify when a service is created to run AnyDesk, which was a tactic the adversary used in this report! Hope you enjoy and Happy Hunting!

    AnyDesk Service Installation - Potentially Malicious RMM Tool Installation
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting

  8. AND A HUNT OF THE DAY!?! You know it! Looking at where the malware created their scheduled task you can tell it is a little phishy, but there are more locations that adversaries like to use/abuse! See what you can find in your environment with this! Yes, it is community and I hope it gets you off on your journey if you haven't started OR it adds another tool to your existing toolbox! Happy Hunting!

    Scheduled Task Executing from Abnormal Location
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting #HappyHunting

  9. To complement the work of the authors, why not take this Community Hunt Package with you to identify when a Powershell encoded command is executed in your environment:

    Powershell Encoded Command Execution
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting

  10. I had this all ready but forgot to send yesterday! For your #huntoftheday I would recommend conducting an unstructured hunt on processes making network detections that could lead to C2 activity! Enjoy and Happy Hunting!

    #gethunting

  11. And, if you are taking this wonderful intel and using it to threat hunt, why not let us help you! Check out this Community Hunt Package that helps identify when AnyDesk is executed from an abnormal folder. Yes it wasn't mentioned in the article, but there are PLENTY of examples of this abuse in many other articles! Enjoy and Happy Hunting!

    AnyDesk Execution from Abnormal Folder - Potential Malicious Use of RMM Tool
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting

  12. Don't think I was going to leave you hanging! If you haven't got this hunt package yet, what are you waiting for? This is probably the top community hunt package I post because the technique is SO common! Let us help you hunt for persistence through the modification of the Windows Run Registry key and other locations. I promise, the NanoCore RAT is not the only malware to use it, so you have multiple threats covered. Enjoy and Happy Hunting!

    Autorun or ASEP Registry Key Modification
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting

  13. And more good news! I am going to leave you with a community hunt package from our Ransomware Collection for you to stay diligent in your threat hunting efforts! So go get hunting!

    Windows sc Used to Disable Multiple Services in Brief Period - Potential Ransomware
    hunter.cyborgsecurity.io/resea

    #huntoftheday #gethunting

  14. And as a gift for you on Friday, here are TWO community hunt packages you can use to hunt for similar suspicious activity! Happy Hunting!

    Scheduled Task Executing from Abnormal Location

    hunter.cyborgsecurity.io/resea

    This hunt package is designed to capture activity associated with a scheduled task which includes abnormal locations in its details for execution. This is often a mark of persistence or malicious tasks created by malware or attackers.

    Potential Maldoc Execution Chain Observed

    hunter.cyborgsecurity.io/resea

    Detect the aftermath of a successfully delivered and executed maldoc (Microsoft Office). A detection indicates an Office document was opened from an email or download/link, spawned a suspicious execution, and attempted to execute code via common Windows binaries (i.e. powershell, cmd, rundll32, etc).

    #huntoftheday #gethunting

  15. Good day everyone!

    Sophos has released their second "Active Adversary Report" of 2024 where they look specifically at patterns and developments they noted during the first half of the year. They provided 3 key takeaways which were:

    - Abuse of built-in Microsoft services (LOLbins) is up - way up
    - RDP (Remote Desktop Protocol) abuse continues rampant, with a twist
    - The ransomware scene: Banyans vs poplars.

    LOLBIN abuse:
    The Sophos researchers organized all their data and found that RDP, cmd.exe, and powershell were the top hitters for most prevalent LOLBIN being abused and they share the trend of LOLBIN abuse of which applications are being seen more or less from 2023 compared to the first part of 2024. Notable increases were seen in cmd.exe, net.exe, notepad.exe and ipconfig.exe. Notable decreases were PsExec, Task Scheduler, and a slight decrease in RDP, even though it remains at the top.

    Now the question is, how does this help you and what are you going to do about it? Well, there is always the question as to whether to run a structured or unstructured hunt. For unstructured, I would prioritize that list from first to last and look for anomalies in the data. For structured hunts, I would try to better understand the behavior and the reason the adversaries are using them. Then you can focus on these behaviors, improve your query using different options/flags/parameters (whatever you want to call them) and dig deeper. Use the knowledge you have of how they have been used maliciously in the past to help guide you! Enjoy and Happy Hunting!

    The Bite from Inside: The Sophos Active Adversary Report
    news.sophos.com/en-us/2024/12/

    Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471

  16. Happy Monday everyone!

    Kaspersky researchers discovered the #RedLineStealer being spread through a well-known HPDxLIB activator when adversaries published links directing unknown victims to a malicious version of the software. The malicious software involved a malicious DLL getting loaded by "1cv8.exe" which would load another malicious library which would launch the stealer.

    Looking at a report that was published earlier this year, McAfee researchers detailed some of the behaviors that are attributed to the RedLine Stealer. There was a creation of a "readme.txt" file in a C:\Program Files\ directory (most likely the directory of the malicious version of the legitimate software that was downloaded), there was a scheduled task created that referenced the "readme.txt", and a .cmd file that was created in the C:\Windows\Setup\Scripts\ directory that started a randomly named executable that once again, referenced the readme.txt file.

    If I were hunting for this, I would start with scheduled tasks being created in my environment that may not match the naming convention established by my business. Enjoy the read and go get hunting! Happy Hunting!

    RedLine info-stealer campaign targets Russian businesses through pirated corporate software
    securityaffairs.com/171771/cyb

    (You can find the original report in the link provided by this Security Affairs article.)

    Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471

  17. Happy Monday everyone, it is hard to believe it is December already!

    Researchers at ANY.RUN - Interactive Malware Analysis Service found an interesting technique used by adversaries to trick their victims into compromising themselves using corrupted Word documents. The attackers send corrupted Word documents that bypass security software due to their damaged state but are still recoverable by the applications. Once the target recovers it, they are presented with a QR code to scan that is paired with the logo of a legitimate organization to make it look more legitimate. The target or potential victim is then taken to a phishing site that masquerades as a Microsoft login page in order to steal the legitimate credentials.

    Looking at potential hunting opportunities it may be a little harder to find than most "macro enabled document" situations because the goal appears to have the user use a different device to scan the QR code and enter their credentials. In that case, if there are any reports of corrupted documents finding their way to users' emails, I would begin a hunt for abnormal login attempts! Enjoy and Happy Hunting!

    Any.Run Twitter source:
    x.com/anyrun_app/status/186102

    Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting CyborgSecInc

  18. Happy Wednesday everyone!

    While researching the #BlackBasta ransomware, I came across a couple great articles (not that all of them aren't great, I just haven't read ALL of them).

    The first is from RedSense, a threat intelligence org that takes a deep dive into "The Evolution of BlackBasta Malware Dissemination" where they look at BlackBasta activity from 2022 up to today. They provide historic examples of what led up to this point but also provide wonderful technical details on malware and behaviors. In 2024 they were seen exploiting Microsoft Teams vulnerabilities and tricking victims into downloading RMM tools like AnyDesk to gain access to their machines and networks.

    One behavior that may indicate that you are a victim of ANY ransomware, but one attributed to BlackBasta, is suspicious BCDEdit.exe activity. BCDEdit is a command-line tool for managing Boot Configuration Data, or BCD, and the ransomware modifies the configuration to prevent recovery.

    This is a great article and I hope you get as much out of it as I did! Happy Hunting!

    The Evolution of BlackBasta Malware Dissemination
    redsense.com/publications/evol

    Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471

  19. Good day everyone!

    A Chinese APT group, #EarthEstries, makes headlines today in an article from Trend Micro researchers. Earth Estries has been targeting critical sectors like telecommunications and government entities across the US, Asia-Pacific, Middle East, and South Africa since 2023, so they have a significant global footprint. They like to target public-facing server vulnerabilities for initial access, abuse living-off-the-land binaries (LOLBINs) for lateral movement, deploy backdoors such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, and use advanced techniques.

    In this report, you can see the commands that were issued for lateral movement through WMIC.exe, discovery activity using ping.exe to output to a file (most likely for reading by the adversary later), more discovery activity using wevtutil.exe looking at event code 4624 (Process Create) and then the PSEXEC.exe activity that first accepted the end user license agreement ("accepteula"), and finally the execution of a bat file.

    You are probably thinking, well, where do I start hunting for this activity? A quick win that I can share with you is looking for that first execution of a Sysinternals tool, which modifies a registry key when the "accepteula" parameter is issued.

    Now enjoy the rest of the article that I omitted and go get hunting! Happy Hunting!

    Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
    trendmicro.com/en_us/research/

    Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security

  20. Happy Friday everyone!

    A Joint Advisory from the National Security Agency, Federal Bureau of Investigation (FBI), Cyber National Mission Force, and the National Cyber Security Centre provides updates on the Russian Federation's Foreign Intelligence Service, or #SVR.

    According to the advisory, #APT29 (a.k.a. Midnight Blizzard, Cozy Bear, and the Dukes) has targeted the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations. They aim to exploit software vulnerabilities for initial access and escalate privileges. They also utilize spearphishing campaigns, password spraying, abuse of supply chain and trusted relationships. They also utilize custom malware and living-off-the-land (LOLBINs) techniques for multiple techniques.

    The report includes a list of #CVEs that APT29 has been observed exploiting and attaches the vendor and product that are affected with details that describe the vulnerability along with a section of mitigations that your organization can take to increase your security posture.

    If you are looking for behaviors that are attributed to APT29, look no further than the MITRE ATT&CK Matrix! This resource has collected historic #TTPs and behaviors and referenced them as well. So while you are working on hardening your environment you can also hunt for their activity as well! Enjoy and Happy Hunting!

    Article Source:
    Update on SVR Cyber Operations and Vulnerability Exploitation
    ic3.gov/Media/News/2024/241010

    Mitre source:
    attack.mitre.org/groups/G0016/

    Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471

  21. Thank you all for waiting patiently for your Threat Hunt Tip of the Day! And here you go!

    I am not going to touch on the Windows Registry Run key that was mentioned, I lost track of how many times I shared that hunt package, even though it still proves to be useful, but what I will talk about are RMM tools. This list consists of tools like AnyDesk (seen in the Microsoft article), TeamViewer, AteraAgent, and many more!

    How do you approach this? Hopefully you have an inventory and hopefully you have an application allow-list. If you have both of these, it's a great start, but if you are like some organizations and living in the wild-west, it might be tougher. I would simply create a list of all the RMMs out there that have been abused by threat actors and search for them in your environment. Compare that to the software inventory if you have it and compare that to the application allow-list (if you have that as well) and then see what your data is telling you. This could be a quick win, especially if you see AnyDesk floating around your environment but no one approved it! Well, what are you waiting for? Go get those items and get hunting! Happy Hunting!

    Nice little resource for RMMs from Red Canary!
    redcanary.com/threat-detection

    Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting #huntoftheday

  22. For your Threat Hunting Tip of the Day:

    Masquerading is a common technique used by attackers and by using legitimate names for their malicious programs it makes the victims more likely to click the application. But, as a hunter, what can you do? Easy: Look at the process chain!

    Part of Threat Hunting is learning your environment and by identifying process chains that are legitimate in your environment, you can start to look for process chains that may not make sense. So when you are looking at "legit" sounding apps that are executing, make sure you look at the parent process!

    Good luck and Happy Hunting!

    Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting!

  23. For your threat hunting tip of the day:

    Once the malware was downloaded it started reaching out to some non-standard ports. Not only did the ports stick out as odd but the executables or programs doing it seemed strange as well. One example is the MSBuild.exe (an executable masquerading as a legitimate process) connected to an IP over port 6000.

    Using speedguide.net as a reference to see what legitimate programs use port 6000, I see Medal of Honor Rising Sun, Madden NFL 2005, Army of Two for the PlayStation 3, and other games. BUT, if we look at the first part of the table we see that it has been used by different trojans. So the question you should ask yourself is this: Is someone playing PlayStation in my corporate environment, and an old one at that, or is this strange port something I should look into?

    So, look for non-standard ports that aren't tied to business or legitimate processes and do some research to see what they possibly could be! I hope this helps! Enjoy and Happy Hunting!

    @cyborg Security @Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting

  24. Here is your Threat Hunting Tip of the Day:

    In The DFIR Report the attackers abused #PowerShell to execute encoded commands to hide their true activity from the defenders or the victims. Normally, PowerShell needs a parameter that tells it that the following command will be encoded, which is any valid variation of the "-encodedcommand" parameter. Now, this ranges from -e to -EnCoDeDcOmMaNd and everything in between to INCLUDE escape characters! So what are defenders to do?

    You could leverage this Intel 471 Free Community Hunt Package that looks for these variations using regular expression! Now, this will help you identify the encoded commands that are run in your organization and possibly by attackers, but be warned! False-positives are a thing and once you start removing them you should have a better idea of what is abnormal. You can also use open source tools like CyberChef to decode the commands so you can make them human readable!

    I hope this gets you started on your Threat Hunting journey, good luck and Happy Hunting!

    Powershell Encoded Command Execution
    hunter.cyborgsecurity.io/resea

    Cyborg Security #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
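Post 24 describes the regular-expression approach without showing one. As an added example for this page (not the hunt package linked above), the Python below generates every prefix of -EncodedCommand that PowerShell accepts, strips the cmd.exe caret and quote escapes the post mentions so the regex sees a bare flag, and then decodes the payload as base64-encoded UTF-16LE so the analyst gets human-readable text without a trip through CyberChef. The event records and host names are constructed; which escape characters to strip in normalize() is an assumption of this example.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -en, ... -encodedcommand.
_FLAG = "encodedcommand"
_PREFIXES = [_FLAG[:i] for i in range(1, len(_FLAG) + 1)]

# A "-" or "/" switch followed by one of those prefixes as a whole token, any case.
ENCODED_FLAG_RE = re.compile(
    r"(?<![\w-])[-/](?:" + "|".join(reversed(_PREFIXES)) + r")(?![\w-])",
    re.IGNORECASE,
)
# A base64 blob long enough to be a real payload (UTF-16LE doubles the byte count).
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def normalize(cmdline):
    """Remove cmd.exe caret escapes and quotes that get sprinkled into the flag
    (for example -e^n^c or -"en"c). Assumption: these are the escapes worth stripping."""
    return cmdline.replace("^", "").replace('"', "").replace("'", "")


def decode_payload(token):
    """-EncodedCommand payloads are base64 of UTF-16LE text; return None if it is not."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_encoded_commands(events):
    """One finding per process event whose command line carries an encoded-command flag."""
    findings = []
    for ev in events:
        norm = normalize(ev["CommandLine"])
        flag = ENCODED_FLAG_RE.search(norm)
        if not flag:
            continue
        # The payload is the first base64-looking token after the flag.
        blob = BASE64_RE.search(norm, flag.end())
        findings.append({
            "host": ev["Host"],
            "flag": flag.group(0),
            "decoded": decode_payload(blob.group(0)) if blob else None,
        })
    return findings


def _encode(text):
    """Build sample payloads the way PowerShell expects them (constructed test data only)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records; only the command line and a host tag are needed.
SAMPLE_EVENTS = [
    {"Host": "WKSTN-01", "CommandLine": "powershell.exe -nop -w hidden -EnCoDeD " + _encode("Write-Output 'inventory check'")},
    {"Host": "WKSTN-02", "CommandLine": "powershell.exe -e^n^c " + _encode("Get-Date")},
    {"Host": "SRV-01", "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"Host": "WKSTN-03", "CommandLine": 'cmd.exe /c "powershell -e ' + _encode("Start-Sleep 1") + '"'},
]

if __name__ == "__main__":
    for hit in hunt_encoded_commands(SAMPLE_EVENTS):
        print(hit)
```

The -ExecutionPolicy line is there on purpose: it starts with "-e" but is not an unambiguous prefix of -EncodedCommand, so the regex leaves it alone. Expect the remaining three to decode cleanly, then start removing the ones your own administration scripts produce, as the post says; what is left is the hunting ground.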

  25. For your Threat Hunting Tip of the Day:

    I have covered this one many times, but I will continue to beat this horse as long as it exists. Adversaries WILL abuse the Run Registry Key for persistence, old malware will and new malware will and even future malware will. Why? Because of the function: Execute on logon.

    So, if you are hunting for this, first make sure you have visibility into that registry key, emulate the traffic if you need to. Then make sure your tools have the visibility, that means you can hunt for it. Then, you can take this Intel 471 Free Community Hunt Package and drop it in your tool to begin the hunt! Enjoy and Happy Hunting!

    Autorun or ASEP Registry Key Modification
    hunter.cyborgsecurity.io/resea

    Cyborg Security #CyberSecurity #ITSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting

  26. For your (belated) Threat Hunting Tip of the Day:

    If you are hunting for the #Phobos ransomware, possibly being used by 8Base, you can look for a common behavior that abuses a living-off-the-land binary BCDEdit! The Boot Configuration Data (BCD) LOLBIN can modify the boot configuration to prevent recovery, something a ransomware group would benefit from!

    As always, a Free Community Hunt Package can help you save some time at the beginning of your hunt! Check it out and Happy Hunting!

    Suspicious bcdedit Activity - Potential Ransomware

    hunter.cyborgsecurity.io/resea

    Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #HappyHunting #huntoftheday #gethunting

  27. Threat Hunting Tip of the Day: LockBit edition!

    A common behavior displayed by ransomware is the abuse of different COM Objects to conduct a User Account Control (UAC) Bypass and gain elevated privileges. Some of these COM Objects that are abused are targeted specifically because they run at an elevated level which could allow the adversary to gain those levels and reach their goals quicker.

    As usual, attached is a Cyborg Security and Intel 471 FREE Community Hunt Package that helps uncover evidence of this type of activity! Hope this helps you find the bad! Happy Hunting!

    UAC Bypass Attempt via Elevated COM Abuse
    hunter.cyborgsecurity.io/resea

    #CyberSecurity #ITSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting

  28. For your Threat Hunting Tip of the Day:

    When hunting for activity surrounding your Windows machine's firewall being manipulated, specifically when adversaries try to add firewall rules using netsh, look for these parameters: "advfirewall", "set", and "rule". Or take the easy way out and check out this Cyborg Security and Intel 471 FREE Community hunt package! Enjoy and Happy Hunting!

    Windows Firewall Rule Added via CMD/PowerShell - Potential Malware Defense Evasion
    hunter.cyborgsecurity.io/resea

    #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
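The vssadmin, bcdedit, sc and netsh behaviors called out in posts 6, 13, 18, 26 and 28 can all be hunted from process-creation telemetry: a few deliberately loose command-line patterns for the single-command cases, plus one time-window rule for the "many services disabled in a brief period" case from post 13. The Python below is an added example written for this page, not one of the Cyborg Security hunt packages linked above. The Sysmon-style field names, the sample events and the two-minute/three-service threshold are constructed; the bcdedit values are the ones detection rules commonly watch, an assumption here since the posts only say bcdedit is used to prevent recovery.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line indicators named in the posts: shadow copy deletion and boot
# configuration tampering (T1490), and firewall rules added or changed via netsh.
INDICATORS = {
    "vssadmin shadow copy deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    # Assumption: the recovery/boot-status values are what rules usually key on.
    "bcdedit recovery disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "netsh firewall rule added": re.compile(
        r"\bnetsh(?:\.exe)?\b.*\badvfirewall\b.*\bfirewall\b.*\b(?:add|set)\b.*\brule\b", re.I),
}
# sc.exe disabling or stopping a service; group 1 or 2 captures the service name.
SC_RE = re.compile(
    r"\bsc(?:\.exe)?\s+(?:config\s+(\S+)\s.*\bstart=\s*disabled|stop\s+(\S+))", re.I)

# Constructed Sysmon-style process creation records (EventID 1 fields plus a Host tag).
SAMPLE_EVENTS = [
    {"Host": "FS-01", "UtcTime": "2024-06-01T02:10:05", "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Host": "FS-01", "UtcTime": "2024-06-01T02:10:09", "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Host": "FS-01", "UtcTime": "2024-06-01T02:10:12", "CommandLine": "sc config SQLWriter start= disabled"},
    {"Host": "FS-01", "UtcTime": "2024-06-01T02:10:14", "CommandLine": "sc stop VSS"},
    {"Host": "FS-01", "UtcTime": "2024-06-01T02:10:15", "CommandLine": "sc stop wbengine"},
    {"Host": "WKSTN-04", "UtcTime": "2024-06-01T09:00:00",
     "CommandLine": r'netsh advfirewall firewall add rule name="Remote Helper" dir=in action=allow program="C:\Users\Public\helper.exe"'},
    {"Host": "WKSTN-04", "UtcTime": "2024-06-01T09:30:00", "CommandLine": "sc stop Spooler"},  # lone help-desk restart
    {"Host": "ADMIN-01", "UtcTime": "2024-06-01T10:00:00", "CommandLine": "vssadmin list shadows"},  # benign read
]


def match_indicators(cmdline):
    """Names of every indicator pattern the command line satisfies."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmdline)]


def hunt_command_lines(events):
    """One finding per event that matches at least one indicator."""
    findings = []
    for ev in events:
        hits = match_indicators(ev["CommandLine"])
        if hits:
            findings.append({"host": ev["Host"], "time": ev["UtcTime"], "indicators": hits})
    return findings


def find_sc_bursts(events, window=timedelta(minutes=2), threshold=3):
    """Hosts where sc.exe disabled or stopped at least `threshold` distinct services
    inside `window`. A single 'sc stop Spooler' never reaches the threshold."""
    per_host = defaultdict(list)
    for ev in events:
        m = SC_RE.search(ev["CommandLine"])
        if m:
            service = (m.group(1) or m.group(2)).lower()
            per_host[ev["Host"]].append((datetime.fromisoformat(ev["UtcTime"]), service))
    bursts = []
    for host, items in sorted(per_host.items()):
        items.sort()
        for i, (start, _) in enumerate(items):
            in_window = {svc for t, svc in items[i:] if t - start <= window}
            if len(in_window) >= threshold:
                bursts.append({"host": host, "start": start.isoformat(), "services": sorted(in_window)})
                break  # report the first burst per host
    return bursts


if __name__ == "__main__":
    for f in hunt_command_lines(SAMPLE_EVENTS):
        print("indicator:", f)
    for b in find_sc_bursts(SAMPLE_EVENTS):
        print("sc burst:", b)
```

The burst rule is what turns "sc stop" from noise into a signal: backup agents and help-desk scripts stop one service at a time, while the ransomware behavior in post 13 hits several within seconds. Tune the window and threshold against your own telemetry before trusting the count.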

  29. Happy Friday everyone!

    I don't know how I missed the beginning of this series by Elastic and their security researchers but I did, I jumped straight into part three without realizing it! So, I had to stop and backpedal. So if you are like me, here is the first installment of their series on the #REMCOS #RAT. They take you through the process of analyzing it and provide #TTPs and behaviors. One that really sticks out is the #UACBypass and the COM objects that are involved.

    To leave you empty handed would be an insult to the researchers' work and to you as a threat hunter! So, take this with you in the face of danger! It is a Cyborg Security Community Edition (free for you) Hunt Package designed to identify when COM Objects that have a higher integrity level are abused and called for malicious purposes, in this case, to bypass the user account control mechanism in Windows! Enjoy and Happy Hunting!

    UAC Bypass Attempt via Elevated COM Abuse
    hunter.cyborgsecurity.io/resea

    Article Source:
    elastic.co/security-labs/disse

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #getHunting

  34. Happy Wednesday everyone!

    The Proofpoint Threat Research team paired up with the Team Cymru to dissect the #Latrodectus malware. "First seen being used by #TA577 and more recently #TA578, Latrodectus is a downloader that likes to evade sandbox environments." The researchers take a deep dive into the code to see what information they could extract and found PLENTY!

    After you are done reading, why not take a Cyborg Security Community Hunt Package to hunt for a threat like this? In the article, the researchers mention that the malware sets an AutoRun registry key for persistence, which is a common technique used by different adversaries and malware due to the capability and functionality of those registry keys. So, take this hunt package with you, it's dangerous out there! Enjoy and Happy Hunting!

    Autorun or ASEP Registry Key Modification
    hunter.cyborgsecurity.io/resea

    Source of article:
    proofpoint.com/us/blog/threat-

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #getHunting

  35. Happy Tuesday everyone!

    Proofpoint researchers observed activity from TA450 (AKA #MuddyWater) that involved social engineering and targeted Israeli employees. The researchers noticed a change in the adversaries' #TTPs, moving from using a PDF with malicious attachments to putting the malicious link in the email body.

    Taking this information into account, how can we hunt for this? Well, we can always look for Microsoft Office programs executing strange behavior such as spawning abnormal processes (especially the abuse of LOLBINs) or making network connections. Or, as a wise old man said back in 1986 "It's dangerous to go alone! Take this."

    Potential Maldoc Execution Chain Observed
    hunter.cyborgsecurity.io/resea

    This hunt package has been designed to detect the aftermath of a successfully delivered and executed maldoc (Microsoft Office). Enjoy and Happy Hunting!

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
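Posts 14, 22 and 35 come down to the same hunting move: learn which parent-to-child process chains are normal in your environment, then look for a child whose parent makes no sense, whether that is an Office application spawning cmd.exe or PowerShell (the maldoc chain) or a file with a legitimate-sounding name started by the wrong parent (masquerading). The Python below is an added illustration of that baseline-and-compare approach for this page, not the hunt package linked above. The baseline pairs, the hunt events and the min_seen threshold are constructed; the Office and LOLBIN name lists are this example's choice.

```python
from collections import Counter

# Constructed baseline of (parent, child) image names from a known-good window,
# repeated so that each chain has a meaningful count.
BASELINE_PAIRS = [
    ("explorer.exe", "winword.exe"), ("explorer.exe", "outlook.exe"),
    ("outlook.exe", "winword.exe"), ("explorer.exe", "chrome.exe"),
    ("services.exe", "svchost.exe"), ("svchost.exe", "taskhostw.exe"),
    ("explorer.exe", "cmd.exe"), ("cmd.exe", "powershell.exe"),
] * 20

# Constructed Sysmon-style process creation records from the hunt window.
HUNT_EVENTS = [
    {"Host": "WKSTN-07", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"Host": "WKSTN-07", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Host": "WKSTN-09", "ParentImage": r"C:\Users\jdoe\Downloads\invoice.exe",
     "Image": r"C:\Windows\System32\svchost.exe"},   # legitimate name, wrong parent
    {"Host": "WKSTN-03", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

# Office parents and the Windows binaries a maldoc chain typically pivots through.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe",
                   "wscript.exe", "cscript.exe", "regsvr32.exe"}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_baseline(pairs):
    """Count how often each (parent, child) chain appeared in the known-good window."""
    return Counter(pairs)


def hunt_process_chains(events, baseline, min_seen=5):
    """Flag chains that are rare or absent in the baseline, and Office-to-LOLBIN
    chains regardless of frequency (that one should never look normal)."""
    findings = []
    for ev in events:
        parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
        reasons = []
        if baseline[(parent, child)] < min_seen:
            reasons.append("chain not in baseline")
        if parent in OFFICE_APPS and child in LOLBIN_CHILDREN:
            reasons.append("office app spawned LOLBIN")
        if reasons:
            findings.append({"host": ev["Host"], "parent": parent, "child": child, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_process_chains(HUNT_EVENTS, build_baseline(BASELINE_PAIRS)):
        print(f)
```

Note that the svchost.exe case is caught by the baseline alone: the name is legitimate, the parent is not, which is exactly the "look at the parent process" advice from post 22. The cmd.exe to powershell.exe chain on the same host is not flagged because it is common in the baseline; in a real hunt you would still pivot on it once the Word-spawned cmd.exe brings the host to your attention.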

  36. Happy Monday everyone! I hope everyone is doing well!

    Researchers from Rapid7 observed some updated #TTPs and behaviors exhibited by the APT known as #Kimsuky (AKA Black Banshee or Thallium). One update to their tactics includes the use of a Compiled HTML Help file, or CHM file. Rapid7 found this significant because these types of files were seen to make it past the first line of defense and then lead to its execution. Following the CHM execution, other behaviors were seen and included registry key modification of the Windows Run registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run).

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting

  37. Happy Friday everyone!

    I really appreciate this post by Cisco Talos Intelligence Group that focuses on the post-compromise activity performed by the APT known as #TinyTurla. What I really appreciate is all the artifacts you can gather from the activity vs the focus on IOCs like file names, hashes, etc. For example, the Windows registry run key was seen being modified with this command "reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v sysman /t REG_MULTI_SZ /d "sdm" /f".

    New details on TinyTurla’s post-compromise activity reveal full kill chain
    blog.talosintelligence.com/tin

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
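Posts 12, 25, 34 and 36 keep returning to the Run key, post 37 adds the Svchost group key from the TinyTurla reg add command, and post 19 points at the registry value a Sysinternals tool writes the first time it runs with -accepteula. One registry hunt covers all of them: classify each Sysmon-style registry value-set event by its path, drop writers that are on an allow-list, and mark the first time each (host, behavior) pair shows up so the analyst triages new ones first. The Python below is an added example for this page, not any of the linked hunt packages. The sample events, host names, SID and allow-list are constructed, and "Host" is a field added here since Sysmon carries the computer name in the event envelope rather than in the event data.

```python
import re

# Registry paths the posts point at: the Run/RunOnce autostart keys, the Svchost
# group key from the TinyTurla write-up, and the EulaAccepted value a Sysinternals
# tool writes on first use with -accepteula.
ASEP_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)
SVCHOST_RE = re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\\", re.I)
SYSINTERNALS_RE = re.compile(r"\\Software\\Sysinternals\\([^\\]+)\\EulaAccepted$", re.I)


def classify(target_object):
    """Short label for a registry path worth hunting, or None for everything else."""
    if ASEP_RE.search(target_object):
        return "run key modified"
    if SVCHOST_RE.search(target_object):
        return "svchost group key modified"
    m = SYSINTERNALS_RE.search(target_object)
    if m:
        return f"sysinternals tool first use: {m.group(1)}"
    return None


def hunt_registry(events, known_good_images=frozenset()):
    """Walk registry value-set events in time order, skip writers on the allow-list
    (installers that legitimately set Run keys) and flag the first occurrence of each
    (host, behavior) pair so new activity sorts to the top."""
    findings, seen = [], set()
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        kind = classify(ev["TargetObject"])
        if kind is None:
            continue
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image in known_good_images:
            continue
        key = (ev["Host"], kind)
        findings.append({"host": ev["Host"], "time": ev["UtcTime"], "kind": kind,
                         "image": image, "details": ev["Details"],
                         "first_seen": key not in seen})
        seen.add(key)
    return findings


# Constructed Sysmon EventID 13 style records (Image, TargetObject, Details, UtcTime).
_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user SID
SAMPLE_EVENTS = [
    {"Host": "WKSTN-02", "UtcTime": "2024-11-04T08:01:10",
     "Image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": _HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"Host": "WKSTN-02", "UtcTime": "2024-11-04T08:15:42",
     "Image": r"C:\Users\jdoe\AppData\Roaming\svc_update.exe",
     "TargetObject": _HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\jdoe\AppData\Roaming\svc_update.exe"},
    {"Host": "WKSTN-02", "UtcTime": "2024-11-04T08:30:00",
     "Image": r"C:\Windows\explorer.exe",
     "TargetObject": _HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"Host": "WKSTN-05", "UtcTime": "2024-11-04T09:00:03",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\sysman",
     "Details": "sdm"},
    {"Host": "SRV-02", "UtcTime": "2024-11-04T10:00:00",
     "Image": r"C:\Tools\PsExec.exe",
     "TargetObject": _HIVE + r"\Software\Sysinternals\PsExec\EulaAccepted",
     "Details": "DWORD (0x00000001)"},
    {"Host": "SRV-02", "UtcTime": "2024-11-04T10:05:30",
     "Image": r"C:\Tools\PsExec.exe",
     "TargetObject": _HIVE + r"\Software\Sysinternals\PsExec\EulaAccepted",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in hunt_registry(SAMPLE_EVENTS, known_good_images={"onedrive.exe"}):
        print(f)
```

The OneDrive write is the false positive every Run-key hunt meets on day one, which is why the allow-list is keyed on the writing image rather than on the value name. The second PsExec event is kept but marked as not first-seen: on a server where PsExec is approved you would add it to the allow-list, while on a workstation the first_seen flag is your starting point.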

  38. Happy Thursday everyone!

    The Volexity team shares their findings from a recent incident that involved the APT known as #CharmingKitten (aka #CharmingCypress) and what lengths this group went to in order to make their attack look as convincing as possible. The Volexity team also shared technical details about the malware that was used, specific commands seen, and TTPs used. Enjoy and Happy Hunting!

    CharmingCypress: Innovating Persistence
    volexity.com/blog/2024/02/13/c

    As always, I don't want to leave you empty handed! So take this Community Hunt Package from Cyborg Security to help you identify discovery behavior from adversaries!

    Excessive Windows Discovery and Execution Processes - Potential Malware Installation
    volexity.com/blog/2024/02/13/c

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting

  39. Good day everyone!

    I have recently been researching worms and I wanted to share an article that was useful in identifying the Tactics, Techniques, and Procedures (TTPs) and behaviors associated with them. The #RaspberryRobin worm has been around for a while and reported on by Check Point Software Technologies Ltd researchers. This time around the researchers highlight more technical aspects and new capabilities but a couple of tactics that stood out to me were User Account Control (UAC) bypass to elevate privileges and the abuse of the registry run key to establish persistence. It's been an interesting topic to research and I hope you enjoy this article! Happy Hunting!

    RASPBERRY ROBIN KEEPS RIDING THE WAVE OF ENDLESS 1-DAYS
    research.checkpoint.com/2024/r

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting

  40. Happy Wednesday everyone!

    Read this report by CrowdStrike this morning that covered a lot of technical details on the new tactics, techniques, and procedures (TTPs) observed by the researchers when analyzing the #HijackLoader. Now among all the creativity or sophistication that went into making this malware more and more evasive, there is an artifact that sticks out to me, and that is execution of .dll's or .exe's out of the C:\Windows\SYSWOW64\ directory. This tells me right away that something suspicious might be happening. Now, if you have 32-bit versions of programs that run in your environment, then this hunt may be a bit harder due to a larger set of false-positives, but if there aren't a lot of false-positives this could be an easy win! Happy Hunting!

    HijackLoader Expands Techniques to Improve Defense Evasion
    crowdstrike.com/blog/hijackloa

    #CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday