LeeArchinal (@LeeArchinal@ioc.exchange)

Happy Monday everyone!

The National Security Agency has released a report detailing evidence of North Korean actors exploiting weak Domain-based Message Authentication, Reporting and Conformance (DMARC) records to conceal social engineering attempts. Without proper DMARC configuration, the NSA says that the actors were able to spoof emails as if they came from a legitimate domain. They also provide more background information about DMARC configurations and examples of the emails and email headers.

Detecting malicious emails can be accomplished by deploying email gateways, antivirus, and spam filters, just to name a few. But what happens when some slip through the cracks? Then you look for the behaviors! A common TTP and behavior is to provide the victim with a malicious document that will run some code or commands to progress the attack. In a Microsoft environment, this is commonly accomplished by executing , Windows Command Shell (cmd.exe), or other living-off-the-land binaries (LOLBINs). And that is the basis of this Cyborg Security Community Edition Hunt Package! Enjoy the article, get your free account, and Happy Hunting!

Potential Maldoc Execution Chain Observed
https://hunter.cyborgsecurity.io/research/hunt-package/b194088b-c846-4c72-a4b7-933627878db4

Article source:
https://media.defense.gov/2024/May/02/2003455483/-1/-1/0/CSA-NORTH-KOREAN-ACTORS-EXPLOIT-WEAK-DMARC.PDF
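
One way to hunt for the behavior the post describes, a document handler spawning cmd.exe or another LOLBIN, is to walk process ancestry in process-creation telemetry. This is an added example, not part of the original post and not the Cyborg Security hunt package's logic; the Office parent list, the suspect child list, the event field names and the sample events are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

# Assumed lists for illustration; tune both to your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Constructed process-creation events (hypothetical field names).
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "pid": 200, "ppid": 100, "image": OFFICE_DIR + r"\WINWORD.EXE"},
    {"host": "ws01", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\certutil.exe"},
    # Benign on ws02: a user-launched shell and an Office app with no children.
    {"host": "ws02", "pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"host": "ws02", "pid": 210, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "pid": 220, "ppid": 100, "image": OFFICE_DIR + r"\EXCEL.EXE"},
]

def name(event):
    """Lower-cased executable name of a process-creation event."""
    return basename(event["image"]).lower()

def find_maldoc_chains(events, max_depth=3):
    """Return (host, chain) for each suspect process that has an Office
    application as an ancestor within max_depth hops."""
    # Keyed by (host, pid). Real telemetry should key on a process GUID or
    # (pid, start time), because PIDs are reused over time.
    by_pid = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        if name(e) not in SUSPECT_CHILDREN:
            continue
        chain, cur = [e], e
        for _ in range(max_depth):  # bounded walk up the parent links
            cur = by_pid.get((cur["host"], cur["ppid"]))
            if cur is None:
                break  # parent not in the data set
            chain.append(cur)
            if name(cur) in OFFICE_PARENTS:
                hits.append((e["host"], [name(p) for p in reversed(chain)]))
                break
    return hits

if __name__ == "__main__":
    for host, chain in find_maldoc_chains(SAMPLE_EVENTS):
        print(host, " -> ".join(chain))
```

Walking more than one hop matters because the LOLBIN is often a grandchild of the Office process, launched through an intermediate shell.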
