LeeArchinal, to Cybersecurity
@LeeArchinal@ioc.exchange

Happy Wednesday everyone!

The Check Point Software researchers highlight a recent attack by an adversary they call and the tools, TTPs, and behaviors they observed. A notable technique was the deployment of different variants of wipers that, if you analyze some of the behaviors they exhibited, could be confused with ransomware. There was the destruction of shadow copies using vssadmin and the abuse of bcdedit to modify the boot configuration to prevent recovery. But the added activity of removing partition information is what revealed the wiper's true identity. It is a very good read and I highly recommend it! Enjoy and Happy Hunting!

BAD KARMA, NO JUSTICE: VOID MANTICORE DESTRUCTIVE ACTIVITIES IN ISRAEL
https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/
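The post's point is that shadow-copy deletion and boot-configuration tampering look the same whether a wiper or ransomware is behind them; what a hunter can do with telemetry is correlate the two behaviours per host and treat the pairing as the pre-destruction signal, then look at what follows. The script below is an added example and is not code from Check Point or from the original post: it classifies constructed process-creation events against the two command-line behaviours named above (vssadmin shadow deletion, bcdedit boot-configuration changes) and reports hosts where both fire inside a short window. The event format and the ten-minute window are assumptions.

```python
"""Correlate recovery-inhibition commands per host.

Added example (not from the Check Point report or the original post). The
events below are constructed sample data; the two behaviour categories are
the ones the post names: shadow-copy destruction via vssadmin and boot
configuration changes via bcdedit.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, host, command line) -- constructed process-creation events
SAMPLE_EVENTS = [
    ("2024-05-15T01:02:10", "FILESRV01", "vssadmin.exe delete shadows /all /quiet"),
    ("2024-05-15T01:02:14", "FILESRV01", "bcdedit.exe /set {default} recoveryenabled no"),
    ("2024-05-15T01:02:15", "FILESRV01", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("2024-05-15T09:30:00", "WKS-042", "vssadmin.exe list shadows"),   # benign: enumeration only
    ("2024-05-14T22:00:00", "WKS-077", "bcdedit.exe /enum"),           # benign: read-only
    ("2024-05-13T08:00:00", "WKS-077", "vssadmin.exe delete shadows /for=C: /oldest"),  # one category, a day earlier
]

# Patterns are applied to the lower-cased command line.
RECOVERY_INHIBITION = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "boot_config_tamper": re.compile(
        r"\bbcdedit(\.exe)?\b.*\s/(set|deletevalue)\b.*\b(recoveryenabled|bootstatuspolicy)\b"),
}


def classify(cmdline):
    """Return the set of recovery-inhibition categories a command line matches."""
    lowered = cmdline.lower()
    return {name for name, pattern in RECOVERY_INHIBITION.items() if pattern.search(lowered)}


def correlate(events, window=timedelta(minutes=10)):
    """Return {host: sorted categories} for hosts where more than one
    category fires within `window`. A lone shadow-copy deletion is noisy
    on its own (admins and cleanup scripts prune old copies); two
    categories back to back on one host is the pre-encryption or
    pre-wipe pattern the post describes."""
    per_host = defaultdict(list)
    for ts, host, cmdline in events:
        categories = classify(cmdline)
        if categories:
            per_host[host].append((datetime.fromisoformat(ts), categories))

    hits = {}
    for host, matches in per_host.items():
        matches.sort(key=lambda m: m[0])
        for i, (start, _) in enumerate(matches):
            seen = set()
            for when, categories in matches[i:]:
                if when - start > window:
                    break
                seen |= categories
            if len(seen) > 1:
                hits[host] = sorted(seen)
                break
    return hits


if __name__ == "__main__":
    for host, categories in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(categories)}")
```

Neither category on its own tells you wiper from ransomware; the correlation only tells you which host to pivot to, after which the disk-level activity (partition information being removed, as the report describes) is what settles it.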

LeeArchinal, to Cybersecurity

Happy Monday everyone!

A recent report from Rapid7 highlights a malvertising campaign that has targeted IT professionals which, in some cases, led to ransomware deployment. In these attacks, WinSCP (a remote file transfer tool) and PuTTY (a secure SSH client) were abused. The adversary included a malicious DLL with the legitimate copy of the applications and used the technique of DLL sideloading to infect the victim. Another tactic that was observed is the abuse of locations not commonly used by employees, the C:\Users\Public\Downloads directory. By dropping their tools and malware in this location the adversary has a better chance to hide. This is a great technical analysis of this campaign and I barely did it any justice! Go check out the rest of the details!

If you are on the hunt for , check out this Cyborg Security Community hunt package to capture the evidence of files with common ransomware note file extensions. Enjoy and Happy Hunting!

Excessive File Write or Modifications With Common Ransomware Note Extensions
https://hunter.cyborgsecurity.io/research/hunt-package/6ecf68c9-355d-4c29-b55f-b23bee57c78c

Article Source:
https://www.rapid7.com/blog/post/2024/05/13/ongoing-malvertising-campaign-leads-to-ransomware/

LeeArchinal, to Cybersecurity

Happy Thursday everyone!

Next week ends early registration for Black Hat trainings, but that means you still have time to register for Cyborg Security's 2-day threat hunter training, "A Beginner's Guide To Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs". Which is just a long way of saying "We will teach you what resources we use to start our hunts, how to extract usable artifacts from intel reports, and how to navigate through a SIEM to find the suspicious or malicious activity!" Last year was a lot of fun and I really look forward to it again! I hope to see you at , but until then, Happy Hunting!

We have the privilege of running TWO sessions, one from Aug 3-4 and the next from Aug 5-6, so you get to choose!

Aug 3-4:
https://www.blackhat.com/us-24/training/schedule/#a-beginners-guide-to-threat-hunting-how-to-shift-focus-from-iocs-to-behaviors-and-ttps-36528

Aug 5-6:
https://www.blackhat.com/us-24/training/schedule/#a-beginners-guide-to-threat-hunting-how-to-shift-focus-from-iocs-to-behaviors-and-ttps-365281707151844

LeeArchinal, to Cybersecurity

Happy Monday everyone!

To round out the Elastic series on "Dissecting : An in-depth analysis of a widespread 2024 malware", part 4 focuses on the actionable intel that threat hunters and detection engineers can use to improve the security posture of their organization. What I really appreciate from this is the freedom to share what they know and what they built, but also the levels of coverage they provide. They aren't just looking at a single event type but sharing different artifacts and evidence left behind when it is executed, registry keys that it has modified, command and control artifacts, and many more. Having this multi-event type focus provides organizations more opportunities to catch the malicious activity! Enjoy and Happy Hunting!

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four
https://www.elastic.co/security-labs/dissecting-remcos-rat-part-four

LeeArchinal, to Cybersecurity

Happy Friday all! We made it!

The focus of the third part of Elastic's "Dissecting : An in-depth analysis of a widespread 2024 malware" is all about the command and control (C2) configuration and commands. Looking at the long list of capabilities, it is easy to see why this is a formidable malware indeed. Some of the commands that can be issued control persistence between two registry run keys, enable key logging, disable the User Account Control (UAC) within the registry, and much more. I really don't have enough space or time to list everything that it is capable of; you just have to check it out yourself!

One of the TTPs and behaviors that shows up time and time again when it comes to persistence is the abuse of the AutoRun registry key locations. In this instance, we see that the Remcos RAT can modify the CurrentVersion\Run keys in both the HKCU and HKLM hives. As always, if we can help we do! Cyborg Security has a community hunt package that captures this activity as well as other registry run locations. Enjoy and Happy Hunting!

Autorun or ASEP Registry Key Modification
https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c

Article Source:
https://www.elastic.co/security-labs/dissecting-remcos-rat-part-three

LeeArchinal, to Cybersecurity

Happy Thursday everyone!

Jumping around a bit because that is just how my brain works! But, here is Elastic's part two of their "Dissecting : An in-depth analysis of a widespread 2024 malware" series. In this episode they focus on the watchdog, keylogger, and screen and audio recording capabilities and much more! The technical details here are amazing and I can't wait to finish the rest of the series!
Enjoy and Happy Hunting!

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Two
https://www.elastic.co/security-labs/dissecting-remcos-rat-part-two

LeeArchinal, to Cybersecurity

Happy Wednesday everyone!

I am flattered that I have the opportunity to present my 2-day training "A Beginner's Guide To Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs" again at Black Hat USA 2024 and that early bird registration is open and you have two opportunities to take the course!

Day 1 begins with a theory section where we discuss resources and models that can help aid our threat hunting from both an intel and communication perspective. We then move to a section that covers how to extract artifacts from an intel report and how to make those artifacts actionable. Then we create some hypotheses and test them against a set of data to see what we can find.

Day 2 will put all the theory and applications to the test where the students will break into teams, process another intel report, create hypotheses, and hunt again!

Last year was a lot of fun and we received high ratings, so we hope you can join us again this year for the fun! I hope to see you there, but until then, Happy Hunting!

A BEGINNER'S GUIDE TO THREAT HUNTING: HOW TO SHIFT FOCUS FROM IOCS TO BEHAVIORS AND TTPS
https://www.blackhat.com/us-24/training/schedule/#a-beginners-guide-to-threat-hunting-how-to-shift-focus-from-iocs-to-behaviors-and-ttps-36528

LeeArchinal, to Cybersecurity

Happy Monday everyone!

The National Security Agency has released a report detailing evidence of North Korean actors exploiting weak Domain-based Message Authentication, Reporting and Conformance (DMARC) records to conceal social engineering attempts. Without proper DMARC configuration, the NSA says that the actors were able to spoof emails as if they came from a legitimate domain. They also provide more background information about DMARC configurations and examples of the emails and email headers.

Detecting malicious emails can be accomplished by deploying email gateways, antivirus, and spam filters, just to name a few. But what happens when some slip through the cracks? Then you look for the behaviors! A common TTP and behavior is to provide the victim with a malicious document that will run some code or commands to progress the attack. In a Microsoft environment, this is commonly accomplished by executing , Windows Command Shell (cmd.exe), or other living-off-the-land binaries (LOLBINs). And that is the basis of this Cyborg Security Community Edition Hunt Package! Enjoy the article, get your free account, and Happy Hunting!

Potential Maldoc Execution Chain Observed
https://hunter.cyborgsecurity.io/research/hunt-package/b194088b-c846-4c72-a4b7-933627878db4

Article source:
https://media.defense.gov/2024/May/02/2003455483/-1/-1/0/CSA-NORTH-KOREAN-ACTORS-EXPLOIT-WEAK-DMARC.PDF
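The advisory's first half is about weak DMARC records, and the quickest check a defender can run is to pull the domain's `_dmarc` TXT record and read the policy tags. The script below is an added example, not code from the NSA advisory or the original post: it parses a DMARC record into its tags and grades it, reporting the monitor-only `p=none` case the advisory warns about alongside the other ways an enforcing policy gets watered down (`pct` below 100, `sp=none`, no `rua` reporting address). The records in `SAMPLES` are constructed; tag semantics follow RFC 7489.

```python
"""Parse and rate a DMARC TXT record.

Added example; not from the NSA advisory or the original post. The records
in SAMPLES are constructed. Tag semantics follow RFC 7489: v=DMARC1 must be
the first tag, p= is the policy for the domain, sp= defaults to p=, pct=
defaults to 100, and a record without a usable p= is treated as p=none only
when it carries a rua= reporting address.
"""

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC record into {tag: value}; ValueError if it is not DMARC1."""
    tags, order = {}, []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1":
        raise ValueError("not a DMARC1 record (v=DMARC1 must come first)")
    return tags


def assess_dmarc(record):
    """Return (level, findings); level is 'invalid', 'none', 'weak' or 'strong'."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "invalid", [str(exc)]

    findings = []
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        if "rua" not in tags:
            return "invalid", ["missing or invalid p= tag and no rua=; receivers apply no DMARC"]
        findings.append("missing or invalid p= tag; receivers fall back to p=none")
        policy = "none"

    weakened = False
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
        weakened = True
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains fall back to monitoring only")
        weakened = True
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so abuse stays invisible")

    if policy == "none":
        level = "none"
    elif policy == "reject" and not weakened:
        level = "strong"
    else:
        level = "weak"
    return level, findings


# Constructed records for illustration.
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; pct=20; sp=none; rua=mailto:dmarc@example.com",
    "no-policy": "v=DMARC1; rua=mailto:dmarc@example.com",
    "not-dmarc": "v=spf1 include:_spf.example.com -all",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        level, findings = assess_dmarc(record)
        print(f"{name:13} {level:8} {'; '.join(findings)}")
```

To run this against a live domain, fetch the TXT record at `_dmarc.<domain>` with your resolver of choice and pass the string in; the parser deliberately refuses anything that does not open with `v=DMARC1`, because receivers ignore such records too.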

LeeArchinal, to Cybersecurity

Happy Friday everyone!

I don't know how I missed the beginning of this series by Elastic and their security researchers, but I did; I jumped straight into part three without realizing it! So, I had to stop and backpedal. So if you are like me, here is the first installment of their series on the . They take you through the process of analyzing it and provide and behaviors. One that really sticks out is the and the COM objects that are involved.

To leave you empty-handed would be an insult to the researchers' work and to you as a threat hunter! So, take this with you in the face of danger! It is a Cyborg Security Community Edition (free for you) Hunt Package designed to identify when COM objects that have a higher integrity level are abused and called for malicious purposes, in this case, to bypass the user account control mechanism in Windows! Enjoy and Happy Hunting!

UAC Bypass Attempt via Elevated COM Abuse
https://hunter.cyborgsecurity.io/research/hunt-package/03036b01-dc04-4cd1-9388-bd62e1b0ff2d

Article Source:
https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one

LeeArchinal, to Cybersecurity

Happy Wednesday everyone!

The Proofpoint Threat Research team paired up with Team Cymru to dissect the malware. "First seen being used by and more recently , Latrodectus is a downloader that likes to evade sandbox environments." The researchers take a deep dive into the code to see what information they could extract and found PLENTY!

After you are done reading, why not take a Cyborg Security Community Hunt Package to hunt for a threat like this? In the article, the researchers mention that the malware sets an AutoRun registry key for persistence, which is a common technique used by different adversaries and malware due to the capability and functionality of those registry keys. So, take this hunt package with you, it's dangerous out there! Enjoy and Happy Hunting!

Autorun or ASEP Registry Key Modification
https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c

Source of article:
https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice
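This post and the Remcos part-three post above both land on the same persistence behaviour: a value written under `CurrentVersion\Run` in HKCU or HKLM. The script below is an added example, not the linked hunt package and not code from Elastic or Proofpoint: it normalises registry key paths as different log sources spell them (`HKLM` versus `HKEY_LOCAL_MACHINE`, a per-user hive addressed as `HKU\<SID>\...`), matches the Run locations and their common siblings, and ranks each hit by whether the value data points into a user-writable directory. The events and the ranking heuristic are assumptions for illustration.

```python
"""Flag writes to AutoRun / ASEP registry locations.

Added example (not from the Elastic or Proofpoint write-ups, nor the hunt
package the posts link). The events below are constructed; the key
locations matched are the CurrentVersion\\Run keys the posts name in HKCU and
HKLM plus their common siblings, and the 'user-writable path' heuristic used
to rank findings is an assumption for illustration.
"""
import re

HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": "HKLM", "HKLM": "HKLM",
    "HKEY_CURRENT_USER": "HKCU", "HKCU": "HKCU",
    "HKEY_USERS": "HKU", "HKU": "HKU",
}

# Subkey (relative to the hive, lower-cased) of the auto-start locations.
ASEP_RE = re.compile(
    r"^software\\(wow6432node\\)?microsoft\\windows\\currentversion\\"
    r"(run|runonce|runonceex|policies\\explorer\\run)(\\|$)")

# Value data pointing into a per-user or world-writable location outranks
# data pointing into Program Files, where most legitimate Run entries live.
USER_WRITABLE_RE = re.compile(
    r"(^|\\)(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|users\\public|programdata|windows\\temp)\\",
    re.IGNORECASE)

# (key path including value name, value data, image of the writing process)
SAMPLE_EVENTS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\alice\AppData\Roaming\svc\update.exe",
     r"C:\Users\alice\AppData\Roaming\svc\update.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\cleanup",
     r"C:\ProgramData\tmp\clean.bat",
     r"C:\Windows\System32\reg.exe"),
    (r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeApp",
     "1",
     r"C:\Windows\System32\msiexec.exe"),
]


def normalize_key(key_path):
    """Return (hive, subkey). Hive aliases are canonicalised and a per-user
    hive addressed as HKU\\<SID>\\... is mapped to HKCU so one rule covers
    both spellings that different log sources emit."""
    hive, _, rest = key_path.replace("/", "\\").partition("\\")
    canonical = HIVE_ALIASES.get(hive.upper())
    if canonical is None:
        raise ValueError(f"unknown hive in {key_path!r}")
    if canonical == "HKU":
        _sid, _, rest = rest.partition("\\")
        canonical = "HKCU"
    return canonical, rest.lower()


def is_asep(key_path):
    """True when the path is under one of the monitored Run locations."""
    hive, subkey = normalize_key(key_path)
    return hive in ("HKCU", "HKLM") and ASEP_RE.match(subkey) is not None


def hunt(events):
    """Return findings for ASEP writes, ranked by where the value data points."""
    findings = []
    for key_path, value_data, writer in events:
        if not is_asep(key_path):
            continue
        severity = "high" if USER_WRITABLE_RE.search(value_data) else "medium"
        findings.append({"key": key_path, "data": value_data,
                         "writer": writer, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['key']} -> {f['data']} (written by {f['writer']})")
```

The writing process is carried through into each finding on purpose: a Run value written by the same binary it points at, from a profile directory, is the shape both posts describe, whereas a value written by an installer into Program Files is the routine case you will want to baseline out.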

LeeArchinal, to Cybersecurity

Good day everyone!

The Microsoft Threat Intel team has recently dropped some new TTPs and behaviors! They take a look at the malware the group used, named GooseEgg, and reveal how it set up a scheduled task for persistence calling on a batch file named servtask.bat. Find much more information in the article, but I am not going to spoil it! Enjoy and Happy Hunting!

https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

LeeArchinal, to Cybersecurity

Happy Monday everyone!

I know this was posted a week or two back, but I wanted to bring it up again in another light. The first time I read it from a technical level looking for the usual TTPs and behaviors, but while I was mowing my yard and listening to The Cybersecurity Defender's Podcast by @limacharlieio the participants mentioned something that I didn't even realize the first time I read it. They mentioned that , or Sandworm, is a very serious adversary due to the amount of capabilities they have and on so many different levels. From espionage to persistence to destructive activity, they are a very refined group and should be taken seriously. Thanks for the great insight! I hope you enjoy and Happy Hunting!

Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm
https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm

LeeArchinal, to Cybersecurity

Happy Thursday everyone!

I am flattered that I have the opportunity to present my 2-day training "A Beginner's Guide To Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs" again at Black Hat USA 2024 and that early bird registration is open and you have two opportunities to take the course!

Day 1 begins with a theory section where we discuss resources and models that can help aid our threat hunting from both an intel and communication perspective. We then move to a section that covers how to extract artifacts from an intel report and how to make those artifacts actionable. Then we create some hypotheses and test them against a set of data to see what we can find.

Day 2 will put all the theory and applications to the test where the students will break into teams, process another intel report, create hypotheses, and hunt again!

Last year was a lot of fun and we received high ratings, so we hope you can join us again this year for the fun! I hope to see you there, but until then, Happy Hunting!

A BEGINNER'S GUIDE TO THREAT HUNTING: HOW TO SHIFT FOCUS FROM IOCS TO BEHAVIORS AND TTPS
https://www.blackhat.com/us-24/training/schedule/#a-beginners-guide-to-threat-hunting-how-to-shift-focus-from-iocs-to-behaviors-and-ttps-36528

LeeArchinal, to Cybersecurity

Happy Monday everyone!

Looking for ACTIONABLE information on ? Look no further than this complete article from the Securonix Threat Research team. They provide a clear overview of the technique, provide the answer to the question "Why should I be worried?", give examples of real-world malware that used it, and some great detection and hunt opportunities. This is well worth the read and I hope you enjoy! Happy Hunting!

Securonix Threat Research Knowledge Sharing Series: Detecting DLL Sideloading Techniques Found In Recent Real-world Malware Attack Chains
https://www.securonix.com/blog/detecting-dll-sideloading-techniques-in-malware-attack-chains/
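Both this post and the Rapid7 malvertising post above come back to the same two observables: a legitimate, often signed, executable running from a directory users rarely launch from (C:\Users\Public\Downloads in the Rapid7 case) and that executable pulling a DLL from its own directory when a DLL of that name normally resolves from System32. The script below is an added example and is not code from Securonix, Rapid7 or the original posts: it runs both checks over constructed process-creation and image-load events. The directory list and the small System32 baseline are stand-ins; on a real host the baseline is the DLL list from a clean `C:\Windows\System32`.

```python
"""Flag execution from uncommon user-writable directories and DLL side-loading.

Added example; it is not from the Rapid7 or Securonix write-ups nor from
the original posts. The events below are constructed. The directory list
starts from the one the Rapid7 post names (C:\\Users\\Public\\Downloads) and
the System32 baseline is a small stand-in for what you would collect from a
clean host.
"""
import ntpath
import re

# Directories any local account can write to but users rarely launch from.
UNCOMMON_EXEC_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# Stand-in baseline of DLL names present in System32 on a clean host;
# in practice build it with os.listdir(r"C:\Windows\System32").
SYSTEM32_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "winhttp.dll", "profapi.dll"}

# Process-creation events: (pid, image path)
SAMPLE_PROCS = [
    (4100, r"C:\Users\Public\Downloads\Tool\tool.exe"),
    (4200, r"C:\Program Files\Tool\tool.exe"),
]
# Image-load events: (pid, loaded DLL path)
SAMPLE_LOADS = [
    (4100, r"C:\Users\Public\Downloads\Tool\version.dll"),   # side-load next to the EXE
    (4100, r"C:\Windows\System32\kernel32.dll"),
    (4200, r"C:\Windows\System32\version.dll"),              # normal resolution
    (4200, r"C:\Program Files\Tool\libtool.dll"),            # the app's own library
]


def in_uncommon_dir(path):
    lowered = path.lower()
    return lowered.startswith(UNCOMMON_EXEC_DIRS) or USER_TEMP_RE.match(lowered) is not None


def is_sideload_candidate(process_image, dll_path, baseline=SYSTEM32_DLLS):
    """True when a DLL whose name exists in System32 is loaded from the
    executable's own directory instead of from the Windows directory."""
    name = ntpath.basename(dll_path).lower()
    if name not in baseline:
        return False
    dll_dir = ntpath.dirname(dll_path).lower()
    if dll_dir.startswith("c:\\windows\\"):
        return False
    return dll_dir == ntpath.dirname(process_image).lower()


def hunt(procs, loads):
    """Return (rule, pid, detail) tuples for both behaviours."""
    image_by_pid = dict(procs)
    findings = []
    for pid, image in procs:
        if in_uncommon_dir(image):
            findings.append(("exec_from_uncommon_dir", pid, image))
    for pid, dll in loads:
        image = image_by_pid.get(pid)
        if image and is_sideload_candidate(image, dll):
            findings.append(("dll_sideload", pid, f"{image} loaded {dll}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(SAMPLE_PROCS, SAMPLE_LOADS):
        print(f"{rule:24} pid={pid} {detail}")
```

The two rules are kept separate because they fail differently: the directory rule is cheap but misses a side-load staged under Program Files, while the image-load rule needs a per-process image-load feed and a maintained baseline, but catches the case regardless of where the pair was dropped.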

LeeArchinal, to Cybersecurity

Good day everyone!

I haven't finished this one yet, and if you check it out you will see why, but so far it is a wonderful resource on . Mandiant (now part of Google Cloud) researchers put together what is years of knowledge and research on the group into a single, complete document. I really do wish more of these existed (and if they do please drop them in the comments!) simply due to the amount of information contained within. I hope you enjoy and Happy Hunting!

https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf

LeeArchinal, to Cybersecurity

Happy Wednesday everyone!

Ever wanted to know more about and the TTPs and behaviors that are common with a ransomware attack? Look no further than Symantec's 2024 Ransomware Threat Landscape report! Their Threat Hunter Team shares their findings of common behaviors that lead up to an attack and they also dissect the different strains that they observed. There is a lot of information here! Enjoy and Happy Hunting!

2024 Ransomware Threat Landscape
https://www.symantec.broadcom.com/ransomware-threat-landscape-2024

LeeArchinal, to Microsoft Windows

Happy Tuesday all!

If you are like me and hesitant to leave the safety and comfort of a machine, here is an awesome article from Elastic focusing on detection engineering with Auditd in . It’s what I’ve been waiting for for a long time and I’m excited to get started! Enjoy and Happy Hunting!

https://www.elastic.co/security-labs/linux-detection-engineering-with-auditd

LeeArchinal, to Cybersecurity

Happy Monday (and for those in the U.S., Happy Tax Day!) everyone!

The Trend Micro researchers have identified truly sophisticated activity from the APT group with a focus on cyberespionage, known as . The researchers observed the group using malware (Waterbear and Deuterbear) that has been maintained, updated, and refined since 2009. One of the REALLY interesting items that was noted is that Earth Hundun uses a legitimate executable that, in some cases, they have patched and that is capable of running a DLL with the ordinal position being 0. I had to do some extra research here, but it confirmed what I thought. When the adversary drops the executable and a DLL in the same directory or when referencing a DLL for side-loading, in many occurrences the command line arguments will have a pound sign (or a hashtag) included. An example would be "C:\windows\system32\rundll32.exe malicious.dll,#1". BUT, since the ordinal is 0, they don't have to reference it at all. Now, there are many other tactics in this article so if this is a group or malware you are concerned about, make sure you read this article! Enjoy and Happy Hunting!

Cyberespionage Group Earth Hundun's Continuous Refinement of Waterbear and Deuterbear
https://www.trendmicro.com/en_no/research/24/d/earth-hundun-waterbear-deuterbear.html
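The takeaway from the post is that a hunt for rundll32 which keys only on the `,#<ordinal>` form misses the invocation that names no export at all, because the DLL is still loaded and whatever runs at load time runs. The parser below is an added example, not code from Trend Micro or the original post: it splits a rundll32 command line into DLL, entry point and arguments (handling the quoted-path form), classifies the entry as named, ordinal or absent, and raises flags for the absent-export case, a relative DLL name resolved through the search order, and a DLL sitting in a user-writable directory. The command lines and the directory pattern are constructed.

```python
"""Parse rundll32 command lines and flag the ones worth a second look.

Added example; not from the Trend Micro report or the original post. The
command lines below are constructed. rundll32 takes "<dll>,<entry> <args>",
where <entry> is an export name or "#<ordinal>"; the case the post cares
about is the one where no export is referenced at all.
"""
import ntpath
import re

USER_WRITABLE_RE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.IGNORECASE)


def _first_token(text):
    """Split off one command-line token. Double quotes group spaces, and an
    unquoted tail stays attached, so a quoted DLL path followed by ,#1
    comes back as a single 'path,#1' token."""
    text = text.lstrip()
    chars, quoted, i = [], False, 0
    while i < len(text):
        c = text[i]
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            break
        else:
            chars.append(c)
        i += 1
    return "".join(chars), text[i:].lstrip()


def parse_rundll32(cmdline):
    """Return a dict describing the invocation, or None if it is not rundll32."""
    image, rest = _first_token(cmdline)
    if ntpath.basename(image).lower() not in ("rundll32.exe", "rundll32"):
        return None
    target, args = _first_token(rest)
    dll, _, entry = target.partition(",")
    info = {"dll": dll, "entry": entry or None, "entry_kind": "none",
            "ordinal": None, "args": args, "flags": []}
    if not entry:
        info["flags"].append("no export referenced: the DLL is still loaded, so its load-time code runs")
    elif entry.startswith("#"):
        info["entry_kind"] = "ordinal"
        if entry[1:].isdigit():
            info["ordinal"] = int(entry[1:])
        else:
            info["flags"].append(f"malformed ordinal {entry!r}")
    else:
        info["entry_kind"] = "named"
    if not dll:
        info["flags"].append("no DLL given")
    elif not ntpath.isabs(dll):
        info["flags"].append("relative DLL name: resolved through the DLL search order")
    elif USER_WRITABLE_RE.match(dll):
        info["flags"].append("DLL lives in a user-writable directory")
    if dll and not dll.lower().endswith(".dll"):
        info["flags"].append("target does not carry a .dll extension")
    return info


# Constructed command lines.
SAMPLES = [
    r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r'C:\Windows\System32\rundll32.exe "C:\Users\Public\Downloads\malicious.dll",#1',
    r"rundll32.exe C:\Users\bob\AppData\Local\Temp\loader.dll",
    r"rundll32.exe helper.dll,#0",
    "notepad.exe notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLES:
        info = parse_rundll32(line)
        print(line if info is None else f"{info['dll']} entry={info['entry_kind']} flags={info['flags']}")
```

Feed it the `CommandLine` field of your process-creation events and pivot on `entry_kind == "none"` first; that bucket is small in most environments and is exactly the one an ordinal-only search never sees.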

LeeArchinal, to Cybersecurity

Happy Friday everyone!

It's always a good morning when you get news of some new MITRE ATT&CK Tactics, Techniques, or Sub-techniques! Nate Nelson highlights the new additions and discusses how and are adopting the techniques in recent attacks! Enjoy and Happy Hunting!

DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse
https://www.darkreading.com/vulnerabilities-threats/dprk-exploits-mitre-sub-techniques-phantom-dll-hijacking-tcc-abuse


LeeArchinal, to Cybersecurity

Happy Wednesday everyone!

I am flattered that I have the opportunity to present my 2-day training "A Beginner's Guide To Threat Hunting: How to Shift Focus from IOCs to Behaviors and TTPs" again at Black Hat USA 2024 and that early bird registration is open and you have two opportunities to take the course!

Day 1 begins with a theory section where we discuss resources and models that can help aid our threat hunting from both an intel and communication perspective. We then move to a section that covers how to extract artifacts from an intel report and how to make those artifacts actionable. Then we create some hypotheses and test them against a set of data to see what we can find.

Day 2 will put all the theory and applications to the test where the students will break into teams, process another intel report, create hypotheses, and hunt again!

Last year was a lot of fun and we received high ratings, so we hope you can join us again this year for the fun! I hope to see you there, but until then, Happy Hunting!

A BEGINNER'S GUIDE TO THREAT HUNTING: HOW TO SHIFT FOCUS FROM IOCS TO BEHAVIORS AND TTPS
https://www.blackhat.com/us-24/training/schedule/#a-beginners-guide-to-threat-hunting-how-to-shift-focus-from-iocs-to-behaviors-and-ttps-36528

LeeArchinal, to Cybersecurity

Happy Tuesday everyone!

In Part 4 of the "Investigating Ivanti" series, the Mandiant (now part of Google Cloud) researchers highlight how the adversaries were able to laterally move through the environment to the vCenter server. From there they created three virtual machines mimicking their naming convention to blend in with the environment they were in. Leveraging another masquerading technique, UNC5221 then downloaded their backdoor, , and named it "vami-http" which looks like a legitimate vCenter process. As always, this was a very interesting read but take a look for yourself to see the details I didn't mention. Enjoy and Happy Hunting!

Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

LeeArchinal, to Cybersecurity

Happy Monday everyone!

I feel like I left anyone paying attention to this threat hanging, I meant to post over the weekend but life got in the way, which isn't always a bad thing. But, without further comment:

In Part 3 of the "Investigating Ivanti" series, Mandiant (now part of Google Cloud) provides us with updates to the TTPs and malware as well as identifies the persistence mechanism that was used by the adversaries! Another great article to read as there are MANY MANY more details in it! Enjoy and Happy Hunting!

Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts
https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-exploitation-persistence

LeeArchinal, to Cybersecurity

Happy Friday everyone!

In the second part of the investigation, the Mandiant (now part of Google Cloud) researchers discuss their findings of more post-exploitation activity. The initial mitigation provided by Ivanti was bypassed by the adversary, which led to the deployment of a web shell. And that is just the start: the team highlights variants of different malware, updated behavior seen, and they share some open-source tooling that was used in the attack! Enjoy and Happy Hunting!

Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation
https://cloud.google.com/blog/topics/threat-intelligence/investigating-ivanti-zero-day-exploitation

LeeArchinal, to Cybersecurity

Happy Thursday everyone!

The research team at Mandiant (now part of Google Cloud) has released Part 4 of their series; I'd like to take you all back to the first episode where the team discusses the post-exploitation activity. In the first part, they discussed the behaviors of (Web Shell), (Web Shell Dropper), (Credential Harvester), (Web Shell), and (Passive backdoor). All of these components played a part in the incident and are detailed in the article! Enjoy and Happy Hunting!

Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation
https://cloud.google.com/blog/topics/threat-intelligence/suspected-apt-targets-ivanti-zero-day

LeeArchinal, to Cybersecurity

Happy Wednesday everyone!

The researchers at COFENSE share their findings of a recent campaign they witnessed involving the . The campaign spoofed the Federal Bureau of Transportation and started with a PDF and led to the stealer being deployed on the victim machine! Plenty more technical details can be found in the article, so go and read it for yourself! Enjoy and Happy Hunting!

If you are looking to hunt for this type of initial access technique, look no further than this free Cyborg Security hunt package. It was one of the hunt packages mentioned in our most recent workshops and lets you hunt for Office programs spawning interesting child processes!

Potential Maldoc Execution Chain Observed
https://hunter.cyborgsecurity.io/research/hunt-package/b194088b-c846-4c72-a4b7-933627878db4

Source:
Recently Updated Rhadamanthys Stealer Delivered in Federal Bureau of Transportation Campaign
https://cofense.com/blog/recently-updated-rhadamanthys-stealer-delivered-in-federal-bureau-of-transportation-campaign/
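This post and the NSA/DMARC post above both point at the same hunt: a document reader (Office here, and a PDF reader in the Cofense campaign) that ends up spawning cmd.exe or another living-off-the-land binary. A parent-child match alone misses the indirect case where the reader launches cmd.exe and cmd.exe launches PowerShell, so the script below walks the process tree instead. It is an added example, not the linked hunt package and not code from Cofense or the NSA: it reconstructs ancestry from a constructed list of (pid, ppid, image) records and reports every LOLBIN that has a document reader within a few hops above it. The reader and LOLBIN lists are assumptions for illustration.

```python
"""Reconstruct process ancestry and flag document readers that lead to LOLBINs.

Added example, not from the Cofense article, the NSA advisory or the hunt
package the posts link. The process list below is constructed. The parent
set covers the Office applications the posts describe plus Adobe Reader,
since the Cofense campaign starts from a PDF; the child set is a short list
of living-off-the-land binaries, with cmd.exe named by the DMARC post.
"""
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str


DOCUMENT_READERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "msaccess.exe", "acrord32.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
MAX_DEPTH = 4  # hops of ancestry to walk; also stops pid-reuse loops


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def document_ancestor(proc, by_pid, max_depth=MAX_DEPTH):
    """Walk ppid links upward; return [reader, ..., proc] if a document
    reader is found within max_depth hops, otherwise None."""
    chain = [proc]
    current = proc
    for _ in range(max_depth):
        parent = by_pid.get(current.ppid)
        if parent is None:
            return None
        chain.append(parent)
        if basename(parent.image) in DOCUMENT_READERS:
            return list(reversed(chain))
        current = parent
    return None


def hunt(procs):
    """Return 'reader -> ... -> lolbin' strings for every LOLBIN with a
    document reader in its ancestry. Indirect chains are reported too."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for proc in procs:
        if basename(proc.image) not in LOLBINS:
            continue
        chain = document_ancestor(proc, by_pid)
        if chain:
            findings.append(" -> ".join(basename(p.image) for p in chain))
    return findings


# Constructed process tree.
SAMPLE_PROCS = [
    Proc(1000, 800, r"C:\Windows\explorer.exe"),
    Proc(1200, 1000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Proc(1300, 1200, r"C:\Windows\System32\cmd.exe"),
    Proc(1400, 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(1500, 1000, r"C:\Windows\System32\cmd.exe"),   # user opened a terminal: no reader ancestor
    Proc(1700, 1000, r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"),
    Proc(1800, 1700, r"C:\Windows\System32\mshta.exe"),
]

if __name__ == "__main__":
    for chain in hunt(SAMPLE_PROCS):
        print(chain)
```

Walking upward rather than matching parent and child directly is what makes the second chain (winword.exe -> cmd.exe -> powershell.exe) show up as one finding; with real telemetry, feed the function the process-creation events for a single host and a bounded time range so pid reuse stays inside the depth cap.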
