Just Another Blue Teamer
A threat hunter that has a passion for logs, especially endpoint logs, and for teaching the next generation of Threat Hunters to come!
I have recently been awarded the honor to be a trainer at #BlackHat 2023, which is an amazing opportunity and a goal I had set for myself. I am truly flattered!
- 9 Posts
- 8 Comments
Thank you all for awaiting patiently for your Threat Hunt Tip of the Day! And here you go!
I am not going to touch on the Windows Registry Run key that was mentioned, I lost track of how many times I shared that hunt package, even though it still proves to be useful, but what I will talk about are RMM tools. This list consists of tools like AnyDesk (seen in the Microsoft article), TeamViewer, AteraAgent, and many more!
How do you approach this? Hopefully you have an inventory and hopefully you have an application allow-list. If you have both of these, its a great start, but if you are like some organizations and living in the wild-west, it might be tougher. I would simply create a list of all the RMMs out there that have been abused by threat actors and search for them in your environment. Compare that to the software inventory if you have it and compare that to the application allow-list (if you have that as well) and then see what your data is telling you. This could be a quick win, especially if you see AnyDesk floating around your environment but no one approved it! Well, what are you waiting for? Go get those items and get hunting! Happy Hunting!
Nice little resource for RMMs from Red Canary!
https://redcanary.com/threat-detection-report/trends/rmm-tools/Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting #huntoftheday
For your Threat Hunting Tip of the Day:
Masquerading is a common technique used by attackers and by using legitimate names for their malicious programs it makes the victims more likely to click the application. But, as a hunter, what can you do? Easy: Look at the process chain!
Part of Threat Hunting is learning your environment and by identifying process chains that are legitimate in your environment, you can start to look for process chains that may not make sense. So when you are looking at “legit” sounding apps that are executing, make sure you look at the parent process!
Good luck and Happy Hunting!
Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting!
For your threat hunting tip of the day:
Once the malware was downloaded it started reaching out to some non-standard ports. Not only did the ports stick out as odd but the executables or programs doing it seemed strange as well. One example is the MSBuild.exe (an executable masquerading as a legitimate process) connected to an IP over port 6000.
Using speedguide.net as a reference to see what legitimate programs use port 6000, I see Medal of Honor Rising Sun, Madden NFL 2005, Army of Two for the PlayStation 3, and other games. BUT, if we look at the first part of the table we see that it has been used by different trojans. So the question you should ask yourself is this: Is someone playing PlayStation in my corporate environment, and an old one at that, or is this strange port something I should look into?
So, look for non-standard ports that aren’t tied to business or legitimate processes and do some research to see what they possibly could be! I hope this helps! Enjoy and Happy Hunting!
@cyborg@ioc.exchange Security @Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
Here is your Threat Hunting Tip of the Day:
In the The DFIR Report the attackers abused #PowerShell to execute encoded commands to hide their true activity from the defenders or the victims. Normally, PowerShell needs a parameter that tells it that the following command will be encoded, which is any valid variation of the “-encodedcommand” parameter. Now, this ranges from -e to -EnCoDeDcOmMaNd and everything in between to INCLUDE escape characters! So what are defenders to do?
You could leverage this Intel 471 Free Community Hunt Package that looks for these variations using regular expression! Now, this will help you identify the encoded commands that are run in your organization and possibly by attackers, but be warned! False-positives are a thing and once you start removing them you should have a better idea of what is abnormal. You can also use open source tools like CyberChef to decode the commands so you can make them human readable!
I hope this gets you started on your Threat Hunting journey, good luck and Happy Hunting!
Powershell Encoded Command Execution
https://hunter.cyborgsecurity.io/research/hunt-package/d2d3bbc2-6e57-4043-ab24-988a6a6c88dbCyborg Security #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
Threat Hunting Tip of the Day:
I know I normally steer you to a Cyborg Security and Intel 471 Hunt package but something about this report stuck out that could be an issue in many organizations and that can be summed up to one word: visibility!
Under the "Data Access and Impact (TA0010 and TA0040) section, it states that “CloudTrail S3 data logging and S3 server access logging was not enabled…no logs existed that showed exfiltration activity from the S3 buckets.” [1]
Lesson learned: IF you are migrating to the cloud or bringing new hardware/software, assets, etc into your environment, please take time to assess what level of logging exists, and determine what is valuable to ingest. Taking that time will be worth it in the long run and allow your analysts to dig through logs, create detections, and threat hunt in your environment! Enjoy and Happy Hunting!
[1] https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
#CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #gethunting
@benfulton@fosstodon.org Looking at the report, I have to make an assumption: Since the malware is able to monitor the clipboard, maybe the user copied and pasted some admin creds OR since it is able to extract passwords and information from browsers if the victim has privileged creds stored in extensions or their browser password manager they could get them from there.
For your Threat Hunting Tip of the Day:
I have covered this one many times, but I will continue to beat this horse as long as it exists. Adversaries WILL abuse the Run Registry Key for persistence, old malware will and new malware will and even future malware will. Why? Because of the function: Execute on logon.
So, if you are hunting for this, first make sure you have visibility into that registry key, emulate the traffic if you need to. Then make sure your tools have the visibility, that means you can hunt for it. Then, you can take this Intel 471 Free Community Hunt Package and drop it in your tool to begin the hunt! Enjoy and Happy Hunting!
Autorun or ASEP Registry Key Modification
https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135cCyborg Security #CyberSecurity #ITSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting
@WarySec@hachyderm.io @slazer2au@lemmy.world
This could make a lot of crypto bros pretty sad.