Happy Monday, or should I say, Happy #DFIRDay!
That’s right, The DFIR Report has dropped another one of their awesome reports, this time covering an attack that involved the #BlackSuit ransomware. There was a dash of #CobaltStrike, #SystemBC, some encoded Powershell commands for defense evasion (and to keep you guessing on what the command really is!), LSASS access for credentials, and ultimately led to the ransomware being deployed. This report provides a great example of all the things the adversary needs to do to be successful in an attack and all the information they need from your environment to do it!
Stay tuned for your Threat Hunting Tip of the Day but while you wait, enjoy the article! Happy Hunting!
And I promise you I am not going to take the easy way out and hit you with the AutoRun registry key hunt package again!
BlackSuit Ransomware
https://thedfirreport.com/2024/08/26/blacksuit-ransomware/
Cyborg Security Intel 471 #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday
Here is your Threat Hunting Tip of the Day:
In the The DFIR Report the attackers abused #PowerShell to execute encoded commands to hide their true activity from the defenders or the victims. Normally, PowerShell needs a parameter that tells it that the following command will be encoded, which is any valid variation of the “-encodedcommand” parameter. Now, this ranges from -e to -EnCoDeDcOmMaNd and everything in between to INCLUDE escape characters! So what are defenders to do?
You could leverage this Intel 471 Free Community Hunt Package that looks for these variations using regular expression! Now, this will help you identify the encoded commands that are run in your organization and possibly by attackers, but be warned! False-positives are a thing and once you start removing them you should have a better idea of what is abnormal. You can also use open source tools like CyberChef to decode the commands so you can make them human readable!
I hope this gets you started on your Threat Hunting journey, good luck and Happy Hunting!
Powershell Encoded Command Execution
https://hunter.cyborgsecurity.io/research/hunt-package/d2d3bbc2-6e57-4043-ab24-988a6a6c88dbCyborg Security #CyberSecurity #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #huntoftheday #gethunting