Hunting for WSL based Badness Windows Subsystem for Linux has been a thing for a long while and has been extended to version 2 already years ago. It is an amazing feature which allows you to, well, run lightweight linux on top of Windows OS. It offers the linux capabilities which many of us...
Hunting for malicious scheduled tasks
Why? Executing code & persistence through scheduled tasks is one of the most common techniques used by the threat actors to persist on a device. I also have noted that quite often the threat hunting is based on something like schtasks being used to create those tasks. This is fine as that is likely...
Impacket – Part 2
Hello mr. Impacket – I am back! Today I will write about Impacket. Last time I wrote about the psexec and smbexec modules which I found to be the most logical start to the series (BTW I would like to remind that 2 posts can be series). You know, it is a gift which...
Exploring hunting options for catching Impacket
Hunting for usage of Impacket Impacket is one of those tools which the threat actors are constantly using during the attacks. It is interesting tool as it allows interacting with several protocols with Python. It, for example, allows for a PsExec like behavior which is very often one of the key tools the threats...
Threat hunting for signs of credential dumping
Why this topic? I chose this topic because I’ve seen a lot of different queries to hunt for signs of credential dumping. However, these have been mostly developed around finding certain tools which do dump the credentials. My idea was to try to hunt for the activity done by the application which dumps the...
Hunting for signs of SEO poisoning
How to hunt for SEO poisoning? Well this is a good question to which I don’t have a good answer. This query is going to go through the very basics of how this can be started but it is not really that easy to do. I’ve had several different ideas of how to hunt...
Rare process launch as a service
Back after a long break The last post on this blog was published on mid-September 2023 so it has been a while since I was able to update the blog. The main reason for this is that I have been too busy. I’ve had extremely busy season at work and on top of that...
Analysis of the current malware – Icedid
Making the decision of what to analyze The last blog post that I wrote was about creating an ELK with a Kibana view of the currently active malware, using the common publicly available sandbox services. This gives some insight of what is currently active and I think it can be quite current as I...
Hunting for msbuild based execution
Why? There has been a new Advanced Persistent Threat group, named Dark Pink which have been using the msbuild.exe LOLBIN for doing their malicious deed. The group has been especially active in the APAC area, with some activity in Europe too – specifically in Bosnia and Herzegovina – weirdly enough. The group is mostly...
AsyncRAT
I haven’t observed any interesting new techniques recently, which is why I decided to analyze something that has been around for some time now. I’ve been interested in AsyncRAT for a while and decided to analyze it closer with threat hunting in mind. AsyncRAT is a Remote Access Tool which has been according to...