I’ve been using Jupyter Notebook for quite sometime in threat hunting and incident response purposes. It is great as it offers the python data analytic tools to be used with the data that has been ingested to it. It supports whatever that you can imagine of using over the API and thus offers great...
Qakbot
Qakbot – anything new on a recent sample? I’ve been looking through tria.ge to see what has been the recent trend in the malware world. For the last couple of days the majority of the samples supplied (no actual statistics, just a hunch based on looking at the recently uploaded samples) has been Qakbot....
Recent phishing emails + Emotet recent sample analysis
Phishing emails It’s been a little quiet on the blog for a while now. I’ve been busy with other things and haven’t had the time to find any feasible topics to write about. Now it sort of landed to my lap. I’ve been receiving phishing messages for a ~week now to my personal mailbox....
Running live malware for threat hunting purposes
This time I am trying something different. I am in no way, shape or form capable in malware analysis but I was thinking if it could be useful to run a live malware on a device with MDE agent installed. This could potentially provide great telemetry data to generate ideas for threat hunting purposes....
Detecting a Payload delivered with ISO files with MDE
It’s been a little quiet on my blog for a while now – reason being that I was on a holiday and rather did other things than sit in front of a computer. Just got back and have some free time to keep on blogging. While I was on a vacation I read an...
AMSI bypass detection with MDE
Microsoft has developed AMSI to detect malicious content to be launched by Powershell. The AMSI.dll is injected to the process memory after which the Antivirus programs can use the API to scan the content before it is being launched. If the content is malicious the execution will be prevented. This function works with Defender...
Bzz.. Bzz.. Bumblebee loader
Quite recently, a new loader has been popping up. This loader is likely been developed to counter the Microsoft’s change to the macro behavior, as the macros will be disabled on the documents that have been downloaded from the internet. This is a very welcome change as macros have been often used by the...
Running multiple instances of discovery commands in short period of time
When the attackers have been able to gain initial access to the environment they are often running different kind of commands to gain further information of the environment. The commands that are being run are often the same in the attacks thus making it possible to hunt for these commands being run on a...
DLL image loads from suspicious locations by regsvr32.exe / rundll32.exe
DLL images are being used quite a lot by the attackers to load their malicious code. I’ve done several different queries that are targeting this attack technique. I have been having an idea of taking a look at DLL files that are being loaded from abnormal locations and then building more information around this....
(Trying to) hunt for a hidden scheduled task
Microsoft DART released an article yesterday of how the malware known as Tarrask has been using scheduled tasks for defense evasion. This malware has been in use by an APT group known as HAFNIUM, likely most notable known by leveraging the 0-day known as ProxyShell a year ago. The article states that the malware...