To aid you in your Threat Hunting journey, check out this Threat Profile based on behaviors associated with Amadey! There are two Community Hunt Packages that can get you started! Now get hunting!

Amadey
https://hunter.cyborgsecurity.io/research/threat-profile/eb857bc3-9908-4356-95e8-4cbba7c64134

#huntoftheday #gethunting

Intel 471 | HUNTER

And of course, another great resource that you can use for your Intel-Driven threat hunting efforts from MITRE ATT&CK. There is enough intel here to create a bunch of different hypotheses and hunt queries!

Salt Typhoon
https://attack.mitre.org/groups/G1045/

#huntoftheday #gethunting

Salt Typhoon, Group G1045 | MITRE ATT&CK®

First, we have created a Hunt Package Collection based on #SaltTyphoon behaviors which you can find here! There is a Community Edition hunt package in there that can get your hunting started!

Salt Typhoon Hunt Package Collection
https://hunter.cyborgsecurity.io/research/search?state=(compatible:!f,filters:(actors:!(%27Salt%20Typhoon%27)),library:!(cyborg_collections),page:0,size:10,sort:relevance,term:!(),touched:!t)

#huntoftheday #gethunting

Intel 471 | HUNTER

Not to beat a dead horse, but deleting shadow copies is a very common behavior that many ransomware strains use. So if you are on the hunt, let us help you with this Community Hunt Package!

Shadow Copies Deletion Using Operating Systems Utilities
https://hunter.cyborgsecurity.io/research/hunt-package/2e3e9910-70c1-4822-804a-ee9919b0c419

#huntoftheday #gethunting

Intel 471 | HUNTER

If this article got you thinking about LOLBINs, take this great information and make it actionable with this Community Hunt Package! It covers the execution of common LOLBINs directly related to discovery activity! Now Get Hunting!

Excessive Windows Discovery and Execution Processes - Potential Malware Installation
https://hunter.cyborgsecurity.io/research/hunt-package/6d1c9f13-e43e-4b52-a443-5799465d573b

#huntoftheday #gethunting #HappyHunting

Intel 471 | HUNTER

Apologies for the delay, didn't mean to leave all you threat hunters hanging! According to the researchers, #Anubis #ransomware runs the following command to inhibit system recovery (T1490): "vssadmin delete shadows /for=norealvolume /all /quiet". This is a common behavior from ransomware strains, but you can use this Community Hunt Package to help discover that activity in your environment! Go find evil and get hunting!

Shadow Copies Deletion Using Operating Systems Utilities

https://hunter.cyborgsecurity.io/research/hunt-package/2e3e9910-70c1-4822-804a-ee9919b0c419

#huntoftheday #gethunting!

Intel 471 | HUNTER
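As an added example (not the hunt package's own logic, and not from the posts above), here is the shadow copy deletion hunt from the two posts above run over a few constructed process-creation events: the vssadmin command quoted above plus wmic and PowerShell/WMI variants. The "ts|host|image|cmdline" log format, host names and timestamps are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events in a hypothetical "ts|host|image|cmdline"
# format, not real telemetry. WKS01 and WKS03 carry shadow copy deletion;
# WKS02 only lists shadows and WKS04 is benign.
SAMPLE_LOG = """\
2024-05-01T10:01:02Z|WKS01|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /for=norealvolume /all /quiet
2024-05-01T10:01:05Z|WKS01|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
2024-05-01T10:02:00Z|WKS02|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2024-05-01T10:03:00Z|WKS03|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
2024-05-01T10:04:00Z|WKS04|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
"""

# Command-line patterns for shadow copy deletion through built-in utilities
# (MITRE ATT&CK T1490, Inhibit System Recovery), matched case-insensitively.
PATTERNS = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"win32_shadowcopy\b.*\b(delete|remove)\b", re.I), "WMI Win32_ShadowCopy deletion"),
]

@dataclass
class Finding:
    ts: str
    host: str
    image: str
    label: str
    cmdline: str

def hunt_shadow_copy_deletion(log_text: str) -> list[Finding]:
    """Return one Finding per event whose command line matches a deletion pattern."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmdline = line.split("|", 3)
        for pattern, label in PATTERNS:
            if pattern.search(cmdline):
                findings.append(Finding(ts, host, image, label, cmdline))
                break  # one finding per event even if several patterns overlap
    return findings

if __name__ == "__main__":
    for f in hunt_shadow_copy_deletion(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.label}: {f.cmdline}")
```

Matching on the command line rather than the image name is what catches the same behavior when it is renamed or launched through wmic or PowerShell; "vssadmin list shadows" is left alone because listing is routine administration.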

If RMM tool abuse is something you are concerned about, check out this community hunt package! This hunt package is designed to identify when a service is created to run AnyDesk, which was a tactic the adversary used in this report! Hope you enjoy and Happy Hunting!

AnyDesk Service Installation - Potentially Malicious RMM Tool Installation
https://hunter.cyborgsecurity.io/research/hunt-package/4103B086-F093-4084-9125-15B9A6C872B8

#huntoftheday #gethunting

Intel 471 | HUNTER

I know I was away for a while but I'll make it up to you! Check out our Hunt Package Collection that focuses on Volt Typhoon! We have multiple community edition hunt packages that can get you started! Now, the next steps are up to you! Happy Hunting!

Volt Typhoon Hunt Package Collection
https://hunter.cyborgsecurity.io/research/search?state=(compatible:!f,filters:(),library:!(cyborg_collections),page:0,size:10,sort:last_updated_desc,term:!(c16e5f84-27e4-491e-acf6-4a0cd10e5e01),touched:!t)&utm_campaign=HUNTER%20%7C%20Emerging%20Threats&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-96sdWv8rhaL0Uw6xkGAMgdZNJJ3gK4Cmx-Uj665UMHowd6eRbpPtBnuVh6i3bXLOi7EwqW

#huntoftheday #gethunting

Intel 471 | HUNTER

AND A HUNT OF THE DAY!?! You know it! Looking at where the malware created its scheduled task you can tell it is a little phishy, but there are more locations that adversaries like to use/abuse! See what you can find in your environment with this! Yes, it is community and I hope it gets you off on your journey if you haven't started OR it adds another tool to your existing toolbox! Happy Hunting!

Scheduled Task Executing from Abnormal Location
https://hunter.cyborgsecurity.io/research/hunt-package/09a380b3-45e5-408c-b14c-3787fa48d783

#huntoftheday #gethunting #HappyHunting

Intel 471 | HUNTER

To complement the work of the authors, why not take this Community Hunt Package with you to identify when a PowerShell encoded command is executed in your environment:

Powershell Encoded Command Execution
https://hunter.cyborgsecurity.io/research/hunt-package/d2d3bbc2-6e57-4043-ab24-988a6a6c88db

#huntoftheday #gethunting

Intel 471 | HUNTER