Good day everyone!
Sophos has released their second "Active Adversary Report" of 2024 where they look specifically at patterns and developments they noted during the first half of the year. They provided 3 key takeaways which were:
- Abuse of built-in Microsoft services (LOLbins) is up - way up
- RDP (Remote Desktop Protocol) abuse continues rampant, with a twist
- The ransomware scene: Banyans vs poplars.
LOLBIN abuse:
The Sophos researchers organized all their data and found that RDP, cmd.exe, and PowerShell were the top hitters for most prevalent LOLBINs being abused, and they share the trend in LOLBIN abuse, i.e. which applications were seen more or less in the first half of 2024 compared to 2023. Notable increases were seen in cmd.exe, net.exe, notepad.exe and ipconfig.exe. Notable decreases were PsExec, Task Scheduler, and a slight decrease in RDP, even though it remains at the top.
Now the question is, how does this help you and what are you going to do about it? Well, there is always the question as to whether to run a structured or unstructured hunt. For unstructured, I would prioritize that list from first to last and look for anomalies in the data. For structured hunts, I would try to better understand the behavior and the reason the adversaries are using them. Then you can focus on these behaviors, improve your query using different options/flags/parameters (whatever you want to call them) and dig deeper. Use the knowledge you have of how they have been used maliciously in the past to help guide you! Enjoy and Happy Hunting!
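As an added example (not from the Sophos report or this post), here is a small Python sketch of both hunt styles over constructed process-creation records: a structured hunt that ranks hits by the report's LOLBIN list and checks each binary against an assumed parent-process baseline, and an unstructured hunt that surfaces rare parent/child pairs. The event fields, baseline parents and sample records are all assumptions for illustration.

```python
"""LOLBin hunt over constructed process-creation events (added example; field names
mirror Sysmon Event ID 1, but the records and the parent baseline are constructed)."""
from collections import Counter

# Priority order taken from the report's most-prevalent LOLBIN list.
PRIORITY = ["cmd.exe", "powershell.exe", "net.exe", "notepad.exe", "ipconfig.exe"]

# Assumed baseline of parents that normally launch each LOLBin; tune per estate.
EXPECTED_PARENTS = {
    "cmd.exe": {"explorer.exe", "services.exe", "svchost.exe"},
    "powershell.exe": {"explorer.exe", "services.exe"},
    "net.exe": {"cmd.exe", "powershell.exe", "services.exe"},
}

def image_name(path):
    """Basename of a Windows image path, lower-cased for matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Structured hunt: (rank, reason, event) per anomaly, ordered by PRIORITY."""
    findings = []
    for ev in events:
        img, parent = image_name(ev["Image"]), image_name(ev["ParentImage"])
        if img not in PRIORITY:
            continue
        rank, cmd = PRIORITY.index(img), f" {ev['CommandLine'].lower()} "
        if parent == "notepad.exe":  # an editor launching anything is worth a look
            findings.append((rank, "notepad.exe spawning a shell or tool", ev))
        elif parent not in EXPECTED_PARENTS.get(img, {parent}):
            findings.append((rank, f"unexpected parent {parent}", ev))
        elif img == "net.exe" and any(k in cmd for k in (" user ", " group ", " localgroup ")):
            findings.append((rank, "net.exe account/group enumeration", ev))
    return sorted(findings, key=lambda f: f[0])

def rare_parent_child_pairs(events, max_count=1):
    """Unstructured hunt: parent->child pairs seen at most max_count times."""
    pairs = Counter((image_name(e["ParentImage"]), image_name(e["Image"])) for e in events)
    return {pair: n for pair, n in pairs.items() if n <= max_count}

def _ev(image, parent, cmdline):  # helper to build one constructed event record
    return {"Image": image, "ParentImage": parent, "CommandLine": cmdline}

EVENTS = [  # constructed sample events, not real telemetry
    _ev(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
    _ev(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c hostname"),
    _ev(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\notepad.exe", "cmd.exe /c whoami"),
    _ev(r"C:\Windows\System32\net.exe", r"C:\Windows\System32\cmd.exe", "net localgroup administrators"),
    _ev(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"C:\Program Files\Microsoft Office\WINWORD.EXE", "powershell.exe -NoProfile -Command Get-Process"),
]
```

Running `hunt(EVENTS)` returns the notepad-spawned cmd.exe first, then the Office-launched PowerShell, then the net.exe group enumeration, so the analyst reviews hits in the report's priority order.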
The Bite from Inside: The Sophos Active Adversary Report
https://news.sophos.com/en-us/2024/12/12/active-adversary-report-2024-12/
Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting Cyborg Security, Now Part of Intel 471