If RMM tool abuse is something you are concerned about, check out this community hunt package! This hunt package is designed to identify when a service is created to run AnyDesk, which was a tactic the adversary used in this report! Hope you enjoy and Happy Hunting!

AnyDesk Service Installation - Potentially Malicious RMM Tool Installation
https://hunter.cyborgsecurity.io/research/hunt-package/4103B086-F093-4084-9125-15B9A6C872B8

#huntoftheday #gethunting

Intel 471 | HUNTER

I know I was away for a while but I'll make it up to you! Check out our Hunt Package Collection that focuses on Volt Typhoon! We have multiple community edition hunt packages that can get you started! Now, the next steps are up to you! Happy Hunting!

Volt Typhoon Hunt Package Collection
https://hunter.cyborgsecurity.io/research/search?state=(compatible:!f,filters:(),library:!(cyborg_collections),page:0,size:10,sort:last_updated_desc,term:!(c16e5f84-27e4-491e-acf6-4a0cd10e5e01),touched:!t)&utm_campaign=HUNTER%20%7C%20Emerging%20Threats&utm_source=hs_email&utm_medium=email&_hsenc=p2ANqtz-96sdWv8rhaL0Uw6xkGAMgdZNJJ3gK4Cmx-Uj665UMHowd6eRbpPtBnuVh6i3bXLOi7EwqW

#huntoftheday #gethunting


AND A HUNT OF THE DAY!?! You know it! Looking at where the malware created its scheduled task, you can tell it is a little phishy, but there are more locations that adversaries like to use/abuse! See what you can find in your environment with this! Yes, it is community and I hope it gets you off on your journey if you haven't started, OR it adds another tool to your existing toolbox! Happy Hunting!

Scheduled Task Executing from Abnormal Location
https://hunter.cyborgsecurity.io/research/hunt-package/09a380b3-45e5-408c-b14c-3787fa48d783

#huntoftheday #gethunting #HappyHunting


To complement the work of the authors, why not take this Community Hunt Package with you to identify when a PowerShell encoded command is executed in your environment:

Powershell Encoded Command Execution
https://hunter.cyborgsecurity.io/research/hunt-package/d2d3bbc2-6e57-4043-ab24-988a6a6c88db

#huntoftheday #gethunting


I had this all ready but forgot to send yesterday! For your #huntoftheday I would recommend conducting an unstructured hunt on processes making network detections that could lead to C2 activity! Enjoy and Happy Hunting!

#gethunting

And, if you are taking this wonderful intel and using it to threat hunt, why not let us help you! Check out this Community Hunt Package that helps identify when AnyDesk is executed from an abnormal folder. Yes, it wasn't mentioned in the article, but there are PLENTY of examples of this abuse in many other articles! Enjoy and Happy Hunting!

AnyDesk Execution from Abnormal Folder - Potential Malicious Use of RMM Tool
https://hunter.cyborgsecurity.io/research/hunt-package/93F71607-F35D-4AA6-AEC9-C2F8A62CBD8A

#huntoftheday #gethunting


Don't think I was going to leave you hanging! If you haven't got this hunt package yet, what are you waiting for? This is probably the top community hunt package I post because the technique is SO common! Let us help you hunt for persistence through the modification of the Windows Run Registry key and other locations. I promise, the NanoCore RAT is not the only malware to use it, so you have multiple threats covered. Enjoy and Happy Hunting!

Autorun or ASEP Registry Key Modification
https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c

#huntoftheday #gethunting


And more good news! I am going to leave you with a community hunt package from our Ransomware Collection for you to stay diligent in your threat hunting efforts! So go get hunting!

Windows sc Used to Disable Multiple Services in Brief Period - Potential Ransomware
https://hunter.cyborgsecurity.io/research/hunt-package/5387a0d8-7890-4338-b1d5-8611dbfdcfee

#huntoftheday #gethunting

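The "sc used to disable multiple services in a brief period" hunt above, shown as detection logic over constructed process-creation events. This is an added example, not the hunt package's own query; the 60-second window and three-service threshold are assumptions to tune per environment.

```python
# Hunt: sc.exe used to disable/stop multiple services in a brief period (ransomware pre-encryption pattern).
# Added example, not the hunt package's own query; events, window and threshold are constructed/assumed.
import re
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, host, command line).
EVENTS = [
    ("2024-05-01T10:00:01", "WS01", 'sc.exe config "SQLWriter" start= disabled'),
    ("2024-05-01T10:00:03", "WS01", "sc stop MSSQLSERVER"),
    ("2024-05-01T10:00:05", "WS01", 'sc config "VSS" start= disabled'),
    ("2024-05-01T10:00:07", "WS01", "sc stop wuauserv"),
    ("2024-05-01T10:00:09", "WS01", "sc query state= all"),       # benign query, not counted
    ("2024-05-01T11:30:00", "WS02", "sc stop Spooler"),           # single stop, below threshold
    ("2024-05-01T14:00:00", "WS02", 'sc config "Spooler" start= disabled'),  # hours later
]

# Match a bare "sc"/"sc.exe" or a full path ending in it (non-POSIX shlex keeps Windows backslashes).
SC_RE = re.compile(r"(?:^|[\\/])sc(?:\.exe)?$", re.IGNORECASE)

def disabled_service(cmdline):
    """Return the service name if cmdline stops, deletes or sets start=disabled via sc, else None."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(toks) < 3 or not SC_RE.search(toks[0]):
        return None
    verb, svc, rest = toks[1].lower(), toks[2], " ".join(toks[3:]).lower()
    if verb in ("stop", "delete"):
        return svc
    if verb == "config" and ("start= disabled" in rest or "start=disabled" in rest):
        return svc
    return None

def find_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Per host, flag a sliding window in which >= threshold distinct services were disabled."""
    per_host = defaultdict(list)
    for ts, host, cmd in events:
        svc = disabled_service(cmd)
        if svc:
            per_host[host].append((datetime.fromisoformat(ts), svc))
    alerts = []
    for host, hits in sorted(per_host.items()):
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {s for t, s in hits[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                alerts.append((host, t0.isoformat(), sorted(seen)))
                break   # one alert per host is enough for triage
    return alerts
```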

Diving a little deeper into RDPWrapper, I found that, like its Windows-native version, it is designed to communicate on port 3389. Now, knowing that Kimsuky has its own version, I am curious as to whether the custom version used 3389 as well. Either way, you can run an unstructured hunt for internal->external communication over abnormal ports to hunt for this, and many other, threats. Honestly, a good way to start may be to exclude port 80 (hopefully nothing is there to begin with), port 443, port 53 to remove DNS, and maybe 22 if that is something in your environment. Of course, this is going to differ per environment, so take it and make it your own! Happy Hunting!

#huntoftheday
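The unstructured hunt described above, carried out over constructed flow records: drop everything that is not internal->external, drop the baseline ports the post names (80, 443, 53, 22), and rank what is left by how few sources use each port. This is an added example, not an Intel 471 hunt package; the internal ranges and the flow records are assumptions.

```python
# Unstructured hunt: internal -> external connections on ports outside the expected baseline.
# Added example, not an Intel 471 hunt package; flows are constructed, the port baseline follows the post.
import ipaddress
from collections import defaultdict

# Ports the post suggests excluding first (80, 443, 53, and 22 where SSH is normal); tune per environment.
BASELINE_PORTS = {80, 443, 53, 22}

# What counts as "internal" is an assumption: RFC 1918 here; add your own routed ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (src_ip, dst_ip, dst_port, proto).
FLOWS = [
    ("10.1.2.15", "203.0.113.10", 443, "tcp"),
    ("10.1.2.15", "198.51.100.5", 53, "udp"),
    ("10.1.2.20", "203.0.113.10", 80, "tcp"),
    ("10.1.2.20", "10.1.9.4", 3389, "tcp"),        # internal RDP: not egress, ignored
    ("10.1.2.33", "198.51.100.77", 3389, "tcp"),   # RDP straight to the internet
    ("10.1.2.33", "198.51.100.77", 3389, "tcp"),
    ("10.1.2.41", "203.0.113.200", 8443, "tcp"),
    ("10.1.5.9", "203.0.113.200", 8443, "tcp"),
    ("192.168.7.2", "203.0.113.9", 22, "tcp"),
]

def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def abnormal_egress(flows, baseline=BASELINE_PORTS):
    """Summarise internal->external flows on non-baseline ports, rarest (fewest sources) first."""
    by_port = defaultdict(lambda: {"flows": 0, "sources": set(), "destinations": set()})
    for src, dst, port, proto in flows:
        if not is_internal(src) or is_internal(dst) or port in baseline:
            continue
        entry = by_port[(port, proto)]
        entry["flows"] += 1
        entry["sources"].add(src)
        entry["destinations"].add(dst)
    rows = [{"port": port, "proto": proto, "flows": e["flows"],
             "sources": len(e["sources"]), "destinations": len(e["destinations"])}
            for (port, proto), e in by_port.items()]
    # Few sources talking on an unusual port is the classic starting point for the hunt.
    return sorted(rows, key=lambda r: (r["sources"], r["flows"], r["port"]))
```

Adding a port to the baseline once it is explained (for example 3389 where outbound RDP is expected) is how the hunt is made your own.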

To help get you up and running, or to add another hunt to your list, here is one you may be using already! While this attack involves different malware and actors, this behavior is a common one that is seen AND used by many different adversaries and malware! Enjoy and Happy Hunting!

Autorun or ASEP Registry Key Modification
https://hunter.cyborgsecurity.io/research/hunt-package/8289e2ad-bc74-4ae3-bfaa-cdeb4335135c

#huntoftheday

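The Autorun/ASEP registry key modification hunt recommended in this post and in the NanoCore post above, as detection logic over constructed registry-set events (Sysmon Event ID 13 style: writing process, target value, new data). This is an added example, not the hunt package's own logic; the ASEP list and the "user-writable directory" list are assumptions to extend.

```python
# Hunt: Autorun / ASEP registry key modification (Run keys and other autostart locations).
# Added example, not the hunt package's own logic; events are constructed in a Sysmon Event ID 13 style.
import re
# Autostart locations checked here (assumption: extend with your own ASEP list).
ASEP_RE = re.compile("|".join([
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(?:Userinit|Shell)$",
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\Startup$",
]), re.IGNORECASE)
# Directories a legitimate autostart entry rarely points into (assumption; tune for your estate).
SUSPICIOUS_DIRS = re.compile(r"\\(?:AppData\\Local\\Temp|Users\\Public|Windows\\Temp|Downloads|ProgramData)\\",
                             re.IGNORECASE)

# Constructed registry-set events: writing process, target value, new value data.
EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"host": "WS01", "image": r"C:\Users\bob\AppData\Local\Temp\inv0ice.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "details": r'"C:\Users\Public\svchost.exe"'},
    {"host": "WS02", "image": r"C:\Windows\regedit.exe",
     "target": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\ProgramData\up.exe"},
    {"host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun",
     "details": "DWORD (0x000000ff)"},
]

def extract_paths(details):
    """Pull file paths out of value data (quoted or bare; Userinit holds a comma-separated list)."""
    return [m.group(1) or m.group(2) for m in re.finditer(r'"([^"]+)"|([A-Za-z]:\\[^,"\s]+)', details)]

def score_event(ev):
    """Return (severity, reasons); severity 0 means the write did not touch an ASEP location."""
    if not ASEP_RE.search(ev["target"]):
        return 0, []
    reasons = ["autostart location modified"]
    for path in extract_paths(ev["details"]):
        if SUSPICIOUS_DIRS.search(path):
            reasons.append("value points into a user-writable dir: " + path)
    if SUSPICIOUS_DIRS.search(ev["image"]):
        reasons.append("writer itself runs from a user-writable dir: " + ev["image"])
    return len(reasons), reasons

def hunt(events, min_severity=2):
    """Keep ASEP writes that carry at least one indicator beyond the location itself."""
    return [(ev["host"], ev["target"], score_event(ev)[1])
            for ev in events if score_event(ev)[0] >= min_severity]
```

Plain Run-key writes by signed, well-known software (the OneDrive event) score 1 and stay out of the result, which keeps the hunt output small enough to review by hand.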