| Keybase | https://keybase.io/3141592f |
| Twitter | https://twitter.com/3141592f |
| LI | https://www.linkedin.com/in/3141592f/ |
@riskybusiness Okta is lacking many controls that MS has as an IDP/SSO, independent of the apps question.
I look forward to the snake oilers episode!
@ckure
I'm not sure I'd like to live forever, hence all my retirement planning models assume I die at some future date.
Lunchtime threat hunt: map recent MS/Storm-0558 detections to Google Workspace/Gmail. Summary: fail.
CISA noted that a US gov entity detected the incident via analysis of the `MailItemsAccessed` event type: "In Mid-June 2023, an FCEB agency observed MailItemsAccessed events with an unexpected ClientAppID and AppID in M365 Audit Logs." This event type was only available via more expensive E5 logging (which many/most don't pay for). MS changed this today to make it available to more customers without paying extra, after pressure.
Maybe I'm missing something but I can't seem to find a Google Workspace equivalent event type in Security Center ( https://support.google.com/a/answer/11482175?sjid=7101640716602908317-NA , Enterprise Plus licensing). Does Google not log these types of events?
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
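An added example, not part of the original post or the CISA advisory: a minimal hunt over exported M365 audit records that flags `MailItemsAccessed` events whose ClientAppID/AppID pair was never seen in a baseline window. The JSON field names, the sample records and the GUIDs are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample export, one JSON record per line. Field names follow the
# CISA wording (ClientAppID / AppID); the exact export schema is an assumption.
A, B, C = ("00000000-0000-0000-0000-00000000000" + s for s in "abc")
def _rec(ts, op, user, app):
    return json.dumps({"CreationTime": ts, "Operation": op, "UserId": user,
                       "ClientAppId": app, "AppId": app})
SAMPLE_LOG = "\n".join([
    _rec("2023-05-02T09:14:00", "MailItemsAccessed", "alice@example.com", A),
    _rec("2023-05-03T10:02:00", "MailItemsAccessed", "bob@example.com", B),
    _rec("2023-05-04T10:05:00", "Send", "bob@example.com", C),  # other op: ignored
    "{truncated line",                                           # malformed: skipped
    _rec("2023-06-15T08:00:00", "MailItemsAccessed", "alice@example.com", A),
    _rec("2023-06-16T08:00:00", "MailItemsAccessed", "alice@example.com", B),
    _rec("2023-06-16T11:30:00", "MailItemsAccessed", "bob@example.com", C),
])

def mail_access_records(log_text):
    """Yield only well-formed MailItemsAccessed records."""
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and rec.get("Operation") == "MailItemsAccessed":
            yield rec

def hunt(log_text, baseline_end):
    """Return (time, mailbox, app_pair, reason) for app pairs absent from the baseline."""
    per_mailbox, tenant, findings = defaultdict(set), set(), []
    records = sorted(mail_access_records(log_text),
                     key=lambda r: r.get("CreationTime", ""))
    for rec in records:
        ts, user = rec.get("CreationTime", ""), rec.get("UserId", "<unknown>")
        pair = (rec.get("ClientAppId") or "<missing>", rec.get("AppId") or "<missing>")
        if ts < baseline_end:                 # ISO-8601 strings sort chronologically
            per_mailbox[user].add(pair)
            tenant.add(pair)
        elif pair not in tenant:
            findings.append((ts, user, pair, "new-to-tenant"))
        elif pair not in per_mailbox[user]:
            findings.append((ts, user, pair, "new-to-mailbox"))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, baseline_end="2023-06-01T00:00:00"):
        print(finding)
```
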
This technique of infecting common file types on target networks for reinfection is underappreciated by defenders and underutilized by adversaries. It’s why we prepared so thoroughly for migration of an Aurora victim to a clean network back in 2010.
Thrunting file mods by process other than the default URI handler is a great starting query, especially PowersHell.exe.
"Another interesting aspect of Gamaredon infections is that the threat actors plant as many as 120 malicious infected files per week on the compromised system to increase the likelihood of re-infection."
This post brought to you by bitcoin.
https://apnews.com/article/north-korea-kim-icbm-nuclear-802a6a0719460463030c50429d27a087
North Korean leader Kim Jong Un has vowed to bolster his country’s nuclear fighting capabilities as he supervised the second test-flight of a new intercontinental ballistic missile designed to strike the mainland United States. North Korea's state media reported Kim’s comments a day after the launch of the Hwasong-18 missile. Kim was quoted as saying deepening U.S. and South Korean hostilities require “more intense efforts to implement the line of bolstering nuclear war deterrent.” The Hwasong-18 is made for road mobility and has built-in solid propellant, making it more difficult to detect than liquid-fuel models before launch.