Acquiredsec

24 Followers
62 Following
18 Posts

#DFIR, #ThreatHunting | Sr. IR Solutions Architect | check out my #SentinelOne threat hunting guide and queries on Git. https://github.com/acquiredsecurity


Toots 💨 do not represent my employer.

#bumblebee #malware
Bumblebee sample

SHA1: e845d373bdbfad8c95c4eed2d56bd43649e1695a

https://bazaar.abuse.ch/sample/111884defe575650260a2eaab6c0fc2a3ebd3fbe4a9bf75bb56944a13f0aa009/

PWD protected ZIP > ISO > LNK > BAT > DLL / EXE

C:\Windows\System32\cmd.exe /c navbar.bat

Starts process from LNK file and creates a scheduled task to install service.
Runs EXE from root of ProgramData.

SCHTASKS /create /tn "UpdateService" /tr "cmd.exe /c C:\programdata\YxurWe0fMb8Vi.exe C:\programdata\taxonomy.dll,cmfgutil" /sc hourly /mo 1 /sd 01/01/2022 /st 00:00

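The scheduled-task persistence in the toot above is easy to hunt once the schtasks switches are pulled apart. The following is an added example (not the author's code or any SentinelOne query) that tokenizes a `schtasks /create` command line into its switches and reports the traits of this sample: a task action wrapped in `cmd.exe /c`, an EXE launched from the root of ProgramData, a `DLL,Export` argument, and a tight repeating schedule. The sample command is the one from the toot with its spacing restored; the benign task is constructed for contrast.

```python
import re
from typing import Dict, List

# Constructed sample: the Bumblebee task from the toot, spacing restored.
SAMPLE_SCHTASKS = (
    'SCHTASKS /create /tn "UpdateService" '
    '/tr "cmd.exe /c C:\\programdata\\YxurWe0fMb8Vi.exe C:\\programdata\\taxonomy.dll,cmfgutil" '
    '/sc hourly /mo 1 /sd 01/01/2022 /st 00:00'
)
# Constructed benign task for comparison (vendor path and name are made up).
BENIGN_SCHTASKS = (
    'schtasks /create /tn "NightlyBackup" '
    '/tr "C:\\Program Files\\BackupVendor\\backup.exe" /sc daily /st 02:00'
)

# A token is either a double-quoted string or a run of non-whitespace.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Map each /switch (lower-cased, without the slash) to its value.

    Switches that take no value (/create, /f, ...) map to ''. Quoted values
    are returned without their surrounding quotes.
    """
    tokens = TOKEN_RE.findall(cmdline)
    parsed: Dict[str, str] = {}
    i = 1  # token 0 is the schtasks binary itself
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith('/'):
            key = tok[1:].lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith('/'):
                parsed[key] = nxt.strip('"')
                i += 2
            else:
                parsed[key] = ''
                i += 1
        else:
            i += 1
    return parsed


def hunt_schtasks(cmdline: str) -> List[str]:
    """Return the reasons a schtasks /create looks like the toot's pattern."""
    args = parse_schtasks(cmdline)
    findings: List[str] = []
    if 'create' not in args:
        return findings
    action = args.get('tr', '')
    # task action is itself a cmd.exe /c one-liner
    if re.search(r'(?i)\bcmd(\.exe)?\s+/c\b', action):
        findings.append('task action wrapped in cmd.exe /c')
    # EXE sitting directly in ProgramData (no subfolder)
    if re.search(r'(?i)[a-z]:\\programdata\\[^\\\s"]+\.exe\b', action):
        findings.append('EXE executed from root of ProgramData')
    # rundll32-style "path.dll,Export" argument handed to the EXE
    if re.search(r'(?i)\.dll,\w+', action):
        findings.append('DLL export invoked via DLL,Export argument')
    sc = args.get('sc', '').lower()
    if sc in ('minute', 'hourly'):
        findings.append(f'frequent schedule: /sc {sc} /mo {args.get("mo") or "1"}')
    return findings


if __name__ == '__main__':
    for name, cmd in (('sample', SAMPLE_SCHTASKS), ('benign', BENIGN_SCHTASKS)):
        print(name, hunt_schtasks(cmd))
```

The parser deliberately treats only tokens starting with `/` as switches, so date and time values such as `01/01/2022` are not mistaken for switches; if your EDR records the command line with spaces stripped, as in the toot's raw telemetry, restore them first or the tokenizer sees a single token.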

#Qakbot #threathunting tips for the week. 🦆 🤖

🚨 ISO > JS > wscript>PowerShell>DLL🚨

PowerShell Command Line Args
-ExecutionPolicy Bypass

📢 Anything Executing out of users\Public?
C:\users\public\*.jpg

And more Cmdline Args:

✔️ FromBase64String
✔️ start-process regsvr32
✔️ start-process Rundll32

Cmdline Telemetry

"C:\Windows\System32\cmd.exe" /c if exist C:\Users\<user>\AppData\Local\Temp\temp1_job_offer.zip\job_descr_10_22.pdf.lnk (certutil.exe -decode C:\Users\<user>\AppData\Local\Temp\temp1_job_offer.zip\job_descr_10_22.pdf.lnk C:\Users\<user>\AppData\Local\Temp\.hta&start C:\Users\<user>\AppData\Local\Temp\.hta)else (certutil -decode job_descr_10_22.pdf.lnk C:\Users\<user>\AppData\Local\Temp\.hta&start C:\Users\<user>\AppData\Local\Temp\.hta)

For anyone using SentinelOne, here are a few easy ways to find this.

The initial execution of the LNK file: IndicatorName = "SuspiciousCmdFromLnk"

IndicatorName = "SuspiciousCmdFromLnk" AND SrcProcCmdLine Contains Anycase "certutil"

documented here on my GIT:

https://github.com/acquiredsecurity/Sentinel-One-STAR-Rules-Threat-Hunts/blob/main/HUNT/Malware:%20ZippyReads

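The hunts listed in the Qakbot and ZippyReads toots above (ExecutionPolicy Bypass, FromBase64String, start-process regsvr32/rundll32, execution out of users\Public, certutil -decode into an .hta, and cmd launched from a LNK) translate directly into command-line rules. The block below is an added example, not the author's code and not a SentinelOne query: it runs those rules over constructed process telemetry modelled on the chains in the toots. The user name, file names, script path and the `cmd_from_lnk` heuristic are assumptions; the latter is only a rough stand-in for the vendor indicator, not its logic.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # command line as recorded by the EDR


# Constructed sample telemetry: ISO > JS > wscript > PowerShell > DLL, and the
# ZippyReads LNK that certutil-decodes into an .hta. Names are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("wscript.exe", "powershell.exe",
                 'powershell.exe -ExecutionPolicy Bypass -w hidden -c '
                 '"start-process regsvr32 \'C:\\Users\\Public\\invoice.jpg\'"'),
    ProcessEvent("wscript.exe", "powershell.exe",
                 'powershell.exe -nop -c "[Convert]::FromBase64String($blob)"'),
    ProcessEvent("explorer.exe", "cmd.exe",
                 '"C:\\Windows\\System32\\cmd.exe" /c if exist '
                 'C:\\Users\\alice\\AppData\\Local\\Temp\\temp1_job_offer.zip\\job_descr_10_22.pdf.lnk '
                 '(certutil.exe -decode '
                 'C:\\Users\\alice\\AppData\\Local\\Temp\\temp1_job_offer.zip\\job_descr_10_22.pdf.lnk '
                 'C:\\Users\\alice\\AppData\\Local\\Temp\\x.hta'
                 '&start C:\\Users\\alice\\AppData\\Local\\Temp\\x.hta)'),
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1'),
]

# (rule name, regex over the command line); each mirrors a hunt from the toots
RULES = [
    ("ps_executionpolicy_bypass",
     r"(?i)\bpowershell(\.exe)?\b.*-(executionpolicy|ex|ep)\s+bypass"),
    ("ps_frombase64string", r"(?i)frombase64string"),
    ("ps_start_process_lolbin", r"(?i)start-process\s+['\"]?(regsvr32|rundll32)"),
    ("exec_from_users_public", r"(?i)[a-z]:\\users\\public\\[^\s'\"]+"),
    ("certutil_decode_to_hta", r"(?i)certutil(\.exe)?\s+-decode\s+\S+\s+\S+\.hta"),
    # a .lnk inside Explorer's temp extraction folder for a zip (tempN_<name>.zip)
    ("lnk_inside_zip_temp", r"(?i)\\temp\\temp\d*_[^\\]+\.zip\\[^\\\s]+\.lnk"),
]


def evaluate(event: ProcessEvent) -> List[str]:
    """Names of every rule the event matches, in RULES order."""
    hits = [name for name, rx in RULES if re.search(rx, event.cmdline)]
    # rough stand-in for "cmd spawned from a LNK": Explorer launching cmd.exe
    # with a .lnk path on its command line
    if (event.parent.lower() == "explorer.exe" and event.image.lower() == "cmd.exe"
            and re.search(r"(?i)\.lnk\b", event.cmdline)):
        hits.append("cmd_from_lnk")
    return hits


def hunt(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """(event index, hits) for every event that matched at least one rule."""
    results = []
    for i, e in enumerate(events):
        hits = evaluate(e)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].image, hits)
```

The inventory script in the last sample event matches nothing, which is the point of keeping a clean record in the set: the rules key on the combination of the toots' indicators, not on PowerShell or cmd.exe alone.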

Some hunting opportunities for:
https://www.virustotal.com/gui/file/13846a9778f224ae692edddcc90746d0e619f872733c2c880188c36797b2c4e7

@k3dg3 and pointed out by @gossithedog #ZippyReads

PDF LNK file uses certutil -decode and .hta. Fetches .zip file payload and connects to C2.

michaelpagerecruitment-ukoffers(d)com
r3(d)o(d)lencr(d)org

#threatintel


Great #malware sample caught by @k3dg3 #threatintel

Exploits #ZippyReads (read only file for bypass of Mark-of-the-Web) and #DefenderExplode, a large file zero day in Microsoft Defender AV which breaks their telemetry and detection.

Targets Italy. Calls michaelpagerecruitment-ukoffers.]com

https://www.virustotal.com/gui/file/13846a9778f224ae692edddcc90746d0e619f872733c2c880188c36797b2c4e7


Two easy detection/hunt opportunities for this week and the last several weeks, months, years. #qakbot #bumblebee #malware #threathunt

ISO Files, JS, VBS, DLL OH MY 🦁 🐅 🐻

🚨 **regsvr outgoing IP connection events 🦆 🤖

🚨 **rundll32 outgoing IP connection events with rundll32 and a command parameter of CheckSettings in the cmdline telemetry 🐝
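Both hunts above are a join between process telemetry and network telemetry: regsvr32 or rundll32 opening an outbound connection, and for rundll32 the extra tell of a `CheckSettings` export in the command line. The following is an added example, not the author's code or a vendor query, that performs that join over constructed events. PIDs and the DLL path are made up, the "external" addresses are RFC 5737 documentation ranges standing in for Internet hosts, and the internal-range filter is an assumption about what is worth suppressing.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:
    pid: int
    dst_ip: str
    dst_port: int
    direction: str   # "outgoing" or "incoming"


# Constructed samples; documentation-range IPs stand in for external hosts.
SAMPLE_PROCS = [
    ProcEvent(4100, "regsvr32.exe", "regsvr32.exe /s C:\\Users\\Public\\form.jpg"),
    ProcEvent(4200, "rundll32.exe", "rundll32.exe C:\\ProgramData\\loader.dll,CheckSettings"),
    ProcEvent(4300, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(4400, "regsvr32.exe", "regsvr32.exe /s \\\\fileserver\\share\\comp.dll"),
]
SAMPLE_NET = [
    NetEvent(4100, "203.0.113.10", 443, "outgoing"),
    NetEvent(4200, "198.51.100.7", 2222, "outgoing"),
    NetEvent(4400, "10.0.0.5", 445, "outgoing"),     # internal file server
    NetEvent(4300, "203.0.113.99", 80, "incoming"),   # wrong direction, ignored
]

LOLBINS = {"regsvr32.exe", "rundll32.exe"}
# Ranges treated as internal (assumption: tune to your own address plan).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def correlate(procs: List[ProcEvent], nets: List[NetEvent]) -> List[Tuple[int, str, str]]:
    """Join network events to processes by PID and return (pid, image, reason)
    for regsvr32/rundll32 making outbound connections to non-internal hosts.
    A rundll32 whose argument names the CheckSettings export is called out."""
    by_pid: Dict[int, ProcEvent] = {p.pid: p for p in procs}
    findings: List[Tuple[int, str, str]] = []
    for n in nets:
        if n.direction != "outgoing":
            continue
        proc = by_pid.get(n.pid)
        if proc is None or proc.image.lower() not in LOLBINS:
            continue
        if is_internal(n.dst_ip):
            continue
        reason = f"{proc.image} outbound to {n.dst_ip}:{n.dst_port}"
        if (proc.image.lower() == "rundll32.exe"
                and re.search(r"(?i),\s*checksettings\b", proc.cmdline)):
            reason += " (CheckSettings export)"
        findings.append((n.pid, proc.image, reason))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_PROCS, SAMPLE_NET):
        print(finding)
```

In real telemetry join on the EDR's unique process key rather than the bare PID, since PIDs are reused; and decide deliberately whether to keep the internal-range suppression, because a regsvr32 reaching out to an internal host can still be worth a look.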