
Happy Monday everyone! I hope everyone is doing well!

Researchers from Rapid7 observed some updated tactics and behaviors exhibited by the APT known as Kimsuky (AKA Black Banshee or Thallium). One update to their tactics includes the use of a Compiled HTML Help file, or CHM file. Rapid7 found this significant because these types of files were seen to make it past the first line of defense and then lead to its execution. Following the CHM execution, other behaviors were seen and included registry key modification of the Windows Run registry key (SOFTWARE\Microsoft\Windows\CurrentVersion\Run).

Just Another Blue Teamer

Once the registry key was modified and the payload linked to in the registry data, persistence was successfully gained, which enabled the adversaries' repeated access to the victim. This is a great article and just the tip of the iceberg when it comes to technical details, so check it out for yourself! Enjoy and Happy Hunting!

The Updated APT Playbook: Tales from the Kimsuky threat actor group
rapid7.com/blog/post/2024/03/2

I know I share this Cyborg Security Community hunt package a lot, but it's because this behavior is extremely commonly used! It is just one of many behaviors that we help you hunt for that stand the test of time!

Autorun or ASEP Registry Key Modification
hunter.cyborgsecurity.io/resea

hunting
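The Run-key persistence chain the post describes (CHM opened, then a value written under CurrentVersion\Run pointing at a payload) is something you can hunt for directly in registry telemetry. The following is an added example, not code from the post, from Cyborg Security, or from the Rapid7 write-up: it scores Sysmon-style "registry value set" events (Event ID 13 with Image, TargetObject and Details fields) and flags writes to Run or RunOnce. The sample events are constructed, and the scoring heuristics are assumptions of this example: hh.exe is treated as the CHM handler (it is the Windows HTML Help executable), a short list of script and shell hosts counts as a suspicious writer, and a payload path under a user-writable directory raises the severity.

```python
import json
import re
from typing import Dict, List

# Constructed Sysmon-style Event ID 13 (RegistryEvent: value set) records as JSON lines.
# These are made-up events for this example, not telemetry from the Rapid7 report.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\hh.exe", "TargetObject": "HKU\\S-1-5-21-111\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Update", "Details": "C:\\Users\\alice\\AppData\\Roaming\\update.vbs"}
{"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent", "Details": "C:\\Program Files\\Vendor\\agent.exe"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-111\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Windows\\System32\\cmd.exe", "TargetObject": "HKU\\S-1-5-21-111\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Cleanup", "Details": "C:\\Users\\alice\\AppData\\Local\\Temp\\x.cmd"}
"""

# The autostart (ASEP) locations from the post: ...\CurrentVersion\Run and RunOnce.
# The trailing capture group is the value name that was written.
ASEP_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)

# Assumed heuristics (not from the post): the CHM handler and common script/shell hosts
# are unusual writers of autostart entries; installers and legitimate agents usually are not.
CHM_HANDLER = "hh.exe"
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed list of user-writable locations a dropped payload is likely to live in.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def score_event(event: Dict) -> Dict:
    """Return a finding for an ASEP write, or an empty dict if the event is not one."""
    if event.get("EventID") != 13:
        return {}
    match = ASEP_RE.search(event.get("TargetObject", ""))
    if not match:
        return {}

    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    payload = event.get("Details", "")
    reasons: List[str] = []

    if writer == CHM_HANDLER:
        reasons.append("chm_handler_wrote_run_key")   # the CHM -> Run key chain from the article
    elif writer in SCRIPT_HOSTS:
        reasons.append("script_host_wrote_run_key")
    if USER_WRITABLE_RE.search(payload):
        reasons.append("payload_in_user_writable_path")

    # Every Run/RunOnce change is reported so a baseline can be kept; severity grows with
    # the number of independent suspicious signals on the same event.
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return {
        "key": match.group(1),
        "value_name": match.group(2),
        "writer": writer,
        "payload": payload,
        "severity": severity,
        "reasons": reasons,
    }


def analyze_events(jsonl: str) -> List[Dict]:
    """Parse JSON-lines registry events and return one finding per Run/RunOnce write."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = score_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['key']}\\{f['value_name']} "
              f"written by {f['writer']} -> {f['payload']} ({', '.join(f['reasons']) or 'no extra signal'})")
```

On the constructed sample this reports the hh.exe write and the cmd.exe RunOnce write as high, the installer's Run entry as low, and ignores the unrelated Explorer value. In a real deployment the writer and path lists would be tuned against your own environment's baseline of legitimate autostart installers.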

Rapid7 · The Updated APT Playbook: Tales from the Kimsuky threat actor group | Rapid7 Blog: Within Rapid7 Labs we continually track and monitor threat groups. As part of this process, we routinely identify evolving tactics from threat groups in what is an unceasing game of cat and mouse.