Target Package: APT 18

Summary: APT 18 is a threat group that has been in operation since at least 2009. Broadly, they usually send their victims a phishing email that downloads a Remote Access Trojan (RAT). Some of their observed persistence mechanisms have included registry run […]


Detecting MITRE ATT&CK Technique: Part 2 – T1003.001 (LSASS Memory)

Today I wanted to write a quick blog post on how you can detect, with free and open-source tools, attackers using rundll32.dll and comsvcs.dll to dump LSASS memory. You can find out how my environment is set up in part 1 of this series: https://marcusedmondson.com/2020/07/29/detecting-mitre-attck-technique-t1218-010-regsvr32/ . So now let’s cover how MITRE ATT&CK describes […]
