Today I wanted to do a quick blog post on how to use the tool Sigma to create Elastalert rules, for alerting purposes for your Elastic Stack instance.  Sigma So, first things first, what is Sigma? According to the official Github site, “Sigma is a generic and open signature format that allows you to describe […]

Target Package: APT 18 Summary: APT 18 is a threat group that has been in operation since at least 2009. A broad overview of how they operate consists of usually sending their victims a phishing email which will download a Remote Access Trojan (RAT). Some of their observed persistence mechanisms have been using registry run […]

Today I wanted to write a quick blog post on how you can detect, with free and open source tools, attackers using rundll32.dll and the comsvcs.dll to dump the memory from LSASS. You can find out how my environment is setup in part1 of this series: https://marcusedmondson.com/2020/07/29/detecting-mitre-attck-technique-t1218-010-regsvr32/ So now let’s cover how MITRE ATT&CK describes […]

Today I wanted to write a quick blog post on how you can detect, with free and open source tools, attackers using regsvr32.exe to download scriptlet files on remote servers to get code execution in your environment.  First, I will cover how I setup my environment. It is a pretty basic environment, I have a […]

Today I wanted to do a post on a sample that I pulled down from 0xffff0800 website here. It is just a quick behavioral analysis in order to rip out some IOC’s for quick wins. A little background on who APT32 or OceanLotus is, according to FireEye, “APT32 (OceanLotus Group), are carrying out intrusions into […]

Today I wanted to do a real quick post on a PowerShell downloader linked to Emotet. Here is a little background on what Emotet is according to Malwarebytes: Emotet is a Trojan that is primarily spread through spam emails. The infection may arrive either via malicious script, macro-enabled document files, or malicious link. Emotet emails […]

So today I wanted to do a blog post on Black Energy. The sample I will be working with was sourced from hybrid analysis here: https://www.hybrid-analysis.com/sample/39d04828ab0bba42a0e4cdd53fe1c04e4eef6d7b26d0008bd0d88b06cc316a81?environmentId=4. This particular piece of malware was used to target the networks used to control power grids and has been associated to the Sandworm Team, who used it to also […]

Today I wanted to do a quick behavioral analysis of Vidar. This particular piece of malware I downloaded from https://www.malware-traffic-analysis.net/2019/01/10/index2.html and is part of the Hookads campaign that is using the Rig Exploit Kit to push Vidar. So lets get started… So what I will be doing is fairly straight forward. I will first setup my […]

So today I wanted to do a blog post on an executable SHA-256: 408e38b4d81de63e5762dcb8024f81360b426429821f9934b087aa0a6b44c56f that has been tied back to the Gamaredon Group, in my research. I pulled it down from @0xffff0800 .onion website http://iec56w4ibovnb4wc.onion/Library/GamaredonGroup/. Thank you @0xffff0800 with sharing these samples with the community! A little background on who the Gamaredon Group is. According […]

Today I wanted to do a blog post on unpacking Shade (Troldesh) ransomware md5 7F9D970C685F7F33AA8A961F2A10173D. The sample I used was acquired from here. Troldesh is a crypto ransomware variant that was created in Russia. So the short story is it will encrypt your files and try to extort money from you. The technique I used on […]