The following threat reports are scheduled to be pushed to production on January 21 by 4pm EST. These threat reports will be pushed to Advanced Threat Indicators. We will post another update when these changes are complete. Please allow time for your VMware CB Response and/or VMware CB ThreatHunter instances to populate with these changes.
Advanced Threat Indicators
The following threat reports will be pushed to the Advanced Threat Indicators Production Feed.
Name: Suspicious HTA Module Load
Query: (process_name:mshta.exe AND modload:clr.dll) -(cmdline:"Amazon Assistant" AND cmdline:aa.hta)
Name: HTA Abuse
Description: A malicious HTA file can be leveraged without dropping any additional files to disk. In certain instances, MSHTA will read the attacker's malicious code from the registry and execute a shell by registering an active object. This query looks for the higher-confidence indicators: overt calls made via the command line.
Name: Remote Credential Theft via API
Query: (modload:comsvcs.dll cmdline:minidump) OR (cmdline:procdump.exe and cmdline:lsass)
Description: Attackers will commonly target lsass.exe in order to perform credential dumping, obtaining account login and password information. These stolen credentials can be leveraged for lateral movement and/or accessing restricted information. Attackers may be able to dump credentials remotely via various tools. For additional information, sample tactics are detailed here: https://en.hackndo.com/remote-lsass-dump-passwords/
Credit: Special thank you to @fsn for contributing this query to our threat intelligence :)
Name: Malicious Driver Modloads Spawn Command Interpreter
Query: (childproc_name:cmd.exe AND (modload:elrawdsk.sys OR modload:assistant.sys))
Description: Attackers may load signed or unsigned malicious drivers. These module loads should be regularly audited. Invocation of a command interpreter may indicate progression down the kill chain and additional execution. This technique has been observed in the Dustman attack.
On initial deployment of new threat reports, CB Response performs a historical run-through across all of your data. Because of this, an initial influx of positive hits is expected. This will subside once the historical tagging is complete and CB Response begins tagging hits on more recent data. Customers who have alerting enabled for these feeds will notice this most.
Future Threat Report Update Notifications
If you'd like to be notified about future threat intelligence updates at least 24 hours ahead of time, please see Future Threat Report Update Notifications.