CB Connect 2020 early-bird discount pricing expires on February 21. Learn more and reserve your spot today!
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Carbon Black Employee

CBR/CBTH - Upcoming New Threat Reports - 1/21/2020

The following threat reports are scheduled to be pushed to production, scheduled for January 21, by 4pm EST. These threat reports will be pushed to Advanced Threat Indicators. We will post another update when these changes are complete. Please allow time for your VMware CB Response and/or VMware CB ThreatHunter instances to populate with these changes.


Advanced Threat Indicators

The following threat reports will be pushed to the Advanced Threat Indicators Production Feed. 


Name: Suspicious HTA Module Load

Query: (process_name:mshta.exe AND modload:clr.dll) -(cmdline:"Amazon Assistant" AND cmdline:aa.hta)

Link: https://redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/

Description: HTA can be easily abused by attackers. From MSDN: "HTAs pack all the power of Internet Explorer—its object model, performance, rendering power and protocol support—without enforcing the strict security model and user interface of the browser.” These HTML files execute JavaScript and VBScript outside of the browser, but under the full permission of the user.


Name: HTA Abuse

Query: process_name:mshta.exe AND (cmdline:"javascript" OR cmdline:".regread" OR cmdline:"activexobject")

Link: https://redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/

Description: A malicious HTA file can be leveraged without dropping any additional files to disk. In certain instances, MSHTA will read the attacker’s malicious code from the registry and execute a shell via registering an active object. This query looks for the higher confidence indicators for overt calls via command line.


Name: Remote Credential Theft via API

Query: (modload:comsvcs.dll cmdline:minidump) OR (cmdline:procdump.exe and cmdline:lsass)

Link: https://community.carbonblack.com/t5/Threat-Research-Discussion/Catch-LSASSY-execution/m-p/84601/hig...

Description: Attackers will commonly target lsass.exe in order to perform credential dumping, obtaining account login and password information. These stolen credentials can be leveraged for lateral movement and/or accessing restricted information. Attackers may be able to dump credentials remotely via various tools. For additional information, sample tactics are detailed here: https://en.hackndo.com/remote-lsass-dump-passwords/

Credit: Special thank you to @fsn  for contributing this query to our threat intelligence :)


Name: Malicious Driver Modloads Spawn Command Interpreter

Query: (childproc_name:cmd.exe AND (modload:elrawdsk.sys OR modload:assistant.sys))

Link: https://www.darkreading.com/vulnerabilities---threats/advanced-threats/dustman-attack-underscores-ir... 

TAU-TIN: https://community.carbonblack.com/t5/Threat-Research-Docs/ZeroCleare-Dustman-Wiper/ta-p/84911

Description: Attackers may have signed or unsigned malicious drivers. These module loads should be regularly audited. Invocation of a command interpreter may be indicative of progression down the kill chain and of additional execution. This technique has been observed in the Dustman Attack.



Customer Impact

On initial deployment of new threat reports, CB Response will perform a historical run-through across all of your data. Because of this, it is expected for an influx of initial positive hits to occur. This will subside once the historical tagging is complete and CB Response begins tagging hits with more recent data. Customers who have alerting enabled for these feeds will notice this most.

Future Threat Report Update Notifications


If you'd like to be notified about future threat intelligence updates at least 24 hours ahead of time, please see Future Threat Report Update Notifications.

Labels (1)