4/ Bottom line: Pay attention to downloads and or AV alerts which could indicate the download or the use of one of these tools, as this might be an active TA in your network. 📞🚒🧑🚒
• • •
Missing some Tweet in this thread? You can try to
force a refresh
Monitoring or creating a baseline (which users are using Python) could be helpful here, or just monitoring from which paths Python is started (like in our example from the Music directory).
This scanner is trendy among ransomware groups and has been mentioned in reports by @TheDFIRReport, among others. [1] 🧵
2/ This HTTP request can now be used very well for an alert.
Or better, collect and monitor all your DNS logs, because a DNS request will still go out if the Advanced IP Scanner is run without an installation (portable version).
An excellent opportunity for detection.
3/ You can see the DNS request for the domain www.advanced-ip-scanner[.]com below.
3/ On our specified endpoint on the Internet (with the
-Destination parameter), we can capture incoming SMB connections (again, if SMB is not blocked on the FW):
# tcpdump -i eth0 port 445 -nn
IP X.X.X.20.64516 > 142.93.X.X.445
2/ Hunting for credentials in the PowerShell history is quickly done with @Velocidex Velociraptor.
We can get the file's entire content from the hosts or search specifically for keywords within the file.
3/ The content of this file (the PowerShell history), is not only interesting for searching stored credentials in it but also an excellent forensic artifact.
In the case of a CA, we can specifically search for (older) traces of TAs (Invoke-commands, downloading of tools/code..)
If the Windows App sideloading feature is enabled, users can also install APPX packages not originating not from the Microsoft Store, ideal for distributing malware with these packages 🤯[1],[2]
#QuasarRAT is another RAT we see from time to time in our IR cases and was also used against NATO facilities in March. [1]
We can hunt for
1⃣ The default port within the FW logs
2⃣Mutexes
3⃣User-Agent
4⃣Persistence mechanisms
🧵
2/ @qualys has published an excellent paper ("Stealthy Quasar Evolving to Lead the RAT Race") about Quasar, where the whole builder and much more are described in detail. [2]
3/ In the client builder (which creates an executable which is used for the infection), the default port is pre-configured to 4782.