The Adversary is trying to gain access to your Network
Here I will focus on the two major techniques for Initial Access; in this section we will consider spear-phishing in the form of attachments and links. In the Offensive Section we saw which techniques are being used and how these two well-known techniques are used, but what can we do about it? What is our hunter seeing when searching for a threat, and what do we leave behind that gets us caught?
Well let's dive a little bit deeper.
This one is very simple but hard to detect without a trained eye, or for someone who simply isn't aware of this attack. In this example we will send various links to our victim and find out what gets logged and what a Blue Teamer can find in this situation.
Some great examples can be found in our famous SPAM folder, where we can see how they "hide" these links in images or shortcut links.
Here is a sample of how they are put together:
Aah that Blue Pill Scam
Where does this link take us?
Following this URL currently redirects us to a fake purchase page, and the domain was registered only recently even though the site claims YEARS of helping people.
So that is one way to view these fake URLs; it is highly recommended to check them in a controlled environment such as a VM.
Some very common things to do before clicking are to use tools to check the URL's reputation and when the domain was registered, or simply to hover over the URL so you can see where it takes you.
Let's check our attachments. Some of these fly through the email provider's detection system and can easily bypass our own AV provider. Recent techniques such as VBA Stomping and obfuscation are used for this, and sometimes this is combined with a link that downloads a file containing the malicious code.
Let's work with macros. In this example the macro has bypassed detection through obfuscation and has executed on our victim machine; what can the hunter look for to find this?
Let's first check Sysmon. It's a great tool for threat hunting and logs very detailed information: we can see that a registry value was set when the macro executed, along with the target file and its full path:
Registry Key Value
A Trusted Record was created for the file:
Also the command line used by the macro to execute a PowerShell command:
And the network connection that was established:
Process Hacker shows us that WORD has a child process executing PowerShell and establishing a connection to the Internet. Pretty odd, right? Why would a Word document establish a network connection?
These are some great things to look out for when executing a macro and/or hunting for this technique; these are some examples of what can be found, and there are also a few other things you can check, such as Prefetch.
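To turn the Sysmon observations above (Trusted Record written, Word spawning PowerShell, that child making a network connection) into a repeatable hunt, here is an added example of a small detection rule over Sysmon-style events. It is not code from the original post; the event dicts are a simplified stand-in for Sysmon event IDs 1, 3 and 13, and the sample events are constructed.

```python
# Added example (not from the original post): a small hunting rule for the
# Word -> PowerShell -> network chain. Events are simplified dicts mirroring
# Sysmon fields; EventID 1 = process create, 3 = network connection,
# 13 = registry value set. SAMPLE_EVENTS below is constructed telemetry.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments commonly seen when a macro hides a PowerShell stage.
SUSPICIOUS_FLAGS = ("-enc", "-w hidden", "-nop", "downloadstring")


def _base(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_macro_activity(events):
    """Return a list of (severity, reason) findings, in event order."""
    findings = []
    office_children = set()  # PIDs of shells spawned by an Office app
    for ev in events:
        eid = ev["EventID"]
        if eid == 13 and "trustrecords" in ev["TargetObject"].lower():
            # Office writes a TrustRecords value when a user enables content.
            findings.append(("low", f"Trusted document record written: {ev['TargetObject']}"))
        elif eid == 1 and _base(ev["ParentImage"]) in OFFICE_APPS and _base(ev["Image"]) in SHELLS:
            office_children.add(ev["ProcessId"])
            cmd = ev.get("CommandLine", "").lower()
            flags = [f for f in SUSPICIOUS_FLAGS if f in cmd]
            sev = "high" if flags else "medium"
            findings.append((sev, f"{_base(ev['ParentImage'])} spawned {_base(ev['Image'])} (flags: {flags})"))
        elif eid == 3 and ev["ProcessId"] in office_children:
            findings.append(("high", f"Office child process connected to {ev['DestinationIp']}:{ev['DestinationPort']}"))
    return findings


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Office\16.0\Word\Security"
                                    r"\Trusted Documents\TrustRecords\%USERPROFILE%/Downloads/invoice.docm"},
    {"EventID": 1, "ProcessId": 4242, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64"},
    {"EventID": 3, "ProcessId": 4242, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessId": 5150, "Image": r"C:\Windows\explorer.exe",  # benign, should not fire
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for sev, reason in hunt_macro_activity(SAMPLE_EVENTS):
        print(f"[{sev.upper()}] {reason}")
```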