Threat Objects
Cisco Talos researchers recently observed ransomware actors abusing Velociraptor, an open-source digital forensics and incident response (DFIR) tool, during a highly disruptive attack. We previously spotlighted the trend of adversaries abusing freely available, legitimate utilities in their ongoing efforts to evade defenses and persist in victim environments.
We extracted rich, varied details from the report that would be most relevant to Threat-Led Defense, powering new content in our knowledge base, including a Campaign, myriad new threat object & Technique relationships, and 10 discrete Procedure Sightings. The activity is attributed to Storm-2603, a China-based threat actor that is now known to deploy at least three distinct families of ransomware and who drew attention this summer for its suspected ties to the “ToolShell” exploit campaign.
Threat-Led Defense commentary: Recommended mitigations include restricting or monitoring msiexec.exe usage, especially with remote URLs; disabling or restricting Windows Installer; monitoring for suspicious process creation (e.g., msiexec.exe launched by LNK files or via GPO); and deploying network analytics (e.g., Suricata DNS rules for known malicious domains). Publicly available detection analytics have also been published relevant to this Sighting, e.g. Sigma or Elastic rules.
Threat-Led Defense commentary: The report did not provide explicit commands or policies that were modified, but pivoting to this Sighting’s Procedure Cluster highlights previous cases where other ransomware actors (LockBit & Egregor) modified GPOs to set registry values like DisableAntiSpyware and DisableRealtimeMonitoring, disabling Windows Defender. This activity can be detected with Sigma analytics like this.
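As an added example (not code from the Talos report or from this knowledge base), the Python below sketches the two detections recommended in the commentary above, run over constructed Sysmon-style events: msiexec.exe invoked with a remote URL or spawned by explorer.exe/gpscript.exe (assumed here as the parents of an LNK double-click and a GPO script), and Windows Defender policy values DisableAntiSpyware or DisableRealtimeMonitoring being set to 1. Event field names and sample values are assumptions.

```python
import re

# Constructed, Sysmon-like sample events (assumed field names; not data from the report).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i https://example.invalid/velo.msi /qn",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\vendor.msi /qn",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
]

REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
LNK_OR_GPO_PARENTS = ("\\explorer.exe", "\\gpscript.exe")  # assumed LNK / GPO-script parents
DEFENDER_POLICY_KEY = "\\policies\\microsoft\\windows defender\\"
DEFENDER_TAMPER_VALUES = {"disableantispyware", "disablerealtimemonitoring"}

def check_process_event(ev):
    """Flag msiexec.exe pulling an installer from a URL or spawned by LNK/GPO parents."""
    if not ev.get("Image", "").lower().endswith("\\msiexec.exe"):
        return []
    remote = bool(REMOTE_URL.search(ev.get("CommandLine", "")))
    lnk_gpo = ev.get("ParentImage", "").lower().endswith(LNK_OR_GPO_PARENTS)
    return (["msiexec_remote_url"] if remote else []) + (["msiexec_suspicious_parent"] if lnk_gpo else [])

def check_registry_event(ev):
    """Flag Defender policy values DisableAntiSpyware/DisableRealtimeMonitoring set to 1."""
    target = ev.get("TargetObject", "").lower()
    value_name = target.rsplit("\\", 1)[-1]
    if DEFENDER_POLICY_KEY not in target or value_name not in DEFENDER_TAMPER_VALUES:
        return []
    num = re.search(r"0x[0-9a-f]+|\d+", ev.get("Details", "").lower())  # "DWORD (0x...)" or plain int
    return ["defender_disabled_via_registry"] if num and int(num.group(), 0) == 1 else []

def scan(events):
    """Run the process check on EID 1 records and the registry check on the rest; return (index, finding) pairs."""
    hits = []
    for i, ev in enumerate(events):
        check = check_process_event if ev.get("EventID") == 1 else check_registry_event
        hits.extend((i, f) for f in check(ev))
    return hits
```

A local MSI install with a normal service parent and a Defender value written as 0 produce no findings, which is the false-positive boundary these checks rely on.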