Detecting Ransomware Precursors

The business model for ransomware has evolved to include multi-level and multi-stage services and toolkits. Initial access is often accomplished by a first-stage compromise, followed by a second-stage download/drop of tools like Emotet, Trickbot, and Qakbot. This second stage allows adversaries to lurk in your network, profiling normal use and/or searching for targets of …

Detecting RunDLL32 ATT&CK Techniques

Launching a strange binary file on a target endpoint is a good way to raise alarm bells within the target organization's SOC. One of the more common #LOLBINS we see is the use of RunDLL32.exe to execute malicious DLL files. This technique is well documented in MITRE's ATT&CK framework under T1085. In this post, we look …