Threat Overview - Black Basta Ransomware and Threat Group
**Black Basta** Ransomware and Threat Group (originally seen in 2022) is known to encrypt files on a victim's computer or network, and hold data "ransom" until the victim pays the attacker for the decryption key/software. Further, the group utilizes a double extortion tactic - which means that after the data is encrypted and held ransom, there also exists a threat of publishing the data (which was exfiltrated before encryption) to the public. Financially motivated and Russian-speaking, **Black Basta** operates under the Ransomware-as-a-Service (RaaS) model and has targeted many countries worldwide; including the United States, Japan, Australia, The United Kingdom, Canada and New Zealand.
Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!
Hunt Packages
Suspicious Scheduled Task Created - Execution Details Contains Scripting Reference
This content is designed to detect when scripting references are found in scheduled tasks. Malware and adversaries use this technique to maintain persistence on a compromised system.
Autorun or ASEP Registry Key Modification
A common method that adversaries and malicious software alike achieve persistence is by adding a program to the startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder allows the referenced program to be executed when a user logs in. They are often utilized for legitimate purposes, however when utilized maliciously the key name/value is often obviously suspicious, such as random names, or objects loaded from temp or public folders.
Microsoft Defender Antivirus Disabled via Registry Key Manipulation (Powershell ScriptBlock Logging Detection)
This package is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key by changing the value from a 0 to a 1 via Powershell commandlets.
Potential Abuse of Built-in Network Tools for Network and Configuration Discovery
Searches for multiple LOLB network discovery and configuration tools being run in a short period of time. This indicates an attacker attempting to perform network discovery of assets that are reachable, as well as the local configuration of the system.
Potential Exfiltration - Common Rclone Arguments
This will identify processes executed with common arguments associated with rclone activity used to exfiltrate.
Living Off The Land Technique - Esentutl.exe
This package is designed when the Microsoft Windows native binary esentutl.exe is used to perform actions that may be abnormal and possibly malicious.
Excessive Windows Discovery and Execution Processes - Potential Malware Installation
This package utilizes a list of commonly abused LOLB which an attacker or malware would execute in quick succession. The presence of multiple executions of the programs within the list can be indicative of an infection or malicious activity occurring on a victim host. To reduce false positives, distinct counts per process name can be utilized to ensure over 5 unique processes from the list were executed versus just checking more than 6 events were generated on the host.
Usage of chmod to Enable Execution - Potential Payload Staging
This hunt package identifies instances where the 'chmod' command is used to modify file permissions, specifically focusing on changes that grant executable rights. By correlating these events with user contexts and known file paths, the package aims to highlight potentially malicious activities, such as the preparation of a system for exploitation or the setup of persistence mechanisms by unauthorized users.
Rundll32 Run Without Arguments
Rundll32 running without any command-line arguments is very anomalous and should be investigated. This can be indicative of malicious activity.
Suspicious Scheduled Task Created - Encoded PowerShell Payload Executed From Registry
This package is intended to identify when a scheduled task command is executed to create a task utilizing PowerShell to execute a base64 encoded payload that has been stored in the Windows Registry.
Atera Agent utilized for Unauthorized Remote Access
This package identifies when the Atera Agent is installed for remote connectivity by looking for key registry values or command line arguments used to install and register the agent to an unauthorized account. This package uses different artifacts in order to identify this behavior. Check out the 'Deployment Requirements' section for each tool in order to understand the limitations or requirements.
RDP Enabled Via NETSH
This hunt package is designed to capture the activity surrounding commandline arguments being executed in order to enable Remote Desktop Protocol (RDP).
Suspicious bcdedit Activity - Potential Ransomware
BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to utilize bcdedit to modify the boot configuration to prevent recovery. The intent of this package is to identify when bcdedit is being utilized with several common malicious commands, such as delete and safeboot.
Local Data Staging - ADFind.exe
This content has been designed to identify when ADFind.exe is staging data, possibly for exfil, on a local resource.
Microsoft Defender Antivirus Disabled via Registry Key Manipulation
This content is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key or by modifying how Microsoft Defender will respond to threats based by changing the configuration through registry keys.
Suspicious Child Process - Calc.exe
This use case is meant to identify when calc.exe contains a child process other than calc.exe. Calc.exe containing a child process other than itself should be considered abnormal, and could be indicative of process injection or other malicious activity.
Shadow Copies Deletion Using Operating Systems Utilities
Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host. This tactic is typically carried out with powershell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command line arguments containing delete and variations of shadow.
Regsvr32 Running Files from Temp Directories
This Hunt Package is designed to identify files executed (such as DLLs) from a temporary directory by regsvr32.exe. This LOLB is often abused to proxy execution or launch malicious applications/malware.
