UPDATE 03/04/2025: A significant leak of internal chat logs from within Black Basta ransomware group has provided the community with a glimpse into their operations, including further information regarding their capabilities, tools and motivations. It was released via JSON file on February 11, 2024 by a Telegram user named ExploitWhispers, and contained around 200,000 chat messages dated between September 2023 and June 2024. Black Basta is considered one of the most impactful Ransomware groups of recent years, and this event rivals the 2022 leaks that affected the Conti ransomware gang in 2022. With newly discovered information uncovered due to these leaks, threat hunters at Intel 471 have updated the collection with newly uncovered TTPs (Tactics, Techniques and Procedures).
Titan References:
Related Hunt Package: Black Basta Emerging Threat Collection
Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!
Rclone is a command-line tool used to manage (and potentially exfiltrate) files on cloud storage. A larger number of ransomware cases have been uncovered where Rclone has been utilized to exfiltrate files off of victim machines.
This content is designed to detect when scripting references are found in scheduled tasks. Malware and adversaries use this technique to maintain persistence on a compromised system.
This will identify the potentially malicious use of WMI (Windows Management Interface) utilized for local enumeration and discovery of a host.
A common method that adversaries and malicious software alike achieve persistence is by adding a program to the startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder allows the referenced program to be executed when a user logs in. They are often utilized for legitimate purposes, however when utilized maliciously the key name/value is often obviously suspicious, such as random names, or objects loaded from temp or public folders.
This package is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key by changing the value from a 0 to a 1 via Powershell commandlets.
This Threat Hunt Package is meant to identify the use of powershell to stop all vms on a Hyper-v Host. This technique is often a precursor to ransomware being deployed, so it can properly encrypt the target data.
Searches for multiple LOLB network discovery and configuration tools being run in a short period of time. This indicates an attacker attempting to perform network discovery of assets that are reachable, as well as the local configuration of the system.
This will identify processes executed with common arguments associated with rclone activity used to exfiltrate.
This package is designed when the Microsoft Windows native binary esentutl.exe is used to perform actions that may be abnormal and possibly malicious.
This package utilizes a list of commonly abused LOLB which an attacker or malware would execute in quick succession. The presence of multiple executions of the programs within the list can be indicative of an infection or malicious activity occurring on a victim host. To reduce false positives, distinct counts per process name can be utilized to ensure over 5 unique processes from the list were executed versus just checking more than 6 events were generated on the host.
This package will identify when a Mimikatz payload has been executed on a system as one-liner likely to output to a file for collection. This is not the standard way Mimikatz is typically run, but adversaries still execute it in this fashion.
This hunt package identifies instances where the 'chmod' command is used to modify file permissions, specifically focusing on changes that grant executable rights. By correlating these events with user contexts and known file paths, the package aims to highlight potentially malicious activities, such as the preparation of a system for exploitation or the setup of persistence mechanisms by unauthorized users.
Rundll32 running without any command-line arguments is very anomalous and should be investigated. This can be indicative of malicious activity.
This use case detects when shares are mapped via "net.exe" within command line. More specifically, hidden administrative shares that can be mapped and used to remote file copy malicious files and/or executables.
This package is designed to detect when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key by changing the value from a 0 to a 1. It focuses on the commandline arguments that are executed to modify the registry key.
This package is intended to identify when a scheduled task command is executed to create a task utilizing PowerShell to execute a base64 encoded payload that has been stored in the Windows Registry.
This package identifies when the Atera Agent is installed for remote connectivity by looking for key registry values or command line arguments used to install and register the agent to an unauthorized account. This package uses different artifacts in order to identify this behavior. Check out the 'Deployment Requirements' section for each tool in order to understand the limitations or requirements. NOTE: Queries will require to put your business name into the query parameters if your organization utilizes Atera.
This hunt package is designed to capture the activity surrounding commandline arguments being executed in order to enable Remote Desktop Protocol (RDP).
This hunt searches for wmic.exe being launched with parameters to operate on remote systems. This could uncover an attacker abusing WMI functionality, in order to potentially perform remote executions or to simply gather information.
BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to utilize bcdedit to modify the boot configuration to prevent recovery. The intent of this package is to identify when bcdedit is being utilized with several common malicious commands, such as delete and safeboot.
This content has been designed to identify when ADFind.exe is staging data, possibly for exfil, on a local resource.
This content is designed to detect when the same discovery tool (ifconfig.exe, netstat.exe, ping.exe) is executed in quick succession that contains different arguments and strings.
This content is designed to identify when Microsoft Defender Antivirus is disabled through manipulation of the DisableAntiSpyware registry key or by modifying how Microsoft Defender will respond to threats based by changing the configuration through registry keys.
This use case is meant to identify when calc.exe contains a child process other than calc.exe. Calc.exe containing a child process other than itself should be considered abnormal, and could be indicative of process injection or other malicious activity.
Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host. This tactic is typically carried out with powershell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command line arguments containing delete and variations of shadow.
This Hunt Package is designed to identify files executed (such as DLLs) from a temporary directory by regsvr32.exe. This LOLB is often abused to proxy execution or launch malicious applications/malware.
Anydesk is a common and widely utilized tool for remotely controlling machines. However, it has also been adopted by many actors to remotely access victim machines and deploying malware or ransomware payloads. This Hunt Package is designed to exclude common paths where AnyDesk is executed from. Due to AnyDesk being able to be installed or executed from nearly any directory, Analysts should review whether AnyDesk is allowed, and follow internal policies if it is not authorized. Some common "red flag" type directories can be temporary directories, ProgramData and System32. Additionally, to appear more legitimate, some attackers may utilize installation paths that include legitimate sounding names, such as "Microsoft Management" or "Customer Service"
mommy Access Broker is enabling access-as-a-service operations through detailed intrusion guides and compromised credentials, and Intel 471 has released reporting and Hunt Packages to support threat hunting and detection.
NATO's annual summit comes as member countries face a rapidly changing global security dynamic, with cyber playing a significant role.
DragonForce is a Ransomware-as-a-Service group targeting global industries with customizable payloads, enabling widespread attacks and persistent extortion through an affiliate-driven model.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.