Detect ClickOnce abuse and AppDomainManager injection using ClickOnceBlobber. Covers dfsvc.exe process telemetry, ClickOnce cache artifacts, Zeek logs, Sysmon unsigned module loads, and Suricata TLS fingerprints. Includes KQL detection queries.
This is a simple emulation of a campaign documented by ReliaQuest, 'New Campaign Uses Screensavers for RMM-Based Persistence'. LimeWire.com is used to deliver a self-extracting archive masquerading as a Windows screensaver file that installs ScreenConnect.
This attack simulation is inspired by Seqrite Lab's 'Operation HanKook Phantom: North Korean APT37 Targeting South Korea' and Praetorian's 'Corrupting the Hive Mind: Persistence Through Forgotten Windows Internals'. It relies on a simple ClickFix attack to launch a PowerShell script that drops a Loki C2 payload, which is in turn used to establish persistence with a Mandatory User Profile.
Abuse of Python .pth files to establish persistence on Windows. The lab demonstrates how code embedded in site-packages path files executes automatically when Python starts.
KQL analysis lab of malicious DLL sideloading via the Windows Bluetooth File Transfer Wizard. Demonstrates loading a DLL from a user-writable directory and how to detect the behavior using MDE telemetry.
Hands-on lab demonstrating a BYOVD technique using Microsoft's KslD.sys driver to extract domain credentials from LSASS. Explore detection gaps in Windows telemetry, learn how to implement controls using WDAC, and see how attackers evade monitoring.