Happy Wednesday everyone!

Secureworks released their “State of the Threat” Report that covers cybercrime, state-sponsored threat activity, and, my favorite part, the notable trends in Tactics, Techniques, and Procedures (TTPs).

On page 30, we can find some great information related to #Infostealers and their capabilities. They highlight that the information these stealers collect is sold as logs and that these logs may contain “local application data such as crypto wallets and VPN data; documents; system information…”.

Focusing on the #Lumma stealer, we find that a common behavior associated with it is the abuse of the #Windows living-off-the-land binary (LOLBin) schtasks to schedule a task that executes from an abnormal location, such as a user-writable directory.

If you are currently hunting, or planning to hunt, for the Lumma Stealer in your environment, this is a good place to start! It is an Intel 471 Community Edition hunt package that anyone with a community account can access. Enjoy and Happy Hunting!

Scheduled Task Executing from Abnormal Location
https://hunter.cyborgsecurity.io/research/hunt-package/09a380b3-45e5-408c-b14c-3787fa48d783
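To show what "scheduled task executing from an abnormal location" looks like as hunt logic, here is an added example written for this post; it is not the Intel 471 hunt package's own query and not code from the Secureworks report. It assumes the telemetry is Windows Security Event ID 4698 ("A scheduled task was created"), whose TaskContent field carries the task XML, and it flags any Exec action whose command or arguments point into a user-writable location. The environment-variable expansions, the abnormal-path list and the sample events are all constructed assumptions to tune for your own environment.

```python
"""Hunt for scheduled tasks that execute from abnormal locations.

Added example, not the hunt package's own logic.  Input is assumed to be
Windows Security Event ID 4698 records whose TaskContent field holds the
Task Scheduler XML.  All sample events below are constructed.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Stealers often hide the real path behind an environment variable; expand
# the common ones to a generic profile so the path checks still match.
# (Assumption: a generic user profile path stands in for the real one.)
ENV_EXPANSIONS = {
    "%appdata%": r"c:\users\user\appdata\roaming",
    "%localappdata%": r"c:\users\user\appdata\local",
    "%temp%": r"c:\users\user\appdata\local\temp",
    "%tmp%": r"c:\users\user\appdata\local\temp",
    "%userprofile%": r"c:\users\user",
    "%programdata%": r"c:\programdata",
    "%public%": r"c:\users\public",
    "%systemroot%": r"c:\windows",
}

# Locations a legitimately installed scheduled task rarely executes from.
# Assumption: tune this list against a baseline of your own environment.
ABNORMAL_PATH_PATTERNS = [
    r"[a-z]:\\users\\[^\\]+\\appdata\\",
    r"[a-z]:\\users\\[^\\]+\\downloads\\",
    r"[a-z]:\\users\\public\\",
    r"[a-z]:\\programdata\\",
    r"[a-z]:\\windows\\temp\\",
    r"[a-z]:\\temp\\",
]


def normalize_path(text: str) -> str:
    """Lower-case, strip surrounding quotes and expand known env variables."""
    cleaned = text.strip().strip('"').lower()
    for var, expansion in ENV_EXPANSIONS.items():
        cleaned = cleaned.replace(var, expansion)
    return cleaned


def is_abnormal_location(text: str) -> bool:
    """True if a command or argument string references an abnormal path."""
    path = normalize_path(text)
    return any(re.search(pattern, path) for pattern in ABNORMAL_PATH_PATTERNS)


def parse_task_actions(task_xml: str):
    """Return (command, arguments) pairs for every Exec action in the task."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_el.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((command, arguments))
    return actions


def hunt(events):
    """Flag 4698 events whose task runs a binary or script from an abnormal path.

    The arguments are checked too: a LOLBin such as wscript.exe lives in
    System32, but the script it is told to run may sit in %LOCALAPPDATA%.
    """
    findings = []
    for event in events:
        if event.get("EventID") != 4698:
            continue
        for command, arguments in parse_task_actions(event["TaskContent"]):
            if is_abnormal_location(command):
                reason = "command"
            elif is_abnormal_location(arguments):
                reason = "arguments"
            else:
                continue
            findings.append({
                "task": event["TaskName"],
                "user": event["SubjectUserName"],
                "command": command,
                "arguments": arguments,
                "reason": reason,
            })
    return findings


def task_xml(command: str, arguments: str = "") -> str:
    """Build a minimal Task Scheduler XML document for the constructed samples."""
    args_el = f"<Arguments>{arguments}</Arguments>" if arguments else ""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<Actions Context="Author"><Exec><Command>{command}</Command>{args_el}</Exec></Actions>'
        "</Task>"
    )


# Constructed sample telemetry: two benign tasks, two that should be flagged,
# and one unrelated event that the hunt must ignore.
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "TaskContent": task_xml(r"%SystemRoot%\system32\usoclient.exe", "StartScan")},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\Updater",
     "TaskContent": task_xml(r"%APPDATA%\update\launcher.exe")},
    {"EventID": 4698, "SubjectUserName": "jdoe", "TaskName": r"\OneShot",
     "TaskContent": task_xml(r"C:\Windows\System32\wscript.exe", r'"%LOCALAPPDATA%\Temp\run.js"')},
    {"EventID": 4698, "SubjectUserName": "svc_backup", "TaskName": r"\Vendor\Backup",
     "TaskContent": task_xml(r"C:\Program Files\Vendor\agent.exe", "--nightly")},
    {"EventID": 4688, "SubjectUserName": "jdoe", "TaskName": "", "TaskContent": ""},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"[{finding['reason']}] {finding['task']} by {finding['user']}: "
              f"{finding['command']} {finding['arguments']}".rstrip())
```

Running the block prints the two flagged tasks: the launcher under %APPDATA% and the wscript.exe task whose script lives under %LOCALAPPDATA%\Temp. The second case is why the arguments are inspected as well as the command; checking only the image path would let a LOLBin-launched payload through. Expect to add exclusions for updaters that legitimately run from AppData before turning this into an alert.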

Cyborg Security, Now Part of Intel 471 #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday