Specific detections

Miroslav Stampar edited this page Mar 16, 2021 · 22 revisions

Computrace (medium)

If installed, Computrace tracks a stolen laptop and provides authorities with the information they need to recover it. The issue is that the same software can download and install unknown programs without authorization, even when the user has explicitly disabled it.

References:

Covenant (medium)

Covenant is a .NET C&C framework that aims to (ab)use offensive .NET tradecraft capabilities and serve as a collaborative command and control platform for red teamers. Network security analysts should investigate similar detections and determine whether such frameworks are authorized to run inside the organizational network.

References:

DPRK SiliVaccine (medium)

Detection of network communication attempts by North Korea's SiliVaccine anti-virus software.

References:

Pushbug (medium)

A malicious campaign that abuses browser push notifications to deliver unwanted content to affected systems. To date this activity is a form of social engineering: it bypasses many security controls and can potentially obtain persistence by installing a service worker in the browser.

References:

Python BYOB (medium)

Python BYOB (Build Your Own Botnet) is an open-source project that provides a library of packages and modules forming a basic framework for testing the limits of an organization's security assets in local network defense.

Note: Network security analysts should investigate similar cases to determine whether such a framework is authorized to run inside the organizational network.

SocGholish (medium)

A framework that uses several social engineering themes, impersonating browser updates (Chrome/Firefox), Flash Player updates and Microsoft Teams updates.

References:

Superfish (medium)

Detection of domains and IP addresses related to the adware preinstalled on Lenovo laptops, known as Superfish.

References:
