Edgewater Federal Solutions’ expert cyber threat hunters continuously seek innovative ways to detect and mitigate malicious activity. Our proactive approach blends traditional cyber threat intelligence with deep environmental awareness, allowing us to identify and track threats targeting critical assets—especially those that evade conventional detection methods.
Recently, our team analyzed the latest report on the Russian APT group Seashell Blizzard and developed enhanced hunting queries to strengthen threat detection capabilities.
Edgewater’s Hypothesis:
Threat actor Seashell Blizzard, as part of the BadPilot campaign, has compromised a public-facing web application via a known CVE and has established persistence and an active presence within our network.
Hunting Queries:
Renamed Procdump:
What Caught Our Eye: The report noted that adversaries in the BadPilot campaign used renamed utilities to dump credentials from LSASS.
Objective: The query identifies processes whose image name is not the usual “procdump” or “procdump64” but whose command line carries the flags procdump takes when it is pointed at LSASS: “-accepteula” (procdump also accepts “/accepteula”) together with the target name “lsass”. A match indicates an attempt to evade name-based detection by renaming the utility while still performing the credential dump. Two gaps to keep in mind when triaging: “-accepteula” is only required the first time a Sysinternals tool runs on a host (acceptance is stored in the registry), so later runs may omit it, and procdump can be given the LSASS process ID instead of its name, which the “lsass” match will not see. Pairing the “-ma” flag with the LSASS PID, or with a write of a .dmp file, covers those cases.
Rationale: Attackers rename a known tool (here, procdump) so that detections keyed on its real file name never fire. The behavior survives the rename: the command-line options needed to target the LSASS process are the same, and that is what this query keys on.
MITRE ATT&CK: T1003.001 (OS Credential Dumping: LSASS Memory)
Query Syntax:
//Credential Access via Renamed Procdump
//The real tool names are excluded here because name-based detections already cover them.
//"accepteula" without the leading dash matches both -accepteula and /accepteula under KQL term matching.
//FileName is kept in the output so the renamed binary is visible in the results.
DeviceProcessEvents
| where FileName !has "procdump" and FileName !has "procdump64"
| where ProcessCommandLine has "accepteula" and ProcessCommandLine has "lsass"
| summarize count() by DeviceName, FileName, InitiatingProcessFileName, ProcessCommandLine
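To make the query's logic testable outside Defender, here is a small Python re-implementation that runs the same checks over constructed DeviceProcessEvents-style rows. It is an added example, not code from Edgewater or from the report, and it goes one step further than the query: it approximates KQL's whole-term "has" matching (so /accepteula and -accepteula both hit) and also catches procdump pointed at LSASS by PID, using a constructed per-device lsass PID lookup. Column names follow Defender's table; every device name, PID and command line is made up.

```python
import re

# Constructed sample rows shaped like Microsoft Defender's DeviceProcessEvents table.
# Column names match the real table; every value is made up for this example.
SAMPLE_PROCESS_EVENTS = [
    {"DeviceName": "ws01", "FileName": "procdump64.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\lsass.dmp"},
    {"DeviceName": "ws02", "FileName": "svchost.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "svchost.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\s.dmp"},
    {"DeviceName": "ws03", "FileName": "update.exe", "InitiatingProcessFileName": "powershell.exe",
     "ProcessCommandLine": "update.exe /accepteula -ma 712 C:\\Temp\\u.dmp"},   # LSASS by PID
    {"DeviceName": "ws04", "FileName": "notepad.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "notepad.exe lsass-notes.txt"},                      # benign
    {"DeviceName": "ws05", "FileName": "pd.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "pd.exe -accepteula -ma 1234 C:\\Temp\\x.dmp"},      # PID is not lsass
]

# Constructed snapshot of the lsass.exe PID on each device. In Defender you would
# derive this from lsass.exe rows in DeviceProcessEvents; here it is hard-coded.
LSASS_PID_BY_DEVICE = {"ws02": 700, "ws03": 712, "ws05": 700}


def kql_terms(text):
    """Approximate KQL term indexing: split on non-alphanumerics, lowercase.
    '-accepteula' and '/accepteula' both yield the term 'accepteula'."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def kql_has(text, term):
    """Approximation of KQL's `has`: whole-term, case-insensitive match."""
    return term.lower() in kql_terms(text)


def is_renamed_procdump(event, lsass_pid_by_device):
    name = event["FileName"]
    cmd = event["ProcessCommandLine"]
    # Same exclusion as the hunting query: the real tool names are handled elsewhere.
    if kql_has(name, "procdump") or kql_has(name, "procdump64"):
        return False
    if not kql_has(cmd, "accepteula"):
        return False
    # Target named by image name ...
    if kql_has(cmd, "lsass"):
        return True
    # ... or by PID, which the page's query would miss. A bare numeric token equal
    # to the lsass PID is good enough for an example; real data needs a PID-column join.
    lsass_pid = lsass_pid_by_device.get(event["DeviceName"])
    if lsass_pid is None:
        return False
    return str(lsass_pid) in kql_terms(cmd)


def hunt_renamed_procdump(events, lsass_pid_by_device):
    """Return the rows the rule fires on, in input order."""
    return [e for e in events if is_renamed_procdump(e, lsass_pid_by_device)]


if __name__ == "__main__":
    for hit in hunt_renamed_procdump(SAMPLE_PROCESS_EVENTS, LSASS_PID_BY_DEVICE):
        print(hit["DeviceName"], hit["FileName"], hit["ProcessCommandLine"])
```

Run as written, the rule fires on ws02 (renamed binary, LSASS by name) and ws03 (renamed binary, LSASS by PID), and stays quiet on the genuine procdump64.exe, the benign notepad.exe line and the dump of an unrelated PID.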
Task Manager UI:
What Caught Our Eye: The report noted adversaries in the BadPilot campaign were observed leveraging built-in system tools to interact with LSASS, a key process containing credential data.
Objective: This query looks for the built-in Task Manager opening a handle to the LSASS process, which Defender records as an OpenProcessApiCall event. Task Manager enumerates processes whenever it is open, but it has no ordinary reason to hold a memory-reading handle to lsass.exe; the one common legitimate path is an operator right-clicking lsass.exe and choosing “Create dump file”, which writes lsass.DMP to that user’s Temp folder. Treat hits as high priority and check DeviceFileEvents for a .DMP created by the same taskmgr.exe process to confirm that a dump was actually written. If the query is noisy on hosts where Task Manager sits open all day, inspect the requested access rights reported in the event’s AdditionalFields and keep only opens with memory-read access.
Rationale: Attackers use a trusted built-in tool (Task Manager) to do something it is rarely used for: read the LSASS process, which holds credentials in memory. Because Task Manager is a signed Windows component, security tooling that keys on unusual or foreign binaries may not react, so the action blends into normal system activity and is harder to spot.
MITRE ATT&CK: T1003.001 (OS Credential Dumping: LSASS Memory)
Query Syntax:
//Credential Access via Task Manager "Create dump file" on LSASS
//Output keeps the device and account so a hit can be tied to an operator session.
DeviceEvents
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"
| where InitiatingProcessFileName =~ "taskmgr.exe"
| summarize count() by DeviceName, InitiatingProcessAccountName, InitiatingProcessParentFileName
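As an added example (not part of the original post or of any vendor product), the following Python applies the same filter to constructed DeviceEvents rows and then performs the confirmation step described above: it looks in constructed DeviceFileEvents rows for a .DMP created by the same taskmgr.exe process within a short window after the handle was opened. Column names follow Defender's tables; every host name, account, PID and timestamp is made up, and the five-minute window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed rows shaped like Defender's DeviceEvents table (OpenProcessApiCall rows).
# Column names match the real table; the values are made up for this example.
SAMPLE_DEVICE_EVENTS = [
    {"Timestamp": "2025-03-01T10:00:00", "DeviceName": "ws01", "ActionType": "OpenProcessApiCall",
     "FileName": "lsass.exe", "InitiatingProcessFileName": "taskmgr.exe",
     "InitiatingProcessId": 4100, "InitiatingProcessAccountName": "jdoe"},
    {"Timestamp": "2025-03-01T11:30:00", "DeviceName": "ws02", "ActionType": "OpenProcessApiCall",
     "FileName": "lsass.exe", "InitiatingProcessFileName": "taskmgr.exe",
     "InitiatingProcessId": 5200, "InitiatingProcessAccountName": "admin"},
    {"Timestamp": "2025-03-01T12:00:00", "DeviceName": "ws03", "ActionType": "OpenProcessApiCall",
     "FileName": "lsass.exe", "InitiatingProcessFileName": "MsMpEng.exe",   # not Task Manager
     "InitiatingProcessId": 3000, "InitiatingProcessAccountName": "SYSTEM"},
]

# Constructed rows shaped like Defender's DeviceFileEvents table.
SAMPLE_FILE_EVENTS = [
    {"Timestamp": "2025-03-01T10:00:04", "DeviceName": "ws01", "ActionType": "FileCreated",
     "FileName": "lsass.DMP", "FolderPath": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\lsass.DMP",
     "InitiatingProcessFileName": "taskmgr.exe", "InitiatingProcessId": 4100},
    {"Timestamp": "2025-03-01T13:30:00", "DeviceName": "ws02", "ActionType": "FileCreated",
     "FileName": "notes.txt", "FolderPath": "C:\\Users\\admin\\notes.txt",
     "InitiatingProcessFileName": "notepad.exe", "InitiatingProcessId": 6100},
]


def _ts(row):
    return datetime.fromisoformat(row["Timestamp"])


def taskmgr_lsass_opens(device_events):
    """Mirror of the hunting query: Task Manager opening a handle to lsass.exe."""
    return [e for e in device_events
            if e["ActionType"] == "OpenProcessApiCall"
            and e["FileName"].lower() == "lsass.exe"
            and e["InitiatingProcessFileName"].lower() == "taskmgr.exe"]


def find_dump_write(open_event, file_events, window=timedelta(minutes=5)):
    """Return the first .DMP created by the same process (same device and PID)
    within `window` after the handle was opened, or None. The window is an assumption."""
    start = _ts(open_event)
    for f in file_events:
        if (f["DeviceName"] == open_event["DeviceName"]
                and f["InitiatingProcessId"] == open_event["InitiatingProcessId"]
                and f["ActionType"] == "FileCreated"
                and f["FileName"].lower().endswith(".dmp")
                and start <= _ts(f) <= start + window):
            return f
    return None


def triage(device_events, file_events):
    """Split hits into 'confirmed' (a dump file followed) and 'review' (handle only).
    Returns (confirmed, review); each hit carries the dump path when one was found."""
    confirmed, review = [], []
    for e in taskmgr_lsass_opens(device_events):
        dump = find_dump_write(e, file_events)
        hit = {**e, "DumpPath": dump["FolderPath"] if dump else None}
        (confirmed if dump else review).append(hit)
    return confirmed, review


if __name__ == "__main__":
    confirmed, review = triage(SAMPLE_DEVICE_EVENTS, SAMPLE_FILE_EVENTS)
    for h in confirmed:
        print("CONFIRMED", h["DeviceName"], h["InitiatingProcessAccountName"], h["DumpPath"])
    for h in review:
        print("REVIEW   ", h["DeviceName"], h["InitiatingProcessAccountName"])
```

On the sample data ws01 is confirmed (lsass.DMP written four seconds later by the same taskmgr.exe PID), ws02 is left for review (handle opened, nothing written), and the antimalware engine on ws03 never enters the result because it is not Task Manager.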
Suspicious Remote Admin Tools:
What Caught Our Eye: The report noted adversaries in the BadPilot campaign used legitimate remote access applications to blend into normal administrative activity.
Objective: This query looks for signs that an attacker is using a remote management tool to reach a target system, and pairs that with the Task Manager behavior from the previous hunt: taskmgr.exe started from under a remote-access tool’s process tree. Threat hunters should focus on remote access software (TeamViewer, AnyDesk and the like) that is not expected or approved in the environment; keep an allowlist of sanctioned products and exclude them, and expect noise from the built-in entries in the list (mstsc.exe, quickassist.exe) on hosts where administrators use RDP or Quick Assist routinely.
Rationale: Attackers deploy trusted remote tools in a target network so their actions look like routine administration, which gives them everything an IT professional using the same tool could do. In this case the actor used Task Manager over the remote session to quietly inspect running processes and gather system details without drawing attention. Note that the query checks only the parent and grandparent of taskmgr.exe; a deeper chain (remote tool, then a shell, then another shell, then Task Manager) will not match, so extend the check to the full ancestry where your telemetry allows.
MITRE ATT&CK: T1219 (Remote Access Software)
Query Syntax:
//Task Manager launched from under a remote access / RMM tool
//Process names adapted from Red Canary's Surveyor definitions:
//https://github.com/redcanaryco/surveyor/blob/master/definitions/remote-admin.json
let rmms = dynamic([
"AeroAdmin.exe",
"anydesk.exe",
"AnyViewerSetup.exe",
"atera_agent.exe",
"bomgar-scc.exe",
"screenconnect.clientservice.exe",
"distant-desktop.exe",
"dwagsvc.exe",
"g2comm.exe",
"ROMServer.exe",
"termsrv.exe",
"mstsc.exe",
"client32.exe",
"awrem32.exe",
"awhost32.exe",
"PCMonitorManager.exe",
"quickassist.exe",
"radmin3.exe",
"rutserv.exe",
"Remote Workforce Client.exe",
"RemoteWorkforceClientWpf.exe",
"strwinclt.exe",
"supremo.exe",
"teamviewer_desktop.exe",
"teamviewer.exe",
"winvnc.exe",
"saazapsc.exe",
"lmiignition.exe",
"Zaservice.exe",
"dcagentservice.exe",
"UltraViewer_Desktop.exe",
"NinjaRMMAgent.exe",
"fleetdeck_agent.exe",
"level-windows-amd64.exe",
"FixMeit Expert Setup.exe",
"ITarianRemoteAccessSetup.exe",
"domotz.exe",
"rport.exe",
"Sorillus Launcher.exe",
"Syncro.Service.exe",
"Syncro.Installer.exe",
"ltsvc.exe",
"ERAAgent.exe",
"dwrcs.exe",
"BASupApp.exe",
"SplashtopSOS.exe",
"action1_agent.exe",
"smpcsetup.exe",
"xeox_service_windows.exe",
"ImperoClientSVC.exe",
"Specialist Sign-in.exe",
"InstantHousecall.exe",
"ISLLight.exe",
"ISLLightClient.exe",
"TSClient.exe",
"superops.exe",
"RDConsole.exe",
"GetScreen.exe",
"ManageEngine_Remote_Access_Plus.exe"
]);
//Checks the parent and grandparent of taskmgr.exe; DeviceName is kept so hits can be scoped per host.
DeviceProcessEvents
| where InitiatingProcessParentFileName in~ (rmms) or InitiatingProcessFileName in~ (rmms)
| where FileName =~ "taskmgr.exe"
| summarize count() by DeviceName, FileName, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine
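The query above checks only Task Manager's parent and grandparent. As an added example, not Edgewater's or Red Canary's code, the following Python walks the full process ancestry from constructed DeviceProcessEvents rows, so a remote access tool three or more hops up (tool, then cmd.exe, then powershell.exe, then taskmgr.exe) is still found, and it skips tools on a constructed allowlist of sanctioned products. Host names, PIDs, the short RMM list and the allowlist are all made up for the example.

```python
# Constructed rows shaped like Defender's DeviceProcessEvents table; values are made up.
# ProcessId is the newly created process, InitiatingProcessId is its parent.
SAMPLE_PROCESS_TREE = [
    # ws01: AnyDesk -> cmd.exe -> powershell.exe -> taskmgr.exe. Three hops, so the
    # parent/grandparent check in the hunting query would not see the RMM tool.
    {"DeviceName": "ws01", "ProcessId": 500, "FileName": "anydesk.exe",
     "InitiatingProcessId": 4, "InitiatingProcessFileName": "services.exe"},
    {"DeviceName": "ws01", "ProcessId": 600, "FileName": "cmd.exe",
     "InitiatingProcessId": 500, "InitiatingProcessFileName": "anydesk.exe"},
    {"DeviceName": "ws01", "ProcessId": 700, "FileName": "powershell.exe",
     "InitiatingProcessId": 600, "InitiatingProcessFileName": "cmd.exe"},
    {"DeviceName": "ws01", "ProcessId": 800, "FileName": "taskmgr.exe",
     "InitiatingProcessId": 700, "InitiatingProcessFileName": "powershell.exe"},
    # ws02: an ordinary user launching Task Manager from the shell.
    {"DeviceName": "ws02", "ProcessId": 900, "FileName": "taskmgr.exe",
     "InitiatingProcessId": 300, "InitiatingProcessFileName": "explorer.exe"},
    # ws03: a sanctioned ScreenConnect session launching Task Manager.
    {"DeviceName": "ws03", "ProcessId": 1000, "FileName": "screenconnect.clientservice.exe",
     "InitiatingProcessId": 4, "InitiatingProcessFileName": "services.exe"},
    {"DeviceName": "ws03", "ProcessId": 1100, "FileName": "taskmgr.exe",
     "InitiatingProcessId": 1000, "InitiatingProcessFileName": "screenconnect.clientservice.exe"},
]

# Short, constructed subset of the remote-admin list (lower-cased for comparison).
RMM_NAMES = {"anydesk.exe", "screenconnect.clientservice.exe", "teamviewer.exe", "rutserv.exe"}
# Constructed allowlist: the RMM products this hypothetical environment sanctions.
APPROVED_RMM = {"screenconnect.clientservice.exe"}


def build_process_table(events):
    """(device, pid) -> (image name, parent pid), built from process-creation rows.
    A parent that has no row of its own (it predates the data) is recorded from
    what its child row says about it, with an unknown parent."""
    table = {}
    for e in events:
        table[(e["DeviceName"], e["ProcessId"])] = (e["FileName"].lower(), e["InitiatingProcessId"])
        parent_key = (e["DeviceName"], e["InitiatingProcessId"])
        table.setdefault(parent_key, (e["InitiatingProcessFileName"].lower(), None))
    return table


def rmm_ancestor(device, pid, table, rmm_names, max_depth=16):
    """Walk up from `pid`; return the first RMM image name found, else None.
    max_depth guards against PID-reuse loops in real telemetry."""
    key = (device, pid)
    for _ in range(max_depth):
        if key not in table:
            return None
        name, parent = table[key]
        if name in rmm_names:
            return name
        if parent is None:
            return None
        key = (device, parent)
    return None


def hunt_taskmgr_under_rmm(events, rmm_names, approved):
    """Return (device, rmm tool) for every taskmgr.exe whose ancestry contains an
    RMM tool that is not on the environment's allowlist."""
    table = build_process_table(events)
    hits = []
    for e in events:
        if e["FileName"].lower() != "taskmgr.exe":
            continue
        tool = rmm_ancestor(e["DeviceName"], e["InitiatingProcessId"], table, rmm_names)
        if tool and tool not in approved:
            hits.append((e["DeviceName"], tool))
    return hits


if __name__ == "__main__":
    for device, tool in hunt_taskmgr_under_rmm(SAMPLE_PROCESS_TREE, RMM_NAMES, APPROVED_RMM):
        print(f"{device}: taskmgr.exe descends from {tool}")
```

Only ws01 is reported: the walk climbs powershell.exe and cmd.exe to reach anydesk.exe, while ws02 tops out at explorer.exe and ws03's ScreenConnect ancestor is on the allowlist. In Defender the same idea needs the full parent chain, which means joining DeviceProcessEvents to itself on InitiatingProcessId or keeping a per-host process table as this code does.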