A malware threat with a JavaScript loader component, Gootkit has been actively observed in the wild for more than a decade. Over the past several years, it has evolved into a multi-stage tool used to facilitate a range of hands-on-keyboard activity in multi-pronged attacks, wherein more than one objective is likely accomplished.

Gootkit was originally delivered via spam email campaigns and older exploit kits, but over time its initial access has shifted to SEO poisoning tactics. Specifically, operators alter search engine results to direct victims to legitimate but compromised websites hosting Gootkit. Upon visiting a compromised website, victims are prompted to download a ZIP archive containing a malicious JavaScript file, which, if executed, can allow an adversary to remotely access a victim's system. While some researchers track the delivery mechanism as "Gootloader" and the trojan activity as "Gootkit," Red Canary tracks both components as "Gootkit." Our classification may shift as we gather additional information.

Follow-on activity varies. In 2021, Red Canary saw operators use Gootkit to deliver Cobalt Strike. Though we didn't observe any ransomware in that intrusion, the intrusion chain mirrored public reporting of compromises where victims' networks were ultimately encrypted with Sodinokibi (REvil) ransomware. Based on public research and follow-on activity observed in customer environments last year, it's likely that Gootkit operators facilitate ransomware-as-a-service (RaaS) activity in some cases, either deploying other payloads directly or selling access to environments with Gootkit infections. We have also observed Gootkit dropping the Osiris banking trojan.

While we've observed Gootkit detections in customer environments across multiple sectors, almost without exception, infections occurred after victims visited compromised websites purporting to host content related to legal or financial agreements. Victims were likely directed to these sites after initiating queries in common search engines with keywords such as "agreement," "contract," and the names of various financial institutions. Given the volume of Gootkit detections and the range of victims, this threat is likely more opportunistic than targeted to a specific industry or organization. Accordingly, Gootkit remains a threat to all organizations. One hypothesis as to why we observe Gootkit so frequently is that it is downloaded from sites victims navigated to based on search results they initiated themselves, as we further discuss in the user-initiated initial access section.

About BloodHound

BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a C# data collector.

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.

BloodHound was created by and is maintained by the BloodHound Enterprise team. To get started with BloodHound, check out the BloodHound docs.