Hunting Lazarus Group’s TTPs

2023-05-23, montysecurity
https://montysecurity.medium.com/hunting-lazarus-groups-ttps-925c17469077

Introduction
This aims to serve as a repository of procedures attributed to Lazarus Group activity that threat hunters can act on immediately, given the right logs. Each TTP is paired with at least one potential way to hunt for the activity.
Let me be clear: you can run all of these hunts, get 0 results, and still be compromised. This is not a checklist. It is simply a resource for how to hunt for given Techniques by showcasing their Procedures.
I make no claims of attribution. The way this information was compiled was by studying all of the references to Lazarus Group listed in the MITRE Groups page (found here).
If I have made a mistake, feel free to DM me on Twitter @_montysecurity.
TTPs & Hunts
Initial Access — T1566.001 — Word Documents
- Procedure: Phishing via DOCX files
- Notes: they have also been suspected of using T1221 — Template …