


Protect your financial assets with platform-specific hunting queries
DarkCasino is an emerging APT threat group actively targeting online trading platforms worldwide. This sophisticated actor specializes in stealing credentials to drain victims' accounts across multiple financial sectors including cryptocurrencies, online casinos, banking, and credit platforms. If you're interested in deeper threat intelligence on this group, you can sign up for a free HUNTER471 community account today: intel471.com/lp/hunter-community-access
Industry: Crypto trading platforms, online casinos, network banks & online credit platforms
CVEs: CVE-2024-21412, CVE-2023-38831
DarkCasino, also known as Water Hydra, has been a significant player in 2024, targeting financial institutions with advanced tactics. Key methods include exploiting CVE-2024-21412 (Microsoft Defender SmartScreen) and abusing WebDAV to execute remote commands, escalate privileges, and maintain stealth.
Behavioral Hunts:
- The Abnormal Execution of WebDAV DLL via Rundll32
- Windows cmd Launching Script Interpreter
- 7z Password Protected Archive Accessed
Detect DarkCasino Activities
// Cyborg Hunter Link: https://hunter.cyborgsecurity.io/research/hunt-package/43542c5b-f282-4834-8602-ab2d076359c2
// Process-creation events (ProcessRollup2 / SyntheticProcessRollup2) on Windows hosts where a
// script interpreter is handed a script file, or explorer.exe launches an .iso/.scr/"]...exe",
// and the command line points into the IE INetCache folder; results are rolled up per host.
// NOTE(review): Kusto-style syntax over CrowdStrike field names (aid, cid, event_simpleName,
// @timestamp) and the platform heading above is missing — confirm which engine this targets.
// If it is Kusto, a mid-pipeline "| let", count(aid) inside summarize and the absent source
// table will not parse; the LogScale version of this hunt further down is the closest reference.
event_platform = "Win"
| where event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
// Filtering processes that execute suspicious scripts or files
// NOTE(review): the FileName regex is case-insensitive via (?i) but the CommandLine regexes are
// not; ".JS" or ".ISO" would be missed unless the engine ignores case by default.
| where (FileName matches regex "(?i)(cmd|wscript|powershell|rundll32|mshta)\.exe"
and CommandLine matches regex "\.(js|hta|bat|cmd|ps1|vbs)")
or (ParentBaseFileName == "explorer.exe"
and CommandLine matches regex "\.(iso|scr)|\]\.exe")
// NOTE(review): under Kusto string escaping "\\" reaches the regex engine as a single backslash,
// so \L, \M, \W and \I are read as regex escapes rather than path separators — verify this
// clause matches a known-good sample, or use a verbatim @"..." string with doubled backslashes.
| where CommandLine matches regex "AppData\\Local\\Microsoft\\Windows\\INetCache\\IE"
// Assign default value for GrandParentBaseFileName if missing
| extend GrandParentBaseFileName = iff(isempty(GrandParentBaseFileName), "Unknown", GrandParentBaseFileName)
// Base URL for process and graph explorer links
// Hard-coded to the US-2 Falcon cloud; point it at the cloud your tenant lives in.
| let rootURL = "https://falcon.us-2.crowdstrike.com/"
// Normalize ProcessStartTime
| extend ProcessStartTime = round(ProcessStartTime)
| extend processStart = format_datetime(ProcessStartTime, "MM/dd HH:mm:ss")
// Use Context Process ID if available, otherwise use Target Process ID
| extend ContextId = iff(isnotempty(ContextProcessId), ContextProcessId, TargetProcessId)
// Create URLs for Process and Graph Explorers
| extend ProcessExplorer = strcat("[ProcessExplorer]", rootURL, "investigate/process-explorer/", aid, "/", ContextId, "?_cid=", cid)
| extend GraphExplorer = strcat("[GraphExplorer]", rootURL, "graphs/process-explorer/graph?id=pid:", aid, ":", TargetProcessId)
// Format Execution Details for easy analysis
// CommandLine is cut to its first 100 characters and the "[...TRIMMED]" marker is appended
// unconditionally, even when the command line was shorter than that; the full CommandLine is
// still carried in executionDetails below.
| extend ExecutionSummary = strcat(
GrandParentBaseFileName, "\n\t↳ ", ParentBaseFileName, "[ppid=", ParentProcessId, "]\n\t\t↳ ",
ImageFileName, " [pid=", TargetProcessId, "|raw_pid=", RawProcessId, "|start=", processStart, "]\n\t\t\t",
substring(CommandLine, 0, 100), "[...TRIMMED]\n\t\t\t", ProcessExplorer, "\n\t\t\t", GraphExplorer, "\n---"
)
// Group by Source Host
// One row per host: execution count, first/last seen and up to 1000 packed execution records.
| summarize
executeCount = count(aid),
firstSeen = min(@timestamp),
lastSeen = max(@timestamp),
executionDetails = make_list(pack("UserName", UserName, "ExecutionSummary", ExecutionSummary,
"CommandLine", CommandLine, "ParentBaseFileName", ParentBaseFileName,
"ParentProcessId", ParentProcessId, "ImageFileName", ImageFileName,
"TargetProcessId", TargetProcessId), 1000)
by ComputerName
| extend firstSeen = format_datetime(firstSeen, "yyyy/MM/dd HH:mm:ss")
| extend lastSeen = format_datetime(lastSeen, "yyyy/MM/dd HH:mm:ss")
Hunting Query for Splunk (EDR)
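``` DarkCasino hunt (EDR process telemetry). Scope index/sourcetype to your EDR source: index=* sourcetype=* scans every index and TERM("INetCache") is the only early filter. ```
index=* sourcetype=* TERM("INetCache")
(
    (process_path IN ("*cmd.exe", "*wscript.exe", "*powershell.exe", "*rundll32.exe", "*mshta.exe")
    AND process_cmdline IN ("*.js*", "*.hta*", "*.bat*", "*.cmd*", "*.ps1*", "*.vbs*"))
    OR
    (parent_process_path="*explorer.exe"
    AND process_cmdline IN ("*.iso*", "*.exe", "*.scr*", "*.exe\""))
)
AND process_cmdline="*AppData\\Local\\Microsoft\\Windows\\INetCache\\IE*"
``` Normalize 0x-prefixed process IDs to decimal; other values pass through unchanged. The original case() had no default branch, so every non-hex ID was dropped, unlike the Sysmon/WinEventLog variants of this hunt. ```
| eval parentProcessID = if(match(parent_process_id, "^0x"), tonumber(replace(parent_process_id, "^0x", ""), 16), parent_process_id)
| eval processID = if(match(process_id, "^0x"), tonumber(replace(process_id, "^0x", ""), 16), process_id)
``` One row per (process_path, hostname); firstSeen/lastSeen mirror the LogScale version of this hunt. ```
| stats
    values(_time) as eventTimes,
    min(_time) as firstSeen,
    max(_time) as lastSeen,
    values(parent_process_path) as parentProcessPaths,
    values(process_cmdline) as commandLines,
    values(parent_process_id) as rawParentProcessIds,
    values(parentProcessID) as parentProcessIds,
    values(process_id) as rawProcessIds,
    values(processID) as processIds,
    count
    by process_path, hostname
``` Sort on the epoch value before converting to text: sorting the ctime() strings ordered rows by month/day rather than chronologically. ```
| sort firstSeen asc
| convert ctime(eventTimes) ctime(firstSeen) ctime(lastSeen)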
Hunting Query for Splunk (Endpoint - Sysmon)
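``` DarkCasino hunt (Sysmon process creation). Scope index/sourcetype to your Sysmon source: index=* sourcetype=* scans every index and TERM("INetCache") is the only early filter. ```
index=* sourcetype=* TERM("INetCache")
(
    (process_path IN ("*cmd.exe", "*wscript.exe", "*powershell.exe", "*rundll32.exe", "*mshta.exe")
    AND process_cmdline IN ("*.js*", "*.hta*", "*.bat*", "*.cmd*", "*.ps1*", "*.vbs*"))
    OR
    (parent_process_path="*explorer.exe"
    AND process_cmdline IN ("*.iso*", "*.exe", "*.scr*", "*.exe\""))
)
AND process_cmdline="*AppData\\Local\\Microsoft\\Windows\\INetCache\\IE*"
``` Normalize 0x-prefixed process IDs to decimal; the prefix is stripped first so tonumber() only sees hex digits. Other values pass through unchanged. ```
| eval parentProcessID = if(match(parent_process_id, "^0x"), tonumber(replace(parent_process_id, "^0x", ""), 16), parent_process_id)
| eval processID = if(match(process_id, "^0x"), tonumber(replace(process_id, "^0x", ""), 16), process_id)
``` One row per (process_path, hostname); firstSeen/lastSeen mirror the LogScale version of this hunt. ```
| stats
    values(_time) as eventTimes,
    min(_time) as firstSeen,
    max(_time) as lastSeen,
    values(parent_process_path) as parentProcessPaths,
    values(process_cmdline) as commandLines,
    values(parent_process_id) as rawParentProcessIds,
    values(parentProcessID) as parentProcessIds,
    values(process_id) as rawProcessIds,
    values(processID) as processIds,
    count
    by process_path, hostname
``` Sort on the epoch value before converting to text: sorting the ctime() strings ordered rows by month/day rather than chronologically. ```
| sort firstSeen asc
| convert ctime(eventTimes) ctime(firstSeen) ctime(lastSeen)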
Hunting Query for Splunk (Endpoint - WinEventLog)
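``` DarkCasino hunt (Windows Event Log process creation). Scope index/sourcetype to your Security log source: index=* sourcetype=* scans every index and TERM("INetCache") is the only early filter. ```
index=* sourcetype=* TERM("INetCache")
(
    (process_path IN ("*cmd.exe", "*wscript.exe", "*powershell.exe", "*rundll32.exe", "*mshta.exe")
    AND process_cmdline IN ("*.js*", "*.hta*", "*.bat*", "*.cmd*", "*.ps1*", "*.vbs*"))
    OR
    (parent_process_path="*explorer.exe"
    AND process_cmdline IN ("*.iso*", "*.exe", "*.scr*", "*.exe\""))
)
AND process_cmdline="*AppData\\Local\\Microsoft\\Windows\\INetCache\\IE*"
``` Normalize 0x-prefixed process IDs to decimal; the prefix is stripped first so tonumber() only sees hex digits. Other values pass through unchanged. ```
| eval parentProcessID = if(match(parent_process_id, "^0x"), tonumber(replace(parent_process_id, "^0x", ""), 16), parent_process_id)
| eval processID = if(match(process_id, "^0x"), tonumber(replace(process_id, "^0x", ""), 16), process_id)
``` One row per (process_path, hostname); firstSeen/lastSeen mirror the LogScale version of this hunt. ```
| stats
    values(_time) as eventTimes,
    min(_time) as firstSeen,
    max(_time) as lastSeen,
    values(parent_process_path) as parentProcessPaths,
    values(process_cmdline) as commandLines,
    values(parent_process_id) as rawParentProcessIds,
    values(parentProcessID) as parentProcessIds,
    values(process_id) as rawProcessIds,
    values(processID) as processIds,
    count
    by process_path, hostname
``` Sort on the epoch value before converting to text: sorting the ctime() strings ordered rows by month/day rather than chronologically. ```
| sort firstSeen asc
| convert ctime(eventTimes) ctime(firstSeen) ctime(lastSeen)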
Hunting Query for Crowdstrike (LogScale, XDR)
// Cyborg Hunter Link: https://hunter.cyborgsecurity.io/research/hunt-package/43542c5b-f282-4834-8602-ab2d076359c2
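// DarkCasino hunt: Windows process-creation events where a script interpreter is handed a
// script file, or explorer.exe launches an .iso/.scr/"]...exe", with a command line that points
// into the IE INetCache folder. Output is one row per host with an execution summary.
event_platform=Win
| in(#event_simpleName, values=["ProcessRollup2","SyntheticProcessRollup2"])
// Script interpreters with a script-file argument, or explorer.exe launching container/screensaver files
| (
    FileName=~ /(cmd|wscript|powershell|rundll32|mshta)\.exe/i
    AND CommandLine=~ /\.(js|hta|bat|cmd|ps1|vbs)/i
  )
  OR
  (
    ParentBaseFileName="explorer.exe"
    AND CommandLine=~ /\.(iso|scr)|\]\.exe/i
  )
| CommandLine=~ /AppData\\Local\\Microsoft\\Windows\\INetCache\\IE/i
| default(field=GrandParentBaseFileName, value="Unknown")
// Base URL for process and graph explorer links; hard-coded to the US-2 Falcon cloud,
// point it at the cloud your tenant lives in.
| rootURL := "https://falcon.us-2.crowdstrike.com/"
// Standardize Process Start Time
| ProcessStartTime := round(ProcessStartTime)
| processStart := formattime(field=ProcessStartTime, format="%m/%d %H:%M:%S")
// Prefer ContextProcessId when the field is present, otherwise fall back to TargetProcessId.
// `field = *` tests presence; the original `!= "*"` only matched events where the field was
// absent, so ContextId was never populated from an existing ContextProcessId.
| case {
    ContextProcessId = * | ContextId := ContextProcessId;
    * | ContextId := TargetProcessId
  }
// Generate Process and Graph Explorer URLs
| format(
    "[ProcessExplorer]%sinvestigate/process-explorer/%s/%s?_cid=%s",
    field=["rootURL", "aid", "ContextId", "cid"],
    as="ProcessExplorer"
  )
| format(
    "[GraphExplorer]%sgraphs/process-explorer/graph?id=pid:%s:%s",
    field=["rootURL", "aid", "TargetProcessId"],
    as="GraphExplorer"
  )
// Format Execution Summary: ".100" truncates CommandLine to 100 characters; the "[...TRIMMED]"
// marker is appended unconditionally. NOTE(review): confirm the "," flag in %,.100s is accepted
// for a %s conversion on your LogScale version.
| format(
    "%s\n\t↳ %s [ppid=%s]\n\t\t↳ %s [pid=%s | raw_pid=%s | start=%s]\n\t\t\t%,.100s [...TRIMMED]\n\t\t\t%s\n\t\t\t%s\n---",
    field=[
      GrandParentBaseFileName, ParentBaseFileName, ParentProcessId,
      ImageFileName, TargetProcessId, RawProcessId, processStart,
      CommandLine, ProcessExplorer, GraphExplorer
    ],
    as="ExecutionSummary"
  )
// One row per host: execution count, first/last seen and up to 1000 collected execution records
| groupBy(
    [ComputerName],
    function=([
      count(aid, as=executeCount),
      min(@timestamp, as=firstSeen),
      max(@timestamp, as=lastSeen),
      collect([
        UserName, ExecutionSummary, CommandLine,
        ParentBaseFileName, ParentProcessId,
        ImageFileName, TargetProcessId
      ], limit=1000)
    ])
  )
// Format timestamps
| firstSeen := formattime(field=firstSeen, format="%Y/%m/%d %H:%M:%S")
| lastSeen := formattime(field=lastSeen, format="%Y/%m/%d %H:%M:%S")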
Hunting Query for SentinelOne (EDR)
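EventType = "Process Creation"
AND (
    (
        SrcProcName In AnyCase ("cmd.exe", "mshta.exe", "powershell.exe", "rundll32.exe", "wscript.exe")
        AND SrcProcCmdLine In Contains AnyCase (".js", ".hta", ".bat", ".cmd", ".ps1", ".vbs")
    )
    OR
    (
        (
            SrcProcCmdLine In Contains AnyCase (".iso", ".scr")
            OR SrcProcCmdLine EndsWith AnyCase ".exe"
            OR SrcProcCmdLine EndsWith AnyCase ".exe\""
        )
        AND SrcProcParentName EndsWith AnyCase "explorer.exe"
    )
)
AND SrcProcCmdLine Contains AnyCase "AppData\Local\Microsoft\Windows\INetCache\IE"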
Hunting Query for Microsoft Defender
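// DarkCasino hunt: script interpreters handed a script file, or explorer.exe launching an
// .iso/.scr/.exe, where the command line points into the IE INetCache folder.
DeviceProcessEvents
| where (
    // in~ is an exact, case-insensitive match on the image name; the original
    // FolderPath has_any ("cmd.exe", ...) was a term search, looser than intended.
    (FileName in~ ("cmd.exe", "wscript.exe", "powershell.exe", "rundll32.exe", "mshta.exe")
    // has_any is term-based: ".js" matches the token "js" wherever it is delimited in the command line.
    and ProcessCommandLine has_any (".js", ".hta", ".bat", ".cmd", ".ps1", ".vbs"))
    or
    (InitiatingProcessFileName =~ "explorer.exe"
    // The original has_any (".exe\"") reduced to the term "exe", which nearly every command line
    // contains; endswith keeps the ".exe" / ".exe"" tail check used by the other platform queries.
    and (ProcessCommandLine has_any (".iso", ".scr")
        or ProcessCommandLine endswith ".exe"
        or ProcessCommandLine endswith ".exe\""))
)
// "\\" is a single backslash in a KQL string, so this is a plain substring test on the IE cache path.
| where ProcessCommandLine contains "AppData\\Local\\Microsoft\\Windows\\INetCache\\IE"
| project Timestamp, DeviceName, ActionType, AccountName, AccountDomain, FileName, FolderPath, ProcessId,
ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
InitiatingProcessFolderPath, InitiatingProcessId, InitiatingProcessParentFileName,
InitiatingProcessParentId, InitiatingProcessAccountDomain, InitiatingProcessAccountName,
ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessVersionInfoProductVersion,
ProcessVersionInfoInternalFileName, ProcessVersionInfoOriginalFileName,
ProcessVersionInfoFileDescription, FileSize, SHA256, DeviceId, ReportId
| order by Timestamp asc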
Hunting Query for Carbon Black
(
    (
        (process_name:cmd.exe OR process_name:wscript.exe OR process_name:powershell.exe OR process_name:rundll32.exe OR process_name:mshta.exe)
        AND
        (process_cmdline:.js OR process_cmdline:.hta OR process_cmdline:.bat OR process_cmdline:.cmd OR process_cmdline:.ps1 OR process_cmdline:.vbs)
    )
    OR
    (
        parent_name:explorer.exe
        AND
        (process_cmdline:.iso OR process_cmdline:.scr)
    )
)
AND
process_cmdline:AppData\\Local\\Microsoft\\Windows\\INetCache\\IE


Hear all about the latest threat actor behaviors and practical detection strategies
Watch this episode of the Detection Dispatch, in which Alex and Lee Archinal from Intel 471 dive deep into 12 significant emerging threats observed in late 2024. Learn how to leverage Intel 471's hunting packages across major EDR platforms and understand the critical intersection between threat hunting and detection engineering.