The “Why” Behind Tactics
Windows Incident Response – H. Carvey
Very often we see mention in open reporting of a threat actor’s tactics, whether they are “new” or simply what was observed. We may consider how our technology stack might be used to detect those tactics, or how we would respond to an incident in which they were used, but how often do we consider why the tactic was used?
If you so much as dip your toe into “news” within the cyber security arena, you’ve likely seen mention that Emotet has returned after a brief hiatus [here, here]. New tactics observed associated with the deployment of this malware include the fact that the lure document is an old-style MS Word .doc file, which presents a warning message to the user to copy the file to a ‘safe’ location and reopen it. The lure document itself is in excess of 500MB in size (padded with zeros), and when the macros are executed, a DLL that is similarly zero-padded to over 500MB is downloaded.
Okay, so why was this approach taken? Why pad out two files to such a size, albeit with zeros?
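As an added example (not from the post), a defender-side check for the tactic just described: it measures how much of an oversized file is a trailing run of 0x00 bytes, so a triage pipeline can flag and tag the file instead of silently skipping it for size. The size and ratio thresholds, the OLE2 header bytes in the samples, and the sample files themselves are constructed assumptions.

```python
import os
import tempfile

# Constructed thresholds (assumptions, not from the post): files at least
# SIZE_THRESHOLD bytes are flagged when PADDING_RATIO or more of their length is
# a trailing run of 0x00. Real OLE files carry some sector padding; the ratio counts.
SIZE_THRESHOLD = 100 * 1024 * 1024
PADDING_RATIO = 0.90
CHUNK = 1024 * 1024

def trailing_zero_bytes(path):
    """Length of the 0x00 run at the end of the file, scanned backwards in
    chunks so a 500MB sample is never loaded into memory at once."""
    pos = os.path.getsize(path)
    run = 0
    with open(path, "rb") as f:
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            f.seek(pos)
            chunk = f.read(step)
            stripped = chunk.rstrip(b"\x00")
            run += len(chunk) - len(stripped)
            if stripped:  # reached real content, stop scanning
                break
    return run

def padding_report(path, size_threshold=SIZE_THRESHOLD, ratio=PADDING_RATIO):
    """Score one file; 'suspicious' is the oversized-and-mostly-zeros pattern."""
    size = os.path.getsize(path)
    pad = trailing_zero_bytes(path)
    fraction = pad / size if size else 0.0
    return {"path": path, "size": size, "trailing_zeros": pad,
            "content_bytes": size - pad, "padding_fraction": round(fraction, 4),
            "suspicious": size >= size_threshold and fraction >= ratio}

def write_sample(path, content, pad_bytes):
    """Write a constructed sample: content followed by pad_bytes of zeros."""
    with open(path, "wb") as f:
        f.write(content)
        f.write(b"\x00" * pad_bytes)

def demo():
    """Constructed samples: a 4 KB 'document' padded to ~3 MB and the same file
    unpadded, scored with the size threshold lowered to 1 MB to run quickly."""
    d = tempfile.mkdtemp()
    padded, plain = os.path.join(d, "lure.doc"), os.path.join(d, "report.doc")
    write_sample(padded, b"\xd0\xcf\x11\xe0" + b"A" * 4096, 3 * 1024 * 1024)
    write_sample(plain, b"\xd0\xcf\x11\xe0" + b"B" * 4096, 0)
    return [padding_report(p, size_threshold=1024 * 1024) for p in (padded, plain)]
```

The report's `content_bytes` value is also what a pipeline should hand to any tool with an upload size limit, since everything after it is padding.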
So, what’s happening here is that, whether or not it’s specifically intended, these tactics are targeting analysts, relying on their lack of experience, and targeting response processes within the security stack. How about DFIR consulting teams? How many DFIR consulting teams have an automated process for parsing acquired data, and for automatically tagging and decorating it based on intrusion intel developed from previous engagements?
In this case, an automated process could parse the MFT and automatically tag the folder with a note for analysts, with tips regarding how to validate the use of TSSv2, and maybe even tag any files found within the folder.
Link: https://windowsir.blogspot.com/2023/03/the-why-behind-tactics.html