microsoft
/
Microsoft-365-Defender-Hunting-Queries
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

wording

This commit is contained in:
Marty Hernandez Avedon 2020-08-26 14:30:04 -04:00
Родитель b09756989f
Коммит f79db725c2
2 изменённых файлов: 3 добавлений и 3 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

4
Command and Control/recon-with-rundll.md
Просмотреть файл

@ -2,9 +2,9 @@
This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*.
[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control.
[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control (C2) operations.
Trickbot operators are known to use the legitimate Windows process *rundll.exe* to perform malicious activities, such as reconnaissance. Once a target is infected, the operator will drop a batch file that runs several commands and connects to a command-and-control (C2) server for further action.
Trickbot operators are known to use the legitimate Windows process *rundll.exe* to perform malicious activities, such as reconnaissance. Once a target is infected, the operator will drop a batch file that runs several commands and connects to a C2 server for further action.
The following query detects suspicious rundll.exe activity associated with Trickbot campaigns.

2
Execution/office-apps-launching-wscipt.md
Просмотреть файл

@ -2,7 +2,7 @@
This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*.
[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control.
[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations.
Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using *[wscript.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wscript)* to perform a variety of malicious tasks, particularly reconnaissance.