From f79db725c25d045f7a0cf55ab06f98dbea73de69 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 26 Aug 2020 14:30:04 -0400 Subject: [PATCH] wording --- Command and Control/recon-with-rundll.md | 4 ++-- Execution/office-apps-launching-wscipt.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Command and Control/recon-with-rundll.md b/Command and Control/recon-with-rundll.md index 8f2a989..1589d0a 100644 --- a/Command and Control/recon-with-rundll.md +++ b/Command and Control/recon-with-rundll.md @@ -2,9 +2,9 @@ This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*. -[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control. +[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control (C2) operations. -Trickbot operators are known to use the legitimate Windows process *rundll.exe* to perform malicious activities, such as reconnaissance. Once a target is infected, the operator will drop a batch file that runs several commands and connects to a command-and-control (C2) server for further action. +Trickbot operators are known to use the legitimate Windows process *rundll.exe* to perform malicious activities, such as reconnaissance. Once a target is infected, the operator will drop a batch file that runs several commands and connects to a C2 server for further action. The following query detects suspicious rundll.exe activity associated with Trickbot campaigns. 
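Review bot: the new wording on the first changed line of this hunk uses "command and control (C2)" without hyphens, while the equivalent line this same patch changes in office-apps-launching-wscipt.md uses "command-and-control (C2)"; since the purpose of the commit is to introduce the abbreviation consistently, pick one spelling (the hyphenated compound adjective reads better in front of "operations") and apply it in both files. Separately, the unchanged context still names the process *rundll.exe* twice and the closing sentence says the query detects "suspicious rundll.exe activity"; the binary that loads and calls DLL exports on current Windows is rundll32.exe, so confirm the process name in the prose matches the name the query actually filters on, otherwise the description and the detection will disagree.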
diff --git a/Execution/office-apps-launching-wscipt.md b/Execution/office-apps-launching-wscipt.md index 3399911..ad608ea 100644 --- a/Execution/office-apps-launching-wscipt.md +++ b/Execution/office-apps-launching-wscipt.md @@ -2,7 +2,7 @@ This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*. -[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control. +[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations. Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using *[wscript.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wscript)* to perform a variety of malicious tasks, particularly reconnaissance.
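Review bot: the file path in the diff header, office-apps-launching-wscipt.md, misspells the process the document is about (the text and its link both say wscript.exe); since this commit is a wording pass on exactly this file, a rename to office-apps-launching-wscript.md belongs with it, done as a git mv in the same commit so history is preserved. On the changed line, "command-and-control (C2)" is hyphenated here but unhyphenated in the recon-with-rundll.md hunk of the same patch; use one form in both. In the trailing context, "If the target enables the macro, it will write a JScript Encoded (JSE) file to disk" leaves "it" ambiguous between the macro and the target; "the macro writes a JScript Encoded (JSE) file to disk" would be clearer.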