attack.t1071

GALLIUM Artefacts - Builtin

Oct 26, 2023 · attack.credential_access attack.command_and_control attack.t1071 detection.emerging_threats ·

Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.

GALLIUM IOCs

Oct 18, 2023 · attack.credential_access attack.command_and_control attack.t1212 attack.t1071 attack.g0093 detection.emerging_threats ·

Share on:

Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.

DNSCat2 Powershell Implementation Detection Via Process Creation

Apr 21, 2023 · attack.command_and_control attack.t1071 attack.t1071.004 attack.t1001.003 attack.t1041 ·

Share on:

The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.

Suspicious Installer Package Child Process

Feb 21, 2023 · attack.t1059 attack.t1059.007 attack.t1071 attack.t1071.001 attack.execution attack.command_and_control ·

Share on:

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

HackTool - SILENTTRINITY Stager DLL Load

Feb 17, 2023 · attack.command_and_control attack.t1071 ·

Share on:

Detects SILENTTRINITY stager dll loading activity

HackTool - SILENTTRINITY Stager Execution

Feb 17, 2023 · attack.command_and_control attack.t1071 ·

Share on:

Detects SILENTTRINITY stager use via PE metadata

DNS Query From Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects DNS queries from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Download by Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

File Creation by Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects file creations by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Network Connection From Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects network connections from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.