attack.t1071

GALLIUM IOCs

Nov 25, 2024 · attack.credential-access attack.command-and-control attack.t1212 attack.t1071 attack.g0093 detection.emerging-threats ·

Share on:

Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.

Potentially Suspicious Rundll32.EXE Execution of UDL File

Aug 16, 2024 · attack.execution attack.t1218.011 attack.t1071 ·

Share on:

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.

Suspicious Rundll32 Execution of UDL File

Aug 16, 2024 · attack.execution attack.t1218.011 attack.t1071 ·

Share on:

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse the technique as a phishing vector to capture authentication credentials or other sensitive data.

GALLIUM Artefacts - Builtin

Aug 12, 2024 · attack.credential-access attack.command-and-control attack.t1071 detection.emerging-threats ·

Share on:

Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.

HackTool - SILENTTRINITY Stager DLL Load

Aug 12, 2024 · attack.command-and-control attack.t1071 ·

Share on:

Detects SILENTTRINITY stager dll loading activity

HackTool - SILENTTRINITY Stager Execution

Aug 12, 2024 · attack.command-and-control attack.t1071 ·

Share on:

Detects SILENTTRINITY stager use via PE metadata

Suspicious Installer Package Child Process

Aug 12, 2024 · attack.t1059 attack.t1059.007 attack.t1071 attack.t1071.001 attack.execution attack.command-and-control ·

Share on:

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

DNSCat2 Powershell Implementation Detection Via Process Creation

Apr 21, 2023 · attack.command_and_control attack.t1071 attack.t1071.004 attack.t1001.003 attack.t1041 ·

Share on:

The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.

DNS Query From Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects DNS queries from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Download by Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

File Creation by Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects file creations by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Network Connection From Process with Double File Extension

Jan 30, 2023 · attack.defense_evasion attack.command_and_control attack.t1218 attack.t1218.009 attack.t1071 attack.t1071.004 ·

Share on:

Detects network connections from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.