Attackers increasingly prefer deploying malware via Windows shortcuts
Tags
attack-pattern | Msiexec - T1218.007; Powershell - T1059.001; Rundll32 - T1218.011; Powershell - T1086; Rundll32 - T1085 |
Common Information
Type | Value |
---|---|
UUID | 0701f0c7-45b2-4838-89a6-5f8fc722ad46 |
Fingerprint | 321aa877fb175077 |
Analysis status | IN_PROGRESS |
Considered CTI value | 0 |
Text language | |
Published | Aug. 16, 2022, midnight |
Added to db | Dec. 20, 2024, 12:34 a.m. |
Last updated | Dec. 23, 2024, 5:11 p.m. |
Headline | Attackers increasingly prefer deploying malware via Windows shortcuts |
Title | Attackers increasingly prefer deploying malware via Windows shortcuts |
Detected Hints/Tags/Attributes | 11/1/57 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://www.secrss.com/articles/45903 |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 6752 | | 163.com |
Details | File | 1348 | | explorer.exe |
Details | File | 1 | | followed by powershell.exe |
Details | File | 418 | | wscript.exe |
Details | File | 1 | | and rundll32.exe |
Details | File | 1 | | e.g. powershell.exe |
Details | File | 1 | | or mshta.exe |
Details | File | 1 | | these files deploy gammaload.ps1 on the infected system |
Details | File | 2335 | | cmd.exe |
Details | File | 1101 | | rundll32.exe |
Details | File | 1356 | | powershell.exe |
Details | File | 1 | | malicious shortcuts by activating cmd.exe |
Details | File | 1 | | with the file extension .exe |
Details | File | 1 | | file extension other than .exe |
Details | File | 1 | | non-.exe |
Details | File | 1 | | then use cmd.exe |
Details | File | 1 | | the linked command line is the shortcut target cmd.exe |
Details | File | 1 | | the malicious shortcut analyzed in Figure 8 uses cmd.exe |
Details | File | 5 | | via cmd.exe |
Details | File | 1 | | most attackers via cmd.exe |
Details | File | 1 | | e.g. streamer.exe |
Details | File | 229 | | setup.exe |
Details | File | 1 | | or windowsupdater.exe |
Details | File | 1 | | researchers based on .exe |
Details | File | 1 | | the above clustering shows that .exe with non-random file names |
Details | File | 1 | | .exe with random file names |
Details | File | 1 | | this suggests defenders should consider random .exe |
Details | File | 1 | | while also tracking .exe in the threat landscape |
Details | File | 1 | | researchers also observed malicious shortcuts via cmd.exe |
Details | File | 1 | | executed non-.exe |
Details | File | 1 | | malicious shortcuts via cmd.exe |
Details | File | 1 | | e.g. file extension .vbs |
Details | File | 1 | | vbe and .js |
Details | File | 1 | | scr and .dll |
Details | File | 1 | | e.g. file extension .docx |
Details | File | 1 | | log and .dat |
Details | File | 1 | | the vast majority such as .exe |
Details | File | 2 | | e.g. .docx |
Details | File | 1 | | or .avi |
Details | File | 1 | | character padding was observed to be used mainly for links to powershell.exe |
Details | File | 52 | | c:\\windows\\system32\\cmd.exe |
Details | File | 1 | | %qcaqluf.exe |
Details | File | 1 | | %temp%\\rplkl\\qcaqluf.exe |
Details | File | 2 | | %systemroot%\\system32\\shell32.dll |
Details | File | 13 | | storage.dll |
Details | File | 1 | | the invokecommand function in shell32.dll |
Details | File | 1 | | %systemroot%\\system32\\kernel32.dll |
Details | File | 2 | | and wscript.exe |
Details | File | 1 | | via cmd.exe in the shortcut target |
Details | File | 1 | | launched non-.exe |
Details | File | 1 | | among all analyzed malicious shortcuts, non-.exe |
Details | File | 1 | | most non-.exe |
Details | File | 1 | | execute with .exe |
Details | File | 1 | | .exe with file names |
Details | File | 1 | | investigators should closely watch .exe in the threat landscape |
Details | sha1 | 1 | | 5b241d50f1a662d69c96d824d7567d4503379c37 |
Details | Url | 1 | | https://www.sentinelone.com/labs/who-needs-macros-threat-actors-pivot-to-abusing-explorer-and-other-lolbins-via-windows-shortcuts |