Attackers Increasingly Prefer to Deploy Malware via Windows Shortcuts
Common Information

Type                          Value
UUID                          0701f0c7-45b2-4838-89a6-5f8fc722ad46
Fingerprint                   321aa877fb175077
Analysis status               IN_PROGRESS
Considered CTI value          0
Text language
Published                     Aug. 16, 2022, midnight
Added to db                   Dec. 20, 2024, 12:34 a.m.
Last updated                  Dec. 23, 2024, 5:11 p.m.
Headline                      Attackers Increasingly Prefer to Deploy Malware via Windows Shortcuts
Title                         Attackers Increasingly Prefer to Deploy Malware via Windows Shortcuts
Detected Hints/Tags/Attributes 11/1/57
Source URLs
Attributes

Type   | #Events | Value
Domain | 6752    | 163.com
File   | 1348    | explorer.exe
File   | 1       | followed by powershell.exe
File   | 418     | wscript.exe
File   | 1       | and rundll32.exe
File   | 1       | for example powershell.exe
File   | 1       | or mshta.exe
File   | 1       | these files deploy gammaload.ps1 on the infected system
File   | 2335    | cmd.exe
File   | 1101    | rundll32.exe
File   | 1356    | powershell.exe
File   | 1       | malicious shortcuts launch cmd.exe
File   | 1       | with the .exe file extension
File   | 1       | a file extension other than .exe
File   | 1       | non-.exe
File   | 1       | then uses cmd.exe
File   | 1       | the linked command is the shortcut target cmd.exe
File   | 1       | the malicious shortcut analyzed in Figure 8 uses cmd.exe
File   | 5       | via cmd.exe
File   | 1       | most attackers use cmd.exe
File   | 1       | for example streamer.exe
File   | 229     | setup.exe
File   | 1       | or windowsupdater.exe
File   | 1       | researchers, based on the .exe
File   | 1       | the clustering above shows that .exe files with non-random file names
File   | 1       | .exe files with random file names
File   | 1       | this suggests defenders should consider random .exe
File   | 1       | while also tracking the .exe files in the threat landscape
File   | 1       | researchers also observed malicious shortcuts using cmd.exe
File   | 1       | executed non-.exe
File   | 1       | malicious shortcuts via cmd.exe
File   | 1       | for example the .vbs file extension
File   | 1       | vbe and .js
File   | 1       | scr and .dll
File   | 1       | for example the .docx file extension
File   | 1       | log and .dat
File   | 2       | the vast majority, such as .exe
File   | 1       | for example .docx
File   | 1       | or .avi
File   | 1       | character padding was observed to be used mainly in shortcuts linking to powershell.exe
File   | 52      | c:\windows\system32\cmd.exe
File   | 1       | %qcaqluf.exe
File   | 1       | %temp%\rplkl\qcaqluf.exe
File   | 2       | %systemroot%\system32\shell32.dll
File   | 13      | storage.dll
File   | 1       | the invokecommand function in shell32.dll
File   | 1       | %systemroot%\system32\kernel32.dll
File   | 2       | and wscript.exe
File   | 1       | in the shortcut target via cmd.exe
File   | 1       | launched non-.exe
File   | 1       | among all analyzed malicious shortcuts, non-.exe
File   | 1       | most non-.exe
File   | 1       | execute with .exe
File   | 1       | .exe with the file name
File   | 1       | investigators should closely watch the .exe files in the threat landscape
sha1   | 1       | 5b241d50f1a662d69c96d824d7567d4503379c37
Url    | 1       | https://www.sentinelone.com/labs/who-needs-macros-threat-actors-pivot-to-abusing-explorer-and-other-lolbins-via-windows-shortcuts