Fileless attacks against enterprise networks
Tags
Common Information
| Type | Value |
|---|---|
| UUID | 193fd932-cf4b-4f42-bbd8-b41b80798c38 |
| Fingerprint | 348329c94131efe3 |
| Analysis status | DONE |
| Considered CTI value | 1 |
| Text language | |
| Published | Feb. 8, 2017, 8:58 a.m. |
| Added to db | Feb. 18, 2023, 1:03 a.m. |
| Last updated | Nov. 17, 2024, 6:54 p.m. |
| Headline | Fileless attacks against enterprise networks |
| Title | Fileless attacks against enterprise networks |
| Detected Hints/Tags/Attributes | 56/1/12 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | adobeupdates.sytes.net |
|
| Details | File | 7 | windowssystem32cmd.exe |
|
| Details | File | 1208 | powershell.exe |
|
| Details | File | 1 | mal_powershell.ps1 |
|
| Details | IPv4 | 2 | 10.10.1.11 |
|
| Details | IPv4 | 1 | 10.10.1.12 |
|
| Details | IPv4 | 619 | 0.0.0.0 |
|
| Details | Windows Registry Key | 1 | HKLMSYSTEMControlSet001services |
|
| Details | Windows Registry Key | 1 | HKLMSYSTEMControlSet001servicesPortProxyv4tov4tcp |
|
| Details | Windows Registry Key | 3 | HKLM\SYSTEM\ControlSet001\services |
|
| Details | Windows Registry Key | 1 | HKLM\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp |
|
| Details | Yara rule | 1 | rule msf_or_tunnel_in_registry {
strings:
$port_number_in_registry = "/4444"
$hidden_powershell_in_registry = "powershell.exe -nop -w hidden" wide
condition:
uint32(0) == 0x66676572 and any of them
} |