added trickbot related pages

martyav · martyav · commit b09756989fdc · 2020-08-26T12:49:02.000-04:00
diff --git a/Command and Control/recon-with-rundll.md b/Command and Control/recon-with-rundll.md
@@ -0,0 +1,49 @@
+# Detect rundll.exe being used for reconnaissance and command-and-control
+
+This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*.
+
+[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control.
+
+Trickbot operators are known to use the legitimate Windows process *rundll.exe* to perform malicious activities, such as reconnaissance. Once a target is infected, the operator will drop a batch file that runs several commands and connects to a command-and-control (C2) server for further action.
+
+The following query detects suspicious rundll.exe activity associated with Trickbot campaigns.
+
+See [Office applications launching wscript.exe to run JScript](../Execution/office-apps-launching-wscipt.md) for another query related to Trickbot activity.
+
+## Query
+
+```Kusto
+DeviceNetworkEvents
+| where InitiatingProcessFileName =~ "rundll32.exe"
+// Empty command line
+| where InitiatingProcessCommandLine has "rundll32.exe" and InitiatingProcessCommandLine !contains " " 
+and InitiatingProcessCommandLine != "" 
+| summarize DestinationIPCount = dcount(RemoteIP), make_set(RemoteIP), make_set(RemoteUrl), 
+make_set(RemotePort) by InitiatingProcessCommandLine, DeviceId, bin(Timestamp, 5m)
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery | v |  |
+| Lateral movement |  |  |
+| Collection | v |  |
+| Command and control | v |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
diff --git a/Execution/office-apps-launching-wscipt.md b/Execution/office-apps-launching-wscipt.md
@@ -0,0 +1,45 @@
+# Office applications launching wscript.exe to run JScript
+
+This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*.
+
+[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control.
+
+Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using *[wscript.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wscript)* to perform a variety of malicious tasks, particularly reconnaissance.
+
+The following query detects when Office applications have launched wscript.exe to run a JSE file.
+
+See [Detect rundll.exe being used for reconnaissance and command-and-control](../Command%20and%20Control/recon-with-rundll.md) for another query related to Trickbot activity.
+
+## Query
+
+```Kusto
+DeviceProcessEvents 
+| where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe') 
+| where FileName =~ "wscript.exe" and ProcessCommandLine has ".jse" 
+```
+
+## Category
+
+This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states.
+
+| Technique, tactic, or state | Covered? (v=yes) | Notes |
+|-|-|-|
+| Initial access |  |  |
+| Execution |  |  |
+| Persistence |  |  |
+| Privilege escalation |  |  |
+| Defense evasion |  |  |
+| Credential Access |  |  |
+| Discovery |  |  |
+| Lateral movement | v |  |
+| Collection | v |  |
+| Command and control | v |  |
+| Exfiltration |  |  |
+| Impact |  |  |
+| Vulnerability |  |  |
+| Misconfiguration |  |  |
+| Malware, component |  |  |
+
+## Contributor info
+
+**Contributor:** Microsoft Threat Protection team
