From b09756989fdcb2c5c76ab31ad56ac3c1b4e2874b Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 26 Aug 2020 12:49:02 -0400 Subject: [PATCH 1/2] added trickbot related pages --- Command and Control/recon-with-rundll.md | 49 +++++++++++++++++++++++ Execution/office-apps-launching-wscipt.md | 45 +++++++++++++++++++++ 2 files changed, 94 insertions(+) create mode 100644 Command and Control/recon-with-rundll.md create mode 100644 Execution/office-apps-launching-wscipt.md diff --git a/Command and Control/recon-with-rundll.md b/Command and Control/recon-with-rundll.md new file mode 100644 index 00000000..8f2a9894 --- /dev/null +++ b/Command and Control/recon-with-rundll.md 
@@ -0,0 +1,49 @@ +# Detect rundll.exe being used for reconnaissance and command-and-control + +This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*. + +[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control. + +Trickbot operators are known to use the legitimate Windows process *rundll.exe* to perform malicious activities, such as reconnaissance. Once a target is infected, the operator will drop a batch file that runs several commands and connects to a command-and-control (C2) server for further action. + +The following query detects suspicious rundll.exe activity associated with Trickbot campaigns. + +See [Office applications launching wscript.exe to run JScript](../Execution/office-apps-launching-wscipt.md) for another query related to Trickbot activity. + +## Query + +```Kusto +DeviceNetworkEvents +| where InitiatingProcessFileName =~ "rundll32.exe" +// Empty command line +| where InitiatingProcessCommandLine has "rundll32.exe" and InitiatingProcessCommandLine !contains " " +and InitiatingProcessCommandLine != "" +| summarize DestinationIPCount = dcount(RemoteIP), make_set(RemoteIP), make_set(RemoteUrl), +make_set(RemotePort) by InitiatingProcessCommandLine, DeviceId, bin(Timestamp, 5m) +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? 
(v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | v | | +| Lateral movement | | | +| Collection | v | | +| Command and control | v | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## Contributor info + +**Contributor:** Microsoft Threat Protection team diff --git a/Execution/office-apps-launching-wscipt.md b/Execution/office-apps-launching-wscipt.md new file mode 100644 index 00000000..3399911f --- /dev/null +++ b/Execution/office-apps-launching-wscipt.md 
@@ -0,0 +1,45 @@ +# Office applications launching wscript.exe to run JScript + +This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*. + +[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control. + +Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using *[wscript.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wscript)* to perform a variety of malicious tasks, particularly reconnaissance. + +The following query detects when Office applications have launched wscript.exe to run a JSE file. + +See [Detect rundll.exe being used for reconnaissance and command-and-control](../Command%20and%20Control/recon-with-rundll.md) for another query related to Trickbot activity. + +## Query + +```Kusto +DeviceProcessEvents +| where InitiatingProcessFileName in~('winword.exe', 'excel.exe', 'outlook.exe') +| where FileName =~ "wscript.exe" and ProcessCommandLine has ".jse" +``` + +## Category + +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. + +| Technique, tactic, or state | Covered? 
(v=yes) | Notes | +|-|-|-| +| Initial access | | | +| Execution | | | +| Persistence | | | +| Privilege escalation | | | +| Defense evasion | | | +| Credential Access | | | +| Discovery | | | +| Lateral movement | v | | +| Collection | v | | +| Command and control | v | | +| Exfiltration | | | +| Impact | | | +| Vulnerability | | | +| Misconfiguration | | | +| Malware, component | | | + +## Contributor info + +**Contributor:** Microsoft Threat Protection team From f79db725c25d045f7a0cf55ab06f98dbea73de69 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Wed, 26 Aug 2020 14:30:04 -0400 Subject: [PATCH 2/2] wording --- Command and Control/recon-with-rundll.md | 4 ++-- Execution/office-apps-launching-wscipt.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Command and Control/recon-with-rundll.md b/Command and Control/recon-with-rundll.md index 8f2a9894..1589d0a0 100644 --- a/Command and Control/recon-with-rundll.md +++ b/Command and Control/recon-with-rundll.md 
@@ -2,9 +2,9 @@ This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*. -[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control. +[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control (C2) operations. -Trickbot operators are known to use the legitimate Windows process *rundll.exe* to perform malicious activities, such as reconnaissance. Once a target is infected, the operator will drop a batch file that runs several commands and connects to a command-and-control (C2) server for further action. +Trickbot operators are known to use the legitimate Windows process *rundll.exe* to perform malicious activities, such as reconnaissance. Once a target is infected, the operator will drop a batch file that runs several commands and connects to a C2 server for further action. The following query detects suspicious rundll.exe activity associated with Trickbot campaigns. diff --git a/Execution/office-apps-launching-wscipt.md b/Execution/office-apps-launching-wscipt.md index 3399911f..ad608ea3 100644 --- a/Execution/office-apps-launching-wscipt.md +++ b/Execution/office-apps-launching-wscipt.md 
@@ -2,7 +2,7 @@ This query was originally published in the threat analytics report, *Trickbot: Pervasive & underestimated*. -[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command and control. +[Trickbot](https://attack.mitre.org/software/S0266/) is a very prevalent piece of malware with an array of malicious capabilities. Originally designed to steal banking credentials, it has since evolved into a modular trojan that can deploy other malware, disable security software, and perform command-and-control (C2) operations. Trickbot is frequently spread through email. An attacker will send a target a message with an attachment containing a malicious macro. If the target enables the macro, it will write a JScript Encoded (JSE) file to disk (JScript is a Microsoft dialect of ECMAScript). The JSE file will then be launched using *[wscript.exe](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wscript)* to perform a variety of malicious tasks, particularly reconnaissance.
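Review bot: in the first hunk (new file `Command and Control/recon-with-rundll.md`), the title and both prose mentions name the process *rundll.exe*, while the query filters on `InitiatingProcessFileName =~ "rundll32.exe"` and `InitiatingProcessCommandLine has "rundll32.exe"`; the legitimate Windows binary is rundll32.exe, so the heading and the text should use that name. The comment `// Empty command line` above the filter is also inaccurate: the clause `has "rundll32.exe" and ... !contains " " and ... != ""` keeps command lines that consist of only `rundll32.exe` with no arguments (a non-empty line), and the `!= ""` test is redundant once `has "rundll32.exe"` is required; a comment such as `// rundll32.exe launched with no arguments` states the intent. The Notes column of the category table is empty for the three rows marked `v`; one line on why Discovery and Collection are claimed for a no-argument rundll32 network event would help readers tune the query.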
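Review bot: in the second hunk (new file `Execution/office-apps-launching-wscipt.md`), the category table leaves Execution unchecked and marks Lateral movement as covered, yet the file sits under the Execution folder and the text describes Office applications launching wscript.exe to run a JSE file for reconnaissance; Execution (and Discovery, given the reconnaissance mention) appear to be the intended rows, and nothing in the visible text supports Lateral movement. The new file name misspells wscript as `wscipt`; renaming it to `office-apps-launching-wscript.md` before merge (and updating the `../Execution/office-apps-launching-wscipt.md` link in the other file) avoids carrying the typo into the repository. Minor: `in~('winword.exe', 'excel.exe', 'outlook.exe')` covers three Office hosts despite the heading's "Office applications"; if that scope is deliberate, say so in the Notes column, otherwise consider the other Office executables (PowerPoint, for example).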
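Review bot: in the third hunk (wording pass on `Command and Control/recon-with-rundll.md`), the reworded paragraph still says *rundll.exe* although the query in this file matches `rundll32.exe`; since this paragraph is already being edited, correct the process name here, e.g. `the legitimate Windows process *rundll32.exe*`, and apply the same fix to the file's title.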
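Review bot: in the fourth hunk (wording pass on `Execution/office-apps-launching-wscipt.md`), the expansion is written `command-and-control (C2) operations`, whereas the same commit writes `command and control (C2) operations` in `Command and Control/recon-with-rundll.md`; pick one form for both files (the title of the rundll page already uses the hyphenated spelling, so the hyphenated form is the natural choice).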