This detection identifies Microsoft Office processes spawning 'MSBuild.exe', which is the result of various droppers or downloaders using 'MSBuild.exe' to compile and execute arbitrary code. This technique is used by malicious actors to subvert antivirus and other defensive countermeasures. The executed file is visible within the command line parameters of the process start event.

Recommendation: Acquire additional process artifacts and identify the root cause of the suspicious process invocation. The source could be a malicious document sent by a malicious actor to the user by email. Investigate the user's inbox to identify any malicious emails, and determine if any other users received the email. If necessary, rebuild the host from a known, good source and have the user change their password.

Obfuscated Files or Information - T1027.

This detection identifies the use of CMSTP to load an INF file.
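The two detections above both key on a process start event: the parent image, the child image and the command line. The following is an added example of that logic written as Python over a handful of constructed process-start records; it is not the original page's or any vendor's rule code. The field names (`host`, `parent_image`, `image`, `command_line`), the list of Office parent images and the sample events are all assumptions made for the example. The MSBuild rule returns the input file named on the command line so that an analyst can acquire it, which is the first step of the recommendation above.

```python
import ntpath
import re

# Assumption: these are the Office parent images treated as document hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _basename(path):
    """Lower-cased image file name, so paths and casing do not matter."""
    return ntpath.basename(path).lower()


def office_spawns_msbuild(event):
    """Office parent -> msbuild.exe child.

    Returns the first non-switch argument of the child command line (the file
    MSBuild was asked to compile), or None when the rule does not match.
    """
    if _basename(event["parent_image"]) not in OFFICE_PARENTS:
        return None
    if _basename(event["image"]) != "msbuild.exe":
        return None
    for arg in _tokens(event["command_line"])[1:]:
        if not arg.startswith(("/", "-")):
            return arg
    return "<no input file on command line>"


def cmstp_loads_inf(event):
    """cmstp.exe started with a .inf argument; returns that path or None."""
    if _basename(event["image"]) != "cmstp.exe":
        return None
    for arg in _tokens(event["command_line"])[1:]:
        if arg.lower().endswith(".inf"):
            return arg
    return None


def flag_events(events):
    """Run both rules over a list of events; returns (rule, host, file) hits."""
    hits = []
    for ev in events:
        found = office_spawns_msbuild(ev)
        if found:
            hits.append(("office_spawns_msbuild", ev["host"], found))
        found = cmstp_loads_inf(ev)
        if found:
            hits.append(("cmstp_loads_inf", ev["host"], found))
    return hits


# Constructed sample events: one hit per rule plus two benign lookalikes.
SAMPLE_EVENTS = [
    {   # Word launching MSBuild on a file in the user's temp directory: hit
        "host": "ws-alice",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" '
                        r'"C:\Users\alice\AppData\Local\Temp\report.xml"',
    },
    {   # Visual Studio launching MSBuild: normal developer activity, no hit
        "host": "ws-dev01",
        "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
        "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "command_line": r'MSBuild.exe /t:Build "C:\src\app\app.csproj"',
    },
    {   # cmstp.exe given an INF from the Downloads folder: hit
        "host": "ws-bob",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmstp.exe",
        "command_line": r'cmstp.exe "C:\Users\bob\Downloads\setup.inf"',
    },
    {   # Word spawning the print helper: no hit
        "host": "ws-alice",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "image": r"C:\Windows\splwow64.exe",
        "command_line": r"C:\Windows\splwow64.exe 12288",
    },
]

if __name__ == "__main__":
    for rule, host, path in flag_events(SAMPLE_EVENTS):
        print(f"{rule}: host={host} file={path}")
```

Both rules compare only the image file name, so a relocated or renamed copy of the binary would not be caught; that is the same gap the page's own wording ("use of CMSTP", "spawning 'MSBuild.exe'") carries, and pairing the name check with a file-hash or signer check on the image is the usual way to close it.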