moverelop.blogg.se

What is crypto locker










A malicious actor could pass commands to PowerShell that are obfuscated, encoded, or compressed, for example with Base64 or gzip. Review the command passed to PowerShell to determine if it is malicious activity. If necessary, rebuild the host from a known, good source and have the user change their password. Review the URL passed to ‘mshta.exe’ to identify if it is from a trusted source. Review the firewall and web proxy logs from this endpoint to identify any malware retrieval from remote systems. Malicious actors use phishing emails to send malicious documents. Other methods to execute malicious code in an Office document include using Dynamic Data Exchange objects or exploiting software vulnerabilities.


Macros run commands using built-in Windows utilities to download malware and compromise the system.


These malicious documents leverage macros, which are small Visual Basic for Applications (VBA) scripts embedded inside of Microsoft Office documents, such as Word, PowerPoint, and Excel. This detection identifies suspicious processes spawned by Microsoft Office applications, which could indicate that a malicious actor is using a malicious document.
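The triage steps above (flag processes spawned by Office applications, decode the command passed to PowerShell, and pull out any URL for comparison against proxy logs) can be sketched as follows. This is an added example, not code from the original page; the event field names, process lists and sample events are assumptions constructed for illustration.

```python
import base64
import re

# Assumed name lists for this sketch; extend them for your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand text (Base64 over UTF-16LE), or None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        name = tok.lstrip("-/").lower()
        # PowerShell accepts abbreviations of the parameter name (-e, -enc, -ec).
        if tok[0] in "-/" and name and ("encodedcommand".startswith(name) or name == "ec"):
            try:
                raw = base64.b64decode(tokens[i + 1].strip("\"'"), validate=True)
                return raw.decode("utf-16-le")
            except ValueError:  # covers invalid Base64 and invalid UTF-16
                return None
    return None

def triage(events):
    """Return one finding per Office application that spawned a script or shell host."""
    findings = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
            cmd = ev["command_line"]
            findings.append({"host": ev["host"], "parent": parent, "child": child,
                             "decoded": decode_encoded_command(cmd),
                             "urls": URL_RE.findall(cmd)})  # pivot into proxy logs
    return findings

# Constructed sample events (not real telemetry); the payload is a harmless command.
PAYLOAD = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\powershell.exe",
     "command_line": f"powershell.exe -NoP -enc {PAYLOAD}"},
    {"host": "WS-02", "parent_image": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://intranet.example/form.hta"},
    {"host": "WS-03", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\powershell.exe",
     "command_line": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns findings for WS-01 and WS-02 only; the PowerShell process started from `explorer.exe` is not flagged because its parent is not an Office application.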









