Executable File types: Typically an attacker needs to get a user to launch their malware in order to take over a host; this is referred to as "getting code execution". There are a number of file formats that can host the attacker's malware. The most common formats include files whose extension ends in: .bat; .exe; .js; .cmd; .ps; .docm; .doc; .docx; .xlsm; .xls; .xlsx; .ppt; .pptm; .pptx. Unfortunately, Office file formats are on this list. Always use caution when receiving a file from an unverified source.
|Tip: If you receive a file with one of these extensions and must open it, ensure it came from a trusted source. Before opening any file, always perform an Anti-Virus scan of it. If it is flagged as a virus or as malicious, contact your Information Security Officer immediately.|
|Pop-ups = Caution: If you open a file and receive a pop-up message requesting permission to launch something: Stop. Read. Think! The operating system manufacturers put this warning in place to alert you that an unexpected or privileged access request is pending. Ask yourself, is this normal behavior for this type of file? If you open a Word document and it asks you to launch cmd.exe, freeze; it is likely malware trying to launch.|
|Tip: If you get a pop-up or unusual prompt from a file once launched, stop and seek service desk assistance before proceeding.|
Advanced Techniques (Hunting):
|Suspect Processes: If you suspect that something odd is occurring on your system, consider reviewing the running processes for unusual child processes. This assumes you are familiar with what normally runs on your system. Often malware will piggy-back on (hollow) a legitimate process and inject itself so it can spawn a child process to run. While it could take years of experience to be good at this, try using Microsoft Sysinternals Process Explorer to identify odd processes.|
|Tip: Open Process Explorer, then:
Select Columns | check Verified Signer; Image Path; VirusTotal
Options | VirusTotal.com | Check VirusTotal.com
Wait for the VirusTotal column to update. Any file with a result greater than 0/X requires further review (e.g. time-sync-notifier c:\windows\tmp\tdm.exe 3/65).|
|Suspect Connections: Another method you can use is to observe the remote connections on your system in an attempt to detect an executable or connection that appears suspect. Again, this assumes you know what looks right on your host. A script for this is Get-foreign-connections.ps1.|
|Tip: This is a PowerShell script that requires an Admin PowerShell Console to run properly.|
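A sketch of what a foreign-connections survey can do, as an added PowerShell example. It is not the page's Get-foreign-connections.ps1 (that script is not reproduced here); the function names Test-PrivateAddress and Get-ForeignConnection are assumptions, and it needs an elevated console so owning-process paths and signatures are readable.

```powershell
# Added example, not the page's own script. Lists established TCP sessions whose
# remote end is outside private/local address space, joined to the owning process,
# its image path and Authenticode signature status, so unsigned binaries or images
# in temp-style directories stand out. Run from an Administrator console.

function Test-PrivateAddress {
    param([Parameter(Mandatory)][string]$Address)
    # RFC 1918, loopback, link-local and unspecified/IPv6 local addresses are not "foreign".
    return ($Address -match '^(10\.|127\.|169\.254\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|0\.0\.0\.0$|::1$|::$|fe80:)')
}

function Get-ForeignConnection {
    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            $conn = $_
            # PID 0/4 and protected processes may have no readable path; tolerate that.
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path
            $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            # Heuristic only: binaries running out of temp-style folders deserve a look.
            $tempImage = [bool]($path -and ($path -match '\\(temp|tmp)\\'))
            [pscustomobject]@{
                LocalPort     = $conn.LocalPort
                RemoteAddress = $conn.RemoteAddress
                RemotePort    = $conn.RemotePort
                PID           = $conn.OwningProcess
                Process       = $proc.ProcessName
                ImagePath     = $path
                Signature     = $sig
                TempImage     = $tempImage
            }
        }
}

# Unsigned or temp-directory images float to the top for review.
Get-ForeignConnection |
    Sort-Object @{ Expression = { ($_.Signature -ne 'Valid') -or $_.TempImage }; Descending = $true }, Process |
    Format-Table -AutoSize
```

Treat the output as a starting point for review, not a verdict: a valid signature on a legitimate binary does not rule out process injection, and an unfamiliar destination still needs checking against what is normal for that host.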