SOC Incident Toolkit
GuptiMiner's Campaign: The Trojan Tango of Infiltrating Antivirus Updates for Digital Deception

Tags: Guptiminer, dns text, dns server, Kimsuky

Researchers have detected a malware campaign in which North Korean hackers used eScan antivirus updates to install backdoors and GuptiMiner for crypto mining on large networks. The campaign linked to Kimsuky involved multiple types of backdoors and was neutralized by eScan on July 31, 2023, following alerts to India's CERT.

Indicators of Compromise

Domains (52)


Hashes (42)


IPv4 (4)

179.38.204.38
185.248.160.141
185.45.192.43
23.195.101.1

CVEs (1)

CVE-2024-21338

APT Groups

Kimsuky

Notes

CONCLUSION

Our study highlights GuptiMiner, an advanced threat that exploits eScan antivirus updates to conduct man-in-the-middle (MitM) attacks. After the vulnerability was reported to India CERT, eScan addressed the issue on July 31, 2023. GuptiMiner employs various strategies including extracting payloads from images, signing payloads with a private certificate authority, and making DNS queries to servers controlled by the attackers. Researchers identified two types of backdoors within major networks; one enables surveillance of network vulnerabilities, particularly in older Windows systems, while the other is a sophisticated module crafted to exfiltrate wallets and keys. Notably, XMRig emerged as the primary payload in this campaign. Additionally, potential links to Kimsuky, a North Korean APT group, suggest a shared tactic among these cyber threats.

Mitigation

MITIGATIONS

Countermeasure methods are given in the remediation section; the mitigations here show which vectors the attack can occur through by describing the attack types involved.

Hijack Execution Flow: DLL Side-Loading

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking, side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program and then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting and then invoking a legitimate application that executes their payload(s).

Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.

Mitigations

| ID | Mitigation | Description |
|----|------------|-------------|
| M1013 (https://attack.mitre.org/mitigations/M1013) | Application Developer Guidance | When possible, include hash values in manifest files to help prevent side-loading of malicious libraries. |
| M1051 (https://attack.mitre.org/mitigations/M1051) | Update Software | Update software regularly to include patches that fix DLL side-loading vulnerabilities. |

Detection

| ID | Data Source | Data Component | Detects |
|----|-------------|----------------|---------|
| DS0022 (https://attack.mitre.org/datasources/DS0022) | File | File Creation | Monitor for newly constructed files in common folders on the computer system. |
| DS0022 (https://attack.mitre.org/datasources/DS0022) | File | File Modification | Monitor for changes made to files for unexpected modifications to access permissions and attributes. |
| DS0011 (https://attack.mitre.org/datasources/DS0011) | Module | Module Load | Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
| DS0009 (https://attack.mitre.org/datasources/DS0009) | Process | Process Creation | Monitor newly constructed processes for unusual activity (e.g., a process that does not use the network begins to do so) as well as the introduction of new files/programs. |
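A detection routine for the Module Load row above, added here as an example (not code from the page, from MITRE, or from the researchers): it parses constructed image-load events and flags a system DLL name resolved from outside the system directories, or an unsigned DLL co-located with its executable in a user-writable path. The DLL baseline, the trusted directories, the event format and all sample paths are assumptions made for the example.

```python
"""Flag likely DLL side-loading from image-load telemetry.

Added example, not code from the page or the research it summarises. Events
are constructed Key=Value|Key=Value lines mirroring the fields of a Windows
image-load event; the baseline and trusted-directory sets are assumptions.
"""
from pathlib import PureWindowsPath

# Assumption: DLL names a healthy process resolves from the system directories;
# the same name resolved from elsewhere is the side-loading pattern described above.
SYSTEM_DLL_BASELINE = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll", "cryptsp.dll"}

# Assumption: locations a standard user cannot write to.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")

def parse_event(line: str) -> dict:
    """Parse 'Key=Value|Key=Value' into a dict with lower-cased keys."""
    event = {}
    for field in line.strip().split("|"):
        key, sep, value = field.partition("=")
        if sep:
            event[key.strip().lower()] = value.strip()
    return event

def parent_dir(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash, for prefix tests."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\") + "\\"

def in_trusted_dir(path: str) -> bool:
    """True when the file sits under a TRUSTED_DIRS entry, matching whole path components."""
    return any(parent_dir(path).startswith(t + "\\") for t in TRUSTED_DIRS)

def assess(event: dict):
    """Return (severity, reasons): 'high' when a system DLL name resolves outside
    the system directories, 'medium' for an unsigned DLL sitting beside its
    executable in a user-writable path, None when nothing fires."""
    image, loaded = event.get("image", ""), event.get("imageloaded", "")
    if not image or not loaded:
        return None, []
    reasons = []
    if PureWindowsPath(loaded).name.lower() in SYSTEM_DLL_BASELINE and not in_trusted_dir(loaded):
        reasons.append("NAME_COLLISION")
    if parent_dir(loaded) == parent_dir(image) and not in_trusted_dir(image):
        reasons.append("COLOCATED_UNTRUSTED")
    if event.get("signed", "").lower() != "true":
        reasons.append("UNSIGNED")
    if "NAME_COLLISION" in reasons:
        return "high", reasons
    if "COLOCATED_UNTRUSTED" in reasons and "UNSIGNED" in reasons:
        return "medium", reasons
    return None, reasons

def scan(lines):
    """Apply assess() to raw event lines; return (severity, image, dll, reasons) hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        severity, reasons = assess(event)
        if severity:
            hits.append((severity, event["image"], event["imageloaded"], reasons))
    return hits

# Constructed sample telemetry; paths and names are made up, not campaign IoCs.
SAMPLE_EVENTS = [
    # Benign: installed app resolves version.dll from System32.
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    # Benign: signed vendor library beside its executable under Program Files.
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\vendorlib.dll|Signed=true",
    # Side-loading: executable dropped in Temp loads an unsigned version.dll from the same folder.
    r"Image=C:\Users\alice\AppData\Local\Temp\upd\tool.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\upd\version.dll|Signed=false",
    # Lower confidence: unsigned helper beside a portable app in Downloads.
    r"Image=C:\Users\alice\Downloads\portable\notes.exe|ImageLoaded=C:\Users\alice\Downloads\portable\helper.dll|Signed=false",
]
```

Running `scan(SAMPLE_EVENTS)` returns only the third and fourth events, rated high and medium; the name-collision rule alone is enough for a high rating because a process should never resolve a system DLL name from a user-writable folder.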