mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-19 12:23:37 +00:00
Add periods to alt text
No other changes
@ -17,7 +17,7 @@ ms.technology: mde
|
||||
---
|
||||
# Coordinated Malware Eradication
|
||||
|
||||

|
||||

|
||||
|
||||
Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive.
|
||||
|
||||
|
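Review bot: the lines this commit changes in this hunk, the image reference whose alt text gains a trailing period, are the two blank slots after the `# Coordinated Malware Eradication` heading in this rendering, so the punctuation change cannot be checked from the hunk as shown; please confirm against the raw diff that the removed and added image lines differ only in the alt text's final period and that the unchanged context (the CME paragraph) really is untouched, as the commit message states.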
@ -25,7 +25,7 @@ Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) fo
|
||||
|
||||
For clarity, fileless threats are grouped into different categories.
|
||||
|
||||
<br>
|
||||
<br>
|
||||
*Figure 1. Comprehensive diagram of fileless malware*
|
||||
|
||||
Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts.
|
||||
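Review bot: the `<br>` tags above and below the figure are raw HTML used only for spacing in an otherwise markdown file; a blank line renders the same and keeps the source portable, so consider dropping them while this file is being touched. The caption `*Figure 1. Comprehensive diagram of fileless malware*` shows the house style (sentence case with a terminal period) that the alt text being edited here should follow as well.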
@ -56,7 +56,7 @@ It’s possible to carry out such installation via command line without requirin
|
||||
|
||||
Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
|
||||
|
||||
<br>
|
||||
<br>
|
||||
*Figure 2. Kovter’s registry key*
|
||||
|
||||
When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts.
|
||||
|
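Review bot: three small grammar slips in the context around the Kovter figure: `An example for this scenario is Kovter` reads better as `An example of this scenario is Kovter`, `Opening a file with such extension` should be `such an extension`, and `configured to open such file` should be `such a file`. Also, `in the example above, the extension is .bbf5590fd` only makes sense to a reader who can see the registry-key screenshot, so the Figure 2 alt text should name the registry key and the extension so the point survives without the image.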
@ -20,7 +20,7 @@ ms.technology: mde
|
||||
|
||||
We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format:
|
||||
|
||||

|
||||

|
||||
|
||||
When our analysts research a particular threat, they'll determine what each of the components of the name will be.
|
||||
|
||||
|
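Review bot: `The scheme uses the following format:` is followed only by an image, so the CARO naming format is unavailable to screen readers and to anyone who wants to copy it; since this commit is already editing that image's alt text, either spell the format out in the alt text or add it as a text line after the image.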
@ -35,7 +35,7 @@ Here are several telltale signs of a phishing scam:
|
||||
|
||||
* The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to.
|
||||
|
||||

|
||||

|
||||
|
||||
* There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.
|
||||
|
||||
|
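Review bot: in `request for personal information such as social security numbers`, `Social Security` is a proper noun and should be capitalized. The first bullet's `in the image below the URL provided doesn't match the URL that you'll be taken to` also leans on the screenshot, so the alt text being edited here should state the mismatch explicitly (displayed link text versus actual destination) rather than just describing the picture.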
@ -33,7 +33,7 @@ This process requires a global or application admin in the tenant.
|
||||
2. Select **Grant admin consent for organization**.
|
||||
3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant.
|
||||
|
||||

|
||||

|
||||
|
||||
4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.
|
||||
|
||||
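Review bot: step 3 addresses the reader as `you` (`If you're able to do so, review the API permissions`) while step 4 switches to the third person (`If the administrator receives an error`); pick one, e.g. `If you receive an error while providing consent manually, try either ...`. Step 3's `as the following image shows` makes the image load-bearing, so its alt text should list or at least summarize the permissions being consented to; that is also the information a tenant admin needs in order to review the grant before accepting it.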
@ -43,13 +43,13 @@ This process requires a global or application admin in the tenant.
|
||||
|
||||
Azure Active Directory admins will need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/).
|
||||
|
||||

|
||||

|
||||
|
||||
More information is available in [Configure Admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow).
|
||||
|
||||
Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification.
|
||||
|
||||

|
||||

|
||||
|
||||
Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/).
|
||||
|
||||
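Review bot: two wording fixes in the Option 1 context: `will need to allow for users to request admin consent` should be `will need to allow users to request admin consent`, and `Admin will be able to review and approve the application permissions [Azure admin consent requests]` is missing a preposition and a plural, e.g. `Admins can review and approve the application permissions in [Azure admin consent requests]`.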
@ -58,7 +58,7 @@ After providing consent, all users in the tenant will be able to use the applica
|
||||
## Option 2 Provide admin consent by authenticating the application as an admin
|
||||
This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission).
|
||||
|
||||

|
||||

|
||||
|
||||
Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**.
|
||||
|
||||
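Review bot: the heading `## Option 2 Provide admin consent by authenticating the application as an admin` has no separator after `Option 2`; a colon (`## Option 2: Provide admin consent ...`) matches the link text used in step 4 and should leave the generated anchor `option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin` unchanged, since punctuation is dropped from slugs, but verify the step 4 link still resolves after the edit. `Enterprise customer sign-in flow` is capitalized here but lower-case (`enterprise customer sign-in`) in Option 1; make the two consistent.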
@ -70,20 +70,20 @@ If neither of these options resolve the issue, try the following steps (as an ad
|
||||
1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b)
|
||||
and select **delete**.
|
||||
|
||||

|
||||

|
||||
|
||||
2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
|
||||
|
||||
3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed.
|
||||
``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access``
|
||||
|
||||

|
||||

|
||||
|
||||
4. Review the permissions required by the application, and then select **Accept**.
|
||||
|
||||
5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051).
|
||||
|
||||

|
||||

|
||||
|
||||
6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access.
|
||||
|
||||
|
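Review bot: steps 1 and 5 link to the same enterprise application (`appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d`) with two different `objectId` values (`982e94b2-fea9-4d1f-9fca-318cda92f90b` in step 1, `ce60a464-5fca-4819-8423-bcb46796b051` in step 5). At most one of them is right even for the tenant they were captured from, and because the object ID of an enterprise application is the tenant's own service principal, neither link will resolve in a reader's tenant; link to the Enterprise applications list instead and tell the reader to locate the application by its app ID. Two smaller points: step 1 is split across a line break with `and select **delete**` on its own line (join it, and match the portal's label casing), and `state=12345` in the admin consent URL is a fixed value where `state` exists to let the caller match the response to its own request, so mark it as a placeholder the admin may replace rather than a value to copy verbatim.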
@ -39,7 +39,7 @@ Both Bondat and Gamarue have clever ways of obscuring themselves to evade detect
|
||||
|
||||
This image shows how a worm can quickly spread through a shared USB drive.
|
||||
|
||||

|
||||

|
||||
|
||||
### *Figure worm spreading from a shared USB drive*
|
||||
|
||||
|
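Review bot: the caption `### *Figure worm spreading from a shared USB drive*` is a level-3 heading, unlike the plain italic captions elsewhere in this commit (`*Figure 1. Comprehensive diagram of fileless malware*`, `*Figure 2. Kovter's registry key*`), and it lacks the figure number and the period; `*Figure N. Worm spreading from a shared USB drive*` with that file's own figure number would match, and dropping the `###` also keeps a caption out of the page's table of contents.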