Tdork.zip

The typical attack flow for tdork.zip follows a multi-stage process:


The final infostealer performs:

// Script hosts commonly abused to run a dropped .js/.vbs loader
DeviceProcessEvents
| where FileName in~ ("wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine contains ".js" or ProcessCommandLine contains ".vbs"
| project DeviceId, DeviceName, ProcTime = Timestamp, FileName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
    // Zip archives written to a user's Downloads folder
    DeviceFileEvents
    | where FolderPath contains "\\Downloads\\" and FileName endswith ".zip"
    | project DeviceId, ZipTime = Timestamp, ZipName = FileName, ZipPath = FolderPath
) on DeviceId
// Joining on DeviceId alone pairs every zip download with every script run on that device;
// require the script execution to follow the download within an hour to cut that noise.
| where ProcTime between (ZipTime .. (ZipTime + 1h))
