Published Mar 25, 2021 | Updated Mar 25, 2021

Trojan:BAT/Wenam.A

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

Microsoft Defender Antivirus detects and removes this threat.

This threat is a malicious batch (.bat) script, typically dropped and launched by web shells such as Trojan:Win32/Chopper variants during post-exploitation activity on a compromised web server.

A web shell is malicious code that attackers implant on a web server to gain remote access to, and code execution on, that server. Web shells let attackers run commands remotely to steal data or to use the server as a launch pad for further activity such as credential theft, lateral movement, deployment of additional payloads, or hands-on-keyboard activity, while giving them persistence in the affected organization.
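The drop-and-launch pattern described above leaves a process-creation trail: the web server worker process (w3wp.exe for IIS) spawns a command shell whose command line names a .bat file. The following PowerShell hunt is an added example, not code from the encyclopedia entry or from Microsoft; it reads Security-log process-creation events (ID 4688) and reports that pairing. It assumes "Audit Process Creation" is enabled and that command-line logging ("Include command line in process creation events") is on, otherwise the CommandLine field is empty and only the parent/child pairing is visible. The worker and shell process lists are assumptions to adjust for your environment.

```powershell
# Added example (not from the encyclopedia entry): hunt Security-log 4688
# process-creation events for an IIS worker process spawning a command shell
# that runs a .bat file, the web-shell drop-and-run pattern described above.
# Assumptions: "Audit Process Creation" and "Include command line in process
# creation events" are enabled. Run elevated, or pass -EvtxPath to hunt an
# exported Security.evtx offline.
param(
    [int]$LookbackHours = 24,
    [string]$EvtxPath
)

# Flatten the EventData section of one event into a name -> value hashtable,
# so fields are addressed by name rather than by fragile positional index.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[[string]$d.Name] = [string]$d.'#text' }
    return $fields
}

# Web server worker processes that have no business spawning a shell (assumed
# list), and the interpreters a web shell uses to run a dropped script.
$webWorkers = @('w3wp.exe', 'php-cgi.exe', 'httpd.exe', 'nginx.exe')
$shells     = @('cmd.exe', 'powershell.exe', 'pwsh.exe')

if ($EvtxPath) {
    $filter = @{ Path = $EvtxPath; Id = 4688 }
} else {
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$LookbackHours) }
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $f = Get-EventFields $e
    # Cast to [string] first so a missing field does not raise a null-method error.
    $parentLeaf = [IO.Path]::GetFileName([string]$f['ParentProcessName']).ToLowerInvariant()
    $childLeaf  = [IO.Path]::GetFileName([string]$f['NewProcessName']).ToLowerInvariant()
    if ($parentLeaf -in $webWorkers -and $childLeaf -in $shells) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
            Parent      = $f['ParentProcessName']
            Child       = $f['NewProcessName']
            # A batch file on the command line is the Wenam.A drop-and-run pattern.
            BatchFile   = ([string]$f['CommandLine']) -match '\S+\.(bat|cmd)\b'
            CommandLine = $f['CommandLine']
        }
    }
}

$hits | Sort-Object Time |
    Format-Table Time, Account, Parent, Child, BatchFile, CommandLine -AutoSize -Wrap
```

Any row is worth a look on a hardened web server, since the worker process should not be starting shells at all; rows with BatchFile set to True are the ones that match this threat's behaviour most closely, and the Account column shows which identity the web shell is running as.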

For information about web shells, read this blog post:


Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.

Guidance for enterprise administrators

  • Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
  • Remediate vulnerabilities and misconfigurations in web applications and web servers.
  • Implement proper segmentation of your perimeter network, such that a compromised web server does not lead to the compromise of the enterprise network.
  • Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
  • Enable antivirus protection on web servers. Turn on cloud-delivered protection to get the latest defenses against new and emerging threats. Allow users to upload files only into directories that antivirus can scan and that are configured to disallow server-side scripting or execution.
  • Use the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
  • Check your perimeter firewall and proxy to restrict unnecessary access to services, including access to services through non-standard ports.
  • Monitor for brute-force attempts by checking for excessive failed authentication attempts (Windows security event ID 4625).
  • Turn on attack surface reduction rules, including rules that block ransomware activity and other activities associated with human adversaries. To assess the impact of these rules, deploy them in audit mode.
  • Turn on tamper protection features to prevent attackers from stopping security services.
  • Use Microsoft Defender for Office 365 for enhanced protection and coverage against new multi-faceted threats and polymorphic variants. Microsoft 365 Defender correlates threat data from endpoints, email and data, identities, and apps to coordinate cross-domain protection.
  • Educate end users about protecting personal and business information on social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting reconnaissance attempts and other suspicious activity.
  • Practice good credential hygiene. Limit the use of accounts with local or domain admin level privileges.
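Several of the items above can be applied or audited from PowerShell on the web server itself. The script below is an added example, not part of the encyclopedia entry and not Microsoft's own tooling; it covers NLA for Remote Desktop, cloud-delivered protection, attack surface reduction rules in audit mode, host-firewall blocks for SMB and RPC, a read-only upload directory in IIS, and a check for excessive 4625 events. The site name "Default Web Site", the "uploads" path, the port list and the 20-failure threshold are assumptions to adjust; the ASR rule GUIDs are from Microsoft's attack surface reduction rules reference and should be verified against the current list before deployment.

```powershell
# Added example (not from the encyclopedia entry): apply and audit the
# guidance above on a Windows web server. Assumptions: IIS site
# 'Default Web Site' with an 'uploads' virtual path; SMB/RPC are not needed
# inbound on this host; ASR GUIDs verified against Microsoft's ASR reference.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# 1. Remote Desktop: require network-level authentication (NLA) when no MFA
#    gateway fronts RDP.
$rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdp -Name UserAuthentication -Value 1 -Type DWord

# 2. Defender: cloud-delivered protection plus safe-sample submission.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
# Tamper protection is managed centrally (Defender for Endpoint / Intune), not
# from this cmdlet, but its state can be audited here.
$status = Get-MpComputerStatus
"Tamper protection: $($status.IsTamperProtected); real-time protection: $($status.RealTimeProtectionEnabled)"

# 3. Attack surface reduction rules in audit mode first, as the guidance
#    recommends; change the action to Enabled once the audit events look clean.
$asrRules = @{
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PsExec and WMI'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
    "ASR audit: $($asrRules[$id])"
}

# 4. Host firewall: block inbound SMB and the RPC endpoint mapper so a
#    compromised web server is a poor pivot point. Drop ports this host must serve.
foreach ($port in 135, 139, 445) {
    New-NetFirewallRule -DisplayName "Block inbound TCP $port (lateral movement)" `
        -Direction Inbound -Protocol TCP -LocalPort $port -Action Block -Profile Any | Out-Null
}

# 5. Upload directory: restrict handlers to Read so uploaded content cannot be
#    executed server-side. Writing a <location> entry in applicationHost.config
#    sidesteps the server-level lock on the handlers section.
Import-Module WebAdministration
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location 'Default Web Site/uploads' `
    -Filter 'system.webServer/handlers' -Name 'accessPolicy' -Value 'Read'

# 6. Brute-force check: failed logons (event 4625) in the last hour, grouped by
#    source address; 20 failures per source is an assumed alerting threshold.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) } `
    -ErrorAction SilentlyContinue
$failed | ForEach-Object {
        $x = [xml]$_.ToXml()
        ($x.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
    } |
    Group-Object | Where-Object Count -ge 20 |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIP'; e = { $_.Name } }, Count
```

Run it once in a change window and review the firewall rules it creates; a source address of "-" in the 4625 summary means a local or non-network logon failure rather than a remote brute-force attempt.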

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.
