Properties

| Property | Value |
|---|---|
| Category | Defense Evasion |
| Response Phase | Contain / Eradicate / Recover |
| Status | Published |
| Related TTPs | T1218.005 |
| Related Queries | Linked Queries |
| Related Tools | typeperf.exe, msxsl.exe |

Steps

  1. Trigger: Alert on typeperf.exe or msxsl.exe execution from non-standard paths.
  2. Triage:
    • Retrieve process lineage and hashes.
    • Check whether AppData\Roaming\Microsoft\Network\msxsl.exe exists on the host.
    • Search for the command line typeperf.exe "\System\Processor Queue Length" -si 30 -sc 1.
  3. Containment:
    • Isolate host; preserve volatile memory.
    • Block related domains (eggs-serve[.]corp, more-eggs[.]net).
  4. Eradication:
    • Remove malicious files and persistence.
    • Reset user credentials and clear tokens.
  5. Recovery:
    • Reimage host if persistence confirmed.
    • Validate clean DNS, process, and service baselines.
  6. Post-Incident:
    • Add detection logic for msxsl.exe and typeperf.exe execution in user context.
    • Review similar patterns across the network for signs of lateral movement.
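The detection logic called for in the trigger and post-incident steps, as an added example that is not part of the original playbook: it scores process-creation events for typeperf.exe or msxsl.exe running from outside the Windows system directories, in user context, at the msxsl.exe path named in triage, or with the typeperf command line named in triage. The event field names (Image, CommandLine, User) are an assumption modelled on Sysmon Event ID 1, and the sample events are constructed.

```python
import ntpath  # parses Windows paths correctly on any platform
import re

# Constructed sample process-creation events (not from the page); field names
# are an assumption modelled on Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\typeperf.exe",
     "CommandLine": r'typeperf "\Processor(_Total)\% Processor Time" -sc 5',
     "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Users\alice\AppData\Roaming\Microsoft\Network\msxsl.exe",
     "CommandLine": r"msxsl.exe data.xml sheet.xsl",
     "User": r"CORP\alice"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\typeperf.exe",
     "CommandLine": r'typeperf.exe "\System\Processor Queue Length" -si 30 -sc 1',
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "User": r"CORP\alice"},
]

WATCHED = {"typeperf.exe", "msxsl.exe"}
# Directories where a Windows-shipped copy of the binary is expected.
STANDARD_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Indicators taken from the playbook's triage step.
KNOWN_MSXSL_PATH = r"appdata\roaming\microsoft\network\msxsl.exe"
KNOWN_TYPEPERF_CMD = re.compile(
    r"\\System\\Processor Queue Length.*-si\s+30\b.*-sc\s+1\b", re.I)


def classify(event):
    """Return the list of rule tags an event matches; empty means benign."""
    image = event.get("Image", "")
    if ntpath.basename(image).lower() not in WATCHED:
        return []
    reasons = []
    if ntpath.dirname(image).lower() not in STANDARD_DIRS:
        reasons.append("non_standard_path")
    if image.lower().endswith(KNOWN_MSXSL_PATH):
        reasons.append("known_msxsl_path")
    if KNOWN_TYPEPERF_CMD.search(event.get("CommandLine", "")):
        reasons.append("known_typeperf_cmdline")
    # "User context" = anything not running as a built-in NT AUTHORITY account.
    if not event.get("User", "").upper().startswith("NT AUTHORITY\\"):
        reasons.append("user_context")
    return reasons


def detect(events):
    """Return (image, reasons) for every event matching at least one rule."""
    return [(e["Image"], classify(e)) for e in events if classify(e)]
```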