Attention: We have transitioned to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access. While the app may appear unverified, you can confirm its legitimacy by verifying the App ID provided.
We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
PWS:Win32/AgentTesla
Detected by Microsoft Defender Antivirus
Aliases: No associated aliases
Summary
PWS:Win32/AgentTesla is a trojan designed to steal sensitive information. It possesses numerous features allowing it to collect data through various methods. Specifically, it targets Windows credentials and sensitive information from various applications such as browsers, email clients, FTP, VPN, etc.
To mitigate the issue, follow these steps:
- Apply security updates promptly, especially for the specified vulnerabilities, on all applications and operating systems. Consult the Microsoft Security Update Guide for comprehensive information on available Microsoft Security updates.
- Follow the principle of least privilege and maintain credential hygiene. Avoid using domain-wide, admin-level service accounts. Restrict local administrative privileges to mitigate the potential installation of remote access trojans (RATs) and other undesirable applications.
- Network segmentation is useful in constraining the propagation of malware infections. The process involves partitioning a network into smaller segments, effectively confining an infection to a single segment rather than permitting its unrestricted spread across the entire network.
- Promote the use of Microsoft Edge and other web browsers that support SmartScreen, a feature identifying and blocking malicious websites, including phishing sites, scam sites, and those hosting exploits or malware.
- Block the launch of downloaded executable content by disabling JavaScript or VBScript.