==================================================

CREATED: NIX-CURL-PASTESITES (#1951)

Description

This detector identifies instances of macOS or Linux curl establishing, or attempting to establish, network connections to specific "paste sites", such as pastebin.

ATT&CK Technique T1059
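As an added illustration of the detection logic this entry describes (example code written for this page, not the product's own detector): a minimal check that extracts the hosts from a curl process's command line, including bare host/path arguments curl accepts without a scheme, and matches them against a paste-site domain list. The domain list and the sample process events are constructed assumptions.

```python
import shlex
from urllib.parse import urlsplit

# Constructed paste-site domain list (assumption; the real detector's list is not on the page).
PASTE_SITE_DOMAINS = ("pastebin.com", "paste.ee", "hastebin.com")

# Constructed sample process events: (endpoint, process name, command line).
SAMPLE_EVENTS = [
    ("mac-01", "curl", "curl -s https://pastebin.com/raw/AbCdEf12 -o /tmp/.x"),
    ("lnx-02", "curl", "curl --silent http://paste.ee:8080/r/example"),
    ("lnx-03", "curl", "curl https://example.org/index.html"),
    ("mac-04", "bash", "bash -c 'echo pastebin.com'"),
    ("lnx-05", "curl", "curl pastebin.com/raw/Zz99 -O"),
]


def is_paste_site(host):
    """True if host is a listed paste-site domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PASTE_SITE_DOMAINS)


def hosts_in_command_line(cmdline):
    """Return the hostnames referenced by a command line's non-option arguments."""
    try:
        args = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        args = cmdline.split()
    hosts = []
    for arg in args:
        if arg.startswith("-"):  # skip curl options such as -s, -o, -O
            continue
        # curl accepts "pastebin.com/raw/x" without a scheme, so parse scheme-less
        # arguments as network locations too; plain file paths yield no hostname.
        target = arg if "://" in arg else "//" + arg
        host = urlsplit(target).hostname
        if host:
            hosts.append(host)
    return hosts


def detect_curl_paste_sites(events):
    """Return (endpoint, command line, matched host) for curl events that reach a paste site."""
    hits = []
    for endpoint, process, cmdline in events:
        if process != "curl":  # the detector is scoped to curl only
            continue
        for host in hosts_in_command_line(cmdline):
            if is_paste_site(host):
                hits.append((endpoint, cmdline, host))
                break
    return hits


if __name__ == "__main__":
    for hit in detect_curl_paste_sites(SAMPLE_EVENTS):
        print("ALERT NIX-CURL-PASTESITES", hit)
```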

==================================================

CREATED: OSX-ENUM-OF-DOMAIN-ADMINS (#1957)

Description

This detector identifies the enumeration of Windows Domain Administrator accounts using dscl on macOS. This behavior is observed during post-exploitation phases, prior to credential theft or lateral movement.

ATT&CK Technique T1087

==================================================

CREATED: NIX-CURL-BUNDLORE-CLI (#1958)

Description

This detector identifies instances of curl with a suspect command line indicating the download of OSX/Bundlore malware.

ATT&CK Technique T1036

==================================================

CREATED: WIN-INSTALL-TRANSPORT-AGENT (#1968)

Description

This detector identifies the installation of Microsoft Exchange Transport Agents via PowerShell. This technique has been used to install backdoors within Microsoft Exchange.

ATT&CK Technique T1086

==================================================

CREATED: WIN-POSSIBLE-SAFETYKATZ (#1969)

Description

This detector identifies processes with file modifications typical of SafetyKatz. This tool is used by adversaries for unauthorized access to credentials.

ATT&CK Technique T1003
