==================================================

CREATED: WIN-CMD-SET-COMMAND (#1214)

Description

Identifies obfuscation within cmd.exe, a new method of potentially evading detection that was released via a new tool made by Daniel Bohannon of Mandiant.

References

ATT&CK Technique T1059

==================================================

CREATED: WIN-EXPLORER-SPAWNING-MSHTA (#1209)

Description

Identifies mshta.exe spawned from Explorer. This behavior indicates a user interactively executed an HTA script.

ATT&CK Technique T1170

==================================================

CREATED: WIN-W3WP-SPAWN-SCRIPT (#1212)

Description

Identifies instances of Windows Script Hosts wscript.exe or cscript.exe spawning from the Windows IIS worker process w3wp.exe. The intent is to identify potential web server compromises.

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-SPAWN-POWERSHELL (#1211)

Description

Identifies instances of Windows PowerShell spawning from the Windows IIS worker process w3wp.exe. The intent is to identify potential web server compromises.

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-SPAWN-CMD (#1210)

Description

Identifies instances of the Windows Command Processor cmd.exe spawning from the Windows IIS worker process w3wp.exe. The intent is to identify potential web server compromises.

ATT&CK Technique T1100
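
The parent/child relationships described in the MSHTA and W3WP detectors above, as an added Python example run over constructed process-creation events. This is not the vendor's detector logic; the event field names (ParentImage, Image) are assumed, Sysmon-style, and WIN-CMD-SET-COMMAND is left out because its matching criteria are not described here.

```python
import ntpath

# Parent/child pairs taken from the detector descriptions above.
# The matching logic is illustrative, not the vendor's implementation.
RULES = {
    "WIN-EXPLORER-SPAWNING-MSHTA": ("explorer.exe", {"mshta.exe"}),
    "WIN-W3WP-SPAWN-SCRIPT": ("w3wp.exe", {"wscript.exe", "cscript.exe"}),
    "WIN-W3WP-SPAWN-POWERSHELL": ("w3wp.exe", {"powershell.exe"}),
    "WIN-W3WP-SPAWN-CMD": ("w3wp.exe", {"cmd.exe"}),
}

def image_name(path):
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return ntpath.basename(path.strip().strip('"')).lower()

def match_event(event):
    """Return the names of the rules a process-creation event triggers."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return sorted(name for name, (p, children) in RULES.items()
                  if parent == p and child in children)

def scan(events):
    """Return (rule, child image) for every hit, in event order."""
    return [(rule, ev["Image"]) for ev in events for rule in match_event(ev)]

# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"c:\windows\system32\inetsrv\W3WP.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cscript.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe"},
    # Not covered by any rule: explorer -> cmd, and w3wp -> C# compiler.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Matching on the file name alone is case-insensitive and path-independent, so a renamed binary would not match; the example only mirrors the relationships the descriptions state.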
