==================================================

CREATED: WIN-CMD-CONTAINS-ADMIN-SHARE (#1217)

Description

Identifies when a command prompt instance is spawned from an admin$ directory. This is a common tactic used by attackers and frameworks to transfer tools and malware.

ATT&CK Technique T1135 and T1077

Did this answer your question?