==================================================

CREATED: WIN-BROWSERS-SPAWN-MSHTA (#1224)

Description

Identifies instances of Windows web browsers launching HTML applications downloaded from the Internet. This is intended to identify the execution of HTML applications posing as fake updates to Flash Player or similar.

References

ATT&CK Technique T1170

==================================================

CREATED: WIN-WMIC-MODLOAD-VBSCRIPT-JSCRIPT (#1223)

Description

Identifies instances of wmic.exe loading jscript.dll or vbscript.dll. wmic.exe has a parameter called /FORMAT: that allows the caller to pass a path or URL to a stylesheet that can contain VBScript or JScript code.

References

ATT&CK Technique T1064
ATT&CK Technique T1047

==================================================

CREATED: WIN-WMIPRVSE-SPAWN-MSBUILD (#1218)

Description

Identifies execution of MSBuild from WMI. Based on research, this occurs very rarely, if at all, and should be considered highly suspect.

References

ATT&CK Technique T1127
ATT&CK Technique T1047

==================================================

CREATED: NIX-CLEAR-SH-HISTORY (#1220)

Description

Identifies clearing or modifying .sh_history files. Clearing these history files is an anti-forensic technique used by attackers in post-exploitation phases of attacks.

References

ATT&CK Technique T1146

==================================================

CREATED: NIX-CLEAR-ZSH-HISTORY (#1219)

Description

Identifies tools clearing or modifying .zsh_history files. Clearing these history files is an anti-forensic technique used by attackers in post-exploitation phases of attacks.

References

ATT&CK Technique T1146
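The five rule descriptions above, as an added example that is not the product's own rule logic: a small Python detector that applies each rule to constructed telemetry events. The event field names and the use of Mark-of-the-Web ZoneId 3 as the "downloaded from the Internet" signal are assumptions.

```python
import ntpath
import posixpath

# Constructed example: evaluates the rule descriptions from this changelog over
# sample events. Field names ('type', 'image', 'parent_image', 'module', 'path',
# 'action', 'zone_id') are assumptions, not the product's telemetry schema.
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
SCRIPT_ENGINES = {"jscript.dll", "vbscript.dll"}
INTERNET_ZONE = 3  # Mark-of-the-Web ZoneId for URLZONE_INTERNET (assumed signal)
SHELL_HISTORY = {".sh_history": "NIX-CLEAR-SH-HISTORY",
                 ".zsh_history": "NIX-CLEAR-ZSH-HISTORY"}
HISTORY_ACTIONS = {"delete", "truncate", "modify"}  # "clearing or modifying"

def win_base(path):
    """Lower-cased file name of a Windows path (tolerates None / empty)."""
    return ntpath.basename(path or "").lower()

def match_rules(ev):
    """Return the changelog rule names matched by one event (empty if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        parent, image = win_base(ev.get("parent_image")), win_base(ev.get("image"))
        if parent in BROWSERS and image == "mshta.exe" and ev.get("zone_id") == INTERNET_ZONE:
            hits.append("WIN-BROWSERS-SPAWN-MSHTA")
        if parent == "wmiprvse.exe" and image == "msbuild.exe":
            hits.append("WIN-WMIPRVSE-SPAWN-MSBUILD")
    elif kind == "modload":
        if win_base(ev.get("image")) == "wmic.exe" and win_base(ev.get("module")) in SCRIPT_ENGINES:
            hits.append("WIN-WMIC-MODLOAD-VBSCRIPT-JSCRIPT")
    elif kind == "file":
        name = posixpath.basename(ev.get("path") or "")
        if name in SHELL_HISTORY and ev.get("action") in HISTORY_ACTIONS:
            hits.append(SHELL_HISTORY[name])
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"type": "process", "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\mshta.exe", "zone_id": 3},
    {"type": "modload", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "module": r"C:\Windows\System32\vbscript.dll"},
    {"type": "process", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    {"type": "file", "path": "/home/alice/.zsh_history", "action": "truncate"},
    {"type": "file", "path": "/home/alice/.bash_history", "action": "truncate"},  # not covered by these rules
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",  # parent is not a browser
     "image": r"C:\Windows\System32\mshta.exe", "zone_id": 3},
]

def scan(events=SAMPLE_EVENTS):
    """Run every event through match_rules; return [(event index, rule name), ...]."""
    return [(i, rule) for i, ev in enumerate(events) for rule in match_rules(ev)]

if __name__ == "__main__":
    for i, rule in scan():
        print(f"event {i}: {rule}")
```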