==================================================

CREATED: ANY-BLOODHOUND-FILEMOD (#1929)

Description

This detector identifies processes modifying files in a manner consistent with a download of BloodHound.

ATT&CK Technique T1069

==================================================

CREATED: WIN-WMIAPSRV-SUSPECT-DLL-HIJACK (#1935)

Description

This detector identifies wmiapsrv.exe loading a suspicious instance of bcrypt.exe (on Windows 10) or loadperf.dll (on earlier versions of Windows). Adversaries use this technique as part of a DLL hijacking attack.

==================================================

CREATED: WIN-COMPUTERDEFAULTS-SPAWN-CHILDPROC (#1952)

Description

This detector identifies instances of the Windows Program Access and Computer Defaults Control Panel (ComputerDefaults.exe) spawning child processes. This activity is commonly observed as part of a UAC bypass / privilege escalation technique.

ATT&CK Technique T1088

==================================================

CREATED: WIN-POWERSHELL-PW-PROMPT (#1953)

Description

This detector identifies PowerShell commands that create a suspicious input prompt requesting the user's password. Adversaries use this technique to get the user to enter their password under false pretenses.

ATT&CK Technique T1141

==================================================

CREATED: NIX-CURL-SOCKS-PROXY (#1956)

Description

This detector identifies instances of curl used in conjunction with a SOCKS proxy. Adversaries use this technique to proxy network traffic and evade security controls.

ATT&CK Technique T1041
ATT&CK Technique T1090
