==================================================

CREATED: WIN-WCE-SERVICE-EXECUTION (#1351)

Description

Identifies characteristics of the Windows Credential Editor tool, commonly used to dump NTLM hashes and passwords, executing as a service.

References

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

ATT&CK Technique T1003

==================================================

CREATED: WIN-WCE-EXECUTION (#1350)

Description

Identifies characteristics of the execution of the Windows Credential Editor tool commonly used to dump NTLM hashes and passwords.

References

https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment

ATT&CK Technique [T1003](https://attack.mitre.org/wiki/Technique/T1003)

==================================================

CREATED: WIN-POSH-FIND-GPOPASSWORDS (#1348)

Description

Identifies successful execution of Find-GPOPasswords.ps1, a script closely related to PowerSploit Get-GPPPassword.ps1. Identification relies on the successful creation of the report the script generates after execution.

References

ATT&CK Technique T1086
ATT&CK Technique T1003

==================================================

CREATED: WIN-PAEXEC-SUSP-EXECUTION (#1347)

Description

Identifies renamed instances of PowerAdmin PAExec, an open and redistributable replacement for Sysinternals PsExec. This tool is commonly used by adversaries to issue remote management commands to an endpoint.

References

ATT&CK Technique T1077
ATT&CK Technique T1035

==================================================

CREATED: WIN-WORD-SPAWN-SYSTEM-PROC (#1343)

Description

Identifies suspicious Windows system processes spawning from MS Word. System processes are commonly used in this manner when adversaries work with Cobalt Strike beacons.

ATT&CK Technique RC-13377

==================================================

CREATED: WIN-REMCOM-SUSP-RECEIVER (#1342)

Description

Identifies suspicious usage of RemComSvc.exe to receive a remote connection. This utility is an open-source replacement for PsExec.

References

ATT&CK Technique T1077
ATT&CK Technique T1035

==================================================

CREATED: WIN-REMCOM-SUSP-INIT (#1341)

Description

Identifies suspicious usage of RemCom to initiate a remote connection. This utility is an open-source replacement for PsExec.

References

ATT&CK Technique T1077
ATT&CK Technique T1035

==================================================

CREATED: WIN-NETCONN-445-OVER-THRESHOLD (#1344)

Description

Identifies processes whose number of network connections to port 445 exceeds a defined suspect threshold.

==================================================

CREATED: WIN-SUSPECT-NAMED-PIPES-OVER-THRESHOLD (#1345)

Description

Identifies a process that opens a number of suspect named pipes above a threshold. This behavior is common with tooling such as BloodHound.

==================================================

CREATED: OSX-DYLD-INSERT-LIBRARIES (#1346)

Description

Identifies use of the DYLD_INSERT_LIBRARIES environment variable. When macOS runs a process, it inspects DYLD_INSERT_LIBRARIES and loads any libraries it specifies into that process. Attackers can abuse this to load a malicious library into a target process whenever that process is started.

References

ATT&CK Technique T1055
