==================================================

CREATED: WIN-POWERMEMORY-MSDSC-EXECUTION (#1368)

Description

Identifies the execution of msdsc.exe, a utility used in the execution of PowerMemory RWMC to dump credentials.

References

ATT&CK Technique T1003

==================================================

CREATED: WIN-USERINIT-SUSPECT-PATH (#1367)

Description

Identifies instances of userinit.exe executing from a suspect file path.

References

ATT&CK Technique T1036

==================================================

CREATED: WIN-SUSPICIOUS-PPT-PERSISTENCE-CREATE (#1354)

Description

Identifies the suspicious creation of MS PowerPoint add-ins via unexpected applications.

References

ATT&CK Technique T1137

==================================================

CREATED: WIN-SUSPICIOUS-WORD-PERSISTENCE-CREATE (#1353)

Description

Identifies the suspicious creation of MS Word add-ins via unexpected applications.

References

ATT&CK Technique T1137

==================================================

CREATED: WIN-PROCESSHANDLE-POWERSHELL-TO-LSASS (#1366)

Description

Identifies PowerShell cross-process OpenThread injections into lsass.exe. This activity may indicate the execution of code with the potential to read sensitive user credentials from LSASS.

References

ATT&CK Technique T1003

==================================================

CREATED: WIN-REGSVR32-NO-CLI (#1360)

Description

Identifies regsvr32.exe with no command line parameters present.

==================================================

CREATED: WIN-SVCHOST-NO-CLI (#1361)

Description

Identifies svchost.exe with no command line parameters present.

==================================================

CREATED: WIN-USERINIT-NO-CLI (#1362)

Description

Identifies userinit.exe with no command line parameters present.

==================================================

CREATED: WIN-VISIO-SPAWNING-RUNDLL (#1364)

Description

Identifies instances of rundll32.exe spawning from MS Visio.

References

ATT&CK Technique RC-13377
ATT&CK Technique T1193

==================================================

CREATED: WIN-MSPUB-SPAWNING-RUNDLL (#1365)

Description

Identifies instances of rundll32.exe spawning from MS Publisher.

References

ATT&CK Technique RC-13377
ATT&CK Technique T1193

==================================================

CREATED: WIN-MSACCESS-SPAWNING-RUNDLL (#1363)

Description

Identifies instances of rundll32.exe spawning from MS Access.

References

ATT&CK Technique RC-13377
ATT&CK Technique T1193

==================================================

CREATED: WIN-WORD-SPAWNING-RUNDLL (#1358)

Description

Identifies instances of rundll32.exe spawning from MS Word.

References

ATT&CK Technique RC-13377
ATT&CK Technique T1193

==================================================

CREATED: WIN-EXCEL-SPAWNING-RUNDLL (#1359)

Description

Identifies instances of rundll32.exe spawning from MS Excel.

References

ATT&CK Technique RC-13377
ATT&CK Technique T1193

==================================================

CREATED: WIN-NLTEST-RECON (#1357)

Description

Identifies when certain command-line options are passed to nltest.exe. This tool is commonly used by administrators and adversaries alike to enumerate details about an Active Directory environment.

References

ATT&CK Technique T1087
ATT&CK Technique T1018
ATT&CK Technique T1016

==================================================

CREATED: WIN-WSCRIPT-SPAWNING-SCHTASKS (#1356)

Description

Identifies instances where the Windows Script Host (wscript.exe) is observed spawning an instance of schtasks.exe.

References

ATT&CK Technique T1053
ATT&CK Technique T1064

==================================================

CREATED: WIN-WINWORD-SPAWNING-WSCRIPT (#1355)

Description

Identifies instances of wscript.exe spawning as a child process of MS Word.

References

ATT&CK Technique T1193
ATT&CK Technique T1064
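The parent/child, empty-command-line and suspect-path entries above all reduce to checks on three process-creation fields. The block below is an added example, not code from the changelog or its product: it evaluates those checks over a few constructed Sysmon-style events (Image, ParentImage, CommandLine). The Office executable names, the expected userinit.exe directory and the sample events are assumptions made for the example.

```python
"""Added example, not part of the original changelog: a minimal evaluator for
the parent/child and empty-command-line detection ideas described in the
entries above, run over constructed process-creation events. Field names
follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the Office
executable names and the expected userinit.exe directory are assumptions."""

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process (Sysmon "Image")
    parent_image: str   # full path of the parent (Sysmon "ParentImage")
    command_line: str   # Sysmon "CommandLine", program token included


# Assumed executable names for the Office applications named in the entries.
OFFICE_RUNDLL_RULES = {
    "winword.exe": "WIN-WORD-SPAWNING-RUNDLL",
    "excel.exe": "WIN-EXCEL-SPAWNING-RUNDLL",
    "msaccess.exe": "WIN-MSACCESS-SPAWNING-RUNDLL",
    "mspub.exe": "WIN-MSPUB-SPAWNING-RUNDLL",
    "visio.exe": "WIN-VISIO-SPAWNING-RUNDLL",
}

NO_CLI_RULES = {
    "regsvr32.exe": "WIN-REGSVR32-NO-CLI",
    "svchost.exe": "WIN-SVCHOST-NO-CLI",
    "userinit.exe": "WIN-USERINIT-NO-CLI",
}

# Assumption: userinit.exe is only expected to run from System32.
EXPECTED_USERINIT_DIRS = {r"c:\windows\system32"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'winword.exe'."""
    return ntpath.basename(path).lower()


def arguments(command_line: str) -> str:
    """Everything after the program token; handles a quoted program path."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def evaluate(ev: ProcessEvent) -> list[str]:
    """Return the names of all changelog rules the event matches."""
    child, parent = image_name(ev.image), image_name(ev.parent_image)
    hits = []
    if child == "rundll32.exe" and parent in OFFICE_RUNDLL_RULES:
        hits.append(OFFICE_RUNDLL_RULES[parent])
    if child == "wscript.exe" and parent == "winword.exe":
        hits.append("WIN-WINWORD-SPAWNING-WSCRIPT")
    if child == "schtasks.exe" and parent == "wscript.exe":
        hits.append("WIN-WSCRIPT-SPAWNING-SCHTASKS")
    if child in NO_CLI_RULES and arguments(ev.command_line) == "":
        hits.append(NO_CLI_RULES[child])
    if child == "userinit.exe" and ntpath.dirname(ev.image).lower() not in EXPECTED_USERINIT_DIRS:
        hits.append("WIN-USERINIT-SUSPECT-PATH")
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"C:\Windows\System32\rundll32.exe" C:\Users\alice\AppData\Local\Temp\a.dll,Entry'),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs -p"),  # normal service host
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Users\alice\Downloads\update.exe",
                 r'"C:\Windows\System32\svchost.exe"'),
    ProcessEvent(r"C:\Users\Public\userinit.exe",
                 r"C:\Users\Public\setup.exe",
                 r"C:\Users\Public\userinit.exe"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r"C:\Windows\System32\wscript.exe",
                 r"schtasks.exe /Create /TN Updater /TR C:\Users\Public\u.vbs"),
]


def run(events=SAMPLE_EVENTS) -> list[list[str]]:
    """Evaluate every event; one list of rule names per event."""
    return [evaluate(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run()):
        print(f"{image_name(ev.parent_image)} -> {image_name(ev.image)}: {hits or 'no match'}")
```

The entries above describe only the triggering condition; a deployed version of the no-CLI and suspect-path checks would still need an allowlist of known-good parents and paths (for example, the logon flow that launches userinit.exe from winlogon.exe) to keep the match rate manageable.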
