==================================================

CREATED: WIN-POWERMEMORY-CLI-DEFAULT (#1393)

Description

Identifies default elements of PowerMemory execution being observed in the process commandline. PowerMemory is a PowerShell framework for credential exploitation, which does not rely on the standard code libraries (DLL files) commonly observed with credential theft.

References

ATT&CK Technique T1003

==================================================

CREATED: WIN-POWERMEMORY-PRIVESC-SC (#1394)

Description

Identifies a method used by PowerMemory for privilege escalation. PowerMemory is a PowerShell framework for credential exploitation, which does not rely on the standard code libraries (DLL files) commonly observed with credential theft.

References

ATT&CK Technique T1003

==================================================

CREATED: WIN-POWERMEMORY-PRIVESC-CHILDPROCS (#1395)

Description

Identifies a method used by PowerMemory for privilege escalation, based on specific child processes. PowerMemory is a PowerShell framework for credential exploitation, which does not rely on the standard code libraries (DLL files) commonly observed with credential theft.

References

ATT&CK Technique T1003

==================================================

CREATED: WIN-POWERMEMORY-DUMPFILE-CREATE (#1396)

Description

Identifies PowerMemory using the Microsoft debuggers it bundles to create and then parse memory dump files; this detector triggers on that chain of activity. PowerMemory is a PowerShell framework for credential exploitation, which does not rely on the standard code libraries (DLL files) commonly observed with credential theft.

References

ATT&CK Technique T1003

==================================================

CREATED: WIN-W3WP-CMD-EXTERNAL-NETCONN (#1382)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe) spawning the Command Processor (cmd.exe), which has an external network connection. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-CHILD-UNTRUSTED (#1383)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe) directly executing an unsigned/untrusted binary. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-FILEMOD-WEBFILE (#1384)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe) writing files to disk which are typically associated with executable web server code. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-CMD-FILEMOD-WEBFILE (#1385)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe) leading to the creation of files typically associated with executable web server code. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-CMD-CLI-URL (#1388)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe) spawning the Command Processor (cmd.exe), which has an external network connection. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-SPAWN-WMIC (#1379)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe) directly executing WMIC. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-SPAWN-MSHTA (#1380)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe) directly executing MSHTA. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-SPAWN-JAVA (#1381)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe) directly executing Java. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-CMD-POWERSHELL (#1371)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe), leading to an instance of PowerShell. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-CMD-WMIC (#1372)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe), leading to an instance of WMIC. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-CMD-SCRIPTENG (#1374)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe), leading to an instance of various scripting utilities. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-CMD-MSHTA (#1375)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe), leading to an instance of various scripting utilities. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-W3WP-CMD-JAVA (#1376)

Description

Identifies a chain of execution from a Windows IIS worker process (w3wp.exe), leading to an instance of various scripting utilities. The intent is to identify potential web server compromises from different angles.

References

ATT&CK Technique T1100

==================================================

CREATED: WIN-SYSTEM-INJECT-INTO-LSASS (#1391)

Description

Identifies possible activity of the password-stealing tool gsecdump. This tool always operates as SYSTEM and injects into LSASS.

References

ATT&CK Technique [T1003](https://attack.mitre.org/wiki/Technique/T1003)

==================================================

CREATED: WIN-QUARK-PWDUMP-SAM-DMP (#1390)

Description

Identifies the creation of a SAM registry dump file associated with the execution of Quarks PWDump.

References

ATT&CK Technique T1003

==================================================

CREATED: WIN-COBALTSTRIKE-BEACON-SMB (#1389)

Description

Identifies the use of a Cobalt Strike Beacon implant allowing adversaries to pivot and issue commands over SMB through the use of configurable named pipes.

References

ATT&CK Technique T1071

==================================================

CREATED: WIN-CSRSS-SUSPECT-USER (#1387)

Description

Identifies rogue processes claiming to be csrss.exe executing from unexpected users.

References

ATT&CK Technique T1036

==================================================

CREATED: WIN-UNMANAGED-POSH-EXECUTION (#1386)

Description

Identifies the use of unmanaged PowerShell code execution through the loading of PowerShell modules into suspicious processes.

References

ATT&CK Technique T1086

==================================================

CREATED: WIN-LSASS-SUSPECT-USER (#1377)

Description

Identifies rogue processes claiming to be lsass.exe executing from unexpected users.

References

ATT&CK Technique T1036

==================================================

CREATED: WIN-MIMIKATZ-TICKET-EXPORT (#1370)

Description

Identifies the creation of .kirbi files, an indicator of Mimikatz execution with options to export Kerberos tickets.

References

ATT&CK Technique T1003
ATT&CK Technique T1208

==================================================

CREATED: WIN-POSSIBLE-DOUBLE-AGENT-REGMOD (#1378)

Description

Identifies registry key changes that could indicate persistence and privilege escalation stemming from the DoubleAgent zero-day attack.

References

ATT&CK Technique [T1112](https://attack.mitre.org/wiki/Technique/T1112)

==================================================

CREATED: INTEL-COINBLOCKERLIST-MINING-DOMAINS (#1373)

Description

Identifies hits from the CoinBlockerList domain list intel feed.