==================================================

CREATED: WIN-WMIC-CLIPBOARD (#1806)

Description

This detector identifies whenever the Windows Management Instrumentation process (wmic.exe) executes and stores its output to the clipboard.

ATT&CK Technique T1047

==================================================

CREATED: WIN-WINLOGON-SUSPECT-PARENT (#1811)

Description

This detector identifies the Windows Logon Application (winlogon.exe) executing with a suspect parent process.

ATT&CK Technique T1036

==================================================

CREATED: WIN-CSRSS-SUSPECT-PARENT (#1823)

Description

This detector identifies the Client/Server Run-Time Subsystem (csrss.exe) executing with a suspect parent process.

ATT&CK Technique T1036

==================================================

CREATED: WIN-WININIT-SUSPECT-PARENT (#1824)

Description

This detector identifies the process wininit.exe executing with a suspect parent process.

ATT&CK Technique T1036

==================================================

CREATED: WIN-RUNTIMEBROKER-SUSPECT-PARENT (#1833)

Description

This detector identifies Windows runtimebroker.exe executing with a suspect parent process.

ATT&CK Technique T1036

==================================================

CREATED: WIN-LSASS-SUSPECT-PARENT (#1835)

Description

This detector identifies the Local Security Authentication Subsystem Service (lsass.exe) executing with a suspect parent process.

ATT&CK Technique T1036

==================================================

CREATED: WIN-SERVICES-SUSPECT-PARENT (#1836)

Description

This detector identifies the Service Control Manager (services.exe) executing with a suspect parent process.

ATT&CK Technique T1036
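
The six SUSPECT-PARENT detectors above share one idea: a core Windows system process should only ever be started by a specific parent. The following Python is an added example of that check run over constructed process-creation events; it is not the vendor's detector logic, and the expected-parent table is an assumption drawn from the standard Windows process tree (smss.exe starts csrss.exe, wininit.exe and winlogon.exe; wininit.exe starts services.exe and lsass.exe; svchost.exe starts RuntimeBroker.exe). The ProcessEvent fields and sample records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Expected parent image for each protected system process. Assumed table based
# on the standard Windows process tree, not the vendor's published rule logic.
EXPECTED_PARENT = {
    "winlogon.exe": {"smss.exe"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "runtimebroker.exe": {"svchost.exe"},
}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (the fields Sysmon event ID 1 or
    similar telemetry would supply)."""
    pid: int
    image: str           # full path of the created process
    parent_pid: int
    parent_image: str    # full path of the parent; "" if telemetry lost it


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_parent(event: ProcessEvent) -> Optional[str]:
    """Return the detector name that fires for this event, or None."""
    name = image_name(event.image)
    expected = EXPECTED_PARENT.get(name)
    if expected is None:
        return None                      # not a protected image
    if not event.parent_image:
        # Lineage unknown: the parent exited before the event was enriched,
        # which is normal for the per-session smss.exe. Absence of evidence
        # is not evidence of spoofing, so no alert here.
        return None
    if image_name(event.parent_image) in expected:
        return None
    # A masquerading copy (e.g. lsass.exe dropped in %TEMP%) normally trips
    # this check too, because it is launched from a shell or explorer.exe
    # rather than from wininit.exe.
    return f"WIN-{name[:-4].upper()}-SUSPECT-PARENT"


def run_detectors(events) -> list[tuple[int, str]]:
    """Evaluate every event and return (pid, detector) pairs that fired."""
    hits = []
    for ev in events:
        det = check_parent(ev)
        if det:
            hits.append((ev.pid, det))
    return hits


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent(600, r"C:\Windows\System32\winlogon.exe", 500, r"C:\Windows\System32\smss.exe"),
    ProcessEvent(700, r"C:\Windows\System32\services.exe", 620, r"C:\Windows\System32\wininit.exe"),
    ProcessEvent(800, r"C:\Windows\System32\csrss.exe", 0, ""),
    ProcessEvent(1300, r"C:\Users\alice\AppData\Local\Temp\lsass.exe", 1200, r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(1400, r"C:\Windows\System32\RuntimeBroker.exe", 1100, r"C:\Windows\explorer.exe"),
    ProcessEvent(1500, r"C:\Windows\System32\svchost.exe", 700, r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, det in run_detectors(SAMPLE_EVENTS):
        print(f"pid {pid}: {det}")
```

Matching is on file name only, so a renamed binary that is launched from the right parent is out of scope here; that case belongs to the T1036 masquerading detectors that look at image path and signature rather than lineage.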

==================================================

CREATED: OSX-POSSIBLE-FAKEUPDATE (#1878)

Description

This detector identifies macOS fake update malware families such as Shlayer.

ATT&CK Technique T1027
ATT&CK Technique T1036
ATT&CK Technique T1140
ATT&CK Technique T1158

==================================================

CREATED: OSX-UNZIP-PASSWORD-TMP (#1879)

Description

This detector identifies the execution of unzip on password-protected archives in temporary locations. This behavior has been observed with variants of malware delivery on macOS platforms.

ATT&CK Technique T1027

==================================================

CREATED: OSX-TMP-SECURITY-SUBSYSTEM (#1880)

Description

This detector identifies the spctl command issued with either the -a or --assess flag on a file located in the /tmp directory.
