==================================================

CREATED: WIN-POWERSHELL-ENCODEDCOMMAND-SWITCH (#1882)

Description

This detector identifies use of the encodedCommand flag in PowerShell. This activity is often used by attackers to obfuscate the use of malicious code on an endpoint.

ATT&CK Technique T1086

==================================================

CREATED: NIX-KWORKER-IMPERSONATION (#1883)

Description

This detector identifies processes impersonating the Linux kworker kernel thread process. This impersonation is used by adversaries to mask suspect activity.

ATT&CK Technique T1036

==================================================

CREATED: NIX-KTHREADD-IMPERSONATION (#1885)

Description

This detector identifies processes impersonating the Linux kthreadd kernel thread process. This impersonation is used by adversaries to mask malicious activity.

ATT&CK Technique T1036

==================================================

CREATED: NIX-CURL-SHLAYER-CLI (#1886)

Description

This detector identifies instances of curl with a suspect command line indicating the download of Shlayer malware.

ATT&CK Technique T1036

==================================================

CREATED: OSX-NOT-TRUSTED-KEYCHAIN-ACCESS (#1893)

Description

This detector identifies launchd spawning an untrusted process that creates and deletes keychain files. This activity has been observed with macOS malware.

ATT&CK Technique T1142

==================================================

CREATED: OSX-CRON-APPLICATIONSUPPORT (#1894)

Description

This detector identifies macOS cron jobs executing binaries and scripts within an Application Support folder. This behavior is commonly seen in the execution of macOS malware.

ATT&CK Technique T1168
