==================================================

CREATED: WIN-SDCLT-UAC-BYPASS-EXEC (#1491)

Description

This detector identifies instances of Windows Backup Client (sdclt.exe) with command line options indicating use of a UAC bypass/privilege exploit technique.

ATT&CK Technique T1088

==================================================

CREATED: WIN-REMOTE-AT-TASK (#1497)

Description

This detector identifies instances of at.exe interacting with the task scheduler on remote hosts. This is commonly observed when adversaries perform lateral movement.

ATT&CK Technique T1053

==================================================

CREATED: WIN-SCHTASKS-CREATE-REMOTE (#1759)

Description

This detector identifies instances of the Windows Command Line Task Scheduler utility (schtasks.exe) creating tasks on remote hosts. This technique is used for lateral movement via Server Message Block (SMB) and Remote Procedure Call (RPC).

ATT&CK Technique T1053
