==================================================

CREATED: WIN-REGSVCS-SUSPECT-BINARY (#1763)

Description

This detector identifies the .NET Services Installation Tool (regsvcs.exe) launching with an internal name (the value carried in the binary's PE version information) that does not match the legitimate tool. Adversaries relabel or rename malicious binaries this way to masquerade them as legitimate processes.

ATT&CK Technique T1036 (Masquerading)

==================================================

CREATED: NIX-CHATTR-RM-IMMUTABLE (#1784)

Description

This detector identifies instances of the Unix chattr utility removing the "immutable" attribute from sensitive files and directories. Adversaries clear this attribute so they can modify or delete files that were locked against changes, such as protected configuration files or logs.

ATT&CK Technique T1222 (File and Directory Permissions Modification)

==================================================

CREATED: NIX-TOUCH-TIMESTOMP-REFERENCE (#1785)

Description

This detector identifies instances of the Unix touch utility run with command-line options that set a file's timestamps to a chosen value or copy them from a reference file (timestomping) rather than updating them to the current time. Adversaries use this technique to hinder forensic analysis by obscuring when files were created or modified during a compromise.

ATT&CK Technique T1099 (Timestomp; later ATT&CK versions fold this into T1070.006, Indicator Removal: Timestomp)

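The following is an added example, not the vendor's detection code, showing toy versions of the three detectors above (WIN-REGSVCS-SUSPECT-BINARY, NIX-CHATTR-RM-IMMUTABLE and NIX-TOUCH-TIMESTOMP-REFERENCE) run over constructed process-execution events. The event field names (process_name, internal_name, command_line), the expected internal name of regsvcs.exe, and the sample events themselves are assumptions. The chattr rule goes slightly beyond the description by also flagging the "=" operator, which replaces the attribute set and so clears the immutable bit whenever "i" is omitted.

```python
import os
import shlex

# Assumed expected internal name of the legitimate .NET Services Installation
# Tool, compared case-insensitively (assumption, not taken from the page).
REGSVCS_INTERNAL_NAME = "regsvcs.exe"

# Short touch options that supply a time instead of "now":
# -r copies a reference file's timestamps, -d and -t set an explicit time.
TOUCH_TIME_OPTS = {"r", "d", "t"}

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"process_name": "regsvcs.exe", "internal_name": "RegSvcs.exe",
     "command_line": "regsvcs.exe /u Component.dll"},          # legitimate
    {"process_name": "regsvcs.exe", "internal_name": "Stage2.exe",
     "command_line": "regsvcs.exe"},                           # hypothetical masquerade
    {"process_name": "chattr", "internal_name": "",
     "command_line": "chattr -i /etc/resolv.conf"},            # clears immutable
    {"process_name": "chattr", "internal_name": "",
     "command_line": "chattr +i /etc/resolv.conf"},            # sets immutable
    {"process_name": "chattr", "internal_name": "",
     "command_line": "chattr -R =a /var/log/wtmp"},            # "=" without i also clears it
    {"process_name": "touch", "internal_name": "",
     "command_line": "touch -r /bin/ls /var/tmp/.cache"},      # reference-file timestomp
    {"process_name": "touch", "internal_name": "",
     "command_line": "touch -t 201501010000 /var/tmp/.cache"}, # explicit-time timestomp
    {"process_name": "touch", "internal_name": "",
     "command_line": "touch -am /tmp/newfile"},                # benign: times set to now
]


def _argv(event):
    """Split the recorded command line into argv, tolerating quoting."""
    cmd = event.get("command_line", "")
    try:
        return shlex.split(cmd)
    except ValueError:
        return cmd.split()


def _image_name(event):
    """Basename of the process image, lower-cased, for either path style."""
    return os.path.basename(event.get("process_name", "").replace("\\", "/")).lower()


def win_regsvcs_suspect_binary(event):
    """WIN-REGSVCS-SUSPECT-BINARY: process runs as regsvcs.exe but its PE
    internal name is not the expected one (masquerading, T1036)."""
    internal = event.get("internal_name", "").lower()
    return _image_name(event) == "regsvcs.exe" and internal != REGSVCS_INTERNAL_NAME


def nix_chattr_rm_immutable(event):
    """NIX-CHATTR-RM-IMMUTABLE: chattr clearing the immutable bit, via a
    '-' mode containing 'i' (e.g. -i, -ai) or an '=' mode that omits 'i'."""
    argv = _argv(event)
    if not argv or os.path.basename(argv[0]) != "chattr":
        return False
    for tok in argv[1:]:
        if tok.startswith("-") and not tok.startswith("--") and "i" in tok[1:]:
            return True
        if tok.startswith("=") and "i" not in tok[1:]:
            return True
    return False


def nix_touch_timestomp(event):
    """NIX-TOUCH-TIMESTOMP-REFERENCE: touch given a reference file or an
    explicit time rather than the current time (T1070.006 / legacy T1099)."""
    argv = _argv(event)
    if not argv or os.path.basename(argv[0]) != "touch":
        return False
    for tok in argv[1:]:
        if tok == "--":                     # end of options; remaining tokens are paths
            break
        if tok.startswith("--"):
            if tok.split("=", 1)[0] in ("--reference", "--date"):
                return True
        elif tok.startswith("-") and len(tok) > 1 and TOUCH_TIME_OPTS & set(tok[1:]):
            return True                     # handles clustered forms such as -mr
    return False


DETECTORS = [
    ("WIN-REGSVCS-SUSPECT-BINARY", win_regsvcs_suspect_binary),
    ("NIX-CHATTR-RM-IMMUTABLE", nix_chattr_rm_immutable),
    ("NIX-TOUCH-TIMESTOMP-REFERENCE", nix_touch_timestomp),
]


def run_detectors(events):
    """Return (detector name, command line) for every event that trips a detector."""
    hits = []
    for ev in events:
        for name, fn in DETECTORS:
            if fn(ev):
                hits.append((name, ev["command_line"]))
    return hits


if __name__ == "__main__":
    for name, cmd in run_detectors(SAMPLE_EVENTS):
        print(f"{name}: {cmd}")
```

Two caveats worth keeping in mind when triaging the touch hits: a reference-file timestomp (-r) deliberately produces a plausible-looking mtime, so the tell is the command line rather than the resulting value, and touch can only set atime and mtime; the inode change time (ctime) is updated to the current time on the same call, so a file whose ctime is newer than its mtime by an unexplained margin is worth a closer look even when the original command line was not captured.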