==================================================

CREATED: WIN-WCE-SERVICE-EXECUTION (#1351)

Description

Identifies certain characteristics of the execution of the Windows Credential Editor tool, commonly used to dump NTLM hashes and passwords, when it is running as a service.

References

ATT&CK Technique T1003

==================================================

CREATED: WIN-WCE-EXECUTION (#1350)

Description

Identifies certain characteristics of the execution of the Windows Credential Editor tool, commonly used to dump NTLM hashes and passwords.

References

ATT&CK Technique T1003

==================================================

CREATED: WIN-OFFICE-ENABLE-MACROS-REGMOD (#1330)

Description

Identifies any registry modification to the key that enables macros in Office products.

References

ATT&CK Technique T1112

==================================================

CREATED: WIN-POSH-FIND-GPOPASSWORDS (#1348)

Description

Identifies successful execution of Find-GPOPasswords.ps1, a script closely related to PowerSploit's Get-GPPPassword.ps1. Identification relies on the successful creation of a report generated by the script after execution.

References

ATT&CK Technique T1086
ATT&CK Technique T1003

==================================================

CREATED: WIN-PAEXEC-SUSP-EXECUTION (#1347)

Description

Identifies renamed instances of PowerAdmin PAExec, an open-source, redistributable replacement for Sysinternals PsExec. This tool is commonly used by adversaries to issue remote management commands to an endpoint.

References

ATT&CK Technique T1077
ATT&CK Technique T1035

==================================================

CREATED: WIN-WORD-SPAWN-SYSTEM-PROC (#1343)

Description

Identifies suspicious Windows system processes spawned from MS Word. System processes are commonly used in this manner when adversaries work with Cobalt Strike beacons.

References

ATT&CK Technique RC-13377

==================================================

CREATED: WIN-REMCOM-SUSP-RECEIVER (#1342)

Description

Identifies suspicious usage of RemComSvc.exe to receive a remote connection. This utility is an open-source replacement for PsExec.

References

ATT&CK Technique T1077
ATT&CK Technique T1035

==================================================

CREATED: WIN-REMCOM-SUSP-INIT (#1341)

Description

Identifies suspicious usage of RemCom to initiate a remote connection. This utility is an open-source replacement for PsExec.

References

ATT&CK Technique T1077
ATT&CK Technique T1035

==================================================

CREATED: OSX-TMP-DIR-EXECUTION (#1332)

Description

Identifies the execution of binaries located in world-writable temporary directories on macOS.

References

ATT&CK Technique T1074

==================================================

CREATED: WIN-SUSPICIOUS-EXCEL-PERSISTENCE-CREATE (#1328)

Description

Identifies the suspicious creation of MS Excel add-ins by unexpected applications.

References

ATT&CK Technique T1137

==================================================

CREATED: WIN-SUSPICIOUS-DOC-TEMPLATE-MOD (#1327)

Description

Identifies the modification of the MS Word document template file normal.dotm by unusual applications.

References

ATT&CK Technique T1137