==================================================

CREATED: WIN-SCP-BINARY-DOWNLOAD (#1279)

Description

Identifies the use of scp.exe to make an external network connection and then download or modify executable files. With the recent port of OpenSSH tools to Windows, threat actors will start utilizing host-based tools to establish shells and pivot between machines.

ATT&CK Technique T1021 & T1105

==================================================

CREATED: WIN-SFTP-BINARY-DOWNLOAD (#1280)

Description

Identifies the use of sftp.exe to make an external network connection and then download or modify executable files. With the recent port of OpenSSH tools to Windows, threat actors will start utilizing host-based tools to establish shells and pivot between machines.

ATT&CK Technique T1021 & T1105

==================================================

CREATED: WIN-SSH-BINARY-DOWNLOAD (#1278)

Description

Identifies the use of ssh.exe to make an external network connection and then download or modify executable files. With the recent port of OpenSSH tools to Windows, threat actors will start utilizing host-based tools to establish shells and pivot between machines.

ATT&CK Technique T1021 & T1105

==================================================

CREATED: WIN-EXCEL-CROSSPROC-DLLHOST (#1281)

Description

Identifies instances of 'DLLHost.exe' that receive RemoteThread injections from Microsoft Excel. This tactic is used to execute actions from MS Excel macros as 'DLLHost.exe'.

ATT&CK Technique T1055

==================================================

CREATED: WIN-POWERPOINT-CROSSPROC-DLLHOST (#1282)

Description

Identifies instances of 'DLLHost.exe' that receive RemoteThread injections from Microsoft PowerPoint. This tactic is used to execute actions from MS PowerPoint macros as 'DLLHost.exe'.

ATT&CK Technique T1055

==================================================

CREATED: WIN-MSPUB-CROSSPROC-DLLHOST (#1283)

Description

Identifies instances of 'DLLHost.exe' that receive RemoteThread injections from MS Publisher. This tactic is used to execute actions from MS Publisher macros as 'DLLHost.exe'.

ATT&CK Technique T1055

==================================================

CREATED: WIN-VISIO-CROSSPROC-DLLHOST (#1284)

Description

Identifies instances of 'DLLHost.exe' that receive RemoteThread injections from Microsoft Visio. This tactic is used to execute actions from MS Visio macros as 'DLLHost.exe'.

ATT&CK Technique T1055

==================================================

CREATED: WIN-WORDPAD-CROSSPROC-DLLHOST (#1285)

Description

Identifies instances of 'DLLHost.exe' that receive RemoteThread injections from Microsoft Word. This tactic is used to execute actions from MS Wordpad as 'DLLHost.exe'.

ATT&CK Technique T1055

==================================================

CREATED: WIN-ONENOTE-CROSSPROC-DLLHOST (#1286)

Description

Identifies instances of 'DLLHost.exe' that receive RemoteThread injections from Microsoft OneNote. This tactic is used to execute actions from MS OneNote as 'DLLHost.exe'.

ATT&CK Technique T1055

==================================================

CREATED: WIN-OUTLOOK-CROSSPROC-DLLHOST (#1287)

Description

Identifies instances of 'DLLHost.exe' that receive RemoteThread injections from Microsoft Outlook. This tactic is used to execute actions from MS Outlook as 'DLLHost.exe'.

ATT&CK Technique T1055

==================================================

CREATED: WIN-MSACCESS-CROSSPROC-DLLHOST (#1288)

Description

Identifies instances of 'DLLHost.exe' that receive RemoteThread injections from Microsoft Access. This tactic is used to execute actions from MS Access macros as 'DLLHost.exe'.

ATT&CK Technique T1055

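As an added example (not the product's own detector code), the two rule families above written as correlation functions over constructed Sysmon-style events: Event ID 3 (network connection) by scp/sftp/ssh.exe followed by Event ID 11 (executable file written) from the same process, and Event ID 8 (CreateRemoteThread) from an Office application into dllhost.exe. Field names follow Sysmon; the internal-range list, the executable-extension set and the sample events are assumptions of this example.

```python
from ipaddress import ip_address, ip_network
from pathlib import PureWindowsPath

SSH_TOOLS = {"scp.exe": "WIN-SCP-BINARY-DOWNLOAD", "sftp.exe": "WIN-SFTP-BINARY-DOWNLOAD",
             "ssh.exe": "WIN-SSH-BINARY-DOWNLOAD"}
OFFICE_APPS = {"excel.exe": "EXCEL", "powerpnt.exe": "POWERPOINT", "mspub.exe": "MSPUB",
               "visio.exe": "VISIO", "wordpad.exe": "WORDPAD", "onenote.exe": "ONENOTE",
               "outlook.exe": "OUTLOOK", "msaccess.exe": "MSACCESS"}
EXEC_EXT = {".exe", ".dll", ".sys", ".scr"}
# Assumption: RFC 1918, loopback and link-local are "internal"; anything else is external.
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def base(path):
    """Case-insensitive file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()
def is_external(ip):
    return not any(ip_address(ip) in net for net in INTERNAL)
def detect_ssh_binary_download(events):
    """EID 3 to an external address by scp/sftp/ssh.exe, then EID 11 writing an
    executable from the same ProcessGuid -> list of (rule, file) alerts."""
    connected, alerts = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        tool = base(e.get("Image", ""))
        if tool not in SSH_TOOLS:
            continue
        if e["EventID"] == 3 and is_external(e["DestinationIp"]):
            connected.add(e["ProcessGuid"])
        elif e["EventID"] == 11 and e["ProcessGuid"] in connected \
                and PureWindowsPath(e["TargetFilename"]).suffix.lower() in EXEC_EXT:
            alerts.append((SSH_TOOLS[tool], e["TargetFilename"]))
    return alerts
def detect_office_dllhost_injection(events):
    """EID 8 (CreateRemoteThread) from an Office app into dllhost.exe -> rule names."""
    return [f"WIN-{OFFICE_APPS[base(e['SourceImage'])]}-CROSSPROC-DLLHOST"
            for e in events if e["EventID"] == 8
            and base(e["TargetImage"]) == "dllhost.exe"
            and base(e["SourceImage"]) in OFFICE_APPS]

# Constructed sample telemetry (not real logs): an internal scp copy of a text file, an scp
# session to a documentation-range IP that then writes an .exe, and Excel -> dllhost.exe.
SCP = r"C:\Windows\System32\OpenSSH\scp.exe"
SAMPLE = [
    {"ts": 1, "EventID": 3, "Image": SCP, "ProcessGuid": "A", "DestinationIp": "10.0.0.5"},
    {"ts": 2, "EventID": 11, "Image": SCP, "ProcessGuid": "A", "TargetFilename": r"C:\tmp\notes.txt"},
    {"ts": 3, "EventID": 3, "Image": SCP, "ProcessGuid": "B", "DestinationIp": "203.0.113.7"},
    {"ts": 4, "EventID": 11, "Image": SCP, "ProcessGuid": "B", "TargetFilename": r"C:\tmp\svc.exe"},
    {"ts": 5, "EventID": 8, "SourceImage": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "TargetImage": r"C:\Windows\System32\dllhost.exe"},
]
```

Only the scp session that first reached an external address and then wrote svc.exe fires the download rule; the internal text-file copy does not.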