==================================================

CREATED: WIN-SC-CREATE-SERVICE-COMPSEC (#1308)

Description

This detector looks for instances of sc.exe creating a fake service with %Compsec% in the command line.

References

ATT&CK Technique T1050 & T1035

==================================================

CREATED: WIN-FIREFOX-SELFXSS-MODIFIED (#1307)

Description

This detector looks for modification of the selfxss option in Firefox's prefs.js file. This protection prevents users from executing JavaScript code directly from the developer console, a technique commonly used by banking malware and phishing campaigns.

References

ATT&CK Technique T1059

==================================================

CREATED: NIX-DISABLE-OSSEC (#1306)

Description

This detector looks for any instance of OSSEC being disabled.

ATT&CK Technique T1089

==================================================

CREATED: WIN-DLLHOST-EXTERNAL-NETCONN (#1293)

Description

This detector looks for dllhost.exe making external network connections. Typically dllhost.exe is a sacrificial process that runs unbeknownst to the user on behalf of another process, and its network connections are commonly internal-to-internal.

ATT&CK Technique T1055

==================================================

CREATED: NIX-WGET-EXTERNAL-NETCONN-CONTENTSITES (#1304)

Description

This detector identifies instances of macOS or Linux wget establishing network connections to specific content hosting sites.

ATT&CK Technique T1059

==================================================

CREATED: NIX-CURL-EXTERNAL-NETCONN-CONTENTSITES (#1303)

Description

This detector identifies instances of macOS or Linux curl establishing network connections to specific content hosting sites.

ATT&CK Technique T1059

==================================================

CREATED: NIX-WGET-EXTERNAL-NETCONN-SHORTENERS (#1302)

Description

This detector identifies instances of macOS or Linux wget establishing network connections to specific URL shortener sites.

ATT&CK Technique T1059

==================================================

CREATED: NIX-CURL-EXTERNAL-NETCONN-SHORTENERS (#1301)

Description

This detector identifies instances of macOS or Linux curl establishing network connections to specific URL shortener sites.

ATT&CK Technique T1059

==================================================

CREATED: NIX-WGET-EXTERNAL-NETCONN-PASTESITES (#1300)

Description

This detector identifies instances of macOS or Linux wget establishing network connections to specific paste sites, such as Pastebin.

ATT&CK Technique T1059

==================================================

CREATED: NIX-CURL-EXTERNAL-NETCONN-PASTESITES (#1299)

Description

This detector identifies instances of macOS or Linux curl establishing network connections to specific paste sites, such as Pastebin.

ATT&CK Technique T1059

==================================================

CREATED: NIX-WGET-PIPE-BASH (#1298)

Description

This detector identifies instances of macOS or Linux wget being used to download content that is then piped to bash for execution.

ATT&CK Technique T1059

==================================================

CREATED: NIX-CURL-PIPE-BASH (#1297)

Description

This detector identifies instances of macOS or Linux curl being used to download content that is then piped to bash for execution.

ATT&CK Technique T1059

==================================================

CREATED: OSX-MIGRATION-TOOL-CUSTOM-PLUGIN (#1296)

Description

Identifies the execution of migrationTool loading and executing a custom plugin. This technique has been shown to bypass application whitelisting by executing unsigned code inside a signed Apple binary.

References

https://www.xorrior.com/abusing-migrationTool/

ATT&CK Technique T1036 & T1055
