==================================================

CREATED: WIN-CMD-DIR-SUSP-KEYWORDS (#1313)

Description

Identifies suspicious keywords passed to the cmd.exe built-in dir command. This activity is typically seen during post-exploitation, when an attacker enumerates the file system for credentials and other sensitive data.

ATT&CK Technique T1083
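The following is an added example, not the rule's own logic or the vendor's code: a small Python detector that applies the idea above to constructed process-creation events. The keyword list, the event field names and the sample command lines are assumptions made for the example; the rule's real keyword list is not published on this page. Note the check that dir is actually the built-in being executed, not a directory name appearing later in the argument list.

```python
import ntpath
import re

# Assumed keyword list for this example; the rule's actual list is not published here.
SUSPICIOUS_KEYWORDS = ("password", "passwd", "credential", "secret",
                       "kdbx", "ppk", "id_rsa", "pfx", "unattend")

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c dir /s /b C:\Users\*password*'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c dir C:\Projects'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /q /c dir /s *.kdbx *.ppk'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c type C:\notes\dir\password.txt'},   # 'dir' is a path, not the command
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad.exe password.txt'},                     # not cmd.exe at all
]


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def dir_suspicious_keywords(event):
    """Return the suspicious keywords found in the arguments of a cmd.exe 'dir' command
    (empty list when the event does not match)."""
    if ntpath.basename(event["image"]).lower() != "cmd.exe":
        return []
    tokens = [t.lower() for t in tokenize(event["cmdline"])]
    if "dir" not in tokens:
        return []
    i = tokens.index("dir")
    # 'dir' must be the built-in actually invoked: everything before it has to be
    # the cmd.exe image itself or a cmd switch such as /c, /k or /q.
    if not all(t.endswith("cmd.exe") or t.endswith("cmd") or t.startswith("/")
               for t in tokens[:i]):
        return []
    # Drop dir's own switches (/s, /b, ...) and keep only the path/pattern arguments.
    args = [t for t in tokens[i + 1:] if not t.startswith("/")]
    return sorted({kw for kw in SUSPICIOUS_KEYWORDS for a in args if kw in a})


def scan_dir_commands(events):
    """Return (cmdline, keywords) for each event the rule would fire on."""
    hits = []
    for e in events:
        kws = dir_suspicious_keywords(e)
        if kws:
            hits.append((e["cmdline"], kws))
    return hits


if __name__ == "__main__":
    for cmdline, kws in scan_dir_commands(SAMPLE_EVENTS):
        print(f"ALERT {kws}: {cmdline}")
```

Matching on substrings of the argument tokens, rather than whole words, is deliberate: attackers typically search with wildcards (`*password*`, `*.kdbx`), so the keyword rarely appears as a standalone token.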

==================================================

CREATED: WIN-MICROSOFT-ODD-BINARY-EXT (#1311)

Description

Identifies files that carry the name of a legitimate Windows binary under an odd file extension, a common masquerading technique.

ATT&CK Technique T1036
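As an added illustration (not the rule's own logic or the vendor's code), the Python below checks a file path against a small set of well-known Windows binary names and flags it when the extension is not the expected one. The binary list, the expected-extension set and the sample files are assumptions for the example. When the file's first bytes are available, the example additionally requires a PE (`MZ`) header, which is what keeps legitimate companions such as `explorer.exe.config` from firing.

```python
import ntpath

# Assumed for this example: a few well-known Windows binary names and the
# extension they legitimately ship with. The rule's real lists are not
# published on this page.
KNOWN_BINARIES = {"svchost", "lsass", "cmd", "powershell", "rundll32",
                  "explorer", "services", "winlogon", "csrss"}
EXPECTED_EXTENSIONS = {"exe"}
PE_MAGIC = b"MZ"   # every Windows PE image starts with the DOS stub signature


def odd_binary_extension(path, head=None):
    """True if 'path' carries a legitimate Windows binary name under an unexpected
    extension (e.g. svchost.txt, cmd.exe.jpg, or no extension at all).  If the
    file's first bytes are supplied, additionally require a PE header so that
    plain text or XML files with a matching stem are not flagged."""
    parts = ntpath.basename(path).lower().split(".")
    stem = parts[0]
    ext = parts[-1] if len(parts) > 1 else ""
    if stem not in KNOWN_BINARIES or ext in EXPECTED_EXTENSIONS:
        return False
    if head is not None and not head.startswith(PE_MAGIC):
        return False
    return True


# Constructed file observations (path plus first bytes), not real telemetry.
SAMPLE_FILES = [
    (r"C:\Windows\System32\svchost.exe", b"MZ\x90\x00\x03\x00"),  # legitimate
    (r"C:\Users\Public\svchost.txt",     b"MZ\x90\x00\x03\x00"),  # PE hiding as text
    (r"C:\Temp\cmd.exe.jpg",             b"MZ\x90\x00\x03\x00"),  # double extension
    (r"C:\Users\Public\lsass.log",       b"2024-01-01 log ent"),  # really a text file
    (r"C:\Windows\explorer.exe.config",  b"<?xml version=\"1"),   # legitimate .NET config
    (r"C:\Temp\readme.txt",              b"MZ\x90\x00\x03\x00"),  # PE, but not a Windows binary name
]


def scan_files(files):
    """Return the paths the rule would flag."""
    return [path for path, head in files if odd_binary_extension(path, head)]


if __name__ == "__main__":
    for path in scan_files(SAMPLE_FILES):
        print("ALERT masquerading binary:", path)
```

The last sample is the important caveat: a PE under a harmless extension is only interesting when its name impersonates a Windows binary; a renamed PE with an unrelated name is a different (and much noisier) detection.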

==================================================

CREATED: WIN-WMIC-HACKTOOL-CREDTHEFT-EXEC (#1310)

Description

Identifies WMIC loading DLLs associated with credential theft. This is typically accompanied by cross-process access to the memory of lsass.exe, or by injection into another process that is then used as a pivot.

ATT&CK Technique T1003
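An added example of the correlation this description implies, written here in Python over constructed Sysmon-style events; it is not the rule's own logic or the vendor's code. The DLL indicator set, the event layout (Sysmon event 7 image load, 10 process access, 8 remote thread) and the sample process IDs are assumptions for the example. A WMIC process that loads one of the DLLs produces an alert; the alert is escalated when the same process also reads lsass.exe memory or creates a thread in another process.

```python
import ntpath
from collections import defaultdict

# Assumed indicator set for this example: DLLs that credential-dumping tooling
# commonly loads. The rule's actual list is not published on this page.
CREDTHEFT_DLLS = {"samlib.dll", "vaultcli.dll", "cryptdll.dll",
                  "winscard.dll", "wlanapi.dll", "hid.dll"}
PROCESS_VM_READ = 0x0010   # access right needed to read another process's memory

# Constructed Sysmon-style events, not real telemetry.
# type 7 = image load, 10 = process access, 8 = remote thread created.
WMIC = r"C:\Windows\System32\wbem\WMIC.exe"
SAMPLE_EVENTS = [
    {"type": 7,  "pid": 4412, "image": WMIC, "loaded": r"C:\Windows\System32\samlib.dll"},
    {"type": 7,  "pid": 4412, "image": WMIC, "loaded": r"C:\Windows\System32\vaultcli.dll"},
    {"type": 10, "pid": 4412, "image": WMIC, "target": r"C:\Windows\System32\lsass.exe",
     "access": 0x1010},                                            # VM_READ | QUERY_LIMITED_INFORMATION
    {"type": 7,  "pid": 5150, "image": WMIC, "loaded": r"C:\Windows\System32\cryptdll.dll"},
    {"type": 8,  "pid": 5150, "image": WMIC, "target": r"C:\Windows\explorer.exe"},
    {"type": 7,  "pid": 9001, "image": WMIC, "loaded": r"C:\Windows\System32\wbem\wbemcomn.dll"},  # normal WMIC work
    {"type": 7,  "pid": 777,  "image": r"C:\Program Files\Vendor\agent.exe",
     "loaded": r"C:\Windows\System32\samlib.dll"},                 # not WMIC, out of scope here
]


def correlate_wmic_credtheft(events):
    """Return one alert per WMIC process that loaded a credential-theft DLL, enriched
    with whether it also read lsass.exe memory or created a thread in another process."""
    loads = defaultdict(set)     # pid -> credential-theft DLLs loaded
    lsass_read = set()           # pids that opened lsass.exe with VM_READ
    pivots = defaultdict(set)    # pid -> processes it created a remote thread in
    for e in events:
        if ntpath.basename(e["image"]).lower() != "wmic.exe":
            continue
        pid = e["pid"]
        if e["type"] == 7:
            dll = ntpath.basename(e["loaded"]).lower()
            if dll in CREDTHEFT_DLLS:
                loads[pid].add(dll)
        elif e["type"] == 10:
            target = ntpath.basename(e["target"]).lower()
            if target == "lsass.exe" and e["access"] & PROCESS_VM_READ:
                lsass_read.add(pid)
        elif e["type"] == 8:
            pivots[pid].add(ntpath.basename(e["target"]).lower())

    alerts = []
    for pid in sorted(loads):
        targets = sorted(pivots.get(pid, ()))
        escalated = pid in lsass_read or bool(targets)
        alerts.append({
            "pid": pid,
            "dlls": sorted(loads[pid]),
            "lsass_memory_read": pid in lsass_read,
            "injection_targets": targets,
            "severity": "high" if escalated else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_wmic_credtheft(SAMPLE_EVENTS):
        print("ALERT", alert)
```

Keying everything on the process ID is what lets the DLL load and the later lsass.exe access be tied to the same WMIC instance; in production telemetry the process GUID is the safer join key, since PIDs are reused.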
