==================================================
CREATED: WIN-CMD-DIR-SUSP-KEYWORDS (#1313)
Description
Identifies suspicious keywords being used by the cmd subcommand dir. This activity is typically seen during post-exploitation to gather credentials and sensitive data.
ATT&CK Technique T1083
==================================================
CREATED: WIN-MICROSOFT-ODD-BINARY-EXT (#1311)
Description
Identifies odd file extensions for files masquerading as legitimate Windows binaries.
ATT&CK Technique T1036
==================================================
CREATED: WIN-WMIC-HACKTOOL-CREDTHEFT-EXEC (#1310)
Description
Identifies WMIC loading DLLs associated with credential theft. Additionally, there is likely a cross-process access to the memory of lsass.exe or injection into another process as a pivot.
ATT&CK Technique T1003