==================================================

CREATED: WIN-WINWORD-SPAWNING-CERTUTIL

Description

Identifies instances of certutil being used to decode embedded payloads within Office documents and write them to disk.

References

ATT&CK Technique T1059

==================================================

CREATED: WIN-EXCEL-SPAWNING-CERTUTIL

Description

Identifies instances of certutil being used to decode embedded payloads within Office documents and write them to disk.

References

ATT&CK Technique T1059

==================================================

CREATED: WIN-POWERPNT-SPAWNING-CERTUTIL

Description

Identifies instances of certutil being used to decode embedded payloads within Office documents and write them to disk.

References

ATT&CK Technique T1059

==================================================

CREATED: WIN-MSPUB-SPAWNING-CERTUTIL

Description

Identifies instances of certutil being used to decode embedded payloads within Office documents and write them to disk.

References

ATT&CK Technique T1059

==================================================

CREATED: WIN-VISIO-SPAWNING-CERTUTIL

Description

Identifies instances of certutil being used to decode embedded payloads within Office documents and write them to disk.

References

https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities

ATT&CK Technique T1059

==================================================

CREATED: WIN-WINWORD-SPAWNING-MSHTA

Description

Identifies instances of mshta.exe spawning from MS Word. This utility is commonly used to download additional payloads or to spawn instances of cmd/powershell.

==================================================

CREATED: WIN-EXCEL-SPAWNING-MSHTA

Description

Identifies instances of mshta.exe spawning as a child process of MS Excel.
This behavior is commonly observed during exploitation of Office applications or execution of macros in malicious documents.
In addition, this behavior has been observed in association with banking trojan malware.

==================================================

CREATED: WIN-POWERPOINT-SPAWNING-MSHTA

Description

Identifies instances of mshta.exe spawning as a child process of MS Powerpoint.
This behavior is commonly observed during exploitation of Office applications or execution of macros in malicious documents.
In addition, this behavior has been observed in association with banking trojan malware.

==================================================

CREATED: WIN-VISIO-SPAWNING-MSHTA

Description

Identifies instances of mshta.exe spawning as a child process of MS Visio.
This behavior is commonly observed during execution of macros from malicious documents. False positives may include Office extensions.

==================================================

CREATED: WIN-MSPUBLISHER-SPAWNING-MSHTA

Description

Identifies instances of svchost.exe spawning as a child process of MS Publisher.
This behavior is commonly observed during exploitation of Office applications or execution of macros in malicious documents.
In addition, this behavior has been observed in association with banking trojan malware.

==================================================

CREATED: WIN-POSSIBLE-ROKRAT

Description

Identifies behavior that is commonly seen in malicious documents to deliver Rokrat.

References

ATT&CK Technique T1064

==================================================

CREATED: WIN-SCHTASK-CREATE-MSHTA

Description

Identifies the creation of Windows scheduled tasks whose command line references mshta.exe. This could be used to establish a persistence mechanism or to delay malware execution.

References

ATT&CK Technique T1170 and T1053

==================================================

CREATED: WIN-SVCHOST-SPAWNING-MSHTA

Description

Identifies the Windows Service Host process svchost.exe spawning suspect child processes, specifically mshta.exe.

ATT&CK Technique T1170

==================================================

CREATED: WIN-SVCHOST-SPAWNING-SCRIPT

Description

Identifies the Windows Service Host process svchost.exe spawning suspect child processes, specifically wscript.exe and cscript.exe.

ATT&CK Technique T1064

==================================================

CREATED: WIN-SVCHOST-SPAWNING-POWERSHELL

Description

Identifies the Windows Service Host process svchost.exe spawning suspect child processes, specifically powershell.exe.

ATT&CK Technique T1086

==================================================

CREATED: WIN-SVCHOST-SPAWNING-CMD

Description

Identifies the Windows Service Host process svchost.exe spawning suspect child processes, specifically cmd.exe.

ATT&CK Technique T1059

==================================================

CREATED: WIN-POSSIBLE-MIMIKATZ-CLI

Description

Identifies instances of Mimikatz that may not trigger threat intel hits or other detectors. The intent is to look for command line elements common to Mimikatz execution.

References

ATT&CK Technique T1003

==================================================

CREATED: OSX-LAUNCHCTL-KERBEROSDUMP

Description

Identifies the dumping of Kerberos tickets from OSX systems via the kerberosdump script in the Empire Project.

References

https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py

ATT&CK Technique T1003

==================================================

CREATED: WIN-MSXSL-SCRIPT-EXECUTION

Description

Identifies malicious use of MSXSL.EXE to execute scripts either locally or remotely.

References

https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/

ATT&CK Technique T1127

==================================================

CREATED: WIN-EXECUTION-FROM-FONTS-FOLDER

Description

Identifies execution of binaries from C:\Windows\Fonts on Windows systems.

References

ATT&CK Technique T1036

==================================================

CREATED: WIN-EXECUTION-FROM-SHARE

Description

Identifies execution of binaries from single-letter shares on Windows systems.

ATT&CK Technique T1077

==================================================

CREATED: WIN-EXECUTION-FROM-PRINT-SHARE

Description

Identifies execution of binaries from print$ on Windows systems.

ATT&CK Technique T1077

==================================================

CREATED: WIN-KMS-BYPASS

Description

Identifies Microsoft Windows and/or Office KMS (Key Management System) bypass techniques used by utilities such as AutoPico and KMSPico to circumvent activation of Microsoft Windows or Office.

References

ATT&CK Technique T1112 and T1040
