==================================================

CREATED: WIN-SCHEDULED-SCRIPT-EXECUTION-USERS (#1201)

Description

Identifies scheduled execution of scripts via the Windows scripting engines wscript.exe or cscript.exe when the path contains Users.

ATT&CK Technique T1053

==================================================

CREATED: WIN-PROCDUMP-LSASS (#1200)

Description

Identifies instances of Sysinternals ProcDump being used to dump the memory of the Windows Local Security Authority Subsystem lsass.exe. This action may be used with Mimikatz or other credential theft tools to acquire account hashes.

References

ATT&CK Technique T1003
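
As an added illustration (not the vendor's rule logic, which this page does not show), the following Python evaluates both rules above against constructed process-creation events. The event field names, the Task Scheduler parent-process heuristic and the command-line matching are assumptions.

```python
import ntpath

# Rule names come from the page; the matching logic is an assumption.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PROCDUMP_NAMES = {"procdump.exe", "procdump64.exe"}

def _base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def from_task_scheduler(event):
    """Assumed heuristic: parent is taskeng.exe or the Schedule service host."""
    parent = _base(event.get("parent_image"))
    parent_cmd = (event.get("parent_command_line") or "").lower()
    return parent == "taskeng.exe" or (
        parent == "svchost.exe" and "schedule" in parent_cmd)

def match_rules(event):
    """Return the names of the rules a process-creation event matches."""
    image = _base(event.get("image"))
    cmd = (event.get("command_line") or "").lower()
    hits = []
    if image in SCRIPT_HOSTS and "\\users\\" in cmd and from_task_scheduler(event):
        hits.append("WIN-SCHEDULED-SCRIPT-EXECUTION-USERS")
    # Matches lsass by name only; a target given as a PID needs PID enrichment.
    if image in PROCDUMP_NAMES and "lsass" in cmd:
        hits.append("WIN-PROCDUMP-LSASS")
    return hits

def ev(image, cmd, parent, parent_cmd=""):
    """Build one constructed process-creation event (hypothetical schema)."""
    return {"image": image, "command_line": cmd,
            "parent_image": parent, "parent_command_line": parent_cmd}

SCHED = (r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p -s Schedule")
SHELL = (r"C:\Windows\explorer.exe", "explorer.exe")

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ev(r"C:\Windows\System32\wscript.exe",
       r'wscript.exe "C:\Users\alice\AppData\Roaming\update.vbs"', *SCHED),
    ev(r"C:\Windows\System32\cscript.exe",
       r"cscript.exe C:\Windows\System32\slmgr.vbs /dli", *SCHED),
    ev(r"C:\Windows\System32\wscript.exe",
       r'wscript.exe "C:\Users\alice\Desktop\report.vbs"', *SHELL),
    ev(r"C:\Tools\procdump64.exe", r"procdump64.exe -ma lsass.exe out.dmp", *SHELL),
    ev(r"C:\Tools\procdump.exe", r"procdump.exe -ma notepad.exe out.dmp", *SHELL),
]
```

Only the first and fourth sample events match; the others show the non-Users path, the non-scheduled parent and the non-lsass target that the rule descriptions exclude.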
