==================================================

CREATED: WIN-ONENOTE-SPAWNING-POWERSHELL (#1255)

Description

Identifies execution of PowerShell binaries spawning from MS OneNote.

ATT&CK Technique RC-13377 & T1086

==================================================

CREATED: WIN-OUTLOOK-SPAWNING-POWERSHELL (#1254)

Description

Identifies execution of PowerShell binaries spawning from MS Outlook.

ATT&CK Technique RC-13377 & T1086

==================================================

CREATED: WIN-MSACCESS-SPAWNING-POWERSHELL (#1253)

Description

Identifies execution of PowerShell binaries spawning from MS Access.

ATT&CK Technique RC-13377 & T1086

==================================================

CREATED: WIN-WORDPAD-SPAWNING-POWERSHELL (#1252)

Description

Identifies execution of PowerShell binaries spawning from MS WordPad.

ATT&CK Technique RC-13377 & T1086

==================================================

CREATED: WIN-VISIO-SPAWNING-POWERSHELL (#1251)

Description

Identifies execution of PowerShell binaries spawning from MS Visio.

ATT&CK Technique RC-13377 & T1086

==================================================

CREATED: WIN-MSPUBLISHER-SPAWNING-POWERSHELL (#1250)

Description

Identifies execution of PowerShell binaries spawning from MS Publisher.

ATT&CK Technique RC-13377 & T1086

==================================================

CREATED: WIN-EXCEL-SPAWN-POWERSHELL (#1247)

Description

Identifies execution of PowerShell binaries spawning from MS Excel.

ATT&CK Technique RC-13377 & T1086

==================================================

CREATED: WIN-WORD-SPAWN-POWERSHELL (#1248)

Description

Identifies execution of PowerShell binaries spawning from MS Word.

ATT&CK Technique RC-13377 & T1086

==================================================

CREATED: WIN-POWERPOINT-SPAWN-POWERSHELL (#1249)

Description

Identifies execution of PowerShell binaries spawning from MS Word.

ATT&CK Technique RC-13377 & T1086

==================================================

CREATED: WIN-POWERSHELL-EXTERNAL-NETCONN-PASTESITES (#1243)

Description

Identifies instances of Windows PowerShell establishing network connections to specific "paste sites", such as Pastebin.

ATT&CK Technique T1086

==================================================

CREATED: WIN-POWERSHELL-EXTERNAL-NETCONN-CONTENTSITES (#1245)

Description

Identifies instances of Windows PowerShell establishing network connections to specific content hosting sites.

ATT&CK Technique T1086

==================================================

CREATED: WIN-POWERSHELL-EXTERNAL-NETCONN-SHORTENERS (#1246)

Description

Identifies instances of Windows PowerShell establishing network connections to specific "URL shortener sites".

ATT&CK Technique T1086

==================================================

CREATED: WIN-SCRIPT-STARTUP-FOLDER-FILEMOD (#1244)

Description

Identifies wscript, cscript, or mshta writing to \start menu\programs\startup. This technique is commonly used to establish persistence on Windows start.

ATT&CK Technique T1060
