==================================================

CREATED: WIN-GUEST-ACCT-ENABLE (#1260)

Description

Identifies processes that enable the Windows default Guest account. This account is off by default and allows anonymous interactive access.

ATT&CK Technique T1078

==================================================

CREATED: WIN-GUEST-LOCAL-ADMIN (#1261)

Description

Identifies processes that add the Windows default Guest account to the local administrators group. This account is off by default and allows anonymous interactive access.

ATT&CK Technique T1078

==================================================

CREATED: WIN-UNTRUSTED-ROAMING-SPAWNING-EXPLORER (#1227)

Description

Identifies unknown, unsigned, or untrusted binaries spawning Windows Explorer where the file path contains "roaming".

==================================================

CREATED: WIN-UNTRUSTED-DEVICE-SPAWNING-EXPLORER (#1228)

Description

Identifies unsigned, unknown or untrusted binaries spawning Windows Explorer from removable media or secondary drives.

==================================================

CREATED: WIN-POWERSHELL-OBF-CHAR (#1240)

Description

Identifies PowerShell executions whose obfuscated command lines contain multiple uses of char.

References

https://github.com/danielbohannon/Invoke-Obfuscation

ATT&CK Technique T1059
