==================================================

CREATED: WIN-SCRIPT-HACKTOOL-CREDTHEFT-EXEC (#1229)

Description

Identifies MS Script Hosts loading DLLs associated with credential theft. This activity is likely accompanied by cross-process access to the memory of lsass.exe or by injection into another process as a pivot.

ATT&CK Technique T1003

==================================================

CREATED: WIN-INSTALLUTIL-HACKTOOL-CREDTHEFT-EXEC (#1230)

Description

Identifies InstallUtil loading DLLs associated with credential theft. This activity is likely accompanied by cross-process access to the memory of lsass.exe or by injection into another process as a pivot.

ATT&CK Technique T1003

==================================================

CREATED: WIN-MSBUILD-HACKTOOL-CREDTHEFT-EXEC (#1231)

Description

Identifies MSBuild loading DLLs associated with credential theft. This activity is likely accompanied by cross-process access to the memory of lsass.exe or by injection into another process as a pivot.

ATT&CK Technique T1003

==================================================

CREATED: WIN-UNTRUSTED-HACKTOOL-CREDTHEFT-EXEC (#1233)

Description

Identifies untrusted binaries loading DLLs associated with credential theft. This activity is likely accompanied by cross-process access to the memory of lsass.exe or by injection into another process as a pivot.

ATT&CK Technique T1003
