==================================================

CREATED: WIN-POWERSHELL-DUMP-LSASS (#1269)

Description

Identifies the use of PowerShell code to dump the memory space of lsass.exe to a file for later analysis.

References

ATT&CK Technique T1003

==================================================

CREATED: WIN-JAVA-POSSIBLE-WEBSHELL (#1265)

Description

This detector identifies instances of java.exe writing an archive .war file to disk and spawning a child process. The intent is to identify potential webshells executing on Java-based web application servers such as JBoss or WebLogic.

References

ATT&CK Technique T1100
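The two conditions this detector correlates (a java.exe process writing a .war archive, then the same process spawning a child) as an added illustration in Python; this is not the product's own logic, and the event shape, the correlation window and the sample events are all constructed for the example.

```python
"""Correlate 'java.exe wrote a .war' with 'java.exe spawned a child'.
Event dicts are a constructed, Sysmon-like shape (assumption, not a real
schema): file_write carries pid/image/path, process_create carries
parent_pid/parent_image/image."""
from collections import defaultdict

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ts": 10, "type": "file_write", "pid": 4120, "image": r"C:\jdk\bin\java.exe",
     "path": r"C:\jboss\standalone\deployments\app.war"},
    {"ts": 11, "type": "process_create", "parent_pid": 4120,
     "parent_image": r"C:\jdk\bin\java.exe", "image": r"C:\Windows\System32\cmd.exe"},
    # Deployment marker file, not an archive: must not count as a .war write.
    {"ts": 20, "type": "file_write", "pid": 5000, "image": r"C:\jdk\bin\java.exe",
     "path": r"C:\jboss\standalone\deployments\app.war.deployed"},
    {"ts": 21, "type": "process_create", "parent_pid": 5000,
     "parent_image": r"C:\jdk\bin\java.exe", "image": r"C:\Windows\System32\cmd.exe"},
    # .war written but no child process follows: no alert.
    {"ts": 30, "type": "file_write", "pid": 6000, "image": r"C:\jdk\bin\java.exe",
     "path": r"C:\jboss\standalone\deployments\other.war"},
]


def is_java(image):
    """Match on the image file name only, ignoring the install path."""
    return image.rsplit("\\", 1)[-1].lower() == "java.exe"


def find_webshell_candidates(events, window=300):
    """Return one alert per child process spawned by a java.exe that wrote a
    .war within `window` seconds (constructed value) before the spawn. The
    window bounds the correlation so a reused pid does not pair stale writes
    with a later, unrelated process."""
    war_writes = defaultdict(list)  # pid -> [(ts, path), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (ev["type"] == "file_write" and is_java(ev["image"])
                and ev["path"].lower().endswith(".war")):
            war_writes[ev["pid"]].append((ev["ts"], ev["path"]))
        elif ev["type"] == "process_create" and is_java(ev["parent_image"]):
            recent = [p for t, p in war_writes.get(ev["parent_pid"], [])
                      if 0 <= ev["ts"] - t <= window]
            if recent:
                alerts.append({"ts": ev["ts"], "java_pid": ev["parent_pid"],
                               "war": recent[-1], "child": ev["image"]})
    return alerts


if __name__ == "__main__":
    for alert in find_webshell_candidates(SAMPLE_EVENTS):
        print(alert)
```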

==================================================

CREATED: WIN-NVUDISP-SYSTEM-COMMAND (#1264)

Description

This detector identifies instances of nvudisp.exe, a binary included with certain NVIDIA driver installations, being used to "live off the land" and launch processes in an unexpected manner.

References

ATT&CK Technique T1059
