==================================================

CREATED: WIN-POWERSHELL-EXEC-SUSPECT-FILE (#1436)

Description

This detector identifies PowerShell executing files from suspect locations when the command line includes the hidden parameter. This allows adversaries to run code without exposing it to the user.

ATT&CK Technique T1086

==================================================

CREATED: WIN-PERSISTENCE-MPR-LOGON-SCRIPT (#1431)

Description

This detector identifies registry value writes to the key UserInitMPRLogonScript, a known persistence technique for logon scripts.

ATT&CK Technique T1037

==================================================

CREATED: WIN-CMD-POSSIBLE-DOSFUSCATION-SET (#1425)

Description

This detector identifies instances of the Windows Command Processor (cmd.exe) with command lines that set numerous variables in a single command. Adversaries commonly use this tactic as a method of command obfuscation to evade detection.

ATT&CK Technique T1059
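
The following sketch shows the counting logic a detector like this one could apply to process-creation events. It is an added example, not the vendor's detector code; the event field names, the sample events, and the threshold of 4 are assumptions, since the description only says "numerous".

```python
import ntpath
import re

# Assumption: the page says "numerous" without giving a number; 4 is a placeholder.
SET_THRESHOLD = 4

# A "set" builtin at the start of a command, i.e. after a quote, paren,
# whitespace or a command separator, followed by NAME= (optionally /a or /p).
_SET_ASSIGN = re.compile(
    r'(?:^|[\s&|("])set\s+(?:/[ap]\s+)?"?[^\s=&|"]+=', re.IGNORECASE
)

def count_set_assignments(command_line):
    # cmd.exe treats ^ as an escape character, so "s^et" still runs "set".
    # Dropping every caret is an approximation that is good enough for counting.
    return len(_SET_ASSIGN.findall(command_line.replace("^", "")))

def detect(events, threshold=SET_THRESHOLD):
    """Return (event id, set count) for cmd.exe events at or above the threshold."""
    hits = []
    for event in events:
        # ntpath parses Windows paths regardless of the OS running this script.
        if ntpath.basename(event["image"]).lower() != "cmd.exe":
            continue
        n = count_set_assignments(event["command_line"])
        if n >= threshold:
            hits.append((event["id"], n))
    return hits

# Constructed sample events (hypothetical field names, harmless payloads).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'cmd.exe /c "set a=ec&&set b=ho&&set c= he&&set d=llo&&call %a%%b%%c%%d%"'},
    {"id": 2, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c set PATH=C:\tools;%PATH% && build.bat"},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -c "set a=1;set b=2;set c=3;set d=4"'},
    {"id": 4, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c s^et a=1&s^et b=2&se^t c=3&set d=4&set e=5"},
]

if __name__ == "__main__":
    for event_id, n in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {n} set assignments in one cmd.exe command line")
```

Event 2 is the kind of single-assignment build command the threshold is meant to leave alone; tune the number against your own baseline of legitimate batch usage.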
