==================================================

CREATED: OSX-REMOVE-QUARANTINE-ATTRIBUTES (#1413)

Description

This detector identifies the use of xattr to remove the quarantine extended attribute from files. macOS applies the quarantine extended attribute to files obtained from external sources such as the internet. Malware that strips this attribute evades the Gatekeeper prompt that would otherwise alert the user before the file is opened.

ATT&CK Technique T1044

==================================================

CREATED: WIN-APPCMD-DISABLE-LOGGING (#1423)

Description

This detector identifies instances of the Windows IIS command line configuration tool (appcmd.exe) disabling HTTP logging. This technique is observed as part of defense evasion, since it deprives defenders of web server request logs.

ATT&CK Technique T1089

==================================================

CREATED: WIN-ADEXPLORER-SNAPSHOT (#1435)

Description

This detector identifies Sysinternals ADExplorer creating a snapshot of Active Directory. Because a snapshot can be analyzed offline, this technique is a precursor to offline credential theft attacks.

ATT&CK Technique T1003
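To make the three detector descriptions above concrete, here is an added example (not the vendor's detector logic) that expresses each as a process-creation rule and runs it over constructed telemetry. The event fields, the command-line patterns and the sample events are assumptions; a real sensor would supply its own schema.

```python
"""Toy detection rules for the three detectors announced above, run over
constructed process-creation events. Added example, not the vendor's detector
logic; the event fields and sample command lines are assumptions."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str    # basename of the process image, as a sensor would log it
    cmdline: str  # full command line as logged

# (detector, ATT&CK id as stated on the page, image pattern, command-line pattern)
RULES = [
    # xattr deleting (-d, -rd) or clearing (-c, -rc) the quarantine attribute
    ("OSX-REMOVE-QUARANTINE-ATTRIBUTES", "T1044", re.compile(r"^xattr$"),
     re.compile(r"(?:^|\s)-r?(?:d\s+com\.apple\.quarantine\b|c\b)")),
    # appcmd turning off IIS HTTP logging via the httpLogging section
    ("WIN-APPCMD-DISABLE-LOGGING", "T1089", re.compile(r"^appcmd\.exe$", re.I),
     re.compile(r"set\s+config.*httpLogging.*/dontLog:\s*true", re.I)),
    # ADExplorer writing an offline snapshot of the directory
    ("WIN-ADEXPLORER-SNAPSHOT", "T1003", re.compile(r"^adexplorer(?:64)?\.exe$", re.I),
     re.compile(r"(?:^|\s)-snapshot\b", re.I)),
]

def evaluate(events):
    """Return (host, detector, attack_id) for every event matching a rule."""
    hits = []
    for ev in events:
        for name, tid, img_re, cmd_re in RULES:
            if img_re.search(ev.image) and cmd_re.search(ev.cmdline):
                hits.append((ev.host, name, tid))
    return hits

# Constructed sample telemetry: three true positives and three benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent("mac-01", "xattr", "xattr -d com.apple.quarantine ./Installer.app"),
    ProcessEvent("mac-02", "xattr", "xattr -l ./Installer.app"),                # listing only
    ProcessEvent("web-01", "appcmd.exe",
                 "appcmd.exe set config /section:httpLogging /dontLog:true"),
    ProcessEvent("web-02", "appcmd.exe", "appcmd.exe list site"),                # inventory
    ProcessEvent("ws-07", "ADExplorer.exe", 'ADExplorer.exe -snapshot "" C:\\Temp\\ad.dat'),
    ProcessEvent("ws-08", "ADExplorer.exe", "ADExplorer.exe"),                  # interactive use
]

if __name__ == "__main__":
    for host, name, tid in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {name} ({tid})")
```

The benign look-alikes show why each rule keys on the specific action (attribute removal, the dontLog setting, the snapshot switch) rather than on the tool name alone.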
