==================================================

CREATED: WIN-SPOOLSV-SPAWNING-POWERSHELL (#1405)

Description

This detector identifies abuse of the Windows Print Spooler ('spoolsv.exe') to escalate privileges, surfaced as PowerShell ('powershell.exe') being spawned as a child of the spoolsv.exe process. Under normal operation the spooler does not launch command interpreters, so this parent-child relationship is a high-signal indicator.

ATT&CK Technique T1053

==================================================

CREATED: WIN-SPOOLSV-SPAWNING-MSHTA (#1407)

Description

This detector identifies abuse of the Windows Print Spooler ('spoolsv.exe') to escalate privileges, surfaced as the Microsoft HTML Application Host ('mshta.exe') being spawned as a child of the spoolsv.exe process. As with PowerShell, the spooler has no legitimate reason to launch mshta.exe.

ATT&CK Technique T1053
ATT&CK Technique T1170

==================================================

CREATED: WIN-POWERSHELL-MOD-DRIVERSTORE (#1408)

Description

This detector identifies the use of PowerShell to modify Windows system libraries (DLLs) within the driver store. This behavior has been observed during the execution of ALPC privilege-escalation exploits, which write to a DLL in the driver store that a higher-privileged process later loads.

ATT&CK Technique T1086

==================================================

CREATED: NIX-PKILL-MINER-PREP (#1409)

Description

This detector identifies use of pkill to terminate common cryptominer processes. Cryptominer shell scripts routinely do this before launching their own miner, so that no competing miner is consuming the host's CPU.

ATT&CK Technique T1059

==================================================

CREATED: ANY-LOPHTCRACK-AGENT (#1411)

Description

This detector identifies the L0phtCrack Agent by its code-signing signature. L0phtCrack is commonly used for password audits and, by adversaries, for credential theft.

ATT&CK Technique T1003

==================================================

CREATED: WIN-TASKENG-MALWARE-SVCHOST (#1412)

Description

This detector identifies an execution chain associated with malware, in which the Task Scheduler Engine (taskeng.exe) launches a malicious binary, which in turn executes the Service Host process (svchost.exe). svchost.exe is normally started by services.exe, so an svchost.exe whose parent is an arbitrary scheduled binary is suspicious.

ATT&CK Technique T1053
