==================================================

CREATED: WIN-EQUATION-EDITOR-NETCONN (#1428)

Description

This detector identifies instances of the Microsoft Office Equation Editor (eqnedt32.exe) establishing external network connections. This behavior occurs during exploitation of Microsoft Office to deliver malware.

ATT&CK Technique T1203

==================================================

CREATED: WIN-RUNDLL32-METERPRETER-PRIVESC (#1427)

Description

This detector identifies instances of the Windows DLL Host (rundll32.exe) executing with command line options indicating privilege escalation from a Metasploit Meterpreter shell.

ATT&CK Technique T1050

==================================================

CREATED: WIN-SYSKEY-SAMFILE-LOCKOUT (#1424)

Description

This detector identifies instances of the Windows System Key Protection utility (syskey.exe) setting a password that locks the local system's SAM file. This technique is observed during technical support scams and ransom attempts.

ATT&CK Technique T1204
