CREATED: OSX-REMOVE-QUARANTINE-ATTRIBUTES (#1413)
This detector identifies the use of xattr to remove the quarantine extended attribute from files. The quarantine extended attribute is applied to files that arrive from external sources such as the internet. By removing this attribute, malware avoids the Gatekeeper prompt that would otherwise alert the user.
ATT&CK Technique T1044
CREATED: WIN-APPCMD-DISABLE-LOGGING (#1423)
This detector identifies instances of the Windows IIS command line configuration tool (appcmd.exe) disabling HTTP logging. This behaviour is observed as part of defense evasion.
ATT&CK Technique T1089
CREATED: WIN-ADEXPLORER-SNAPSHOT (#1435)
This detector identifies Sysinternals ADExplorer creating a snapshot of Active Directory. This technique is a precursor to offline credential theft attacks.
ATT&CK Technique T1003
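As an added illustration, not code from the detector set or the project behind this changelog, the following Python applies the three detection conditions described above to process-creation events. The events are constructed samples, and the xattr, appcmd and ADExplorer command-line syntax is assumed from the tools' public usage rather than taken from the page.

```python
import shlex

# Detector name -> ATT&CK technique exactly as listed in the changelog above.
TECHNIQUES = {
    "OSX-REMOVE-QUARANTINE-ATTRIBUTES": "T1044",
    "WIN-APPCMD-DISABLE-LOGGING": "T1089",
    "WIN-ADEXPLORER-SNAPSHOT": "T1003",
}

# Constructed process-creation events for illustration (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "mac-01", "image": "/usr/bin/xattr",
     "cmdline": "xattr -r -d com.apple.quarantine /Users/alice/Downloads/tool.app"},
    {"host": "mac-01", "image": "/usr/bin/xattr",
     "cmdline": "xattr -l /Users/alice/Downloads/report.pdf"},
    {"host": "iis-01", "image": r"C:\Windows\System32\inetsrv\appcmd.exe",
     "cmdline": r'appcmd.exe set config "Default Web Site" /section:httpLogging /dontLog:true'},
    {"host": "iis-01", "image": r"C:\Windows\System32\inetsrv\appcmd.exe",
     "cmdline": "appcmd.exe list site"},
    {"host": "ws-07", "image": r"C:\Tools\ADExplorer.exe",
     "cmdline": r'ADExplorer.exe -snapshot "" C:\Users\bob\ad.dat'},
]

def classify(event):
    """Return the detector name that fires for one process event, or None."""
    image = event["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    windows = image.endswith(".exe")
    try:  # Windows command lines keep backslashes, so only use POSIX escaping for macOS.
        argv = shlex.split(event["cmdline"], posix=not windows)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        argv = event["cmdline"].split()
    args = [a.strip('"').lower() for a in argv[1:]]

    if image == "xattr":
        # Expand combined short flags (-rd) so -d and -c are both seen: -d drops the
        # named attribute, -c clears every attribute, and either strips the quarantine mark.
        letters = set("".join(a[1:] for a in args if a.startswith("-") and not a.startswith("--")))
        if "c" in letters or ("d" in letters and "com.apple.quarantine" in args):
            return "OSX-REMOVE-QUARANTINE-ATTRIBUTES"
    elif image == "appcmd.exe":
        if {"set", "config", "/section:httplogging", "/dontlog:true"} <= set(args):
            return "WIN-APPCMD-DISABLE-LOGGING"
    elif image == "adexplorer.exe":
        if "-snapshot" in args:
            return "WIN-ADEXPLORER-SNAPSHOT"
    return None

def scan(events):
    """Run every detector over a list of events; returns (host, detector, technique) hits."""
    hits = []
    for ev in events:
        name = classify(ev)
        if name:
            hits.append((ev["host"], name, TECHNIQUES[name]))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit)
```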