==================================================

CREATED: WIN-MSBUILD-RENAMED (#1972)

Description

This detector identifies renamed instances of the Microsoft Build utility (msbuild.exe). This technique is used by adversaries to compile and execute arbitrary code while evading defenses.

ATT&CK Technique T1127
ATT&CK Technique T1036
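
One way to express this kind of check, as an added example that is not the detector's actual logic: compare the on-disk image name of each process-creation event with the original file name embedded in the binary's version resource. It assumes Sysmon Event ID 1 style records with Image and OriginalFileName fields, and assumes that resource reads "MSBuild.exe"; the sample events are constructed.

```python
import ntpath

# Assumption: the OriginalFilename version resource of the genuine binary.
MSBUILD_NAME = "msbuild.exe"
TECHNIQUES = ["T1127", "T1036"]  # taken from the detector description above

# Constructed events shaped like Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    {"EventID": 1, "OriginalFileName": "MSBuild.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe build.proj"},
    {"EventID": 1, "OriginalFileName": "MSBuild.exe",   # renamed copy
     "Image": r"C:\Users\Public\notes.exe",
     "CommandLine": "notes.exe project.xml"},
    {"EventID": 1, "OriginalFileName": "msbuild.exe",   # differs in case only
     "Image": r"C:\BuildTools\MSBUILD.EXE",
     "CommandLine": "MSBUILD.EXE /t:Rebuild"},
    {"EventID": 1, "OriginalFileName": "Cmd.Exe",       # unrelated process
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 1, "OriginalFileName": "-",             # no version metadata
     "Image": r"C:\Tools\helper.exe", "CommandLine": "helper.exe"},
    {"EventID": 3, "Image": r"C:\Users\Public\notes.exe"},  # not process creation
]


def is_renamed_msbuild(event):
    """True when the binary identifies itself as MSBuild but runs under another name."""
    if event.get("EventID") != 1:
        return False
    original = (event.get("OriginalFileName") or "").strip().lower()
    if original != MSBUILD_NAME:
        return False  # also covers a missing or "-" field: nothing to compare
    # ntpath parses Windows paths correctly on any host OS.
    image_name = ntpath.basename(event.get("Image") or "").lower()
    return image_name != MSBUILD_NAME


def find_renamed_msbuild(events):
    """Return one alert per matching event, tagged with the page's ATT&CK IDs."""
    return [
        {"image": e["Image"], "command_line": e.get("CommandLine", ""),
         "techniques": TECHNIQUES}
        for e in events if is_renamed_msbuild(e)
    ]


if __name__ == "__main__":
    for alert in find_renamed_msbuild(SAMPLE_EVENTS):
        print(alert)
```

A binary whose version resource has been stripped or altered carries no usable OriginalFileName, so this comparison alone does not cover it.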

==================================================

CREATED: WIN-WMI-EVENTING (#1999)

Description

This detector identifies certain strings found in command lines used to create WMI Event objects. Adversaries use WMI Event objects for persistence in Windows systems.

ATT&CK Technique T1047
ATT&CK Technique T1084
