==================================================

CREATED: WIN-MULT-CLS-EXEC (#2008)

Description

Adversaries chain multiple instances of the cls command together to evade command-line based detection methods.

ATT&CK Technique T1027

==================================================

CREATED: WIN-REGASM-NO-CLI (#2010)

Description

This detector identifies instances of the Windows process regasm.exe executing without command line arguments.

ATT&CK Technique T1121

==================================================

CREATED: WIN-BROWSERS-SPAWN-WMIC (#2015)

Description

This detector identifies instances of web browsers spawning the Windows Management Instrumentation utility (wmic.exe).

ATT&CK Technique T1047

==================================================

CREATED: WIN-REMOTE-EXEC-DBGSRV (#2023)

Description

This detector identifies the execution of the debugging process server dbgsrv.exe. Adversaries may leverage it to execute shellcode in processes on a remote system.

ATT&CK Technique T1127
