==================================================

CREATED: WIN-CIPHER-EXECUTION (#2058)

Description

This detector identifies wscript.exe or irftp.exe executing from a file path other than its expected system location. This activity is commonly observed in search order hijack attacks.

ATT&CK Technique T1038

==================================================

CREATED: LINUX-SHM-DIR-EXECUTION (#2099)

Description

This detector identifies the execution of binaries located in shared memory (SHM) on Linux.

ATT&CK Technique T1074

==================================================

CREATED: WIN-MSHTA-NON-HTA (#2100)

Description

This detector identifies mshta.exe being passed a suspicious argument, that is, a file that is not an .hta file. Adversaries can use other file extensions, such as .lnk files, to execute malicious code.

ATT&CK Technique T1170

==================================================

CREATED: EXECUTION-ROOT-VAR-TMP-DIR (#2102)

Description

This detector identifies the execution of binaries located in the root of the /var/tmp directory.

ATT&CK Technique T1074

==================================================

CREATED: WIN-CMSTP-SILENT-INSTALL (#2106)

Description

This detector identifies the Microsoft Connection Manager Profile Installer (cmstp.exe) silently installing a service profile. Adversaries can weaponize a .inf file to execute arbitrary code and bypass AppLocker.

ATT&CK Technique T1191
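The three Windows detectors above (WIN-CIPHER-EXECUTION, WIN-MSHTA-NON-HTA and WIN-CMSTP-SILENT-INSTALL) reduce to simple checks on process-creation events. The following is an added illustration, not the product's own detector logic; the events are constructed, and the expected directories, the `/s` silent-install switch and the ".hta" argument test are assumptions made for the example.

```python
import ntpath
from typing import Dict, List

# Constructed sample process-creation events (not from any real host).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe logon.vbs"},
    {"image": r"C:\Users\Public\wscript.exe", "cmdline": r"wscript.exe update.vbs"},
    {"image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta.exe C:\Temp\page.hta"},
    {"image": r"C:\Windows\System32\mshta.exe", "cmdline": r"mshta.exe C:\Users\Public\x.lnk"},
    {"image": r"C:\Windows\System32\cmstp.exe", "cmdline": r"cmstp.exe /s C:\Users\Public\p.inf"},
    {"image": r"C:\Windows\System32\cmstp.exe", "cmdline": r"cmstp.exe C:\ProgramData\profile.inf"},
]

# Assumed locations where these system binaries are expected to live.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Binaries the path-based detector watches for search order hijacking.
PATH_HIJACK_BINARIES = {"wscript.exe", "irftp.exe"}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the detectors that fire for one event (empty list if none)."""
    hits: List[str] = []
    image = event["image"].lower()
    name = ntpath.basename(image)
    directory = ntpath.dirname(image)
    args = event["cmdline"].split()[1:]  # drop argv[0]

    # WIN-CIPHER-EXECUTION: watched binary running outside its expected directory.
    if name in PATH_HIJACK_BINARIES and directory not in EXPECTED_DIRS:
        hits.append("WIN-CIPHER-EXECUTION")

    # WIN-MSHTA-NON-HTA: mshta given an argument that is not an .hta file.
    if name == "mshta.exe" and args and not any(a.lower().endswith(".hta") for a in args):
        hits.append("WIN-MSHTA-NON-HTA")

    # WIN-CMSTP-SILENT-INSTALL: cmstp invoked with the silent switch (assumed "/s" or "-s").
    if name == "cmstp.exe" and any(a.lower() in ("/s", "-s") for a in args):
        hits.append("WIN-CMSTP-SILENT-INSTALL")

    return hits


def run(events: List[Dict[str, str]]) -> List[List[str]]:
    """Classify every event and return the per-event detector hits in order."""
    return [classify(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{event['cmdline']!r:45} -> {hits}")
```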
