==================================================

CREATED: WIN-VMNAT-DLL-HIJACK (#2095)

Description

This detector identifies instances of the VMware NAT Service (vmnat.exe) loading suspicious DLLs into memory as a form of search order hijacking.

ATT&CK Technique T1038

==================================================

CREATED: EXECUTION-ROOT-RUN-DIR (#2103)

Description

This detector identifies the execution of binaries located directly in the root of the /var/run and /run folders.

ATT&CK Technique T1074
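As an added illustration of the condition this detector describes (this is not the vendor's detector code), the following Python classifies a process image path as suspicious only when the file sits directly in /run or /var/run, and not in one of their subdirectories, which legitimate services use for sockets and pid files. The sample events are constructed for the example.

```python
"""Detection logic for binaries executed from the root of /run or /var/run.

Added example, not the vendor's detector: it flags image paths whose parent
directory is exactly /run or /var/run, after path normalisation, so that
files in legitimate subdirectories such as /run/systemd are not matched.
"""
import posixpath

# Directories whose top level should not normally contain executables.
RUN_ROOTS = ("/run", "/var/run")


def is_root_run_execution(image_path: str) -> bool:
    """Return True if image_path is a file located directly in /run or /var/run."""
    # Normalise forms like /run//foo or /run/./foo before comparing.
    norm = posixpath.normpath(image_path)
    if not norm.startswith("/"):
        return False  # relative paths cannot be resolved without a working directory
    parent = posixpath.dirname(norm)
    # The directory itself is never an executable image.
    return parent in RUN_ROOTS and norm not in RUN_ROOTS


# Constructed sample process-start events (pid, image path) for illustration.
SAMPLE_EVENTS = [
    {"pid": 4101, "image": "/run/x"},                       # file dropped in /run root
    {"pid": 4102, "image": "/var/run/.cache.sh"},           # hidden file in /var/run root
    {"pid": 4103, "image": "/run/systemd/systemd-udevd"},   # legitimate subdirectory
    {"pid": 4104, "image": "/usr/bin/ls"},                  # unrelated path
    {"pid": 4105, "image": "/run//tmp.bin"},                # double slash, still /run root
]


def find_suspicious(events):
    """Return the pids of events whose image matches the detector condition."""
    return [e["pid"] for e in events if is_root_run_execution(e["image"])]


if __name__ == "__main__":
    for pid in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT EXECUTION-ROOT-RUN-DIR pid={pid}")
```

On most distributions /var/run is a symlink to /run; the check above compares the path as recorded in the event, so both spellings are listed rather than resolved through the filesystem, which keeps the logic usable on collected telemetry without access to the host.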

==================================================

CREATED: WIN-METRO-APPS-PERSISTENCE (#2105)

Description

This detector identifies the modification of the registry debug keys of built-in Windows applications, which can be abused for persistence. Adversaries will add a binary or command as an argument to the debug key as a means of persistence.

ATT&CK Technique T1060

==================================================

CREATED: WIN-WINWORD-SPAWNING-RUNAS (#2110)

Description

This detector identifies instances of Microsoft Word spawning the Windows process runas.exe. Adversaries may utilize this technique to evade process ancestry detection methods.

ATT&CK Technique T1134

==================================================

CREATED: NIX-LINKED-PRELOAD (#2111)

Description

This detector identifies instances of the ln command creating symbolic links for the ld.so.preload file. This technique is abused by adversaries to disguise their code injection.

ATT&CK Technique T1023

==================================================

CREATED: WIN-CMSTP-INF (#2113)

Description

This detector identifies the Microsoft Connection Manager Profile Installer (cmstp.exe) installing a service profile. Adversaries can weaponize a .inf file to execute arbitrary code and bypass AppLocker.

ATT&CK Technique T1191

==================================================

CREATED: WIN-WMIC-ADD-AV-EXCLUSION (#2114)

Description

This detector identifies when the Windows Management Instrumentation command-line utility (wmic.exe) adds exclusions to a local AV product. Malware will utilize this technique to prevent AV solutions from scanning it.

ATT&CK Technique T1089
ATT&CK Technique T1047

==================================================

CREATED: WIN-RUNDLL-ADVPACK-SUSP-MODLOAD (#2123)

Description

This detector identifies suspicious instances of the Windows process rundll32.exe executing with certain command line arguments and loading modules typically observed in application whitelisting bypasses. Adversaries will utilize this technique to retrieve and execute remote payloads.

ATT&CK Technique T1085
ATT&CK Technique T1191

==================================================

CREATED: NIX-PRIVILEGE-ESCALATION-SUDO-U (#2124)

Description

This detector identifies sudo with the following command lines: sudo -u#-1 or sudo -u#4294967295, which indicate the exploitation of CVE-2019-14287.

ATT&CK Technique T1166
ATT&CK Technique T1169
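As an added example of the detection logic described above (not the vendor's detector code), the following Python parses a recorded sudo command line and flags the two target-user spellings the description names. It goes slightly beyond the description by also accepting the equivalent forms sudo supports for the same option (a space after -u, the --user= long form, and shell quoting); treating those as the same signal is an assumption made here. The sample events are constructed for the example.

```python
"""Detection logic for the sudo -u#-1 / -u#4294967295 pattern (CVE-2019-14287).

Added example, not the vendor's detector: it extracts the user given to sudo
via -u/--user from a process command line and checks it against the two
spellings of uid -1 named in the detector description.
"""
import posixpath
import shlex

# The two uid spellings named in the detector description (both mean -1).
SUSPECT_UID_SPECS = {"#-1", "#4294967295"}

# sudo options that take a separate argument and may precede -u (assumed set).
OPTS_WITH_ARG = {"-g", "--group", "-p", "--prompt", "-C", "--close-from",
                 "-r", "--role", "-t", "--type"}


def extract_target_user(cmdline: str):
    """Return the user passed to sudo via -u/--user, or None if absent.

    Returns None when the command line is not a sudo invocation or cannot
    be parsed (for example, an unterminated quote).
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes: unparsable, not a hit
    if not argv or posixpath.basename(argv[0]) != "sudo":
        return None
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok in OPTS_WITH_ARG:
            i += 2  # skip the option and its argument
            continue
        if tok in ("-u", "--user"):
            return argv[i + 1] if i + 1 < len(argv) else None
        if tok.startswith("--user="):
            return tok[len("--user="):]
        if tok.startswith("-u") and not tok.startswith("--"):
            return tok[2:]  # attached form: -u#-1
        if tok == "--" or not tok.startswith("-"):
            break  # sudo's options end at the command to run
        i += 1
    return None


def is_cve_2019_14287_attempt(cmdline: str) -> bool:
    """True when the sudo target user is one of the uid -1 spellings."""
    return extract_target_user(cmdline) in SUSPECT_UID_SPECS


# Constructed sample process-creation events for illustration.
SAMPLE_EVENTS = [
    {"pid": 2201, "cmdline": "sudo -u#-1 /bin/bash"},          # attached form from the description
    {"pid": 2202, "cmdline": "sudo -u#4294967295 id"},         # unsigned spelling from the description
    {"pid": 2203, "cmdline": "/usr/bin/sudo -u '#-1' id"},     # quoted, separate argument
    {"pid": 2204, "cmdline": "sudo --user=#-1 id"},            # long option form
    {"pid": 2205, "cmdline": "sudo -u www-data id"},           # ordinary user switch
    {"pid": 2206, "cmdline": "sudo apt update"},               # no -u at all
    {"pid": 2207, "cmdline": "echo sudo -u#-1"},               # not a sudo process
]


def find_cve_attempts(events):
    """Return the pids of events whose command line matches the detector."""
    return [e["pid"] for e in events if is_cve_2019_14287_attempt(e["cmdline"])]


if __name__ == "__main__":
    for pid in find_cve_attempts(SAMPLE_EVENTS):
        print(f"ALERT NIX-PRIVILEGE-ESCALATION-SUDO-U pid={pid}")
```

Parsing the argument rather than substring-matching the raw command line avoids both misses (the quoted and long-option spellings) and false hits such as the echo line, which contains the string but never invokes sudo.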
