==================================================

CREATED: WIN-PS-GCI-TIMESTOMP (#1986)

Description

This detector identifies Get-ChildItem being used to change the timestamps of a file. Adversaries use this technique, known as timestomping, to rewrite the creation, modification, or access time of a malicious binary so that it no longer stands out as recently written to disk.

ATT&CK Technique T1099 (Timestomp)
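As an added illustration of the detection logic (example code written for this note, not the detector's own implementation), the following runs over constructed PowerShell script block text of the kind recorded by script block logging (Event ID 4104). It flags a Get-ChildItem result (or one of its built-in aliases gci, ls, dir) having a CreationTime, LastWriteTime or LastAccessTime property assigned, and ignores scripts that merely read those properties. The sample script blocks are constructed here, not captured telemetry.

```python
import re

# Constructed sample script block text (Event ID 4104 style); not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    # Timestomp: copy a legitimate system file's creation time onto a dropped binary
    r'$t=(Get-ChildItem C:\Windows\System32\calc.exe).CreationTime; (gci C:\Users\Public\svc.exe).CreationTime=$t',
    # Timestomp via the ls alias, hard-coded LastWriteTime
    r'(ls "C:\ProgramData\u.exe").LastWriteTime = "01/02/2018 03:04:05"',
    # Benign: directory listing that only compares a timestamp
    r'Get-ChildItem -Path C:\Temp -Recurse | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }',
    # Benign: reads a timestamp, never assigns one
    r'$age = (Get-ChildItem .\report.docx).CreationTime',
]

# Get-ChildItem and its built-in aliases
GCI = r'(?:Get-ChildItem|gci|ls|dir)'
# Timestamp properties that can be assigned on a FileSystemInfo object (with or without Utc)
TS_PROP = r'(?:CreationTime|LastWriteTime|LastAccessTime)(?:Utc)?'

# Matches "( <gci> ... ).<TimestampProperty> =", i.e. an assignment to the property.
# PowerShell uses -eq for comparison, so a bare "=" after the property is always a write.
TIMESTOMP_RE = re.compile(
    r'\(\s*' + GCI + r'\b[^()]*\)\s*\.\s*' + TS_PROP + r'\s*=',
    re.IGNORECASE,
)


def is_timestomp(script_block: str) -> bool:
    """True if the script block assigns a timestamp property on a Get-ChildItem result."""
    return TIMESTOMP_RE.search(script_block) is not None


def find_timestomps(script_blocks):
    """Return the script blocks that would raise WIN-PS-GCI-TIMESTOMP."""
    return [s for s in script_blocks if is_timestomp(s)]


if __name__ == "__main__":
    for s in find_timestomps(SAMPLE_SCRIPT_BLOCKS):
        print("WIN-PS-GCI-TIMESTOMP:", s)
```

The regex requires the Get-ChildItem call to be parenthesised because that is the form an assignment to a property needs; a pipeline that only reads LastWriteTime does not match. Note that Get-Item and the static [System.IO.File]::SetCreationTime family rewrite the same timestamps and are outside this detector's scope.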

==================================================

CREATED: NIX-KTHROTLD-IMPERSONATION (#2109)

Description

This detector identifies instances of the kthrotld kernel thread being impersonated. Adversaries can name their processes after this thread in an attempt to blend in with the legitimate kernel threads on the compromised machine.
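A genuine kernel thread is spawned by kthreadd (always PID 2), has no backing executable behind /proc/<pid>/exe and an empty /proc/<pid>/cmdline; a user process that merely calls itself kthrotld fails those checks. The following is an added example of that logic (written for this note, not the detector's own code) run over a constructed process table. It goes slightly beyond the detector by watching a few other commonly copied thread names, which is an assumption marked in the code.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

KTHREADD_PID = 2  # every kernel thread is forked by kthreadd, which is always PID 2

# kthrotld (the block-layer throttling daemon) is what this detector covers. The other names are
# an assumption added here because adversaries copy them in the same way.
WATCHED_KTHREAD_NAMES = {"kthrotld", "kworker", "ksoftirqd", "kswapd0"}


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm, the name ps and top display (truncated to 15 chars)
    exe: Optional[str]   # readlink /proc/<pid>/exe; None for a real kernel thread
    cmdline: str         # /proc/<pid>/cmdline; empty for a real kernel thread


# Constructed sample process table, not captured from a real host.
SAMPLE_PROCS: List[Proc] = [
    Proc(pid=2,    ppid=0,    comm="kthreadd", exe=None, cmdline=""),
    Proc(pid=151,  ppid=2,    comm="kthrotld", exe=None, cmdline=""),                          # genuine
    Proc(pid=4201, ppid=1,    comm="kthrotld", exe="/tmp/.x/kthrotld", cmdline="[kthrotld]"),  # renamed binary
    Proc(pid=4300, ppid=4201, comm="kthrotld", exe="/usr/bin/python3",                         # prctl(PR_SET_NAME)
         cmdline="python3 -c import os"),
    Proc(pid=900,  ppid=1,    comm="sshd",     exe="/usr/sbin/sshd", cmdline="/usr/sbin/sshd -D"),
]


def thread_base_name(comm: str) -> str:
    """Normalise '[kthrotld]' or 'kworker/0:1' to the bare thread name."""
    return comm.strip("[]").split("/", 1)[0]


def impersonation_reasons(p: Proc) -> List[str]:
    """Reasons p is not the kernel thread its name claims; an empty list means it looks genuine."""
    if thread_base_name(p.comm) not in WATCHED_KTHREAD_NAMES:
        return []
    reasons = []
    if p.ppid != KTHREADD_PID:
        reasons.append(f"parent is PID {p.ppid}, not kthreadd (PID {KTHREADD_PID})")
    if p.exe is not None:
        reasons.append(f"backed by executable {p.exe}")
    if p.cmdline:
        reasons.append(f"non-empty cmdline {p.cmdline!r}")
    return reasons


def find_impostors(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every process that would raise NIX-KTHROTLD-IMPERSONATION."""
    hits = []
    for p in procs:
        reasons = impersonation_reasons(p)
        if reasons:
            hits.append((p.pid, reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in find_impostors(SAMPLE_PROCS):
        print(f"NIX-KTHROTLD-IMPERSONATION pid={pid}: " + "; ".join(reasons))
```

When reading a live /proc, readlink on /proc/<pid>/exe for another user's process raises PermissionError unless you are root; treat that as unknown rather than as "no executable", or the check will miss impostors. An additional check is the flags field of /proc/<pid>/stat, where real kernel threads carry PF_KTHREAD (0x00200000).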

==================================================

CREATED: WIN-RUNDLL-SCROBJ-LOAD (#2133)

Description

This detector identifies Rundll32 loading Scrobj.dll, the Windows Script Component runtime, in order to execute scriptlet code and bypass security controls.

ATT&CK Technique T1085 (Rundll32)

==================================================

CREATED: WIN-INFDEFAULTINSTALL-SUSP-MODLOAD (#2134)

Description

This detector identifies suspicious instances of the Windows process InfDefaultInstall.exe loading modules typically observed in application whitelisting bypasses. Adversaries utilize this technique to retrieve and execute remote payloads.

ATT&CK Technique T1218 (Signed Binary Proxy Execution)
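Both WIN-RUNDLL-SCROBJ-LOAD and WIN-INFDEFAULTINSTALL-SUSP-MODLOAD are module-load detections, so one added example covers them (example code written for this note, not the detectors' own implementation). It runs over constructed image-load records in the shape of Sysmon Event ID 7 (Image, ImageLoaded) and keys on the process name plus the loaded module. The page does not list which modules the InfDefaultInstall detector watches; the script-engine DLL set below is an assumption based on the INF RegisterDlls/UnRegisterDlls scriptlet abuse the technique relies on.

```python
from pathlib import PureWindowsPath
from typing import Dict, List, Tuple

# Assumption: modules loaded when an INF directive is abused to run a scriptlet. The page does not
# name the set WIN-INFDEFAULTINSTALL-SUSP-MODLOAD uses.
SCRIPT_ENGINE_DLLS = {"scrobj.dll", "jscript.dll", "jscript9.dll", "vbscript.dll", "mshtml.dll"}

# detector name -> (loading process image name, set of module file names)
RULES: Dict[str, Tuple[str, set]] = {
    "WIN-RUNDLL-SCROBJ-LOAD": ("rundll32.exe", {"scrobj.dll"}),
    "WIN-INFDEFAULTINSTALL-SUSP-MODLOAD": ("infdefaultinstall.exe", SCRIPT_ENGINE_DLLS),
}

# Constructed Sysmon Event ID 7-style records, not real telemetry.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},          # scriptlet execution via rundll32
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll"},         # ordinary rundll32 use
    {"Image": r"C:\Windows\System32\InfDefaultInstall.exe",
     "ImageLoaded": r"C:\Windows\System32\jscript.dll"},         # INF pulling in a script engine
    {"Image": r"C:\Windows\System32\InfDefaultInstall.exe",
     "ImageLoaded": r"C:\Windows\System32\setupapi.dll"},        # normal INF processing
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ImageLoaded": r"C:\Windows\System32\scrobj.dll"},          # different technique; not these detectors
]


def file_name(path: str) -> str:
    """Lower-cased file name from a Windows path, so the rules are drive- and case-independent."""
    return PureWindowsPath(path).name.lower()


def match_rules(event: Dict[str, str]) -> List[str]:
    """Names of the detectors a single image-load event satisfies."""
    image = file_name(event["Image"])
    module = file_name(event["ImageLoaded"])
    return [name for name, (proc, dlls) in RULES.items() if image == proc and module in dlls]


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(event index, detector name) for every hit across a batch of events."""
    return [(i, name) for i, e in enumerate(events) for name in match_rules(e)]


if __name__ == "__main__":
    for i, name in scan(SAMPLE_IMAGE_LOADS):
        e = SAMPLE_IMAGE_LOADS[i]
        print(f"{name}: {e['Image']} loaded {e['ImageLoaded']}")
```

Matching on file names rather than full paths matters because adversaries may copy the signed binary elsewhere; if you need to exclude such copies, add a separate check on the directory instead of loosening the name match. The regsvr32 record is included to show the scope boundary: regsvr32 loading scrobj.dll is a separate, well-known technique that neither of these two detectors is meant to cover.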
