==================================================

CREATED: WIN-RUNDLL-INVOKE-COM-PROGID (#2135)

Description

This detector identifies instances of rundll32.exe executing COM objects by their Program ID (ProgID). Adversaries may utilize this technique when performing COM hijacking and surreptitiously executing payloads.

==================================================

CREATED: WIN-REGASM-CLR-MODLOAD (#2137)

Description

This detector identifies Regasm loading the Common Language Runtime dll (clr.dll) and the wminet_utils dll. Adversaries may utilize this technique to execute payloads in a way that bypasses application whitelisting.

ATT&CK Technique T1121

==================================================

CREATED: WIN-PROCDUMP-RENAMED (#2138)

Description

This detector identifies suspicious usage of the Windows Sysinternals tool ProcDump. ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike, which an administrator or developer can use to determine the cause of the spike. Adversaries can rename procdump, to evade detection methods that rely solely on the process name, and use it to dump the memory space of processes such as lsass.exe in order to extract credentials.

ATT&CK Technique T1003

==================================================

CREATED: WIN-CMSTP-LOAD-SCROBJ (#2139)

Description

This detector identifies CMSTP.exe loading scrobj.dll upon execution. Adversaries can utilize scrobj.dll with cmstp as a User Account Control bypass technique.

ATT&CK Technique T1191

==================================================

CREATED: WIN-CMSTP-CHILDPROC (#2140)

Description

This detector identifies CMSTP spawning a child process. Adversaries can pass a configuration file to CMSTP to launch arbitrary code.

ATT&CK Technique T1191
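As an added example (not part of the original release notes or of the product's own rule logic), the following Python implements the conditions described by the Regasm, ProcDump, and two CMSTP detectors above as matching logic over constructed Sysmon-style process-create and image-load records. The event field names are my own, and the check that ProcDump's PE OriginalFileName begins with "procdump" is an assumption.

```python
# Constructed sample telemetry (not from the original page): "proc" records
# model process creation, "load" records model image (DLL) loads.
EVENTS = [
    {"type": "proc", "pid": 10, "image": r"C:\Tools\pd.exe",
     "original_name": "procdump", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "load", "pid": 20, "image": r"C:\Windows\System32\cmstp.exe",
     "module": r"C:\Windows\System32\scrobj.dll"},
    {"type": "proc", "pid": 21, "image": r"C:\Windows\System32\cmd.exe",
     "original_name": "Cmd.Exe", "parent_image": r"C:\Windows\System32\cmstp.exe"},
    {"type": "load", "pid": 30, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "module": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"},
    {"type": "load", "pid": 30, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "module": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\wminet_utils.dll"},
    # Benign control: procdump under its own name must not trigger the rename rule.
    {"type": "proc", "pid": 40, "image": r"C:\Tools\procdump64.exe",
     "original_name": "procdump", "parent_image": r"C:\Windows\System32\cmd.exe"},
]

REGASM_MODULES = {"clr.dll", "wminet_utils.dll"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path ('' for empty input)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (detector_name, pid) tuples in the order the conditions are met."""
    alerts = []
    regasm_seen = {}  # pid -> set of the interesting modules loaded so far
    for e in events:
        image = basename(e["image"])
        if e["type"] == "proc":
            # WIN-PROCDUMP-RENAMED: PE metadata says procdump, on-disk name does not.
            # Assumption: Sysinternals ProcDump's OriginalFileName starts with "procdump".
            if e.get("original_name", "").lower().startswith("procdump") \
                    and not image.startswith("procdump"):
                alerts.append(("WIN-PROCDUMP-RENAMED", e["pid"]))
            # WIN-CMSTP-CHILDPROC: any process whose parent is cmstp.exe.
            if basename(e.get("parent_image", "")) == "cmstp.exe":
                alerts.append(("WIN-CMSTP-CHILDPROC", e["pid"]))
        elif e["type"] == "load":
            module = basename(e["module"])
            # WIN-CMSTP-LOAD-SCROBJ: cmstp.exe mapping scrobj.dll into its process.
            if image == "cmstp.exe" and module == "scrobj.dll":
                alerts.append(("WIN-CMSTP-LOAD-SCROBJ", e["pid"]))
            # WIN-REGASM-CLR-MODLOAD: fire once, when both DLLs have been seen in one regasm.
            if image == "regasm.exe" and module in REGASM_MODULES:
                seen = regasm_seen.setdefault(e["pid"], set())
                if module not in seen:
                    seen.add(module)
                    if seen == REGASM_MODULES:
                        alerts.append(("WIN-REGASM-CLR-MODLOAD", e["pid"]))
    return alerts
```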
