CREATED: WIN-OUTLOOK-SPAWNING-MSHTA (#2125)
This detector identifies instances of the Microsoft HTML Application Host (mshta.exe) spawning from Microsoft Outlook. Adversaries use this tactic when utilizing COM objects to launch malicious activity from known-good system binaries.
CREATED: WIN-OPENWITH-SPAWNING-MSHTA (#2126)
This detector identifies instances of the Windows process openwith.exe spawning the Microsoft HTML Application Host (mshta.exe). This activity can occur when adversaries cause their victim to execute an encrypted HTA from within their browser process.
CREATED: WIN-VERCLSID-CHILDPROC (#2136)
This detector identifies instances of the Windows COM object verification tool (verclsid.exe) executing with child processes. Adversaries may utilize this process to avoid Application Whitelisting rules that prevent untrusted processes from running.
ATT&CK Technique T1127
CREATED: WIN-CMD-RENAMED-TO-SETHC (#2147)
This detector identifies the replacement of the Windows StickyKeys feature (sethc.exe) with the Command Processor (cmd.exe). At the Windows login screen, actors could trigger sethc.exe to launch a privileged command shell without credentials or internal logging.
ATT&CK Technique T1015
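As an added example (not the detectors' own logic), the four parent/child and renamed-binary rules above expressed as predicates over process-creation telemetry and run against constructed sample events; the event field names and the use of the PE OriginalFileName to spot a renamed cmd.exe are assumptions, not details from the release notes.

```python
# Toy implementation of the four detectors described above (added example, not vendor code).
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str                    # full path of the new process
    parent_image: str             # full path of the parent process
    original_filename: str = ""   # PE OriginalFileName as EDR/Sysmon telemetry reports it (assumed field)


def _base(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# (detector name, predicate) pairs mirroring the release-note descriptions
RULES = [
    ("WIN-OUTLOOK-SPAWNING-MSHTA",
     lambda e: _base(e.parent_image) == "outlook.exe" and _base(e.image) == "mshta.exe"),
    ("WIN-OPENWITH-SPAWNING-MSHTA",
     lambda e: _base(e.parent_image) == "openwith.exe" and _base(e.image) == "mshta.exe"),
    # verclsid.exe normally has no children at all, so any child is worth a look
    ("WIN-VERCLSID-CHILDPROC",
     lambda e: _base(e.parent_image) == "verclsid.exe"),
    # a cmd.exe copied over sethc.exe keeps cmd's PE metadata while carrying sethc's file name
    ("WIN-CMD-RENAMED-TO-SETHC",
     lambda e: _base(e.image) == "sethc.exe" and e.original_filename.lower() == "cmd.exe"),
]


def evaluate(event: ProcEvent) -> list:
    """Return the names of every detector the event satisfies."""
    return [name for name, pred in RULES if pred(event)]


def triage(events) -> list:
    """Return (image, [detector names]) only for events that fired at least one rule."""
    return [(e.image, hits) for e in events if (hits := evaluate(e))]


# Constructed sample telemetry: four true positives and two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Program Files\Microsoft Office\OUTLOOK.EXE"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\OpenWith.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\verclsid.exe"),
    ProcEvent(r"C:\Windows\System32\sethc.exe", r"C:\Windows\System32\winlogon.exe", original_filename="Cmd.Exe"),
    ProcEvent(r"C:\Windows\System32\sethc.exe", r"C:\Windows\System32\winlogon.exe", original_filename="sethc.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```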