==================================================

CREATED: WIN-OUTLOOK-SPAWNING-MSHTA (#2125)

Description

This detector identifies instances of the Microsoft HTML Application Host (mshta.exe) spawning from Microsoft Outlook. Adversaries use this tactic when utilizing COM objects to launch malicious activity from known-good system binaries.

==================================================

CREATED: WIN-OPENWITH-SPAWNING-MSHTA (#2126)

Description

This detector identifies instances of the Windows process openwith.exe spawning the Microsoft HTML Application Host (mshta.exe). This activity can occur when adversaries cause their victim to execute an encrypted HTA from within their browser process.

==================================================

CREATED: WIN-VERCLSID-CHILDPROC (#2136)

Description

This detector identifies instances of the Windows COM object verification tool (verclsid.exe) spawning child processes. Adversaries may utilize this process to avoid Application Whitelisting rules that prevent untrusted processes from running.

ATT&CK Technique T1127

==================================================

CREATED: WIN-CMD-RENAMED-TO-SETHC (#2147)

Description

This detector identifies the replacement of the Windows StickyKeys feature (sethc.exe) with the Command Processor (cmd.exe). At the Windows login screen, actors could trigger sethc.exe to launch a privileged command shell without credentials or internal logging.

ATT&CK Technique T1015
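The four detections above, expressed as added example code over constructed process-creation events (this is not the vendor's detector logic). It assumes Sysmon-style Image, ParentImage and OriginalFileName fields, and the sethc rule assumes the replacement is spotted at execution time via OriginalFileName rather than from file-write telemetry.

```python
"""Detection logic for the four detectors above, run over constructed
process-creation events in a Sysmon-like shape (Image, ParentImage,
OriginalFileName). Added example code, not the vendor's rules."""
from pathlib import PureWindowsPath

def _base(path):
    """Lower-cased file name of a Windows path ('' when absent)."""
    return PureWindowsPath(path or "").name.lower()

def classify(event):
    """Return the detector ids that match one process-creation event."""
    parent = _base(event.get("ParentImage"))
    child = _base(event.get("Image"))
    original = (event.get("OriginalFileName") or "").lower()
    hits = []
    if parent == "outlook.exe" and child == "mshta.exe":
        hits.append("WIN-OUTLOOK-SPAWNING-MSHTA")
    if parent == "openwith.exe" and child == "mshta.exe":
        hits.append("WIN-OPENWITH-SPAWNING-MSHTA")
    if parent == "verclsid.exe":
        # verclsid.exe normally has no children; any child process is suspect.
        hits.append("WIN-VERCLSID-CHILDPROC")
    if child == "sethc.exe" and original == "cmd.exe":
        # Binary named sethc.exe whose version resource says cmd.exe: the
        # StickyKeys executable has been replaced by the Command Processor.
        hits.append("WIN-CMD-RENAMED-TO-SETHC")
    return hits

def scan(events):
    """Map event index -> matching detector ids, skipping clean events."""
    return {i: h for i, e in enumerate(events) if (h := classify(e))}

# Constructed sample events (not real telemetry); the last one is benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE"},
    {"ParentImage": r"C:\Windows\System32\OpenWith.exe",
     "Image": r"C:\Windows\SysWOW64\mshta.exe", "OriginalFileName": "MSHTA.EXE"},
    {"ParentImage": r"C:\Windows\System32\verclsid.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    {"ParentImage": r"C:\Windows\System32\winlogon.exe",
     "Image": r"C:\Windows\System32\sethc.exe", "OriginalFileName": "Cmd.Exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "OriginalFileName": "Outlook.exe"},
]
if __name__ == "__main__":
    for idx, ids in scan(SAMPLE_EVENTS).items():
        print(idx, ids)
```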
