==================================================

CREATED: WIN-BIN-INJECT-EXPLORER (#2033)

Description

This detector identifies processes executing from a user's appdata\roaming directory and injecting into explorer.exe to launch scripts for search order hijacking.

ATT&CK Technique T1038
ATT&CK Technique T1055

==================================================

CREATED: WIN-AMSI-SUSPECT-PATH (#2121)

Description

This detector identifies the Antimalware Scan Interface library (amsi.dll) executing from abnormal locations.

ATT&CK Technique T1089

==================================================

CREATED: WIN-POWERPOINT-SPAWNING-RUNAS (#2129)

Description

This detector identifies Microsoft PowerPoint spawning the Windows process runas.exe. Adversaries may utilize this technique to evade process ancestry detection methods.

ATT&CK Technique T1134

==================================================

CREATED: WIN-VISIO-SPAWNING-RUNAS (#2130)

Description

This detector identifies Microsoft Visio spawning the Windows process runas.exe. Adversaries may utilize this technique to evade process ancestry detection methods.

ATT&CK Technique T1134

==================================================

CREATED: WIN-MSPUBLISHER-SPAWNING-RUNAS (#2131)

Description

This detector identifies Microsoft Publisher spawning the Windows process runas.exe. Adversaries may utilize this technique to evade process ancestry detection methods.

ATT&CK Technique T1134

==================================================

CREATED: WIN-CURL-WRITE-BIN (#2142)

Description

This detector identifies Windows cURL writing an executable to disk. Adversaries commonly utilize cURL to download binaries via the command line.

ATT&CK Technique T1059

==================================================

CREATED: WIN-REGMOD-CLSID-SCRIPTLETURL (#2148)

Description

This detector identifies possible COM object hijacks where an abnormal registry key is created that executes an externally hosted payload.

ATT&CK Technique T1122

==================================================

CREATED: WIN-SVCHOST-DEFRAGSVC-NETCONN (#2150)

Description

This detector identifies instances of the Windows Service Host (svchost.exe) establishing external network connections after launching a suspicious service associated with known malicious activity.

ATT&CK Technique T1035

==================================================

CREATED: WIN-RUNDLL32-SYSSETUP-SUSP-MODLOAD (#2151)

Description

This detector identifies suspicious instances of the Windows process rundll32.exe executing with certain command line arguments and loading modules typically observed in application whitelisting bypasses. Adversaries utilize this technique to retrieve and execute remote payloads.

ATT&CK Technique T1085
ATT&CK Technique T1129

==================================================

CREATED: WIN-CMD-RENAMED-TO-UTILMAN (#2152)

Description

This detector identifies the replacement of the Windows Utility Manager (utilman.exe) with the Command Processor (cmd.exe). At the Windows login screen, actors could trigger utilman.exe to launch a privileged command shell without credentials or internal logging.

ATT&CK Technique T1015

==================================================

CREATED: WIN-POSSIBLE-SHARPCHROME-BIN (#2155)

Description

This detector identifies running instances of the SharpChrome credential theft tool.

ATT&CK Technique T1503

==================================================

CREATED: WIN-POSSIBLE-SHARPDPAPI-BIN (#2156)

Description

This detector identifies running instances of the SharpDPAPI credential theft tool.

ATT&CK Technique T1003

==================================================

CREATED: WIN-POSSIBLE-RUBEUS-BIN (#2157)

Description

This detector identifies running instances of the Rubeus credential theft tool.

ATT&CK Technique T1097
ATT&CK Technique T1208
ATT&CK Technique T1075

==================================================

CREATED: WIN-COMPILED-POWERSHELL-BASE64-METHOD (#2160)

Description

This detector identifies when PowerShell framework DLLs are loaded into processes other than PowerShell and the process executes with a command line consistent with the use of .NET base64 methods. Attackers often use this activity to obfuscate the execution of malicious code on an endpoint.

ATT&CK Technique T1086
