==================================================

CREATED: WIN-SHARPVIEW-EXECUTION (#2104)

Description

This detector identifies behavior consistent with the post-exploitation framework SharpView. SharpView is a C#/.NET assembly port of PowerView, a PowerSploit module.

ATT&CK Technique T1064
ATT&CK Technique T1087
ATT&CK Technique T1135
ATT&CK Technique T1482

==================================================

CREATED: NIX-EXIM-EXPLOIT (#2112)

Description

This detector identifies exploitation of a Remote Code Execution vulnerability against a Unix Exim mail server. When exploited, this vulnerability results in a malicious child process of exim.

ATT&CK Technique T1190

==================================================

CREATED: WIN-SYSPROP-CMD-DRIDEX (#2115)

Description

This detector identifies various SystemProperties binaries spawning the Windows Command Processor (cmd.exe). Utilizing these binaries to launch instances of cmd.exe is consistent with activity seen with the Dridex malware family.

ATT&CK Technique T1038
ATT&CK Technique T1055

==================================================

CREATED: WIN-NODE-SHELL (#2127)

Description

This detector identifies node.exe launching a JavaScript file and making network connections. Adversaries can leverage node.exe as a proxy and/or to establish network connectivity.

ATT&CK Technique T1064
ATT&CK Technique T1090

==================================================

CREATED: WIN-WINDIVERT-DLL (#2132)

Description

This detector identifies PowerShell creating or loading the WinDivert DLL. WinDivert can be used to implement user-mode packet filters, packet sniffers, firewalls, NAT, VPNs, tunneling applications, etc.

ATT&CK Technique T1040
ATT&CK Technique T1090

==================================================

CREATED: WIN-POSSIBLE-RUBEUS-CLI (#2144)

Description

This detector identifies the use of Rubeus, a C# exploit toolset for Kerberos abuse, by identifying command line elements common to Rubeus execution.

ATT&CK Technique T1097

==================================================

CREATED: WIN-SVCHOST-UNMANAGED-POSH (#2153)

Description

This detector identifies instances of the Windows Service Host loading DLLs associated with unmanaged PowerShell.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-VBC-NETCONN (#2158)

Description

This detector identifies instances of the Visual Basic Compiler (vbc.exe) establishing external network connections.

ATT&CK Technique T1127

==================================================

CREATED: OSX-CS-CONTAINMENT-BYPASS-PFCTL (#2159)

Description

This detector identifies pfctl removing all active Packet Filter rules on a host. CrowdStrike implements network containment on macOS using pf (Packet Filter). This allows granular control over network traffic in a similar manner to iptables or the Windows Firewall. Adversaries can break containment on macOS by issuing the command pfctl -F all.

ATT&CK Technique T1089

==================================================

CREATED: NIX-SHELL-OUT-OPENSSL-DECRYPT (#2161)

Description

This detector identifies NIX shells executing OpenSSL as a subprocess to decrypt payloads. Adversaries can utilize OpenSSL as an obfuscation technique to bypass common command line detection methods.

ATT&CK Technique T1027

==================================================

CREATED: WIN-EXPLORER-UNMANAGED-POSH (#2163)

Description

This detector identifies instances of the Windows Explorer loading Windows PowerShell binaries.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-SERVICES-UNMANAGED-POSH (#2164)

Description

This detector identifies instances of the Windows Service Control Manager loading Windows PowerShell binaries. Adversaries can leverage the PowerShell binaries outside of a normal PowerShell session to evade common detection techniques.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-LSM-UNMANAGED-POSH (#2165)

Description

This detector identifies instances of the Windows Local Session Manager Service loading Windows PowerShell binaries.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-LSASS-UNMANAGED-POSH (#2166)

Description

This detector identifies instances of the Windows Local Security Authority Subsystem Service loading Windows PowerShell binaries.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-USERINIT-UNMANAGED-POSH (#2167)

Description

This detector identifies instances of the Windows Userinit process loading Windows PowerShell binaries.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-SMSS-UNMANAGED-POSH (#2168)

Description

This detector identifies instances of the Session Manager Subsystem loading Windows PowerShell binaries. Adversaries can leverage SMSS to launch PowerShell commands to evade common detection methods.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-TASKHOST-UNMANAGED-POSH (#2169)

Description

This detector identifies instances of the Windows Taskhost process loading Windows PowerShell binaries.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-WININIT-UNMANAGED-POSH (#2170)

Description

This detector identifies instances of the Windows Initialization Process loading Windows PowerShell binaries.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-NTOSKRNL-UNMANAGED-POSH (#2171)

Description

This detector identifies instances of the Windows NT Operating System Kernel loading Windows PowerShell binaries.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-CSRSS-UNMANAGED-POSH (#2172)

Description

This detector identifies instances of the Windows Client Server Runtime Process loading Windows PowerShell binaries.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-DLLHOST-UNMANAGED-POSH (#2173)

Description

This detector identifies instances of the COM Surrogate (dllhost.exe) loading Windows PowerShell binaries.

ATT&CK Technique T1035
ATT&CK Technique T1086

==================================================

CREATED: WIN-VBC-SHTML-STEXT (#2174)

Description

This detector identifies instances of the Visual Basic Compiler (vbc.exe) executing with command line arguments typically observed with malicious activity.

ATT&CK Technique T1127

==================================================

CREATED: WIN-COMPILED-POWERSHELL-ENCODEDCOMMAND-SWITCH (#2176)

Description

This detector identifies when PowerShell framework DLLs are loaded into processes other than PowerShell and execute with a command line containing the *encodedCommand* switch. This activity is often used by attackers to obfuscate the use of malicious code on an endpoint.

ATT&CK Technique T1086

==================================================

CREATED: LINUX-POSSIBLE-MESSAGETAP (#2181)

Description

This detector identifies processes loading libpcap and writing suspect files to disk consistent with the behavior of MESSAGETAP malware.

ATT&CK Technique T1040
ATT&CK Technique T1119

==================================================

CREATED: WIN-WMIPRVSE-EXPLORER (#2188)

Description

This detector identifies the WMI Provider Host (wmiprvse.exe) spawning an instance of Windows Explorer. Adversaries can utilize wmiprvse.exe to spawn instances of explorer to write malicious binaries.

ATT&CK Technique T1047

==================================================

CREATED: WIN-MPCMDRUN-REMOVE-DEF (#2189)

Description

This detector identifies the Microsoft command line utility for interacting with Windows Defender (MpCmdRun.exe) removing Anti-Virus definitions. Adversaries can remove Anti-Virus definitions to evade common detection methodologies.

ATT&CK Technique T1089

==================================================

CREATED: WIN-QBOT-PS-VAR-WINUPDATE (#2206)

Description

This detector identifies the usage of PowerShell assigning an environment variable to a malicious binary and immediately executing the defined variable.

ATT&CK Technique T1036

==================================================

CREATED: WIN-AUTOIT-EXT-NETCONN (#2210)

Description

This detector identifies AutoIT making external network connections. Adversaries have utilized AutoIT to establish network connections due to the limited visibility that organizations have into the execution of AutoIT.

ATT&CK Technique T1064