==================================================

CREATED: WIN-SUSP-SYSTEM-PATHS (#2096)

Description

This detector identifies slight modifications to common Windows system paths. Malware will attempt to hide itself in legitimate-looking directories that resemble Windows paths in order to evade detection.

ATT&CK Technique T1038
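One way to implement the lookalike-path check this detector describes, as an added example in Python that is not the vendor's rule logic; the canonical directory list, the similarity threshold and the sample image paths are constructed assumptions:

```python
import ntpath
import re
from difflib import SequenceMatcher

# Canonical system directories treated as "known good"
# (constructed list for this example; a real rule would carry more).
CANONICAL_DIRS = [
    r"C:\Windows",
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
]

def _norm(path):
    # Case-fold and collapse slash variants; deliberately no strip(), because
    # a trailing space ("System32 ") is one of the lookalike tricks to catch.
    return re.sub(r"[\\/]+", r"\\", path.lower())

def _ancestors(directory):
    # Yield the directory and each parent up to the drive root.
    cur = directory
    while True:
        yield cur
        parent = ntpath.dirname(cur)
        if not parent or parent == cur:
            break
        cur = parent

def check_image_path(image_path, threshold=0.85):
    """Classify the directory an image was launched from.
    ("legit", canonical): directory is a canonical path or lies beneath one.
    ("suspicious", canonical): it or a parent is a near-miss (>= threshold).
    ("unrelated", None): otherwise."""
    directory = _norm(ntpath.dirname(image_path))
    for canon in CANONICAL_DIRS:
        c = _norm(canon)
        if directory == c or directory.startswith(c + "\\"):
            return ("legit", canon)
    for ancestor in _ancestors(directory):
        score = lambda d: SequenceMatcher(None, ancestor, _norm(d)).ratio()
        best = max(CANONICAL_DIRS, key=score)
        if score(best) >= threshold:
            return ("suspicious", best)
    return ("unrelated", None)

# Constructed sample process-creation image paths for a quick run.
SAMPLE_IMAGE_PATHS = [
    r"C:\Windows\System32\svchost.exe",          # legit
    r"C:\Windows \System32\svchost.exe",         # trailing space: suspicious
    r"C:\Windws\System32\drivers\updater.exe",   # misspelled parent: suspicious
    r"C:\Users\alice\Documents\report.exe",      # unrelated
]

if __name__ == "__main__":
    for p in SAMPLE_IMAGE_PATHS:
        print(p, "->", check_image_path(p))
```

Walking the parent chain matters: a binary dropped several levels below a misspelled "Windws" still matches the lookalike parent even though the full directory string alone falls under the threshold.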

==================================================

CREATED: WIN-TASKENG-RUNDLL (#2116)

Description

This detector identifies execution of Rundll32 via the Task Scheduler Engine (taskeng.exe).

ATT&CK Technique T1053
ATT&CK Technique T1085

==================================================

CREATED: WIN-DBGHOST-SCRIPT-EXEC (#2186)

Description

This detector identifies instances of the Windows Debugger (dbghost.exe) executing a script via the command line.

ATT&CK Technique T1216

==================================================

CREATED: WIN-MSTSC-RDPTHIEF-FILEMOD (#2187)

Description

This detector identifies instances of the Microsoft RDP client (mstsc.exe) creating or modifying files related to the RDP Thief attack.

ATT&CK Technique T1076
ATT&CK Technique T1003

==================================================

CREATED: WIN-WSCRIPT-SCRIPT-EXEC-APPDATA (#2193)

Description

This detector identifies instances of the Windows Scripting Host (wscript.exe) executing scripts from temporary system directories.

ATT&CK Technique T1064