==================================================

CREATED: WIN-CURL-EXTERNAL-NETCONN-SUSP-SITES (#2141)

Description

This detector identifies instances of Windows cURL establishing network connections to specific "paste sites" or content providers, such as Pastebin and GitHub.

ATT&CK Technique T1059

==================================================

CREATED: WIN-OFFICE-ARCHIVE-WRITE (#2191)

Description

This detector identifies Microsoft Office products writing an archive to disk. Adversaries can craft a maldoc to deliver a malicious archive to a host.

ATT&CK Technique T1192

==================================================

CREATED: WIN-AUTOIT-LNK-CREATE (#2195)

Description

This detector looks for AutoIt creating an abnormal number of link (.lnk) files. This behavior has been observed from worms that utilize AutoIt.

ATT&CK Technique T1064
ATT&CK Technique T1023

==================================================

CREATED: WIN-SODINOKIBI-RANSOMWARE (#2214)

Description

This detector identifies activity directly associated with the Sodinokibi ransomware.

==================================================

CREATED: PRODUCT-KUAIZIP (#2216)

Description

This detector identifies executions of programs that are part of the Kuaizip product. These programs are classified as Adware in the Generic category and are known to distribute various types of adware.

==================================================

CREATED: PRODUCT-MARSHMALLOW-SWEET (#2217)

Description

This detector identifies executions of programs that are part of the MarshmallowSweet product. These programs are classified as Adware in the Generic category and are known to distribute various types of adware.

==================================================

CREATED: PRODUCT-BITCOMET (#2219)

Description

This detector identifies executions of programs that are part of the Bitcomet product. These programs are classified as P2P in the Torrent category; Bitcomet is a peer-to-peer application whose use could lead to the installation of unwanted software.

==================================================

CREATED: WIN-SHELL-SPAWNING-INSTALLUTIL-CLR-MODLOAD (#2238)

Description

This detector identifies a shell spawning the Microsoft Installer tool InstallUtil.exe with a modload of the Common Language Runtime (clr.dll). Adversaries can bypass application whitelisting by executing malicious code through the full scripting engine that clr.dll provides.

ATT&CK Technique T1118
ATT&CK Technique T1218

==================================================

CREATED: WIN-MSHTA-MODLOAD-SYSTEM-NI-DLL (#2246)

Description

This detector identifies the Microsoft HTML Application host (mshta.exe) loading the .NET system.ni.dll. This DLL is loaded when interacting with processes and is commonly seen with dotnet2jscript payloads.

ATT&CK Technique T1064
ATT&CK Technique T1220
ATT&CK Technique T1055

==================================================

CREATED: WIN-WMIC-MODLOAD-SYSTEM-NI-DLL (#2247)

Description

This detector identifies the Windows Management Instrumentation Command-line utility (wmic.exe) loading the .NET system.ni.dll. This DLL is loaded when interacting with processes and is commonly seen with dotnet2jscript executions.

ATT&CK Technique T1064
ATT&CK Technique T1220
ATT&CK Technique T1055

==================================================

CREATED: WIN-EXEC-CONFIG-SYSPROF-FOLDER (#2253)

Description

This detector identifies binaries executing from the Windows directory \windows\system32\config\systemprofile\.

ATT&CK Technique T1063

==================================================

CREATED: WIN-DEVTOOLS-SUSP-CLI (#2268)

Description

This detector identifies instances of a Visual Studio component executing an arbitrary binary.

ATT&CK Technique T1127

==================================================

CREATED: WIN-DEVTOOLS-EXEC-SUSP-BIN (#2269)

Description

This detector identifies instances of a Visual Studio developer component executing suspicious processes.

ATT&CK Technique T1127

==================================================

CREATED: WIN-MSIEXEC-Z-SWITCH-CHILDPROC (#2272)

Description

This detector identifies the Microsoft Windows Installer (msiexec.exe) spawning a child process when unregistering a module. Adversaries can abuse the Import Address Table of msiexec.exe by intercepting API calls and creating a process.

ATT&CK Technique T1218
ATT&CK Technique T1179

==================================================

CREATED: WIN-POSSIBLE-SCRIPT-DROPPER (#2275)

Description

This detector identifies instances of scripts executing from directories commonly observed with malware droppers.

ATT&CK Technique T1064

==================================================

CREATED: WIN-FSI-SCRIPTING (#2287)

Description

This detector identifies the F# interpreter launching an F# script. Adversaries can leverage F# for additional post-exploitation activity.

ATT&CK Technique T1064

==================================================

CREATED: WIN-NGROK-REVERSE-TUNNEL (#2288)

Description

This detector identifies Ngrok reverse tunnels. Ngrok can be used to create a persistent reverse tunnel backdoor capable of proxying any protocol through standard HTTP tunnels.

ATT&CK Technique T1090
ATT&CK Technique T1021

==================================================

CREATED: WIN-FSI-SUSP-PARENT (#2289)

Description

This detector identifies the F# interpreter (fsi.exe) spawning from a suspicious parent process. Adversaries can leverage FSI to masquerade their actions and utilize the .NET Framework for further post-exploitation activity.

ATT&CK Technique T1064

==================================================

CREATED: WIN-POWERSHELL-UNICORN (#2295)

Description

This detector identifies common strings within PowerShell Unicorn usage. Adversaries will leverage PowerShell Unicorn to obfuscate their payloads to evade detection.

ATT&CK Technique T1064
ATT&CK Technique T1086
ATT&CK Technique T1140