==================================================

CREATED: WIN-MSIEXEC-Z-SWITCH-WITHOUT-MSIEXEC-PARENT (#2273)

Description

This detector identifies the Microsoft Windows Installer (msiexec.exe) started without a parent process of msiexec.exe and with the /z command line switch. The /z switch loads the DLL named on the command line and calls its DllUnregisterServer export, which lets an adversary execute arbitrary code under a signed Microsoft binary; from there they can hook the Import Address Table of msiexec.exe to intercept API calls, spawn processes, or inject into other processes.

ATT&CK Technique T1218
ATT&CK Technique T1179
ATT&CK Technique T1055

==================================================

CREATED: WIN-MSIEXEC-Y-SWITCH-WITHOUT-MSIEXEC-PARENT (#2274)

Description

This detector identifies the Microsoft Windows Installer (msiexec.exe) started without a parent process of msiexec.exe and with the /y command line switch. The /y switch loads the DLL named on the command line and calls its DllRegisterServer export, which lets an adversary execute arbitrary code under a signed Microsoft binary; from there they can hook the Import Address Table of msiexec.exe to intercept API calls, spawn processes, or inject into other processes.

ATT&CK Technique T1218
ATT&CK Technique T1179
ATT&CK Technique T1055
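
The two msiexec rules above share one condition (msiexec.exe with a /y or /z switch whose parent is not msiexec.exe), so here is that condition written out once as a check over process-creation events. This is an added example, not the vendor's detector code; the events are constructed in the shape of Sysmon Event ID 1 fields, and every path and DLL name in them is made up for illustration.

```python
"""Added example (not the vendor's detector code): the msiexec /y and /z
rules as a check over constructed Sysmon-style process-creation events."""
import ntpath
import re
from typing import Dict, Iterable, List, Optional, Tuple

# msiexec accepts switches with either '/' or '-'; /y and /z take a DLL
# path and call its DllRegisterServer / DllUnregisterServer export.
SWITCH_RE = re.compile(r"^[/-]([yz])$", re.IGNORECASE)
# A double-quoted token (paths with spaces) or a bare token.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

RULES = {
    "y": "WIN-MSIEXEC-Y-SWITCH-WITHOUT-MSIEXEC-PARENT",
    "z": "WIN-MSIEXEC-Z-SWITCH-WITHOUT-MSIEXEC-PARENT",
}

# Constructed sample events (field names follow Sysmon Event ID 1; paths are invented).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # benign: the Windows Installer service spawning a child msiexec
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'"C:\Windows\System32\msiexec.exe" /y C:\Windows\System32\example.dll',
    },
    {   # suspicious: /y with a cmd.exe parent
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"msiexec /y C:\Users\Public\payload.dll",
    },
    {   # suspicious: -Z (dash form, upper case, quoted path) from PowerShell
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\SysWOW64\msiexec.exe",
        "CommandLine": r'msiexec.exe -Z "C:\Users\Public\payload.dll"',
    },
    {   # benign: ordinary interactive package install
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\alice\Downloads\setup.msi"',
    },
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line into tokens, honouring double quotes."""
    return [t.strip('"') for t in TOKEN_RE.findall(command_line)]


def msiexec_switch(event: Dict[str, str]) -> Optional[str]:
    """Return 'y' or 'z' when msiexec.exe was started with that switch by a
    parent other than msiexec.exe; None otherwise."""
    if _basename(event.get("Image", "")) != "msiexec.exe":
        return None
    # Exemption encoded in the rule: the Windows Installer service spawns
    # child msiexec processes with these switches during legitimate installs.
    if _basename(event.get("ParentImage", "")) == "msiexec.exe":
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    for tok in tokens[1:]:  # tokens[0] is the program itself
        m = SWITCH_RE.match(tok)
        if m:
            return m.group(1).lower()
    return None


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every event that fires a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        sw = msiexec_switch(ev)
        if sw is not None:
            hits.append((RULES[sw], ev.get("CommandLine", "")))
    return hits


if __name__ == "__main__":
    for rule, cmd in scan(SAMPLE_EVENTS):
        print(f"{rule}: {cmd}")
```

The switch match is deliberately exact (a token that is only `/y`, `-y`, `/z` or `-z`): msiexec's other switches such as `/i` and `/V` must not fire, and an attacker has no reason to obfuscate a switch msiexec itself parses. The parent exemption is the rule's own false-positive control, so anything that inherits an msiexec.exe parent will be missed by this check by design; pair it with the DLL path itself (user-writable directories, unsigned modules) when triaging hits.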

==================================================

CREATED: WIN-DEFEND-DISABLE-SYS-SETTINGS-ADMIN-FLOW (#2285)

Description

This detector identifies the System Settings Admin Flows utility (SystemSettingsAdminFlows.exe) being used to disable Windows Defender. Adversaries have been observed using SystemSettingsAdminFlows.exe to turn Defender off before deploying ransomware.

ATT&CK Technique T1089

==================================================

CREATED: WIN-REGMOD-ENABLE-ROAMING-FOLDER-HOME-PAGES (#2292)

Description

This detector identifies a modification of the registry value Outlook\Security\EnableRoamingFolderHomepages. The patch for Outlook CVE-2017-11774 disabled Outlook folder home pages; setting this value re-enables them, rolling back the fix and restoring a feature that can be used for code execution or persistence.

ATT&CK Technique T1112
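
To show what the registry rule above has to match on, here is the check written over registry value-set events, with the written DWORD decoded so that a hit can be triaged as a rollback (value set non-zero) rather than merely a change. This is an added example, not the vendor's detector code; the events are constructed in the shape of Sysmon Event ID 13 fields, and the user SID, Office version segment and writing images in them are made up for illustration.

```python
"""Added example (not the vendor's detector code): the
EnableRoamingFolderHomepages rule as a check over constructed Sysmon-style
registry value-set events (Event ID 13)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Suffix match so the per-user Office key and the Policies key both hit,
# whatever the Office version segment (15.0, 16.0, ...) in the path.
TARGET_SUFFIX = r"\outlook\security\enableroamingfolderhomepages"
# Sysmon renders DWORD data as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"^DWORD \((0x[0-9a-fA-F]{8})\)$")

# Constructed sample events (field names follow Sysmon Event ID 13; SID and paths are invented).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # rollback: value set to 1 by reg.exe
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\reg.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Security\EnableRoamingFolderHomepages",
        "Details": "DWORD (0x00000001)",
    },
    {   # same value written under the Policies key, set to 0
        "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Policies\Microsoft\Office\16.0\Outlook\Security\EnableRoamingFolderHomepages",
        "Details": "DWORD (0x00000000)",
    },
    {   # unrelated value under the same Outlook\Security key
        "EventType": "SetValue",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Security\PromptOOMSend",
        "Details": "DWORD (0x00000002)",
    },
]


def dword_value(details: str) -> Optional[int]:
    """Decode Sysmon's 'DWORD (0x........)' rendering; None for other types."""
    m = DWORD_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def classify(event: Dict[str, str]) -> Optional[str]:
    """Verdict for one event: 'enabled' if the value was set non-zero (home
    pages re-enabled, i.e. the CVE-2017-11774 mitigation rolled back),
    'disabled' if set to zero, 'modified' if the data is not a DWORD,
    None if the event does not touch this value."""
    if event.get("EventType") != "SetValue":
        return None
    if not event.get("TargetObject", "").lower().endswith(TARGET_SUFFIX):
        return None
    value = dword_value(event.get("Details", ""))
    if value is None:
        return "modified"
    return "enabled" if value else "disabled"


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(verdict, writing image, target object) for each matching event."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        verdict = classify(ev)
        if verdict is not None:
            hits.append((verdict, ev.get("Image", ""), ev.get("TargetObject", "")))
    return hits


if __name__ == "__main__":
    for verdict, image, target in scan(SAMPLE_EVENTS):
        print(f"{verdict:<9} {image}  {target}")
```

The suffix match is what keeps the rule version-independent and also catches the Policies path, which takes precedence over the per-user key. The writing image is carried into the hit because it is the first triage question: an Office or Group Policy process setting the value is very different from reg.exe, PowerShell or a script host doing so.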
