==================================================

CREATED: WIN-COBALTSTRIKE-CLICONFIG (#2306)

Description

This detector identifies rundll32.exe spawning cliconfg.exe, the behavior Cobalt Strike exhibits when an adversary runs the tool with its default settings.

ATT&CK Technique T1085

==================================================

CREATED: WIN-SYSTEM-BINARY-SUSP-NAME (#2307)

Description

This detector identifies suspicious process names which may be attempting to masquerade as a legitimate process.

==================================================

CREATED: WIN-SVCHOST-SPAWN-MSHTA (#2308)

Description

This detector identifies instances of the Windows Service Host process (svchost.exe) spawning instances of the Microsoft HTML Application Host (mshta.exe).

ATT&CK Technique T1170

==================================================

CREATED: WIN-FILEMOD-WINBIOPLUGINS (#2309)

Description

This detector identifies instances of binaries writing to the WinBioPlugIns directory under system32. This activity is commonly observed with the BIOLOAD malware.

ATT&CK Technique T1038

==================================================

CREATED: WIN-POSSIBLE-CRYSIS-RANSOMWARE-FILEMOD (#2322)

Description

This detector identifies filemods matching the extension pattern commonly associated with Crysis ransomware. When this detector fires, the offending process is actively encrypting the impacted files.

ATT&CK Technique T1486

==================================================

CREATED: LINUX-CF-SETUID-SETGID-RECON (#2324)

Description

This detector identifies searches for binaries with a SetUID or SetGID flag
set.

ATT&CK Technique T1083
ATT&CK Technique T1166

==================================================

CREATED: LINUX-CF-NCAT (#2325)

Description

Detects the use of ncat (https://nmap.org/ncat/), the version of netcat
from the Nmap Project.

ATT&CK Technique T1071

==================================================

CREATED: LINUX-CF-SOCAT (#2326)

Description

This detector identifies the use of socat, a tool that can be used
to create a bind shell, reverse shell, port forward, and more.

ATT&CK Technique T1090

==================================================

CREATED: LINUX-CF-3PROXY (#2327)

Description

This detector identifies the use of 3proxy, which can be utilized as a
proxy server or port forwarder for pivoting.

ATT&CK Technique T1090

==================================================

CREATED: LINUX-CF-PLINK (#2328)

Description

This detector identifies the use of plink, which can be utilized as a
proxy server or port forwarder for pivoting.

ATT&CK Technique T1090

==================================================

CREATED: LINUX-CF-JOHN-RIPPER (#2329)

Description

This detector identifies use of John The Ripper, a password cracker.

ATT&CK Technique T1110
ATT&CK Technique T1081
ATT&CK Technique T1003

==================================================

CREATED: LINUX-CF-NMAP (#2330)

Description

This detector identifies the use of nmap.

ATT&CK Technique T1018
ATT&CK Technique T1046

==================================================

CREATED: LINUX-CF-NC (#2331)

Description

This detector identifies the use of nc/netcat.

ATT&CK Technique T1105

==================================================

CREATED: LINUX-CF-DD-ERASE (#2332)

Description

This detector identifies the use of dd to erase an aspect of the drive,
whether it be the entire disk, partitions, or the master boot record.

ATT&CK Technique T1488
ATT&CK Technique T1487
ATT&CK Technique T1485
