==================================================

CREATED: LINUX-CF-ADDUSER (#2178)

This detector identifies when a new Linux user is added with root privileges.

ATT&CK Technique T1136

==================================================

CREATED: PRODUCT-OARAGE (#2294)

This detector identifies executions of programs that are part of the Oarage product. These programs are classified as Adware in the Generic category and are known to distribute various types of adware.

==================================================

CREATED: WIN-SYSTEM-BINARY-SUSP-NAME (#2307)

This detector identifies suspicious process names which may be attempting to masquerade as a legitimate process.

==================================================

CREATED: WIN-RUNDLL-COMSVCS-MINIDUMP (#2316)

This detector identifies instances of the Windows DLL launching utility Rundll32.exe dumping process memory using a built-in code library.

ATT&CK Technique T1003
ATT&CK Technique T1085

==================================================

CREATED: WIN-WINWORD-SPAWNING-MICROSCMGMT (#2334)

This detector identifies instances of Microsoft Word spawning the Java binary microscmgmt.exe. This activity is closely related to successful exploitation of CVE-2015-1641.

ATT&CK Technique T1203

==================================================

CREATED: WIN-FIND-LSASS-SEARCH (#2335)

This detector identifies the Windows binary find.exe searching for the string "lsass". This activity is typically observed when adversaries attempt to find the process ID of a running instance of lsass.exe.

ATT&CK Technique T1057

==================================================

CREATED: WIN-ICARDAGT-HAS-NETCONN (#2336)

This detector identifies instances of the Windows CardSpace User Interface Agent process (icardagt.exe) executing with network connections.

ATT&CK Technique T1093

==================================================

CREATED: WIN-POSSIBLE-SNAKE-RANSOMWARE-FILEMOD (#2344)

This detector identifies filemods matching the extension pattern associated with EKANS or Snake ransomware. The pattern appends 5 random characters to the end of the file's existing extension.

ATT&CK Technique T1486

==================================================

CREATED: LINUX-CF-PHP-SPAWNING-SHELL (#2355)

This detector identifies a network-active PHP process spawning a shell, which could be indicative of webserver exploitation, a webshell, or a backdoor.

ATT&CK Technique T1100
ATT&CK Technique T1059
