Command Line Execution with Suspicious URL and AppData Strings
Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
Read MoreDetects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
Read MoreHackTool - RedMimicry Winnti Playbook Execution
Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
Read Moredetects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
Read MoreSuspicious HWP Sub Processes
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
Read MoreAdversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
Read MoreFile Was Not Allowed To Run
Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.
Read MoreDetects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
Read More