attack.t1059.007 | Detection.FYI

JXA In-memory Execution Via OSAScript

Dec 1, 2023 · attack.t1059.002 attack.t1059.007 attack.execution ·
Share on:

Detects possible malicious execution of JXA in-memory via OSAScript

Read More
Csc.EXE Execution Form Potentially Suspicious Parent

Nov 6, 2023 · attack.execution attack.t1059.005 attack.t1059.007 attack.defense_evasion attack.t1218.005 attack.t1027.004 ·
Share on:

Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

Read More
WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Oct 28, 2023 · attack.execution attack.t1059.005 attack.t1059.007 ·
Share on:

Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript

Read More
Adwind RAT / JRAT

Oct 18, 2023 · attack.execution attack.t1059.005 attack.t1059.007 detection.emerging_threats ·
Share on:

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More
Adwind RAT / JRAT File Artifact

Oct 18, 2023 · attack.execution attack.t1059.005 attack.t1059.007 ·
Share on:

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More
Cscript/Wscript Uncommon Script Extension Execution

Oct 18, 2023 · attack.execution attack.t1059.005 attack.t1059.007 ·
Share on:

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

Read More
Potential SquiblyTwo Technique Execution

Oct 18, 2023 · attack.defense_evasion attack.t1047 attack.t1220 attack.execution attack.t1059.005 attack.t1059.007 ·
Share on:

Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Read More
Node Process Executions

Oct 17, 2023 · attack.defense_evasion attack.t1127 attack.t1059.007 ·
Share on:

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

Read More
WScript or CScript Dropper - File

Oct 17, 2023 · attack.execution attack.t1059.005 attack.t1059.007 ·
Share on:

Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe

Read More
Potential In-Memory Download And Compile Of Payloads

Aug 22, 2023 · attack.command_and_control attack.execution attack.t1059.007 attack.t1105 ·
Share on:

Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware

Read More
Adwind RAT / JRAT - Registry

Aug 17, 2023 · attack.execution attack.t1059.005 attack.t1059.007 ·
Share on:

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More
HackTool - CACTUSTORCH Remote Thread Creation

May 5, 2023 · attack.defense_evasion attack.execution attack.t1055.012 attack.t1059.005 attack.t1059.007 attack.t1218.005 ·
Share on:

Detects remote thread creation from CACTUSTORCH as described in references.

Read More
HTML Help HH.EXE Suspicious Child Process

Apr 12, 2023 · attack.defense_evasion attack.execution attack.initial_access attack.t1047 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.007 attack.t1218 attack.t1218.001 attack.t1218.010 attack.t1218.011 attack.t1566 attack.t1566.001 ·
Share on:

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More
Suspicious HH.EXE Execution

Apr 12, 2023 · attack.defense_evasion attack.execution attack.initial_access attack.t1047 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.007 attack.t1218 attack.t1218.001 attack.t1218.010 attack.t1218.011 attack.t1566 attack.t1566.001 ·
Share on:

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More
MSHTA Suspicious Execution 01

Feb 22, 2023 · attack.defense_evasion attack.t1140 attack.t1218.005 attack.execution attack.t1059.007 cve.2020.1599 ·
Share on:

Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism

Read More
Suspicious Installer Package Child Process

Feb 21, 2023 · attack.t1059 attack.t1059.007 attack.t1071 attack.t1071.001 attack.execution attack.command_and_control ·
Share on:

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

Read More
HackTool - Koadic Execution

Feb 11, 2023 · attack.execution attack.t1059.003 attack.t1059.005 attack.t1059.007 ·
Share on:

Detects command line parameters used by Koadic hack tool

Read More
WScript or CScript Dropper

Feb 1, 2023 · attack.execution attack.t1059.005 attack.t1059.007 ·
Share on:

Detects wscript/cscript executions of scripts located in user directories

Read More
File Was Not Allowed To Run

Oct 25, 2022 · attack.execution attack.t1204.002 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.006 attack.t1059.007 ·
Share on:

Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.

Read More