attack.t1087

HackTool - winPEAS Execution

Dec 4, 2023 · attack.privilege_escalation attack.t1082 attack.t1087 attack.t1046 ·

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

PUA - Seatbelt Execution

Dec 1, 2023 · attack.discovery attack.t1526 attack.t1087 attack.t1083 ·

Share on:

Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters

Suspicious Use of PsLogList

Dec 1, 2023 · attack.discovery attack.t1087 attack.t1087.001 attack.t1087.002 ·

Share on:

Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs

Chopper Webshell Process Pattern

Nov 10, 2023 · attack.persistence attack.t1505.003 attack.t1018 attack.t1033 attack.t1087 ·

Share on:

Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells

Webshell Detection With Command Line Keywords

Nov 10, 2023 · attack.persistence attack.t1505.003 attack.t1018 attack.t1033 attack.t1087 ·

Share on:

Detects certain command line parameters often used during reconnaissance activity via web shells

Webshell Hacking Activity Patterns

Nov 10, 2023 · attack.persistence attack.t1505.003 attack.t1018 attack.t1033 attack.t1087 ·

Share on:

Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system

Potential Pikabot Discovery Activity - Suspicious Process Created By Rundll32.EXE

Nov 6, 2023 · attack.discovery attack.t1016 attack.t1049 attack.t1087 detection.emerging_threats ·

Share on:

Detects the execution of rundll32 that leads to system discovery activity, such as incl. network, user info and domain groups. The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).