attack.t1204

Suspicious Execution via macOS Script Editor

Nov 2, 2023 · attack.t1566 attack.t1566.002 attack.initial_access attack.t1059 attack.t1059.002 attack.t1204 attack.t1204.001 attack.execution attack.persistence attack.t1553 attack.defense_evasion ·

Share on:

Detects when the macOS Script Editor utility spawns an unusual child process.

Antivirus Hacktool Detection

Oct 18, 2023 · attack.execution attack.t1204 ·

Share on:

Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool

Potentially Suspicious WebDAV LNK Execution

Oct 18, 2023 · attack.execution attack.t1059.001 attack.t1204 ·

Share on:

Detects possible execution via LNK file accessed on a WebDAV server.

Arbitrary Shell Command Execution Via Settingcontent-Ms

Oct 17, 2023 · attack.t1204 attack.t1566.001 attack.execution attack.initial_access ·

Share on:

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Payload Decoded and Decrypted via Built-in Utilities

Oct 17, 2023 · attack.t1059 attack.t1204 attack.execution attack.t1140 attack.defense_evasion attack.s0482 attack.s0402 ·

Share on:

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

Suspicious WebDAV LNK Execution

Aug 5, 2023 · attack.execution attack.t1059.001 attack.t1204 ·

Share on:

Detects possible execution via LNK file accessed on a WebDAV server.

DarkSide Ransomware Pattern

Jun 20, 2023 · attack.execution attack.t1204 detection.emerging_threats ·

Share on:

Detects DarkSide Ransomware and helpers

Potential Snatch Ransomware Activity

Jun 20, 2023 · attack.execution attack.t1204 detection.emerging_threats ·

Share on:

Detects specific process characteristics of Snatch ransomware word document droppers

PrinterNightmare Mimikatz Driver Name

Jun 15, 2023 · attack.execution attack.t1204 cve.2021.1675 cve.2021.34527 ·

Share on:

Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527

Suspicious User-Initiated Process Execution on External Drive (Old)

Dec 28, 2022 · attack.s0650 attack.s0483 attack.execution attack.t1059 attack.t1204 attack.t1204.002 ·

Share on:

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Suspicious User-Initiated Process Execution on External Drive (Sysmon)

Dec 28, 2022 · attack.s0650 attack.s0483 attack.execution attack.t1059 attack.t1204 attack.t1204.002 ·

Share on:

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Suspicious Command Line Indicating BlackCat Execution

Dec 6, 2022 · attack.execution attack.t1059 attack.t1204 ·

Share on:

Detects process execution with the --access-token flag accompanied by a 64-character alphanumeric string in the space-delimited command-line arguments..

Suspicious Command Line Indicating BlackCat Execution with Get UUID Option

Dec 6, 2022 · attack.execution attack.t1059 attack.t1204 ·

Share on:

Detects process execution with the --access-token flag accompanied by a child process with a 'get uuid' option.