attack.t1547

Startup/Logon Script Added to Group Policy Object

Sep 6, 2024 · attack.privilege-escalation attack.t1484.001 attack.t1547 ·

Share on:

Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.

Atbroker Registry Change

Aug 12, 2024 · attack.defense-evasion attack.t1218 attack.persistence attack.t1547 ·

Share on:

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Potential RipZip Attack on Startup Folder

Aug 12, 2024 · attack.persistence attack.t1547 ·

Share on:

Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.

Registry Persistence Mechanisms in Recycle Bin

Aug 12, 2024 · attack.persistence attack.t1547 ·

Share on:

Detects persistence registry keys for Recycle Bin

Suspicious Driver Install by pnputil.exe

Aug 12, 2024 · attack.persistence attack.t1547 ·

Share on:

Detects when a possible suspicious driver is being installed via pnputil.exe lolbin

Suspicious GrpConv Execution

Aug 12, 2024 · attack.persistence attack.t1547 ·

Share on:

Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors

WINEKEY Registry Modification

Aug 12, 2024 · attack.persistence attack.t1547 ·

Share on:

Detects potential malicious modification of run keys by winekey or team9 backdoor

Non-depmod Process Modifying modules.dep

Mar 26, 2024 · attack.persistence attack.privilege_escalation attack.t1547 attack.t1547.006 ·

Share on:

Detects unusual process modifying the modules.dep file. The modules.dep and modules.dep.bin files should only be modified by the depmod utility. Part of the RedCanary 2024 Threat Detection Report.

PowerShell Startup Folder Persistence

Mar 26, 2024 · attack.persistence attack.privilege_escalation attack.t1547 attack.t1547.001 ·

Share on:

Yellow Cockatoo Windows Startup folder for persistence. Not unique to Yellow Cockatoo, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL. Part of the RedCanary 2024 Threat Detection Report.

Shells Modifying Files in Known Linux Kernel Modules Directories

Mar 26, 2024 · attack.persistence attack.privilege_escalation attack.t1547 attack.t1547.006 ·

Share on:

Detects configuration files being written to specific directories that are searched when looking for loadable Linux Kernel Modules (LKM). Part of the RedCanary 2024 Threat Detection Report.

Systemd Loading a Linux Kernel Module Using insmod

Mar 26, 2024 · attack.persistence attack.privilege_escalation attack.t1547 attack.t1547.006 ·

Share on:

Detects the systemd process running commands that would load a Linux Kernel Modules. Part of the RedCanary 2024 Threat Detection Report.

Systemd Loading a Linux Kernel Module Using modprobe

Mar 26, 2024 · attack.persistence attack.privilege_escalation attack.t1547 attack.t1547.006 ·

Share on:

Detects the systemd process loading a Linux Kernel Modules using modprobe. Part of the RedCanary 2024 Threat Detection Report.

Suspicious Fsutil Execution Allowing Remote Connections

Dec 6, 2022 · attack.persistence attack.t1547 ·

Share on:

Detects the use of fsutil to permit additional types of symbolic links on a computer. These can be used to enable ransomware to follow shortcusts to find all files it wants to encrypt.