attack.t1548

Credential Dumping Attempt Via Svchost

Dec 4, 2023 · attack.t1548 ·

Share on:

Detects when a process tries to access the memory of svchost to potentially dump credentials.

Abused Debug Privilege by Arbitrary Parent Processes

Oct 18, 2023 · attack.privilege_escalation attack.t1548 ·

Share on:

Detection of unusual child processes by different system processes

CA Policy Removed by Non Approved Actor

Oct 17, 2023 · attack.defense_evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

CA Policy Updated by Non Approved Actor

Oct 17, 2023 · attack.defense_evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

New CA Policy by Non-approved Actor

Oct 17, 2023 · attack.defense_evasion attack.t1548 ·

Share on:

Monitor and alert on conditional access changes.

UAC Bypass via Windows Firewall Snap-In Hijack

Oct 17, 2023 · attack.privilege_escalation attack.t1548 ·

Share on:

Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in

User Added To Group With CA Policy Modification Access

Oct 17, 2023 · attack.defense_evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on group membership additions of groups that have CA policy modification access

User Removed From Group With CA Policy Modification Access

Oct 17, 2023 · attack.defense_evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on group membership removal of groups that have CA policy modification access

AWS STS AssumeRole Misuse

Oct 12, 2023 · attack.lateral_movement attack.privilege_escalation attack.t1548 attack.t1550 attack.t1550.001 ·

Share on:

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

AWS STS GetSessionToken Misuse

Oct 12, 2023 · attack.lateral_movement attack.privilege_escalation attack.t1548 attack.t1550 attack.t1550.001 ·

Share on:

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

AWS Suspicious SAML Activity

Oct 12, 2023 · attack.initial_access attack.t1078 attack.lateral_movement attack.t1548 attack.privilege_escalation attack.t1550 attack.t1550.001 ·

Share on:

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

COM Hijack via Sdclt

Oct 4, 2023 · attack.privilege_escalation attack.t1546 attack.t1548 ·

Share on:

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

Vulnerable Netlogon Secure Channel Connection Allowed

Apr 14, 2023 · attack.privilege_escalation attack.t1548 ·

Share on:

Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.

Regedit as Trusted Installer

Feb 21, 2023 · attack.privilege_escalation attack.t1548 ·

Share on:

Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe

SCM Database Privileged Operation

Feb 7, 2023 · attack.privilege_escalation attack.t1548 ·

Share on:

Detects non-system users performing privileged operation os the SCM database

Linux Doas Conf File Creation

Dec 31, 2022 · attack.privilege_escalation attack.t1548 ·

Share on:

Detects the creation of doas.conf file in linux host platform.

Linux Capabilities Discovery

Dec 27, 2022 · attack.collection attack.privilege_escalation attack.t1123 attack.t1548 ·

Share on:

Detects attempts to discover the files with setuid/setgid capability on them. That would allow adversary to escalate their privileges.

Linux Doas Tool Execution

Sep 16, 2022 · attack.privilege_escalation attack.t1548 ·

Share on:

Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does.