Detects DLL files dropped in System32 that may be used to retrieve user credentials from LSASS
Potential Suspicious Activity Using SeCEdit
Mar 5, 2023 · attack.discovery attack.persistence attack.defense_evasion attack.credential_access attack.privilege_escalation attack.t1562.002 attack.t1547.001 attack.t1505.005 attack.t1556.002 attack.t1562 attack.t1574.007 attack.t1564.002 attack.t1546.008 attack.t1546.007 attack.t1547.014 attack.t1547.010 attack.t1547.002 attack.t1557 attack.t1082 · Detects potentially suspicious behaviour using secedit.exe, such as exporting or modifying the security policy
Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"