attack.t1562

Sysmon Crash
Apr 14, 2023 · attack.defense_evasion attack.t1562 ·
Share on:
Detects application popup reporting a failure of the Sysmon service

Read More
Terminate Linux Process Via Kill
Mar 20, 2023 · attack.defense_evasion attack.t1562 ·
Share on:
Detects usage of command line tools such as "kill", "pkill" or "killall" to terminate or signal a running process.

Read More
Filter Driver Unloaded Via Fltmc.EXE
Mar 14, 2023 · attack.defense_evasion attack.t1070 attack.t1562 attack.t1562.002 ·
Share on:
Detect filter driver unloading activity via fltmc.exe

Read More
Potential Suspicious Activity Using SeCEdit
Mar 5, 2023 · attack.discovery attack.persistence attack.defense_evasion attack.credential_access attack.privilege_escalation attack.t1562.002 attack.t1547.001 attack.t1505.005 attack.t1556.002 attack.t1562 attack.t1574.007 attack.t1564.002 attack.t1546.008 attack.t1546.007 attack.t1547.014 attack.t1547.010 attack.t1547.002 attack.t1557 attack.t1082 ·
Share on:
Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

Read More
Write Protect For Storage Disabled
Mar 5, 2023 · attack.defense_evasion attack.t1562 ·
Share on:
Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.

Read More
ETW Logging Tamper In .NET Processes
Feb 21, 2023 · attack.defense_evasion attack.t1562 ·
Share on:
Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More
Sysmon Driver Unloaded Via Fltmc.EXE
Feb 16, 2023 · attack.defense_evasion attack.t1070 attack.t1562 attack.t1562.002 ·
Share on:
Detects possible Sysmon filter driver unloaded via fltmc.exe

Read More
Windows Firewall Disabled via PowerShell
Feb 13, 2023 · attack.defense_evasion attack.t1562 ·
Share on:
Detects attempts to disable the Windows Firewall using PowerShell

Read More
Removal Of Index Value to Hide Schedule Task - Registry
Feb 9, 2023 · attack.defense_evasion attack.t1562 ·
Share on:
Detects when the "index" value of a scheduled task is removed or deleted from the registry. Which effectively hides it from any tooling such as "schtasks /query"

Read More
Removal Of SD Value to Hide Schedule Task - Registry
Feb 9, 2023 · attack.defense_evasion attack.t1562 ·
Share on:
Remove SD (Security Descriptor) value in \Schedule\TaskCache\Tree registry hive to hide schedule task. This technique is used by Tarrask malware

Read More
ETW Logging Disabled For rpcrt4.dll
Feb 1, 2023 · attack.defense_evasion attack.t1112 attack.t1562 ·
Share on:
Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll

Read More
ETW Logging Disabled For SCM
Feb 1, 2023 · attack.defense_evasion attack.t1112 attack.t1562 ·
Share on:
Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)

Read More
Hide Schedule Task Via Index Value Tamper
Feb 1, 2023 · attack.defense_evasion attack.t1562 ·
Share on:
Detects when the "index" value of a scheduled task is modified from the registry Which effectively hides it from any tooling such as "schtasks /query" (Read the referenced link for more information about the effects of this technique)

Read More
Windows Defender Exclusions Added - PowerShell
Jan 4, 2023 · attack.defense_evasion attack.t1562 attack.execution attack.t1059 ·
Share on:
Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions

Read More
ETW Logging Disabled In .NET Processes - Registry
Dec 20, 2022 · attack.defense_evasion attack.t1112 attack.t1562 ·
Share on:
Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More
ETW Logging Disabled In .NET Processes - Sysmon Registry
Dec 9, 2022 · attack.defense_evasion attack.t1112 attack.t1562 ·
Share on:
Potential adversaries stopping ETW providers recording loaded .NET assemblies.

Read More
AWS SecurityHub Findings Evasion
Oct 25, 2022 · attack.defense_evasion attack.t1562 ·
Share on:
Detects the modification of the findings on SecurityHub.

Read More
Azure Kubernetes Events Deleted
Oct 25, 2022 · attack.defense_evasion attack.t1562 attack.t1562.001 ·
Share on:
Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

Read More
Google Cloud Firewall Modified or Deleted
Oct 9, 2022 · attack.defense_evasion attack.t1562 ·
Share on:
Detects when a firewall rule is modified or deleted in Google Cloud Platform (GCP).

Read More