attack.t1566.001

Disk Image Mounting Via Hdiutil - MacOS

May 20, 2025 · attack.initial-access attack.collection attack.t1566.001 attack.t1560.001 ·

Detects the execution of the hdiutil utility in order to mount disk images.

Arbitrary Shell Command Execution Via Settingcontent-Ms

Aug 12, 2024 · attack.t1204 attack.t1566.001 attack.execution attack.initial-access ·

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Droppers Exploiting CVE-2017-11882

Aug 12, 2024 · attack.execution attack.t1203 attack.t1204.002 attack.initial-access attack.t1566.001 cve.2017-11882 detection.emerging-threats ·

Share on:

Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

Exploit for CVE-2017-0261

Aug 12, 2024 · attack.execution attack.t1203 attack.t1204.002 attack.initial-access attack.t1566.001 cve.2017-0261 detection.emerging-threats ·

Share on:

Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262

Exploit for CVE-2017-8759

Aug 12, 2024 · attack.execution attack.t1203 attack.t1204.002 attack.initial-access attack.t1566.001 cve.2017-8759 detection.emerging-threats ·

Share on:

Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759

HTML Help HH.EXE Suspicious Child Process

Aug 12, 2024 · attack.defense-evasion attack.execution attack.initial-access attack.t1047 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.007 attack.t1218 attack.t1218.001 attack.t1218.010 attack.t1218.011 attack.t1566 attack.t1566.001 ·

Share on:

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

ISO File Created Within Temp Folders

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·

Share on:

Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.

ISO Image Mounted

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·

Share on:

Detects the mount of an ISO image on an endpoint

ISO or Image Mount Indicator in Recent Files

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·

Share on:

Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.

Office Macro File Creation

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·

Share on:

Detects the creation of a new office macro files on the systems

Office Macro File Creation From Suspicious Process

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·

Share on:

Detects the creation of a office macro file from a a suspicious process

Office Macro File Download

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·

Share on:

Detects the creation of a new office macro files on the systems via an application (browser, mail client).

Password Protected ZIP File Opened (Email Attachment)

Aug 12, 2024 · attack.defense-evasion attack.initial-access attack.t1027 attack.t1566.001 ·

Share on:

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Potential Initial Access via DLL Search Order Hijacking

Aug 12, 2024 · attack.t1566 attack.t1566.001 attack.initial-access attack.t1574 attack.t1574.001 attack.defense-evasion ·

Share on:

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

Suspicious Double Extension File Execution

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·

Share on:

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns

Suspicious Execution From Outlook Temporary Folder

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·

Share on:

Detects a suspicious program execution in Outlook temp folder

Suspicious HH.EXE Execution

Aug 12, 2024 · attack.defense-evasion attack.execution attack.initial-access attack.t1047 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.007 attack.t1218 attack.t1218.001 attack.t1218.010 attack.t1218.011 attack.t1566 attack.t1566.001 ·

Share on:

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Suspicious HWP Sub Processes

Aug 12, 2024 · attack.initial-access attack.t1566.001 attack.execution attack.t1203 attack.t1059.003 attack.g0032 ·

Share on:

Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation

Suspicious Microsoft OneNote Child Process

Aug 12, 2024 · attack.t1566 attack.t1566.001 attack.initial-access ·

Share on:

Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.

Ursnif Malware C2 URL Pattern

Aug 12, 2024 · attack.initial-access attack.t1566.001 attack.execution attack.t1204.002 attack.command-and-control attack.t1071.001 ·

Share on:

Detects Ursnif C2 traffic.

Windows Registry Trust Record Modification

Aug 12, 2024 · attack.initial-access attack.t1566.001 ·

Share on:

Alerts on trust record modification within the registry, indicating usage of macros