attack.t1566.001

ISO or Image Mount Indicator in Recent Files

Aug 28, 2023 · attack.initial_access attack.t1566.001 ·

Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.

Password Protected ZIP File Opened (Email Attachment)

Aug 28, 2023 · attack.defense_evasion attack.initial_access attack.t1027 attack.t1566.001 ·

Share on:

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Windows Registry Trust Record Modification

Jul 13, 2023 · attack.initial_access attack.t1566.001 ·

Share on:

Alerts on trust record modification within the registry, indicating usage of macros

ISO Image Mount

Jun 22, 2023 · attack.initial_access attack.t1566.001 ·

Share on:

Detects the mount of ISO images on an endpoint

ISO File Created Within Temp Folders

Jun 22, 2023 · attack.initial_access attack.t1566.001 ·

Share on:

Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.

Droppers Exploiting CVE-2017-11882

Jun 20, 2023 · attack.execution attack.t1203 attack.t1204.002 attack.initial_access attack.t1566.001 cve.2017.11882 detection.emerging_threats ·

Share on:

Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe

Exploit for CVE-2017-0261

Jun 20, 2023 · attack.execution attack.t1203 attack.t1204.002 attack.initial_access attack.t1566.001 cve.2017.0261 detection.emerging_threats ·

Share on:

Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262

Exploit for CVE-2017-8759

Jun 20, 2023 · attack.execution attack.t1203 attack.t1204.002 attack.initial_access attack.t1566.001 cve.2017.8759 detection.emerging_threats ·

Share on:

Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759

Office Macro File Download

Apr 18, 2023 · attack.initial_access attack.t1566.001 ·

Share on:

Detects the creation of a new office macro files on the systems via an application (browser, mail client).

HTML Help HH.EXE Suspicious Child Process

Apr 12, 2023 · attack.defense_evasion attack.execution attack.initial_access attack.t1047 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.007 attack.t1218 attack.t1218.001 attack.t1218.010 attack.t1218.011 attack.t1566 attack.t1566.001 ·

Share on:

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Suspicious HH.EXE Execution

Apr 12, 2023 · attack.defense_evasion attack.execution attack.initial_access attack.t1047 attack.t1059.001 attack.t1059.003 attack.t1059.005 attack.t1059.007 attack.t1218 attack.t1218.001 attack.t1218.010 attack.t1218.011 attack.t1566 attack.t1566.001 ·

Share on:

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Arbitrary Shell Command Execution Via Settingcontent-Ms

Mar 5, 2023 · attack.t1204 attack.t1566.001 attack.execution attack.initial_access ·

Share on:

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Execution in Outlook Temp Folder

Mar 2, 2023 · attack.initial_access attack.t1566.001 ·

Share on:

Detects a suspicious program execution in Outlook temp folder

Suspicious Double Extension File Execution

Feb 28, 2023 · attack.initial_access attack.t1566.001 ·

Share on:

Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns

Office Macro File Creation

Feb 24, 2023 · attack.initial_access attack.t1566.001 ·

Share on:

Detects the creation of a new office macro files on the systems

Office Macro File Creation From Suspicious Process

Feb 24, 2023 · attack.initial_access attack.t1566.001 ·

Share on:

Detects the creation of a office macro file from a a suspicious process

Suspicious Microsoft OneNote Child Process

Feb 10, 2023 · attack.t1566 attack.t1566.001 attack.initial_access ·

Share on:

Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.

Suspicious HWP Sub Processes

Feb 1, 2023 · attack.initial_access attack.t1566.001 attack.execution attack.t1203 attack.t1059.003 attack.g0032 ·

Share on:

Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation

Ursnif Malware C2 URL Pattern

Jan 31, 2023 · attack.initial_access attack.t1566.001 attack.execution attack.t1204.002 attack.command_and_control attack.t1071.001 ·

Share on:

Detects Ursnif C2 traffic.

ISO Image Mount

Dec 28, 2022 · attack.initial_access attack.t1566.001 ·

Share on:

Detects the mount of ISO images on an endpoint

Potential Initial Access via DLL Search Order Hijacking

Oct 28, 2022 · attack.t1566 attack.t1566.001 attack.initial_access attack.t1574 attack.t1574.001 attack.defense_evasion ·

Share on:

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.