car.2013-05-009

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Aug 12, 2024 · attack.defense-evasion attack.t1036.003 car.2013-05-009 ·

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Potential LSASS Process Dump Via Procdump

Aug 12, 2024 · attack.defense-evasion attack.t1036 attack.credential-access attack.t1003.001 car.2013-05-009 ·

Share on:

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Process Memory Dump Via Comsvcs.DLL

Aug 12, 2024 · attack.defense-evasion attack.credential-access attack.t1036 attack.t1003.001 car.2013-05-009 ·

Share on:

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Ps.exe Renamed SysInternals Tool

Aug 12, 2024 · attack.defense-evasion attack.g0035 attack.t1036.003 car.2013-05-009 detection.emerging-threats ·

Share on:

Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report