Briefs

Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications such as Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird.

Adversaries may abuse Windows mandatory profiles by dropping a malicious NTUSER.MAN file containing pre-populated persistence-related registry keys to establish persistence, which can evade traditional registry-based monitoring.

This rule detects registry modifications indicative of privilege escalation and persistence attempts by adversaries abusing port monitors and print processors to execute malicious DLLs with SYSTEM privileges on Windows systems.

This rule detects PowerShell scripts heavily obfuscated with whitespace and special characters, often used to evade static analysis and AMSI, by identifying scripts with low symbol diversity and a high proportion of whitespace and special characters.

Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library, often used by threat actors like APT29 (via WinELOADER) to load malicious payloads under the guise of legitimate applications, leading to defense evasion, persistence, and privilege escalation.

Adversaries may masquerade malicious processes as legitimate Windows Error Reporting processes (WerFault.exe or Wermgr.exe) to evade detection by establishing network connections without arguments, thus blending into normal system activity.

This brief detects PowerShell scripts that reference MiniDumpWriteDump or full-memory minidump types, potentially used to capture process memory from credential-bearing processes like LSASS.

Detects PowerShell scripts using character array reconstruction to hide commands, URLs, or payloads, evading static analysis and AMSI.

This rule detects PowerShell scripts employing string concatenation to evade static analysis and AMSI by fragmenting keywords or URLs at runtime.

This brief details detection of PowerShell scripts leveraging P/Invoke API calls to perform process injection, covering techniques like self-injection, remote thread injection, APC injection, thread-context hijacking, process hollowing, section-map injection, reflective DLL loading, and DLL injection.

PowerShell scripts employing .NET cryptography APIs are used to encrypt data for impact or decrypt payloads for defense evasion.

Adversaries employ token obfuscation techniques within PowerShell commands to evade detection by security tools, leveraging methods such as character insertion, string concatenation, and environment variable manipulation to mask their malicious intent.

Attackers are using PowerShell commands with specific Set-MpPreference parameters to disable Windows Defender's real-time behavior monitoring, a common tactic for malware to evade detection and persist on compromised systems.

Attackers are abusing the legitimate Windows Print.exe utility to copy sensitive files like NTDS.DIT and SAM in order to extract credentials, enabling local or remote credential access.

An adversary disables Privileged Identity Management (PIM) alerts in Azure to evade detection and maintain persistent access with escalated privileges.

This rule identifies the creation of a process impersonating the token of another user logon session on Windows, potentially indicating privilege escalation.

The rule identifies the use of PsExec.exe making a network connection, indicative of potential lateral movement by adversaries executing commands with SYSTEM privileges on Windows systems to disable defenses.

A path traversal vulnerability exists in pygeoapi versions 0.23.0 to 0.23.2 within the STAC FileSystemProvider plugin, allowing unauthenticated access to directories when deployed without a URL-normalizing proxy.

pygeoapi versions 0.23.0 to 0.23.2 contain an unauthenticated server-side request forgery (SSRF) vulnerability where OGC API process execution requests can use the subscriber object to make requests to internal HTTP services, which is resolved in version 0.23.3 by disabling internal requests by default.

pyp2spec before 0.14.1 is vulnerable to code injection by writing PyPI package metadata into generated spec files without escaping RPM macro directives, allowing malicious packages to execute arbitrary commands on the build machine.

Detection of adversaries deleting the Raccine Rules Updater scheduled task via `schtasks.exe` to disable the ransomware protection tool, potentially leading to data encryption and loss.

This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files opened by a victim to leak NTLM credentials via forced authentication using rundll32.exe.

An adversary may enable Remote Desktop Protocol (RDP) access by modifying the `fDenyTSConnections` registry key, potentially indicating lateral movement preparation or defense evasion.

Detection of registry modifications related to AppCert DLLs, a persistence mechanism where malicious DLLs are loaded by every process using common API functions.

Modification of the AppInit DLLs registry keys on Windows systems allows attackers to execute code in every process that loads user32.dll, establishing persistence and potentially escalating privileges.

Detection of regsvr32.exe being used with the silent and DLL install parameter to load a DLL, a technique used by RATs like Remcos and njRAT to execute arbitrary code.

This rule detects remote file copy attempts to hidden network shares, which may indicate lateral movement or data staging activity, by identifying suspicious file copy operations using command-line tools like cmd.exe and powershell.exe focused on hidden share patterns.

The desktopimgdownldr utility can be abused to download remote files, potentially bypassing standard download restrictions and acting as an alternative to certutil for malware or tool deployment.

Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect, potentially indicating abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.

The creation of scheduled tasks from a remote source via RPC, where the RpcCallClientLocality and ClientProcessId are 0, indicates potential adversary lateral movement within a Windows environment.