Product

Elastic Endpoint Security

5 briefs RSS

GenAI Tools Accessing Sensitive Files for Credential Access and Persistence

This threat brief details the detection of GenAI tools accessing sensitive files containing credentials, SSH keys, browser data, and shell configurations, indicating potential credential harvesting and persistence attempts by attackers leveraging GenAI agents.

Elastic Endpoint Security genai credential-access persistence collection

2r 4t 2d ago

high advisory

AMSI Enable Registry Key Modification for Defense Evasion

2 rules 1 TTP

Adversaries modify the AmsiEnable registry key to 0 to disable Windows Script AMSI scanning, bypassing AMSI protections for Windows Script Host or JScript execution.

Microsoft Defender XDR +4 defense-evasion amsi registry windows

2r 1t Jan 27, 2024

medium advisory

PowerShell Script with Encryption/Decryption Capabilities

2 rules 3 TTPs

PowerShell scripts employing .NET cryptography APIs are used to encrypt data for impact or decrypt payloads for defense evasion.

Elastic Endpoint Security +1 powershell encryption defense-evasion windows

2r 3t Jan 3, 2024

medium advisory

Persistence via WMI Event Subscription

2 rules 2 TTPs

Adversaries can leverage Windows Management Instrumentation (WMI) to establish persistence by creating event subscriptions that trigger malicious code execution when specific events occur, using tools like wmic.exe to create event consumers.

Microsoft Defender XDR +7 persistence execution windows wmi

2r 2t Jan 3, 2024

high advisory

Detection of Kali Linux Installation or Usage via Windows Subsystem for Linux (WSL)

2 rules 1 TTP

Adversaries may attempt to install or use Kali Linux via Windows Subsystem for Linux (WSL) to avoid detection, potentially enabling them to perform malicious activities within a Windows environment while blending in with legitimate WSL usage.

Windows Subsystem for Linux +4 defense-evasion windows wsl kalilinux

2r 1t Jan 2, 2024