Tag
Service Reconnaissance via WMIC.exe
2 rules 1 TTPAdversaries use WMIC.exe to enumerate running services on remote devices, potentially identifying valuable targets or misconfigured systems.
Detection of Python One-Liners with Base64 Decoding
2 rules 2 TTPsThis brief outlines a method to detect malicious use of Python one-liners employing base64 decoding to execute obfuscated payloads, a common tactic for evading traditional security measures.
Suspicious Script Interpreter Execution from Environment Variable Folders
2 rules 1 TTPAdversaries may execute script interpreters such as cscript, wscript, mshta, or powershell from suspicious directories accessible via environment variables to evade detection and execute malicious scripts.
Service Startup Type Modification via WMIC
2 rules 2 TTPsAdversaries use the Windows Management Instrumentation Command-line (WMIC) utility to modify the startup type of services, setting them to 'Manual' or 'Disabled' to impair defenses or disrupt system operations.
Detection of Important Scheduled Task Deletion or Disablement
2 rules 1 TTPAdversaries delete or disable critical scheduled tasks, such as those related to system restore, Windows Defender, BitLocker, Windows Backup, or Windows Update, to disrupt operations and potentially conduct data destructive activities.
PowerShell Loading .NET Assemblies via Reflection
2 rules 1 TTPThis analytic detects PowerShell scripts leveraging .NET reflection to load assemblies into memory, a technique commonly used by threat actors to bypass defenses and execute malicious code.
Suspicious CSC.exe Parent Process
3 rules 3 TTPsThe Csc.exe (C# compiler) process is being launched by unusual parent processes or from suspicious locations, indicating potential malware execution or defense evasion.