Living-Off-the-Land

Detection of PowerShell execution initiated via Crowdstrike Real Time Response (RTR) 'runscript' command, potentially indicating malicious actors leveraging compromised Crowdstrike Dashboard access to execute commands on remote hosts using encoded commands.

The analytic identifies instances where wmiprvse.exe spawns msbuild.exe, an unusual process relationship indicative of potential COM object misuse and unauthorized code execution on Windows systems.

Detection of msbuild.exe execution from a non-standard path, indicating potential attempts to evade detection and execute malicious code.

The use of Microsoft Workflow Compiler (microsoft.workflow.compiler.exe), a rarely utilized executable typically found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319, can indicate malicious intent such as code execution or persistence mechanisms, potentially leading to unauthorized access.

Detection of the renaming of microsoft.workflow.compiler.exe, a technique used by attackers to evade security controls and potentially execute arbitrary code for privilege escalation or persistence.

Detection of netsh.exe execution by unusual processes indicative of potential malicious activity, including persistence and network configuration changes by threat actors.