Vendor

McAfee

4 briefs RSS

Potential Evasion via Windows Filtering Platform Blocking Security Software

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.

Windows Filtering Platform +2 defense-evasion windows-filtering-platform endpoint-security

2r 2t 7h ago

high advisory

Suspicious Registry Hive Access via RegBack

2 rules 1 TTP

This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.

Endpoint Defense +6 credential-access regback windows

2r 1t Jul 2, 2024

high advisory

Windows Service Security Descriptor Tampering via sc.exe

2 rules 2 TTPs

Adversaries may modify service security descriptors to deny access to specific groups, potentially escalating privileges and hindering security services, by using sc.exe to set new deny ACEs (Access Control Entries) on Windows services.

Splunk Enterprise +2 defense-evasion privilege-escalation windows

2r 2t Jan 3, 2024

medium advisory

LSASS Loading Suspicious DLL

2 rules 2 TTPs 9 IOCs

Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.

Windows credential-access lsass dll-injection

2r 2t 9i Jan 3, 2024