McAfee

Talos has begun tracking phone numbers in emails as indicators of compromise, revealing insights into their reuse in scam campaigns where attackers use API-driven VoIP services for cost-effective operations, rotating phone number blocks to evade security filters, and maximizing reach by recycling numbers across diverse lures.

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.

This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.

Adversaries may modify service security descriptors to deny access to specific groups, potentially escalating privileges and hindering security services, by using sc.exe to set new deny ACEs (Access Control Entries) on Windows services.

Detection of unsigned or untrusted DLLs being loaded into the LSASS process, which is indicative of credential access attempts by adversaries aiming to steal sensitive information such as user passwords.

Attackers can modify the Windows registry via AppLocker to block the execution of security software, potentially disabling defenses and allowing further malicious activities.

Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.