Vendor
low
advisory
Account Discovery Command via SYSTEM Account
3 rules, 3 TTPs
The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.
Elastic Defend +5
discovery
privilege-escalation
windows
medium
advisory
Suspicious SolarWinds Child Process Execution
2 rules, 2 TTPs
Unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.
Elastic Defend +3
supply-chain
execution
solarwinds
medium
advisory
SolarWinds Process Disabling Services via Registry Modification
2 rules, 3 TTPs
A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.
Microsoft Defender XDR +1
solarwinds
defense-evasion
registry-modification
supply-chain