EXPLORE DETECTIONS

3,270 detections found

Suspicious Rundll32 Execution With Image Extension

Detects the execution of Rundll32.exe with DLL files masquerading as image files

T1218.011
Sigma high

Suspicious Rundll32 Invoking Inline VBScript

Detects a suspicious rundll32 process based on a command line that invokes inline VBScript, as seen used by UNC2452

T1055
Sigma high

Suspicious Rundll32 Setupapi.dll Activity

The setupapi.dll library provides the InstallHinfSection function for processing INF files. An INF file may contain instructions that create registry values, modify files and install drivers. This technique could be used to obtain persistence by modifying one of the Run or RunOnce registry keys, running a process or chaining calls to other DLLs (see references). The InstallHinfSection function in setupapi.dll calls the runonce.exe executable regardless of the actual content of the INF file.

T1218.011
Sigma medium

Suspicious Runscripthelper.exe

Detects execution of PowerShell scripts via Runscripthelper.exe

T1059, T1202
Sigma medium

Suspicious Scan Loop Network

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system

T1059, T1018
Sigma medium

Suspicious Scheduled Task Creation

Detects suspicious scheduled task creation events, based on attributes such as paths, command-line flags, etc.

T1053.005
Sigma high

Suspicious Scheduled Task Creation Involving Temp Folder

Detects the creation of scheduled tasks that involves a temporary folder and runs only once

T1053.005
Sigma high

Suspicious Scheduled Task Creation via Masqueraded XML File

Detects the creation of a scheduled task using the "-XML" flag with a file that lacks the '.xml' extension. This behavior could be indicative of a defense evasion attempt during persistence

T1036.005, T1053.005
Sigma medium

Suspicious Scheduled Task Name As GUID

Detects creation of a scheduled task with a GUID-like name

T1053.005
Sigma medium

Suspicious Scheduled Task Update

Detects an update to a scheduled task event that contains suspicious keywords.

T1053.005
Sigma high

Suspicious Scheduled Task Write to System32 Tasks

Detects the creation of tasks from processes executed from suspicious locations

T1053
Sigma high

Suspicious Schtasks Execution AppData Folder

Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local

T1053.005, T1059.001
Sigma high

Suspicious Schtasks Schedule Type With High Privileges

Detects scheduled task creation or modification to be run with high privileges on a suspicious schedule type

T1053.005
Sigma medium

Suspicious Schtasks Schedule Types

Detects scheduled task creation or modification on a suspicious schedule type

T1053.005
Sigma high

Suspicious ScreenSave Change by Reg.exe

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension

T1546.002
Sigma medium

Suspicious Screensaver Binary File Creation

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension

T1546.002
Sigma medium

Suspicious Scripting in a WMI Consumer

Detects suspicious commands related to scripting/PowerShell in WMI Event Consumers

T1059.005
Sigma high

Suspicious Serv-U Process Pattern

Detects a suspicious process pattern which could be a sign of an exploited Serv-U service

T1555
Sigma high

Suspicious Service Binary Directory

Detects a service binary running in a suspicious directory

T1202
Sigma high

Suspicious Service DACL Modification Via Set-Service Cmdlet

Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available in PowerShell 7) that can be used to hide services or make them unstoppable

T1543.003
Sigma high

Suspicious Service DACL Modification Via Set-Service Cmdlet - PS

Detects usage of the "Set-Service" PowerShell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service", etc. (works only in PowerShell 7)

T1574.011
Sigma high

Suspicious Service Installation

Detects suspicious service installation commands

T1543.003
Sigma high

Suspicious Service Installation Script

Detects suspicious service installation scripts

T1543.003
Sigma high

Suspicious Service Installed

Detects installation of the NalDrv or PROCEXP152 services via registry keys pointing to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU)

T1562.001
Sigma medium