Windows Credentials from Password Stores Chrome Login Data Access: endpointEndpointrisk_score:492024-11-28version:5
The following analytic identifies non-Chrome processes accessing the Chrome user data file "login data." This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.
Windows Credentials from Password Stores Chrome Extension Access: endpointEndpointrisk_score:252024-11-28version:4
The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.
Windows Credentials from Password Stores Chrome LocalState Access: endpointEndpointrisk_score:252024-11-28version:5
The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.
Process Creating LNK file in Suspicious Location: networkEndpointrisk_score:632024-09-30version:8
The following analytic detects a process creating a `.lnk` file in suspicious locations such as `C:\User*` or `*\Local\Temp\*`. It leverages filesystem and process activity data from the Endpoint data model to identify this behavior. This activity is significant because creating `.lnk` files in these directories is a common tactic used by spear phishing tools to establish persistence or execute malicious payloads. If confirmed malicious, this could allow an attacker to maintain persistence, execute arbitrary code, or further compromise the system.
Suspicious Process File Path: endpointEndpointrisk_score:352024-11-28version:5
The following analytic identifies processes running from file paths not typically associated with legitimate software. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific process paths within the Endpoint data model. This activity is significant because adversaries often use unconventional file paths to execute malicious code without requiring administrative privileges. If confirmed malicious, this behavior could indicate an attempt to bypass security controls, leading to unauthorized software execution, potential system compromise, and further malicious activities within the environment.
Detect Outlook exe writing a zip file: networkEndpointrisk_score:252024-11-28version:8
The following analytic identifies the execution of `outlook.exe` writing a `.zip` file to the disk. It leverages data from the Endpoint data model, specifically monitoring process and filesystem activities. This behavior is significant as it may indicate the use of Outlook to deliver malicious payloads or exfiltrate data via compressed files. If confirmed malicious, this activity could lead to unauthorized data access, data exfiltration, or the delivery of malware, potentially compromising the security of the affected system and network.
Executables Or Script Creation In Suspicious Path: endpointEndpointrisk_score:202024-11-28version:5
The following analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is significant as adversaries often use these paths to evade detection and maintain persistence. If confirmed malicious, this behavior could allow attackers to execute unauthorized code, escalate privileges, or persist within the environment, posing a significant security threat.
WinEvent Windows Task Scheduler Event Action Started: endpointEndpointrisk_score:802024-10-24version:5
The following analytic detects the execution of tasks registered in Windows Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify potentially suspicious or unauthorized task executions. Monitoring these events is significant for a SOC as it helps uncover evasive techniques used for persistence, unauthorized code execution, or other malicious activities. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or the execution of harmful payloads, posing a significant threat to the environment.
Windows Files and Dirs Access Rights Modification Via Icacls: endpointEndpointrisk_score:492024-12-06version:4
The following analytic identifies the modification of security permissions on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions. This activity is significant as it is commonly used by Advanced Persistent Threats (APTs) and coinminer scripts to evade detection and maintain control over compromised systems. If confirmed malicious, this behavior could allow attackers to hinder investigation, impede remediation efforts, and maintain persistent access to the compromised environment.
Scheduled Task Deleted Or Created via CMD: endpointEndpointrisk_score:562024-09-30version:8
The following analytic identifies the creation or deletion of scheduled tasks using the schtasks.exe utility with the -create or -delete flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it can indicate unauthorized system manipulation or malicious intent, often associated with threat actors like Dragonfly and incidents such as the SUNBURST attack. If confirmed malicious, this activity could allow attackers to execute code, escalate privileges, or persist within the environment, posing a significant security risk.
Windows ISO LNK File Creation: endpointEndpointrisk_score:402024-10-17version:4
The following analytic detects the creation of .iso.lnk files in the %USER%\AppData\Local\Temp\<random folder name>\ path, indicating that an ISO file has been mounted and accessed. This detection leverages the Endpoint.Filesystem data model, specifically monitoring file creation events in the Windows Recent folder. This activity is significant as it may indicate the delivery and execution of potentially malicious payloads via ISO files. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further system compromise.
Suspicious Process Executed From Container File: endpointEndpointrisk_score:162024-09-30version:3
The following analytic identifies a suspicious process executed from within common container/archive file types such as ZIP, ISO, IMG, and others. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is a common technique used by adversaries to execute scripts or evade defenses. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.
Registry Keys Used For Persistence: endpointEndpointrisk_score:762024-12-03version:12
The following analytic identifies modifications to registry keys commonly used for persistence mechanisms. It leverages data from endpoint detection sources like Sysmon or Carbon Black, focusing on specific registry paths known to initiate applications or services during system startup. This activity is significant as unauthorized changes to these keys can indicate attempts to maintain persistence or execute malicious actions upon system boot. If confirmed malicious, this could allow attackers to achieve persistent access, execute arbitrary code, or maintain control over compromised systems, posing a severe threat to system integrity and security.
Windows Powershell RemoteSigned File: endpointEndpointrisk_score:252024-09-30version:3
The following analytic identifies the use of the "remotesigned" execution policy for PowerShell scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing "remotesigned" and "-File". This activity is significant because the "remotesigned" policy allows locally created scripts to run without restrictions, posing a potential security risk. If confirmed malicious, an attacker could execute unauthorized scripts, leading to code execution, privilege escalation, or persistence within the environment.
