W3WP Spawning Shell: endpointEndpointrisk_score:562024-09-30version:4
The following analytic identifies instances where a shell (PowerShell.exe or Cmd.exe) is spawned from W3WP.exe, the IIS worker process. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the parent process is W3WP.exe. This activity is significant as it may indicate webshell activity, often associated with exploitation attempts like those by the HAFNIUM Group on Exchange servers. If confirmed malicious, this behavior could allow attackers to execute arbitrary commands, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.
Overwriting Accessibility Binaries: endpointEndpointrisk_score:722024-09-30version:6
The following analytic detects modifications to Windows accessibility binaries such as sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, and AtBroker.exe. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify changes to these specific files. This activity is significant because adversaries can exploit these binaries to gain unauthorized access or execute commands without logging in. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized system access and further compromise of the environment.
Detect Webshell Exploit Behavior: endpointEndpointrisk_score:802024-11-28version:5
The following analytic identifies the execution of suspicious processes typically associated with webshell activity on web servers. It detects when processes like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate an adversary exploiting a web application vulnerability to install a webshell, providing persistent access and command execution capabilities. If confirmed malicious, this activity could allow attackers to maintain control over the compromised server, execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive data.
CertUtil Download With URLCache and Split Arguments: endpointEndpointrisk_score:902024-12-07version:8
The following analytic detects the use of certutil.exe to download files using the `-urlcache` and `-f` arguments. It leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions that include these specific arguments. This activity is significant because certutil.exe is typically used for certificate services, and its use to download files from remote locations is uncommon and potentially malicious. If confirmed, this behavior could indicate an attempt to download and execute malicious payloads, leading to potential system compromise and unauthorized data access.
Windows Service Created with Suspicious Service Path: endpointEndpointrisk_score:562024-09-30version:7
The following analytic detects the creation of a Windows Service with a binary path located in uncommon directories, using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify services installed outside typical system directories. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment.
BITSAdmin Download File: endpointEndpointrisk_score:492024-09-30version:6
The following analytic detects the use of `bitsadmin.exe` with the `transfer` parameter to download a remote object. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because `bitsadmin.exe` can be exploited to download and execute malicious files without immediate detection. If confirmed malicious, an attacker could use this technique to download and execute payloads, potentially leading to code execution, privilege escalation, or persistent access within the environment. Review parallel and child processes, especially `svchost.exe`, for associated artifacts.
Dump LSASS via comsvcs DLL: endpointEndpointrisk_score:802024-11-28version:6
The following analytic detects the behavior of dumping credentials from memory by exploiting the Local Security Authority Subsystem Service (LSASS) using the comsvcs.dll and MiniDump via rundll32. This detection leverages process information from Endpoint Detection and Response (EDR) logs, focusing on specific command-line executions. This activity is significant because it indicates potential credential theft, which can lead to broader system compromise, persistence, lateral movement, and privilege escalation. If confirmed malicious, attackers could gain unauthorized access to sensitive information, leading to data theft, ransomware attacks, or other damaging outcomes.
Windows Mimikatz Binary Execution: endpointEndpointrisk_score:1002024-11-28version:5
The following analytic identifies the execution of the native mimikatz.exe binary on Windows systems, including instances where the binary is renamed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because Mimikatz is a widely used tool for extracting authentication credentials, posing a severe security risk. If confirmed malicious, this activity could allow attackers to obtain sensitive credentials, escalate privileges, and move laterally within the network, leading to potential data breaches and system compromise.
PowerShell 4104 Hunting: endpointEndpointrisk_score:802024-12-11version:8
The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security.
Windows SQL Spawning CertUtil: endpointEndpointrisk_score:902024-12-07version:5
The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment.
