MSBuild Suspicious Spawned By Script Process: endpoint, Endpoint, 2025-04-16, version: 7
The following analytic detects the suspicious spawning of MSBuild.exe by Windows Script Host processes (cscript.exe or wscript.exe). This behavior is often associated with malware or adversaries executing malicious MSBuild processes via scripts on compromised hosts. The detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where MSBuild is a child of script hosts. This activity is significant as it may indicate an attempt to execute malicious code. If confirmed malicious, it could lead to unauthorized code execution, potentially compromising the host and allowing further malicious activities.
Suspicious wevtutil Usage: endpoint, Endpoint, 2025-04-16, version: 12
The following analytic detects the usage of wevtutil.exe with parameters for clearing event logs such as Application, Security, Setup, Trace, or System. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because clearing event logs can be an attempt to cover tracks after malicious actions, hindering forensic investigations. If confirmed malicious, this behavior could allow an attacker to erase evidence of their activities, making it difficult to trace their actions and understand the full scope of the compromise.
Certutil exe certificate extraction: endpoint, Endpoint, 2025-04-16, version: 10
The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network.
Dump LSASS via procdump: endpoint, Endpoint, 2025-04-16, version: 12
The following analytic detects the use of procdump.exe to dump the LSASS process, specifically looking for the -mm and -ma command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant because dumping LSASS can expose sensitive credentials, posing a severe security risk. If confirmed malicious, an attacker could obtain credentials, escalate privileges, and move laterally within the network, leading to potential data breaches and further compromise of the environment.
Suspicious MSBuild Rename: endpoint, Endpoint, 2025-04-16, version: 10
The following analytic detects the execution of renamed instances of msbuild.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because msbuild.exe is a legitimate tool often abused by attackers to execute malicious code while evading detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.
CertUtil Download With URLCache and Split Arguments: endpoint, Endpoint, 2025-04-16, version: 12
The following analytic detects the use of certutil.exe to download files using the `-urlcache` and `-f` arguments. It leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions that include these specific arguments. This activity is significant because certutil.exe is typically used for certificate services, and its use to download files from remote locations is uncommon and potentially malicious. If confirmed, this behavior could indicate an attempt to download and execute malicious payloads, leading to potential system compromise and unauthorized data access.
Windows CertUtil Download With URL Argument: endpoint, Endpoint, 2025-04-16, version: 5
The following analytic detects the use of `certutil.exe` to download files using the `-URL` argument. This behavior is identified by monitoring command-line executions for this specific argument via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system.
CertUtil Download With VerifyCtl and Split Arguments: endpoint, Endpoint, 2025-04-16, version: 12
The following analytic detects the use of `certutil.exe` to download files using the `-VerifyCtl` and `-f` arguments. This behavior is identified by monitoring command-line executions for these specific arguments via Endpoint Detection and Response (EDR) telemetry. This activity is significant because `certutil.exe` is a legitimate tool often abused by attackers to download and execute malicious payloads. If confirmed malicious, this could allow an attacker to download and execute arbitrary files, potentially leading to code execution, data exfiltration, or further compromise of the system.
BCDEdit Failure Recovery Modification: endpoint, Endpoint, 2025-04-16, version: 9
The following analytic detects modifications to the Windows error recovery boot configurations using bcdedit.exe with flags such as "recoveryenabled" and "no". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because ransomware often disables recovery options to prevent system restoration, making it crucial for SOC analysts to investigate. If confirmed malicious, this could hinder recovery efforts, allowing ransomware to cause extensive damage and complicate remediation.
Suspicious MSBuild Spawn: endpoint, Endpoint, 2025-04-16, version: 8
The following analytic identifies instances where wmiprvse.exe spawns msbuild.exe, which is unusual and indicative of potential misuse of a COM object. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process relationships and command-line executions. This activity is significant because msbuild.exe is typically spawned by devenv.exe during legitimate Visual Studio use, not by wmiprvse.exe. If confirmed malicious, this behavior could indicate an attacker executing arbitrary code or scripts, potentially leading to system compromise or further malicious activities.
Deleting Shadow Copies: endpoint, Endpoint, 2025-04-16, version: 13
The following analytic detects the deletion of shadow copies using the vssadmin.exe or wmic.exe utilities. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because deleting shadow copies is a common tactic used by attackers to prevent recovery and hide their tracks. If confirmed malicious, this action could hinder incident response efforts and allow attackers to maintain persistence and cover their activities, making it crucial for security teams to investigate promptly.
Windows Steal Authentication Certificates CertUtil Backup: endpoint, Endpoint, 2025-04-16, version: 8
The following analytic detects CertUtil.exe performing a backup of the Certificate Store. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line executions involving CertUtil with backup parameters. This activity is significant because it may indicate an attempt to steal authentication certificates, which are critical for secure communications. If confirmed malicious, an attacker could use the stolen certificates to impersonate users, decrypt sensitive data, or gain unauthorized access to systems, leading to severe security breaches.
CertUtil With Decode Argument: endpoint, Endpoint, 2025-04-16, version: 9
The following analytic detects the use of CertUtil.exe with the 'decode' argument, which may indicate an attempt to decode a previously encoded file, potentially containing malicious payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. This activity is significant because attackers often use CertUtil to decode malicious files downloaded from the internet, which are then executed to compromise the system. If confirmed malicious, this activity could lead to unauthorized code execution, further system compromise, and potential data exfiltration.
WBAdmin Delete System Backups: endpoint, Endpoint, 2025-04-16, version: 7
The following analytic detects the execution of wbadmin.exe with flags that delete backup files, specifically targeting catalog or system state backups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by ransomware to prevent recovery by deleting system backups. If confirmed malicious, this action could severely hinder recovery efforts, leading to prolonged downtime and potential data loss.
Windows SQL Spawning CertUtil: endpoint, Endpoint, 2025-04-16, version: 10
The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment.
DLLHost with no Command Line Arguments with Network: endpoint, Endpoint, 2025-04-16, version: 10
The following analytic detects instances of DLLHost.exe running without command line arguments while establishing a network connection. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process execution and network activity data. It is significant because DLLHost.exe typically runs with specific arguments, and their absence can indicate malicious activity, such as Cobalt Strike usage. If confirmed malicious, this activity could allow attackers to execute code, move laterally, or exfiltrate data, posing a severe threat to the network's security.
Suspicious msbuild path: endpoint, Endpoint, 2025-04-16, version: 9
The following analytic detects the execution of msbuild.exe from a non-standard path. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that deviate from typical msbuild.exe locations. This activity is significant because msbuild.exe is commonly abused by attackers to execute malicious code, and running it from an unusual path can indicate an attempt to evade detection. If confirmed malicious, this behavior could allow an attacker to execute arbitrary code, potentially leading to system compromise and further malicious activities.