These detections identify suspicious activity from process start records collected by the Insight Agent from Windows endpoints.

Attacker - Extraction Of 7zip Archive With Password

Description: This detection identifies the use of the ‘7za.exe’ compression utility to extract contents from an encrypted archive using a password. This technique is used by malicious actors to deliver encrypted binaries to the endpoint prior to execution.

Recommendation: Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Accessibility Tool Launching CMD or PowerShell

Description: This detection identifies ‘cmd.exe’ or ‘powershell.exe’ being launched by various accessibility tools, such as ‘sethc.exe’, ‘utilman.exe’, ‘magnify.exe’, ‘osk.exe’, and ‘narrator.exe’.

Attacker Technique - Accessibility Tool Launching Process

Description: This detection identifies binaries being launched by various accessibility tools, such as ‘sethc.exe’, ‘utilman.exe’, ‘magnify.exe’, ‘osk.exe’, and ‘narrator.exe’. These accessibility tools are replaced by malicious actors with other known, good binaries so they can be used to gain access to systems without authenticating.

Attacker Technique - Add Domain Or Enterprise Admin With Net

Description: This detection identifies the ‘net.exe’ or ‘net1.exe’ command with arguments being passed to it to add a user to the ‘Domain Admins’ or ‘Enterprise Admins’ group. This technique is used by malicious actors and penetration testers to escalate the privileges of the target account.
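The four detections above are all conditions on a process-start record (image, parent image, command line). The following is an added example, not Rapid7's or the Insight Agent's own rule logic, that encodes those conditions as a classifier and runs it over a handful of constructed process-start records; the event field names and the sample command lines are assumptions made for the example.

```python
import re
from typing import Dict, List

ACCESSIBILITY_TOOLS = {"sethc.exe", "utilman.exe", "magnify.exe", "osk.exe", "narrator.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
ADMIN_GROUPS = {"domain admins", "enterprise admins"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline: str) -> List[str]:
    """Split a command line into arguments, keeping double-quoted groups whole."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the page's detections that one process-start record matches."""
    image = basename(event["image"])
    parent = basename(event.get("parent_image", ""))
    args = tokenize(event.get("command_line", ""))[1:]  # drop argv[0]
    hits = []
    # 7za.exe run with an extract command (x or e) and a password switch (-p...)
    if image == "7za.exe" and any(a in ("x", "e") for a in args) and any(a.startswith("-p") for a in args):
        hits.append("Attacker - Extraction Of 7zip Archive With Password")
    # Any process whose parent is one of the accessibility tools, with a narrower hit for shells
    if parent in ACCESSIBILITY_TOOLS:
        hits.append("Attacker Technique - Accessibility Tool Launching Process")
        if image in SHELLS:
            hits.append("Attacker Technique - Accessibility Tool Launching CMD or PowerShell")
    # net.exe / net1.exe adding a member to Domain Admins or Enterprise Admins
    if image in ("net.exe", "net1.exe") and "group" in args and "/add" in args \
            and any(a in ADMIN_GROUPS for a in args):
        hits.append("Attacker Technique - Add Domain Or Enterprise Admin With Net")
    return hits


# Constructed sample records (not real telemetry); hypothetical paths, users and file names.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Tools\7za.exe",
     "command_line": r"7za.exe x payload.7z -pSecretPass -oC:\Users\Public"},
    {"parent_image": r"C:\Windows\System32\sethc.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    {"parent_image": r"C:\Windows\System32\utilman.exe", "image": r"C:\Windows\System32\taskmgr.exe",
     "command_line": "taskmgr.exe"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\net1.exe",
     "command_line": 'net1 group "Domain Admins" jdoe /add /domain'},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Tools\7za.exe",
     "command_line": r"7za.exe a backup.7z C:\Data"},  # benign: archive creation, no password
]


def run_detections(events: List[Dict[str, str]]) -> List[List[str]]:
    """Classify each record; an empty list means no detection fired."""
    return [classify(e) for e in events]
```

In a real pipeline the Insight Agent's process-start fields would replace the constructed dictionaries, and the last record shows that ordinary archive creation with 7za.exe does not fire.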