Release date: 18 June, 2024

Added 2 new Low Analytics BIOCs:
- Rare SMB session to a remote host
- Uncommon browser extension loaded

Added a new Informational Analytics BIOC:
- Unusual DB process spawning a shell

Improved logic of 8 High Analytics BIOCs:
- Copy a process memory file
- Editing ld.so.preload for persistence and injection
- Memory dumping with comsvcs.dll
- Mimikatz command-line arguments
- Suspicious usage of File Server Remote VSS Protocol (FSRVP)
- Uncommon remote scheduled task creation
- Unicode RTL Override Character
- Unprivileged process opened a registry hive

Improved logic of 37 Medium Analytics BIOCs:
- A TCP stream was created directly in a shell
- A process was executed with a command line obfuscated by Unicode character substitution
- Autorun.inf created in root C drive
- Discovery of misconfigured certificate templates using LDAP
- Encoded information using Windows certificate management tool
- Executable created to disk by lsass.exe
- Executable moved to Windows system folder
- Execution of the Hydra Linux password brute-force tool
- Fodhelper.exe UAC bypass
- Indirect command execution using the Program Compatibility Assistant
- Interactive at.exe privilege escalation method
- LSASS dump file written to disk
- Microsoft Office Process Spawning a Suspicious One-Liner
- Modification of NTLM restrictions in the Registry
- Office process creates a scheduled task via file access
- Office process spawned with suspicious command-line arguments
- Phantom DLL Loading
- Possible Microsoft process masquerading
- Possible Persistence via group policy Registry keys
- Possible RDP session hijacking using tscon.exe
- Possible code downloading from a remote host by Regsvr32
- Possible collection of screen captures with Windows Problem Steps Recorder
- Possible malicious .NET compilation started by a commonly abused process
- PowerShell runs suspicious base64-encoded commands
- PowerShell suspicious flags
- Procdump executed from an atypical directory
- Remote WMI process execution
- Rundll32.exe running with no command-line arguments
- Rundll32.exe spawns conhost.exe
- Suspicious .NET process loads an MSBuild DLL
- Suspicious PowerSploit's recon module (PowerView) net function was executed
- Suspicious PowerSploit's recon module (PowerView) used to search for exposed hosts
- Suspicious certutil command line
- Suspicious disablement of the Windows Firewall
- Suspicious execution of ODBCConf
- Uncommon SetWindowsHookEx API invocation of a possible keylogger
- Unsigned process injecting into a Windows system binary with no command line

Improved logic of 66 Low Analytics BIOCs:
- Abnormal network communication through TOR using an uncommon port
- An uncommon service was started
- An unpopular process accessed the microphone on the host
- Attempt to execute a command on a remote host using PsExec.exe
- Cached credentials discovery with cmdkey
- Change of sudo caching configuration
- Compressing data using python
- Conhost.exe spawned a suspicious child process
- Copy a user's GnuPG directory with rsync
- Download a script using the python requests module
- Elevation to SYSTEM via services
- Execution of dllhost.exe with an empty command line
- Extracting credentials from Unix files
- Image file execution options (IFEO) registry key set
- Installation of a new System-V service
- Keylogging using system commands
- Known service display name with uncommon image-path
- Known service name with an uncommon image-path
- LOLBIN process executed with a high integrity level
- Linux system firewall was modified
- Masquerading as the Linux crond process
- Microsoft Office adds a value to autostart Registry key
- Microsoft Office injects code into a process
- Microsoft Office process spawns a commonly abused process
- Office process accessed an unusual .LNK file
- Possible DLL Hijack into a Microsoft process
- Possible DLL Search Order Hijacking
- Possible network sniffing attempt via tcpdump or tshark
- RDP connections enabled remotely via Registry
- Rare Windows Remote Management (WinRM) HTTP Activity
- Rare scheduled task created
- Rare service DLL was added to the registry
- Reading bash command history file
- Remote DCOM command execution
- Remote command execution via wmic.exe
- Remote service start from an uncommon source
- Rundll32.exe executes a rare unsigned module
- SUID/GUID permission discovery
- Scheduled Task hidden by registry modification
- Screensaver process executed from Users or temporary folder
- Scripting engine connected to a rare external host
- Sensitive browser credential files accessed by a rare non browser process
- Setuid and Setgid file bit manipulation
- Stored credentials exported using credwiz.exe
- Suspicious Certutil AD CS contact
- Suspicious DotNet log file created
- Suspicious Print System Remote Protocol usage by a process
- Suspicious container orchestration job
- Suspicious process modified RC script file
- Suspicious process modified an SSH authorized_keys file
- Suspicious sshpass command execution
- Suspicious systemd timer activity
- Svchost.exe loads a rare unsigned module
- The Linux system firewall was disabled
- Uncommon PowerShell commands used to create or alter scheduled task parameters
- Uncommon access to Microsoft Teams credential files
- Uncommon creation or access operation of sensitive shadow copy
- Uncommon local scheduled task creation via schtasks.exe
- Uncommon msiexec execution of an arbitrary file from a remote location
- Unusual AWS credentials creation
- Unusual AWS user added to group
- Unusual compressed file password protection
- Windows Event Log was cleared using wevtutil.exe
- Windows event logs were cleared with PowerShell
- WmiPrvSe.exe Rare Child Command Line
- Wsmprovhost.exe Rare Child Process

Improved logic of 7 Low Analytics Alerts:
- Failed Connections
- Large Upload (Generic)
- Large Upload (HTTPS)
- Multiple Rare LOLBIN Process Executions by User
- Multiple discovery commands
- Multiple discovery commands on a Windows host by the same process
- Outlook files accessed by an unsigned process

Improved logic of 55 Informational Analytics BIOCs:
- A LOLBIN was copied to a different location
- A compressed file was exfiltrated over SSH
- A non-browser process accessed a website UI
- A process connected to a rare external host
- A service was disabled
- Adding execution privileges
- An uncommon file added to startup-related Registry keys
- An uncommon file was created in the startup folder
- Browser Extension Installed
- Browser bookmark files accessed by a rare non-browser process
- Command execution via wmiexec
- Creation or modification of the default command executed when opening an application
- Discovery of host users via WMIC
- Indicator blocking
- Injection into rundll32.exe
- LOLBAS executable injects into another process
- LOLBIN created a PSScriptPolicyTest PowerShell script file
- Local account discovery
- Modification of PAM
- Msiexec execution of an executable from an uncommon remote location
- Permission Groups discovery commands
- Possible DLL Side-Loading
- Possible Email collection using Outlook RPC
- Possible binary padding using dd
- Possible data obfuscation
- PsExec was executed with a suspicious command line
- Python HTTP server started
- Rare AppID usage to a rare destination
- Rare LOLBIN Process Execution by User
- Rare Unix process divided files by size
- Rare connection to external IP address or host by an application using RMI-IIOP or LDAP protocol
- Rare process execution by user
- Rare process execution in organization
- Remote PsExec-like command execution
- Run downloaded script using pipe
- Service execution via sc.exe
- Space after filename
- Suspicious AMSI decode attempt
- Suspicious User Login to Domain Controller
- Suspicious active setup registered
- Suspicious container runtime connection from within a Kubernetes Pod
- Suspicious curl user agent
- Suspicious process executed with a high integrity level
- Suspicious proxy environment variable setting
- Suspicious usage of Microsoft's Active Directory PowerShell module remote discovery cmdlet
- Tampering with Internet Explorer Protected Mode configuration
- Tampering with the Windows User Account Controls (UAC) configuration
- Uncommon communication to an instant messaging server
- Uncommon kernel module load
- Uncommon net group or localgroup execution
- Uncommon network tunnel creation
- Unusual access to the AD Sync credential files
- Unusual access to the Windows Internal Database on an ADFS server
- Unusual use of a 'SysInternals' tool
- VM Detection attempt on Linux

Improved logic of 8 Informational Analytics Alerts:
- External Login Password Spray
- Massive file activity abnormal to process
- Multiple Rare Process Executions in Organization
- Multiple discovery commands on a Linux host by the same process
- Multiple discovery-like commands
- Port Scan
- Possible data exfiltration over a USB storage device
- Suspicious container reconnaissance activity in a Kubernetes pod

Changed metadata of a Medium Analytics BIOC:
- Commonly abused AutoIT script connects to an external domain

Changed metadata of 2 Low Analytics BIOCs:
- New addition to Windows Defender exclusion list
- Suspicious data encryption

Changed metadata of an Informational Analytics BIOC:
- Commonly abused AutoIT script drops an executable file to disk