Execution
T1053.002 AT Scheduled Task
Atomics: T1053.002
Detect interactive process execution scheduled by AT command.
TgtProcName = "at.exe" AND TgtProcCmdLine ContainsCIS "/interactive "
T1559.002 Dynamic Data Exchange
Atomics: T1559.002
Latest Office 365 clients weren't executing DDE code but were providing warnings, so my simulations were unsuccessful. The T1204.002 detection immediately below should cover processes spawned from Office applications.
T1204.002 Malicious Documents
Atomics: T1204.002
The tests for this technique overlap heavily with T1566.001 Spearphishing Attachment because the download and macro detections are similar, so here we focus on detecting Office applications launching child processes. The query below covers tests 1, 3 and 4; test 2 is standalone cscript execution and is detected by other queries.
(SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe")) OR IndicatorName = "SuspiciousDocument"
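The AT /interactive query and the Office child-process query above, re-implemented in Python and run over constructed sample events so the match semantics can be checked offline (an added example, not part of the original notes). It assumes that `=` and `In Contains` are case-sensitive while `ContainsCIS` and `In Contains Anycase` are not; the field names are the ones used in the queries.

```python
# Added example (not from the original page): both Deep Visibility queries
# modelled in Python over constructed events. Assumption: "=" and "In Contains"
# are case-sensitive, "ContainsCIS" and "In Contains Anycase" case-insensitive.
OFFICE_PARENTS = ("WINWORD.EXE", "EXCEL.EXE")
CHILD_TOOLS = ("cmd.exe", "cscript.exe", "wscript.exe", "certutil.exe",
               "powershell.exe", "msbuild.exe", "csc.exe")

def in_contains(value, needles, anycase=False):
    """Model of 'In Contains' and, with anycase=True, 'In Contains Anycase'."""
    if anycase:
        value, needles = value.lower(), [n.lower() for n in needles]
    return any(n in value for n in needles)

def office_child_launch(ev):
    """T1204.002: Office parent spawning a listed tool, or the indicator alone."""
    return (in_contains(ev.get("SrcProcParentName", ""), OFFICE_PARENTS)
            and in_contains(ev.get("SrcProcName", ""), CHILD_TOOLS, anycase=True)
            ) or ev.get("IndicatorName") == "SuspiciousDocument"

def at_interactive(ev):
    """T1053.002: at.exe with '/interactive ' anywhere in its command line."""
    return (ev.get("TgtProcName") == "at.exe"
            and "/interactive " in ev.get("TgtProcCmdLine", "").lower())

def run_detections(events):
    """Return (event index, technique) for every event a query matches."""
    hits = []
    for i, ev in enumerate(events):
        if office_child_launch(ev):
            hits.append((i, "T1204.002"))
        if at_interactive(ev):
            hits.append((i, "T1053.002"))
    return hits

# Constructed sample events; field names follow the queries on the page.
SAMPLE_EVENTS = [
    {"SrcProcParentName": "WINWORD.EXE", "SrcProcName": "PowerShell.exe"},  # 0 hit
    {"SrcProcParentName": "EXCEL.EXE", "SrcProcName": "notepad.exe"},       # 1 benign
    {"SrcProcParentName": "explorer.exe", "SrcProcName": "cmd.exe"},        # 2 benign
    {"SrcProcParentName": "OUTLOOK.EXE", "SrcProcName": "WINWORD.EXE",
     "IndicatorName": "SuspiciousDocument"},                                # 3 hit
    {"TgtProcName": "at.exe",
     "TgtProcCmdLine": "at.exe 13:00 /INTERACTIVE x.bat"},                  # 4 hit
    {"TgtProcName": "at.exe", "TgtProcCmdLine": "at.exe 13:00 backup.bat"}, # 5 benign
    # Lowercase parent: case-sensitive "In Contains" misses it, a gap to know
    # about if your telemetry normalises process names to lowercase.
    {"SrcProcParentName": "winword.exe", "SrcProcName": "cmd.exe"},         # 6 miss
]
```

Running `run_detections(SAMPLE_EVENTS)` returns hits for events 0, 3 and 4 only; event 6 shows why the parent-name match may need `Anycase` on some data sets.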
T1106 Native API
Atomics: T1106
No combination of the available indicator types can be queried to find malicious use of the WinAPI for process execution, though this test can be detected through T1027.004 Compile After Delivery.
T1059.001 PowerShell
Atomics: T1059.001
T1053.005 Scheduled Task
Atomics: T1053.005
T1569.002 Service Execution
Atomics: T1569.002
T1059.005 Visual Basic
Atomics: T1059.005
T1059.003 Windows Command Shell
Atomics: T1059.003
T1047 Windows Management Instrumentation
Atomics: T1047