Windows Suspicious Process

Attacker Technique

These detections identify attacker techniques used by malicious actors to perform a variety of tasks on the host’s environment.

Attacker Technique - Find Admin SID Using Find or Findstr Commands

Description

This detection identifies the SID assigned to the default Windows Administrator account, ‘S-1-16-12288’, being passed to ‘find.exe’ or ‘findstr.exe’. This technique is used by malicious actors and penetration testers to identify if they are executing processes with local Administrator privileges.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Blacklist User Accounts

Description

This detection identifies command line activity associated with blacklisted user accounts that Rapid7 has observed during past and/or present campaigns. Some techniques used by malicious actors include common account name reuse. Malicious actors could use the account name and/or password across multiple intrusions.

Recommendation

Investigate the activity to determine if the process events are authorized and expected within the environment. If the process events are not, lock the account executing the processes in question.

Attacker Technique - Hash Dumping With NTDSUtil

Description

This detection identifies the execution of 'NTDSUtil.exe', the command-line utility used when working with the 'NTDS.dit' Active Directory database, including creating Install From Media (IFM) sets for DCPromo. An IFM set is a copy of 'NTDS.dit', and if it is not properly secured or configured, a malicious actor could use the snapshot taken during this process to extract credential data.

Recommendation

Investigate the parent process and process activity to determine if the activity is authorized and expected within the environment. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Create Account With WMIC or NET

Description

This detection identifies a process event for the Windows binaries ‘net.exe’ or ‘wmic.exe’ containing the ‘/add’ and ‘node’ command line switches.

Recommendation

Investigate the process execution history on the host in question to determine if the account creation is authorized and expected within the client network. If necessary, delete the created user account and reset the password of the user that performed the action.

Attacker Technique - Stop Windows Defender

Description

This detection identifies the use of suspicious process arguments for the Windows programs ‘cmd.exe’ or ‘PowerShell.exe’, which could be used by malicious actors to issue Service Control commands to stop or delete the Windows Defender service. Rapid7 has observed malicious actors disabling Windows Defender during process events for some malware variants.

Recommendation

Investigate the process execution history on the host in question to determine the root cause of the suspicious command invocation. If malware is identified during the investigation process, isolate the system and restore it from a validated known, good baseline image.

Attacker Technique - Invisible Service

Description

This detection identifies the use of tools, such as ‘sc.exe’, to create a service whose name is chosen so that the service is not displayed. By default, a service with a ‘=’ character in its name will not be displayed by various Windows utilities.

Recommendation

Review the service in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - UAC Bypass Using SndVol

Description

This detection identifies the use of ‘SndVol.exe’, which will automatically run with elevated privileges when using a crafted application compatibility shim. A malicious actor could use this auto-elevated binary to bypass the Microsoft Windows User Account Control prompt and inherit its elevated privileges.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - UAC Bypass Using DISMHost

Description

This detection identifies the use of the Windows system binary ‘DISMhost.exe’, which will automatically run with elevated privileges. This binary searches in a user-writable location for a DLL to load. A malicious actor could use this binary to bypass the Microsoft Windows User Account Control prompt and inherit its elevated privileges.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - UAC Bypass Using SystemProperties Windows Binaries

Description

This detection identifies the use of ‘SystemPropertiesAdvanced.exe’, and four other SystemProperties Windows binaries, which will automatically run with elevated privileges. When executed, these binaries search in a user-writable location for a DLL to load. A malicious actor could use these auto-elevated binaries to bypass the Microsoft Windows User Account Control prompt and inherit its elevated privileges.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - UAC Bypass Using SDCLT

Description

This detection identifies the use of the Windows system binary ‘SDCLT.exe’, which will automatically run with elevated privileges. By setting the value of the ‘HKCU:\Software\Classes\ms-settings\shell\open\command\DelegateExecute’ registry key, a malicious actor could cause additional code to run with ‘SDCLT.exe’ that will inherit its elevated privileges.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - UAC Bypass Using Shell\Open\Command Key

Description

This detection identifies when key values in the Windows registry key ‘HKCU\Software\Classes\ms-settings\shell\open\command’ are set. When setting these key values, a malicious actor could cause arbitrary code to execute, which could allow a malicious actor to bypass the Microsoft Windows User Account Control prompt and inherit its elevated privileges.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - UAC Bypass Using WSReset

Description

This detection identifies the use of the Windows system binary ‘wsreset.exe’, which will automatically run with elevated privileges. This binary searches a user-writable location in the registry for a command to run. A malicious actor could use this binary to bypass the Microsoft Windows User Account Control prompt and inherit its elevated privileges.

Recommendation

Investigate any child processes of ‘wsreset.exe’ to determine if they are authorized and expected. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Log Deletion Utility

Description

This detection identifies the use of a custom Windows event log deletion utility by a malicious actor to delete ranges of the event logs on a local system. Malicious actors could delete event logs to obstruct an investigation of their activities or to enable them to go undetected in the network.

Recommendation

Using existing log data or forensics sources, determine what occurred when the logs were deleted. Analyse network appliance and Active Directory logs, and sources from the host, including the Master File Table or AMCache.

Attacker Technique - Domain Discovery With ADFind

Description

This detection identifies the use of the utility ‘adfind.exe’, specifically the process arguments for domain/trust enumeration, and remote system discovery. Rapid7 has observed malicious actors using this legitimate software utility to perform reconnaissance against a target’s Active Directory Domain. A malicious actor could redirect the output of this utility to a file.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Renamed ProcDump

Description

This detection identifies the use of renamed versions of ‘ProcDump.exe’ and ‘ProcDump64.exe’ from Microsoft's SysInternals Suite of utilities. This technique is used by malicious actors and penetration testers to dump the content of memory from specific processes, such as ‘lsass.exe’ to acquire credentials.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Identifying LSASS Process Using FindStr

Description

This detection identifies ‘FindStr.exe’ looking for the value ‘LSASS’. This technique is used by malicious actors and penetration testers to identify which Process ID (PID) belongs to ‘LSASS.exe’ prior to retrieving the memory from that process for credential dumping.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - ProcDump Output Filename For LSASS

Description

This detection identifies the use of the memory dumping utility ‘procdump.exe’ against the Local Security Authority Subsystem Service (LSASS), or ‘lsass.exe’ process. The default name of these files is ‘lsass.exe_YYMMDD_HHMMSS.dmp’, where ‘YYMMDD’ is the date and ‘HHMMSS’ is the time the file was generated. This technique is used by malicious actors and penetration testers to acquire the memory contents of the process and extract credentials from it with tools, such as Mimikatz.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Add Domain Or Enterprise Admin With Net

Description

This detection identifies the ‘net.exe’ or ‘net1.exe’ command with arguments being passed to it to add a user to the ‘Domain Admins’ or ‘Enterprise Admins’ group. This technique is used by malicious actors and penetration testers to escalate the privileges of the target account.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password. Additionally, review the users in privileged groups within Active Directory and remove unexpected or unknown members.

Attacker Technique - Clearing Event Logs With WEvtUtil

Description

This detection identifies the use of ‘WEvtUtil.exe’ to clear Windows event logs with the ‘cl’ flag. This technique is used by malicious actors and ransomware, such as Petya, to destroy logs used by investigators.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - PowerShell Download Cradle

Description

This detection identifies the use of PowerShell to download and run a payload hosted on a remote system. This technique is used by malicious actors to stage fileless malware, such as Kovter. Kovter often uses JavaScript payloads and is typically preceded by ‘MSHTA.exe’ execution.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Assign Mailbox To Another User With PowerShell

Description

This detection identifies the cmdlet 'Get-ManagementRoleAssignment' being passed to 'PowerShell.exe' through the command line. This technique is used by malicious actors to obtain access to privileged user mailboxes for exfiltration.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Export Mailbox With PowerShell

Description

This detection identifies the cmdlet 'Get-MailboxExportRequest' being passed to 'PowerShell.exe' through the command line. This technique is used by malicious actors to export high ranking user mailboxes for exfiltration.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - XSL Script Processing With WMIC

Description

This detection identifies the ‘*.XSL’ (eXtensible Stylesheet Language) scripts being passed locally or from a URL to ‘WMIC.exe’ to bypass application whitelisting. This technique is used by malicious actors and penetration testers to execute these scripts through the ‘WMIC.exe’ binary.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - CertUtil With Flags URLCache and Split

Description

This detection identifies the use of the ‘certutil.exe’ binary with the ‘-split’ and ‘-urlcache’ flags being passed to it. This technique is used by malicious actors to retrieve files hosted on a remote web server and write them to disk.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Exfiltration To Google Drive

Description

This detection identifies the use of ‘www.googleapis.com’ in a system’s command line. This technique is used by malicious actors performing exfiltration with programs, such as ‘curl.exe’, and when passing URLs to programs that cause uploads to Google’s APIs.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Exfiltration Of Data To Dropbox

Description

This detection identifies the use of ‘dropboxapi.com’ in a system’s command line. This technique is used by malicious actors performing exfiltration with programs, such as cURL, and when passing URLs to programs that cause uploads to Dropbox’s APIs.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - URL Passed To BitsAdmin

Description

This detection identifies a URL being passed to the 'bitsadmin.exe' binary to cause a file to download to the endpoint using the Background Intelligent Transfer Service. This technique is used by malicious actors to retrieve malware to a compromised endpoint for execution. It is commonly seen with malicious document-related activity.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Regsvr32 Loads Object From Web Server

Description

This detection identifies URLs or ‘scrobj.dll’ being passed to the binary ‘regsvr32.exe’ to perform an application whitelisting bypass attack, called the ‘SquiblyDoo’ attack. This technique is used by malicious actors and penetration testers to execute code within dynamic link libraries through the ‘regsvr32.exe’ binary.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Data Exfiltration To Box.com

Description

This detection identifies various utilities uploading data to Box.com’s hosts, ‘upload.box.com’ and ‘api.box.com’. This technique is used by malicious actors to exfiltrate data from a target to this particular cloud storage provider.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - ProcDump Used Against LSASS

Description

This detection identifies the use of the memory dumping utility ‘procdump.exe’ against the Local Security Authority Subsystem Service (LSASS), or ‘lsass.exe’ process. This technique is used by malicious actors and penetration testers to acquire the memory contents of the process and extract credentials from it with tools, such as Mimikatz.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Enumerating Domain Or Enterprise Admins With Net Command

Description

This detection identifies the use of the ‘net.exe’ or ‘net1.exe’ command to enumerate users that are members of the ‘Domain Admins’ or ‘Enterprise Admins’ groups. This technique is used by malicious actors and penetration testers to identify which accounts have the highest level of privilege in a domain.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Array Reverse Obfuscation Passed To PowerShell

Description

This detection identifies the string ‘[Array]::Reverse’ being passed to ‘PowerShell.exe’ in various obfuscated forms. This technique is used by malicious actors to obfuscate the script being passed to ‘PowerShell.exe’ which bypasses some types of simple blocks or detections that may fire on the contents of the script.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Export SAM or SECURITY Registry Hive With Reg

Description

This detection identifies the export of the 'SECURITY' or 'SAM' registry hives through the 'reg.exe' binary. This technique is used by malicious actors and penetration testers to obtain hashes or credentials stored in the Windows registry.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - CertUtil With Decode Flag

Description

This detection identifies the use of the ‘certutil.exe’ binary with the ‘-decode’ flag being passed to it. This technique is used by malicious actors to decode files that were encoded in the Base64 format.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - PowerShell Registry Cradle

Description

This detection identifies the use of PowerShell to read and run a script stored in the Windows Registry. This technique is used by malicious actors to maintain persistence for fileless malware.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Ping Command And URL Passed To CertUtil

Description

This detection identifies the ‘-ping’ argument and a URL being passed to ‘CertUtil.exe’. This technique is used by malicious actors and penetration testers to retrieve files from a remote location, then execute them.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Technique - Download and Execute Passed To PowerShell

Description

This detection identifies the use of specific methods to download and execute a file hosted on a remote server being passed to 'PowerShell.exe'. This technique is used by malicious actors to retrieve and execute malware on a target’s endpoint, through the use of macros embedded within malicious documents.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
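As an added example that is not Rapid7's detection logic or code from this page, the following Python re-implements six of the command-line rules above (Find Admin SID, Invisible Service, ProcDump Output Filename For LSASS, CertUtil With Flags URLCache and Split, Clearing Event Logs With WEvtUtil, and Add Domain Or Enterprise Admin With Net) as checks over constructed process-creation events. The event field names (image, command_line, target_file), the acceptance of both ‘-’ and ‘/’ as certutil option prefixes, and all sample events are assumptions.

```python
"""Toy re-implementation of several command-line rules described on this page,
run over constructed Windows process-creation events.  This is an added
illustration, not Rapid7's detection logic; the event field names (image,
command_line, target_file) are assumptions and every sample event is made up."""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]   # raw event as collected
Norm = Dict[str, str]    # normalised view handed to the rules
RULES: Dict[str, Callable[[Norm], bool]] = {}


def rule(name: str):
    """Register a rule under the detection name used on this page."""
    def register(fn):
        RULES[name] = fn
        return fn
    return register


def normalise(event: Event) -> Norm:
    # Basename of the image, lower-cased, so path and case variations still match.
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return {"image": image,
            "cmd": event["command_line"].lower(),
            "file": event.get("target_file", "").lower()}


def first_arg(cmd: str) -> str:
    # First argument after the (possibly quoted) program token.
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s+(\S+)', cmd)
    return m.group(1) if m else ""


@rule("Find Admin SID Using Find or Findstr Commands")
def find_admin_sid(ev: Norm) -> bool:
    # The SID value exactly as the page gives it, searched for with find/findstr.
    return ev["image"] in ("find.exe", "findstr.exe") and "s-1-16-12288" in ev["cmd"]


@rule("Invisible Service")
def invisible_service(ev: Norm) -> bool:
    # The service name is the token right after 'create'; the page's signal is a
    # '=' inside that name (sc's own 'binPath=' style options come after it).
    if ev["image"] != "sc.exe":
        return False
    m = re.search(r'\bcreate\s+(?:"([^"]*)"|(\S+))', ev["cmd"])
    return bool(m) and "=" in (m.group(1) if m.group(1) is not None else m.group(2))


@rule("ProcDump Output Filename For LSASS")
def procdump_lsass_dump(ev: Norm) -> bool:
    # Default dump name from the page, lsass.exe_YYMMDD_HHMMSS.dmp, checked in both
    # the command line and the written file so a renamed ProcDump still hits.
    return re.search(r"lsass\.exe_\d{6}_\d{6}\.dmp", ev["cmd"] + " " + ev["file"]) is not None


@rule("CertUtil With Flags URLCache and Split")
def certutil_urlcache_split(ev: Norm) -> bool:
    # certutil takes both '-' and '/' as option prefixes (assumption), so strip either.
    flags = {t.lstrip("-/") for t in ev["cmd"].split() if t[:1] in "-/"}
    return ev["image"] == "certutil.exe" and {"urlcache", "split"} <= flags


@rule("Clearing Event Logs With WEvtUtil")
def wevtutil_clear(ev: Norm) -> bool:
    # 'cl' is the flag named on the page; 'clear-log' is its long form.
    return ev["image"] == "wevtutil.exe" and first_arg(ev["cmd"]) in ("cl", "clear-log")


@rule("Add Domain Or Enterprise Admin With Net")
def net_add_domain_admin(ev: Norm) -> bool:
    cmd = ev["cmd"]
    return (ev["image"] in ("net.exe", "net1.exe") and "group" in cmd and "/add" in cmd
            and any(g in cmd for g in ("domain admins", "enterprise admins")))


def evaluate(event: Event) -> List[str]:
    """Names of every rule above that fires for one event, in registration order."""
    ev = normalise(event)
    return [name for name, fn in RULES.items() if fn(ev)]


# Constructed sample events: four that should alert and one benign certutil call.
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\findstr.exe", "command_line": "findstr S-1-16-12288"},
    {"image": r"C:\Windows\System32\sc.exe",
     "command_line": 'sc create "Upd=Svc" binPath= "C:\\Users\\Public\\u.exe"'},
    {"image": r"C:\Users\alice\pd64.exe", "command_line": "pd64.exe -ma lsass.exe",
     "target_file": r"C:\Users\alice\lsass.exe_231104_101530.dmp"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil cl Security"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil -verify C:\Users\alice\cert.cer"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(evaluate(event) or "no alert", "<-", event["command_line"])
```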

Attacker Tool

These detections identify attacker tools such as programs and executable files used by malicious actors.

Attacker Tool - MSOffice-Crypt

Description

This detection identifies the execution of the tool 'msoffice-crypt.exe'. This tool is used by malicious actors to encrypt the contents of files generated by Microsoft Office applications to ransom the encrypted file contents.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - PowerView

Description

This detection identifies module names for PowerView being passed to ‘PowerShell.exe’. PowerView is used by malicious actors and penetration testers to identify servers or Domain Controllers.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - CHAOS Remote Access Tool (RAT)

Description

This detection identifies the use of CHAOS RAT by malicious actors or penetration testers to maintain access to a compromised endpoint. CHAOS RAT is an open source project with features such as keylogging, screenshotting, file transfer to and from the host, and persistence mechanisms that allow it to remain active through a reboot. It also supports common operating systems, such as Microsoft Windows, Linux, and MacOS.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - PowerUPSQL Function Name

Description

This detection identifies common function names from PowerUpSQL, available at ‘https://github.com/NetSPI/PowerUpSQL’. PowerUpSQL includes functions that support SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post-exploitation actions, such as operating system command execution.

Recommendation

Review the process and file in question and verify that the activity is allowed. If it is not, lock the account and delete the PowerShell scripts.

Attacker Tool - Koadic WMI Event Filter and Consumer Binding

Description

This detection identifies a WMI event filter to consumer binding with the name equal to ‘K0adic’ within ‘wmic.exe’ process events. This activity is consistent with the presence of the Koadic backdoor framework's WMI persistence mechanism in a default configuration.

Recommendation

Investigate the parent or child process of the ‘wmic.exe’ process to determine if the activity is authorized and expected within the environment. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - DomainPasswordSpray

Description

This detection identifies the use of the tool DomainPasswordSpray by a malicious actor in the environment. DomainPasswordSpray is a PowerShell-based tool used by malicious actors and penetration testers to perform password spray attacks. This open source tool is available on GitHub at ‘https://github.com/dafthack/DomainPasswordSpray’.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - Bloodhound

Description

This detection identifies the use of the tool Bloodhound by a malicious actor or penetration tester in the environment. Bloodhound is used to map Active Directory environments and could assist a malicious actor with lateral movement.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - Hashcat

Description

This detection identifies the use of the tool hashcat, which is used by malicious actors and penetration testers to dump credentials and recover passwords.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - Mimikatz Command token::elevate lsadump

Description

This detection identifies the use of the tool Mimikatz by a malicious actor or penetration tester. Mimikatz uses the command ‘token::elevate’, which impersonates the SYSTEM-level token to find and use the Domain Administrator’s token on the host. The command ‘lsadump’ uses several methods to retrieve and dump the credentials. This tool and technique are used by malicious actors and penetration testers to acquire additional credentials from a target.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - PowerShell Parameters DumpCreds or DumpCerts For Mimikatz

Description

This detection identifies the use of the parameters ‘DumpCreds’ or ‘DumpCerts’, which are passed to the PowerShell version of Mimikatz, ‘Invoke-Mimikatz.ps1’. These parameters dump credentials out of the ‘LSASS.exe’ process and export all private certificates respectively. This tool and technique are used by malicious actors and penetration testers to acquire additional credentials and certificates from a target.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - Windows Credential Editor Changing Users Password

Description

This detection identifies the structure of commands executed while running the Windows Credential Editor program. These commands allow a malicious actor to change the password of a user on the endpoint and take over the user’s account.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - Invoke-Inveigh PowerShell Function

Description

This detection identifies the ‘Invoke-Inveigh’ function being called from ‘Inveigh.ps1’ as it is passed to ‘PowerShell.exe’. This tool is a packet sniffer written in .NET and used by malicious actors to spoof responses to multiple naming services to perform Man-in-the-Middle attacks. This technique is used by malicious actors and penetration testers in conjunction with a PowerShell download cradle.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - Mimipenguin

Description

This detection identifies the use of the tool Mimipenguin by a malicious actor or penetration tester in the environment. Mimipenguin dumps the login password from the current Linux desktop user. This technique is used by malicious actors and penetration testers to take advantage of cleartext credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - Ammyy Admin

Description

This detection identifies the Remote Access Tool (RAT) 'Ammyy Admin' being executed. This tool is often used by malicious actors after a compromise to interact with the compromised endpoint.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - MimiKatz RegASM

Description

This detection identifies the use of the tool Mimikatz by a malicious actor or penetration tester in the environment, specifically for ‘regasm.exe’. Mimikatz uses the command ‘sekurlsa’, which extracts passwords, keys, pin codes, and tickets from the memory of the ‘LSASS.exe’ process. This technique is used by malicious actors and penetration testers to acquire additional credentials from a target user.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - MimiKatz Command sekurlsa In Command Line

Description

This detection identifies the use of the tool Mimikatz by a malicious actor or penetration tester in the environment. Mimikatz uses the command ‘sekurlsa’, which extracts passwords, keys, pin codes, and tickets from the memory of the ‘LSASS.exe’ process. This technique is used by malicious actors and penetration testers to acquire additional credentials from a target user.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - Windows Credential Editor

Description

This detection identifies the execution of file names associated with the Windows Credential Editor utility. This tool is used by malicious actors and penetration testers to modify a user's credentials.

Recommendation

Review the process execution history for the host to find any other attacker-related activity. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Attacker Tool - Impacket

Description

This detection identifies the use of commands structured in a way consistent with the tool Impacket, in particular output files with names containing '__output'. Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket is used by malicious actors and penetration testers to perform remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document

These detections identify techniques used by malicious actors to compromise environments through the delivery of malicious documents.

Malicious Document - Excel SLK File Launching Process

Description

This detection identifies Microsoft Excel opening Symbolic Link Files (SLK) that have a .SLK extension. SLK files are similar to Windows Shortcuts, but more closely related to symlinks used in Unix systems. These files can be used by malicious actors to deliver malicious documents to users.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document - Office Spawning MSBuild

Description

This detection identifies Microsoft Office processes spawning ‘MSBuild.exe’, which is the result of various droppers or downloaders using ‘MSBuild.exe’ to compile and execute arbitrary code. This technique is used by malicious actors to subvert antivirus and other defensive countermeasures. The executed file is visible within the command line parameters of the process start event.

Recommendation

Acquire additional process artifacts and identify the root cause of the suspicious process invocation. The source could be a malicious document sent by a malicious actor to the user by email. Investigate the user's inbox to identify any malicious emails, and determine if any other users received the email. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document - Microsoft Publisher Spawns MSHTA

Description

This detection identifies suspicious processes spawned by Microsoft Office applications, which could indicate that a malicious actor is using a malicious document. These malicious documents leverage macros, which are small Visual Basic for Applications (VBA) scripts embedded inside of Microsoft Office documents, such as Word, PowerPoint, and Excel. Macros run commands using built-in Windows utilities to download malware and compromise the system. Other methods to execute malicious code in an Office document include using Dynamic Data Exchange objects or exploiting software vulnerabilities. Malicious actors use phishing emails to send malicious documents.

Recommendation

Review the URL passed to ‘mshta.exe’ to identify if it is from a trusted source. Review the firewall and web proxy logs from this endpoint to identify any malware retrieval from remote systems. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document - Microsoft Publisher Spawns PowerShell

Description

This detection identifies suspicious processes spawned by Microsoft Office applications, which could indicate that a malicious actor is using a malicious document. These malicious documents leverage macros, which are small Visual Basic for Applications (VBA) scripts embedded inside of Microsoft Office documents, such as Word, PowerPoint, and Excel. Macros run commands using built-in Windows utilities to download malware and compromise the system. Other methods to execute malicious code in an Office document include using Dynamic Data Exchange objects or exploiting software vulnerabilities. Malicious actors use phishing emails to send malicious documents.

Recommendation

Review the command passed to PowerShell to determine whether it is malicious. A malicious actor could obfuscate the command passed to PowerShell, for example by Base64-encoding it or by compressing it with gzip before encoding. Review the firewall and web proxy logs from this endpoint to identify any malware retrieval from remote systems.

Malicious Document - Acrobat Reader Spawns Word To Open DOCM File

Description

This detection identifies Adobe Reader spawning Microsoft Word to open a file with a ‘.docm’ extension, which denotes a macro-enabled Word document. This technique is used by malicious actors to compromise endpoints by executing commands delivered by malicious documents.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document - Word Spawns Executable From Users Directory

Description

This detection identifies Microsoft Word launching an executable located in the user’s profile directory. Malicious documents use this technique to drop malware into the target user’s directory and then have Microsoft Word execute it.

Recommendation

Determine if the process being launched is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document - Download And Execute With Background Intelligent Transfer Service

Description

This detection identifies the use of the Background Intelligent Transfer Service (BITS), ‘bitsadmin.exe’, to retrieve and execute a file. This technique is used by malicious actors with malicious documents to drop and execute payloads on the target’s endpoint.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document - Lnk File Spawns Cmd, CScript, PowerShell, WMIC or WScript

Description

This detection identifies ‘*.lnk’ shortcut files spawning script hosts and command interpreters. Malicious actors deliver such shortcuts as email attachments so that opening them executes a script.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document - BITSADMIN PowerShell from Command Line

Description

This detection identifies the use of the Background Intelligent Transfer Service (BITS), ‘bitsadmin.exe’, and ‘PowerShell.exe’ to retrieve and execute a file. This technique is used by malicious actors in malicious documents, which are delivered by email to compromise the target’s endpoint.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document - MS Office Equation Editor Exploit

Description

This detection identifies any process being launched by the Microsoft Equation Editor component, ‘eqnedt32.exe’, which has no legitimate reason to spawn command interpreters or script hosts and which a malicious actor could exploit to execute code. Malicious actors deliver documents that exploit this component by email to compromise the target’s endpoint.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document - HH Spawns MSHTA

Description

This detection identifies ‘mshta.exe’ being spawned by ‘hh.exe’, the viewer for Microsoft Compiled HTML Help (‘.chm’) files. Malicious actors send such files to targets so that opening them runs commands through built-in Windows utilities, such as ‘mshta.exe’, which executes scripts or downloads malware to the endpoint.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document - Regsvr32 Spawned By Word Or MSPub

Description

This detection identifies 'regsvr32.exe' being spawned by 'winword.exe' or 'mspub.exe', which could be caused by malicious actors sending documents as email attachments to targets. These malicious documents could contain malware, or retrieve it from other systems, to be executed on the target’s endpoint.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Malicious Document - Microsoft Word Spawns MSHTA

Description

This detection identifies suspicious processes spawned by Microsoft Office applications, which could indicate that a malicious actor is using a malicious document. These malicious documents leverage macros, which are small Visual Basic for Applications (VBA) scripts embedded inside of Microsoft Office documents, such as Word, PowerPoint, and Excel. Macros run commands using built-in Windows utilities to download malware and compromise the system. Other methods to execute malicious code in an Office document include using Dynamic Data Exchange objects or exploiting software vulnerabilities. Malicious actors use phishing emails to send malicious documents.

Recommendation

Review the URL passed to 'mshta.exe' to determine whether it is from a trusted source. Review the firewall and web proxy logs from this endpoint to identify any malware retrieval from remote systems.

Malicious Document - Microsoft Word Spawns PowerShell

Description

This detection identifies suspicious processes spawned by Microsoft Office applications, which could indicate that a malicious actor is using a malicious document. These malicious documents leverage macros, which are small Visual Basic for Applications (VBA) scripts embedded inside of Microsoft Office documents, such as PowerPoint, Excel and Word. Macros run commands using built-in Windows utilities, such as PowerShell, to download malware and compromise the system. Other methods to execute malicious code in an Office document include using Dynamic Data Exchange objects or exploiting software vulnerabilities. Malicious actors use phishing emails to send malicious documents.

Recommendation

Review the command passed to PowerShell to determine whether it is malicious. A malicious actor could obfuscate the command passed to PowerShell, for example by Base64-encoding it or by compressing it with gzip before encoding. Review the firewall and web proxy logs from this endpoint to identify any malware retrieval from remote systems.

Malicious Document - MSHTA Retrieves From Remote Server

Description

This detection identifies the use of ‘mshta.exe’ to retrieve a file hosted on a remote web server. ‘mshta.exe’ is a built-in Windows utility that executes HTML Applications (‘.hta’ files). Malicious actors send malicious documents that use ‘mshta.exe’ to execute VBScript or JScript and to download additional payloads.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process

These detections identify suspicious processes run in the environment as well as spawned by executable files.

Suspicious Process - DNS Spawns Process

Description

This detection identifies processes spawned by ‘dns.exe’, the Microsoft Domain Name System (DNS) Server service binary, which does not normally launch child processes. This technique is used by malicious actors to perform remote command execution after exploiting the DNS server.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Process Spawned By SAPStartSrv

Description

This detection identifies processes spawned by 'sapstartsrv.exe', the SAP NetWeaver start service. Malicious actors could use this to create web application accounts on vulnerable systems and execute commands in the context of a privileged user.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Explorer Spawns Process From Command Line

Description

This detection identifies ‘explorer.exe’ being launched from ‘cmd.exe’ with a target passed on its command line, so that the target runs with ‘explorer.exe’ rather than ‘cmd.exe’ as its parent. This technique is used by malicious actors to evade detections based on parent/child process relationships.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - WMI Queries Passed To PowerShell

Description

This detection identifies Windows Management Instrumentation (WMI) queries being passed to 'PowerShell.exe' with the command output redirected to a file. This technique is used by malicious actors to gather information about the target endpoint for return to the command and control server.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Expand Archive In ProgramData Directory

Description

This detection identifies the use of 'expand.exe' against compressed archives located in the 'ProgramData' directory. Rapid7 has observed malicious actors using this utility in these directories when decompressing archives containing tools and malware. Malicious actors perform this activity after compromising a web application.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Remote File Location Download And Execution Passed To Python

Description

This detection identifies the URL of a remotely hosted file, together with a method of executing it, being passed to Python on the command line. This technique is used by malicious actors to retrieve and execute code after successfully exploiting web and database services.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - CertUtil With Flags Verifyctl and Split

Description

This detection identifies the Windows certificate services command line tool, ‘certutil.exe’, being run with the ‘-verifyctl’ and ‘-split’ flags, which cause it to fetch a file from a URL and write it to disk. This technique is used by malicious actors to download additional payloads: using a built-in tool in a non-standard way helps them avoid detection.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - PowerShell Sort-Object Get-Random

Description

This detection identifies Base64-encoded PowerShell payloads whose characters have been shuffled and are reordered at runtime using the ‘Sort-Object’ and ‘Get-Random’ cmdlets. The shuffled string is passed to ‘Sort-Object’ with a sort key derived from ‘Get-Random’ after the random number generator has been seeded with a fixed value, so the characters come out in their original order. The resulting output is valid Base64, which is then decoded and executed.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Zoho ManageEngine Spawns Child

Description

This detection identifies exploitation of CVE-2020-10189, a remote code execution vulnerability in Zoho ManageEngine Desktop Central. This vulnerability allows a malicious actor to execute arbitrary code remotely on affected versions through the deserialization of untrusted data in 'getChartImage' in the FileStorage class.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Ryuk Wake-on-Lan Feature

Description

This detection identifies the process command line argument '8 LAN', which is used by malicious actors in multiple variants of the Ryuk malware. When the malware is executed, it will spawn subprocesses with the argument '8 LAN'. When this argument is used, the malware scans the device's ARP table and verifies if the entries are part of the RFC1918 address space.

Recommendation

Investigate the parent and child process chains for suspicious activity to identify if malware is deployed on any affected systems. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Mass Copy

Description

This detection identifies hundreds of copy commands targeting remote systems being run from one endpoint within a few minutes. This technique is used by malicious actors to copy ransomware payloads to multiple systems within a target’s environment.

Recommendation

Review the file being copied to validate if it is malicious. If it is, remove it from all locations, and identify and lock accounts being used to copy the files. If necessary, rebuild the hosts from a known, good source and have the users change their passwords.

Suspicious Process - EseNtUtl Repair

Description

This detection identifies the use of ‘esentutl.exe’ with the ‘/p’ flag, which repairs an Extensible Storage Engine (ESE) database, such as the Active Directory database ‘NTDS.dit’, and writes the repaired database to the specified file. This technique is used by malicious actors to obtain a usable copy of ‘NTDS.dit’, and with it the password hashes, from the compromised system.

Recommendation

Review the file location in the command line and validate that the activity performed by the user is intended and allowed. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - PATHTOVBS Environment Variable Present

Description

This detection identifies the environment variable ‘PATHTOVBS’ being referenced in a command line, which has been observed when malicious actors deploy TrickBot and Cobalt Strike. The environment variable points to the location on the file system of a Visual Basic Script (VBS) file, which the malicious actor uses to execute malware on the compromised host.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - PowerShell SAPS

Description

This detection identifies the string ‘SAPS’ being passed to PowerShell. ‘SAPS’ is an alias for the PowerShell ‘Start-Process’ cmdlet. The alias is rarely used legitimately, but malicious actors have used it to launch processes.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Scripting Engine With WordPress Uploads Directory In Command Line

Description

This detection identifies the WordPress uploads directory being passed to common Windows scripting engines. WordPress is a Content Management System (CMS), that a malicious actor could exploit to host malware. A malicious actor could then retrieve the malware through exploited endpoints. This allows a malicious actor to host the malware on reputable websites, and allows them to bypass reputation-based web filtering.

Recommendation

Review the process and URL to determine if it is malware, and rebuild the affected endpoint from a known, good baseline. Lock the user’s account and have them reset their password.

Suspicious Process - MSBuild Spawns IExplore

Description

This detection identifies ‘MSBuild.exe’ spawning ‘IExplore.exe’. Various droppers and downloaders use MSBuild to spawn a child ‘IExplore.exe’ process, allocate memory within it, inject arbitrary code, and modify the process memory and control flow so that the injected code runs under the name of a trusted browser process.

Recommendation

Acquire additional process artifacts and identify the root cause of the suspicious process. The source could be a document sent by a malicious actor to the user by email. Investigate the user's inbox to identify any malicious emails, and determine if any other users have received the email. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Child Of SVCHost With Flags -k TSGateway

Description

This detection identifies the child processes of ‘svchost.exe’ with the ‘-k tsgateway’ arguments being passed to it through the command line. This process could indicate that a malicious actor is exploiting the remote code execution vulnerability in Windows Remote Desktop Gateway (RD Gateway), which is tracked as CVE-2020-0609 in MITRE’s Common Vulnerabilities and Exposures system.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Encoded GZIP Magic Bytes Passed To PowerShell

Description

This detection identifies Base64-encoded GZIP magic bytes, ‘H4sI’, being passed to ‘PowerShell.exe’. This process is used by malicious actors through multiple post-exploitation frameworks, such as Cobalt Strike and Metasploit.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
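The reason ‘H4sI’ is a reliable signal is arithmetic: Base64 encodes three bytes as four characters, and the first three bytes of every gzip stream are the fixed header 1f 8b 08, which encode to exactly ‘H4sI’. The following Python is an added example written for this page, not Rapid7's code or any framework's stager: it builds a constructed, harmless gzip-plus-Base64 launcher of the shape these frameworks emit, wraps it a second time in ‘-EncodedCommand’ (Base64 of UTF-16LE text, the encoding the PowerShell Spawns PowerShell and Microsoft Word Spawns PowerShell recommendations above refer to), and then peels the layers back off, which is what an analyst has to do before the ‘H4sI’ check or any other content rule can fire on a nested payload. The sample script and command lines are constructed for illustration.

```python
"""Peeling PowerShell encoding layers: -EncodedCommand (UTF-16LE Base64) and Base64 gzip ('H4sI')."""
import base64
import gzip
import re
from typing import List, Optional

# Base64 of the gzip header bytes 1f 8b 08; every Base64-encoded gzip stream starts with it.
GZIP_B64_MAGIC = base64.b64encode(b"\x1f\x8b\x08").decode("ascii")   # 'H4sI'

ENC_FLAG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def build_gzip_stager(script: str) -> str:
    """Constructed model of a framework-style launcher: gzip + Base64 the script, inflate and IEX it."""
    blob = base64.b64encode(gzip.compress(script.encode("utf-8"))).decode("ascii")
    return ("powershell.exe -nop -w hidden -c \"IEX (New-Object IO.StreamReader((New-Object "
            "IO.Compression.GzipStream([IO.MemoryStream][Convert]::FromBase64String('"
            + blob + "'),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()\"")


def build_encoded_command(cmdline: str) -> str:
    """Wrap a command in -EncodedCommand, which takes Base64 of UTF-16LE text."""
    return "powershell.exe -nop -enc " + base64.b64encode(cmdline.encode("utf-16-le")).decode("ascii")


def _b64decode(token: str) -> bytes:
    return base64.b64decode(token + "=" * (-len(token) % 4))   # tolerate stripped padding


def contains_gzip_magic(text: str) -> bool:
    """The 'Encoded GZIP Magic Bytes' signal: a Base64 token beginning with H4sI."""
    return any(m.group(0).startswith(GZIP_B64_MAGIC) for m in B64_TOKEN_RE.finditer(text))


def peel_one(text: str) -> Optional[str]:
    """Decode a single encoding layer, or return None if nothing decodable is present."""
    m = ENC_FLAG_RE.search(text)
    if m:
        try:
            return _b64decode(m.group(1)).decode("utf-16-le")
        except (UnicodeDecodeError, ValueError):
            return None
    for m in B64_TOKEN_RE.finditer(text):
        if m.group(0).startswith(GZIP_B64_MAGIC):
            try:
                return gzip.decompress(_b64decode(m.group(0))).decode("utf-8", "replace")
            except (OSError, EOFError, ValueError):
                return None
    return None


def decode_layers(cmdline: str, max_depth: int = 5) -> List[str]:
    """Recovered plaintext for each nested layer, outermost first; bounded to avoid decode bombs."""
    layers: List[str] = []
    current = cmdline
    while len(layers) < max_depth:
        nxt = peel_one(current)
        if nxt is None:
            break
        layers.append(nxt)
        current = nxt
    return layers


# Constructed, harmless sample: a gzip stager wrapped a second time in -EncodedCommand.
SAMPLE_SCRIPT = "Write-Output 'constructed sample payload'"
SAMPLE_STAGER = build_gzip_stager(SAMPLE_SCRIPT)
SAMPLE_CMDLINE = build_encoded_command(SAMPLE_STAGER)

if __name__ == "__main__":
    print("raw command line carries H4sI:", contains_gzip_magic(SAMPLE_CMDLINE))
    for depth, layer in enumerate(decode_layers(SAMPLE_CMDLINE), 1):
        print(f"layer {depth} (H4sI present: {contains_gzip_magic(layer)}): {layer[:80]}...")
```

On the raw command line the ‘H4sI’ check is false, because the outer layer is UTF-16LE Base64 and the gzip blob is only visible after the first decode. Detection pipelines that match on command-line content should therefore decode ‘-EncodedCommand’ arguments before applying content rules, and bound the recursion as above.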

Suspicious Process - GetObject Passed To MSHTA

Description

This detection identifies the use of ‘mshta.exe’ with the command line parameter ‘vbscript:GetObject’. ‘mshta.exe’ is the utility that runs HTML Application (‘.hta’) files, and it also accepts script passed directly on the command line through the ‘vbscript:’ and ‘javascript:’ protocol handlers. A malicious actor could use this capability to execute malicious scripts, including scriptlets hosted on a remote web server. The PoshC2 post-exploitation framework uses this technique to execute scripts hosted on a web server controlled by a malicious actor.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Delete File Shadow Copies With PowerShell

Description

This detection identifies the use of ‘PowerShell.exe’ to delete any shadow copies of files on disk. This technique is used by malicious actors during a ransomware attack to destroy backup copies of files on a system to increase the likelihood of a target paying to retrieve their data. Other legitimate software may use this to minimize disk usage.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - DownloadFile and Expand-Archive Passed To PowerShell

Description

This detection identifies the use of ‘PowerShell.exe’ with ‘.DownloadFile’ and ‘Expand-Archive’ passed to it via the command line. Rapid7 has observed malicious actors using this technique to retrieve malware from external locations by sending malicious documents to targets.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Word Spawns ForFiles

Description

This detection identifies ‘ForFiles.exe’ being spawned as a child process of ‘winword.exe’. Malicious actors send malicious documents to targets that retrieve and execute malware from external locations when opened.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Excel Spawns ForFiles

Description

This detection identifies ‘ForFiles.exe' being spawned as a child process of ‘Excel.exe'. This technique is used by malicious actors to send malicious documents to targets that retrieve and execute malware from external locations when opened.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - ForFiles Spawns Process From Users Directory

Description

This detection identifies ‘ForFiles.exe’ as the parent process of any executable located in the user’s directory. ‘ForFiles.exe’ can run a command for each file it enumerates, and malicious documents use it to execute payloads dropped into the user’s profile.

Recommendation

Review the process in question. If it is malicious, quarantine the asset, lock the user's account, and reset the credentials.

Suspicious Process - ShadowCopy Delete Passed To WMIC

Description

This detection identifies the use of ‘WMIC.exe’ with ‘shadowcopy delete’ passed to it to delete any shadow copies of files on disk. This technique is used by a malicious actor performing a ransomware attack to destroy backup copies of files on a system to increase the likelihood of a target paying to retrieve their data.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - value.toString Passed To PowerShell

Description

This detection identifies ‘value.toString’ being passed to ‘PowerShell.exe’ in the command line. This technique is used by malicious actors to obfuscate and increase the likelihood of the script executing on an endpoint.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Kovter Command Line Progress

Description

This detection identifies command lines referencing the environment variables that the fileless malware Kovter uses to display installation progress while it is being dropped. Kovter uses scripting engines, such as ‘mshta.exe’, ‘PowerShell.exe’ and ‘WScript.exe’, with obfuscated strings stored in the registry for multiple purposes, including ad fraud and ransomware.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - WScript.Shell Passed To MSHTA

Description

This detection identifies the ‘WScript.Shell’ being passed to ‘mshta.exe’. This technique is used by malicious actors to execute scripts, and is associated with the Kovter family of fileless malware.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - SC Stop Security Related Service

Description

This detection identifies the use of ‘sc.exe’ to stop security-related services. This technique is used by malicious actors to disable services that could stop malware, patch a target system, or run antivirus updates. This activity is used with ransomware-related malware families.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Delete Catalog Passed To WBAdmin

Description

This detection identifies the command ‘delete catalog’ being passed to the Windows Backup Administrative utility, ‘wbadmin.exe’. This command destroys the catalog of backups created by the Windows Server Backup snap-in. This technique is used by malicious actors deploying ransomware to increase the likelihood of a target paying the ransom.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Boot Configuration Data Editor Activity

Description

This detection identifies the use of the Boot Configuration Data Editor, ‘bcdedit.exe’, to disable automatic startup repair for the system disk. This technique is used by malicious actors, commonly in ransomware, to stop the operating system from repairing itself after the malware damages it.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - PowerShell Uncommon Upper And Lower Case Combinations

Description

This detection identifies ‘PowerShell.exe’ being called with suspicious combinations of upper and lower case characters. Malicious actors use this technique embedded within malicious documents. When the document is opened, it will spawn PowerShell as ‘poWErSHeLl.exe’ or in another similar form that users do not enter.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - PowerShell Spawns WScript Running File Out Of Temp Folder

Description

This detection identifies ‘PowerShell.exe’ spawning ‘WScript.exe’ to run a script file located in a temporary directory. This technique is used by malicious actors to drop banking trojans.

Recommendation

Review the process in question. If it is malicious, quarantine the asset, lock the user's account, and reset the credentials.

Suspicious Process - VerClsID Spawns Scripting Engine

Description

This detection identifies ‘verclsid.exe’ spawning common scripting engines, such as ‘PowerShell.exe’ and ‘wscript.exe’. This technique is used by malicious actors to hide the script embedded within a malicious document behind an intermediate process: ‘winword.exe’ launches ‘verclsid.exe’, which in turn invokes a scripting engine or command shell.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Volume Shadow Service Delete Shadow Copies

Description

This detection identifies the use of ‘vssadmin.exe’ to delete shadow file copies. This technique is used by malicious actors to remove backup copies of files immediately prior to the execution of ransomware to increase the likelihood of a target paying the ransom. This activity can also be a result of standard optimization for virtualized systems.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - MSHTA Spawns PowerShell

Description

This detection identifies ‘mshta.exe’ spawning ‘PowerShell.exe’. ‘mshta.exe’ can run JScript and VBScript supplied on its command line, which malicious actors use to launch PowerShell; this technique was first observed with the Kovter malware family.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - Set-Variable and Start-Process Passed To PowerShell

Description

This detection identifies ‘Set-Variable’ and ‘Start-Process’ being passed to ‘PowerShell.exe’ in the command line. ‘Set-Variable’ is specified multiple times containing pieces of longer strings that are reassembled and executed. This technique is used by malicious actors to obfuscate the PowerShell script embedded in a malicious document, which increases the likelihood of the script being executed on a target’s endpoint.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - PowerShell Disable Computer Restore

Description

This detection identifies the ‘disable-computerrestore’ being passed to ‘PowerShell.exe’ in the command line. This technique is used by malicious actors to remove backup copies of files immediately prior to the execution of ransomware to increase the likelihood of a target paying the ransom.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
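The backup- and recovery-inhibition rules above (shadow copy deletion through ‘vssadmin.exe’, ‘WMIC.exe’ and PowerShell, ‘wbadmin.exe delete catalog’, ‘bcdedit.exe’ disabling startup repair, and ‘Disable-ComputerRestore’) all key on command-line content, which is only reliable after the command line has been normalized: ransomware varies letter case, quoting and whitespace, and often wraps the tool in ‘cmd.exe /c’. The following Python is an added example written for this page, not Rapid7's detection logic: it normalizes constructed sample command lines, applies regexes modelled on the rules above, and separately preserves the raw image spelling so that the PowerShell Uncommon Upper And Lower Case Combinations rule can still fire on a spelling such as ‘poWErSHeLl.exe’ even though matching is done case-insensitively. The rule regexes, the ‘bcdedit’ settings checked and the allowlist of expected ‘powershell.exe’ spellings are assumptions to be tuned per environment.

```python
"""Command-line normalization and matching for backup/recovery-inhibition rules."""
import re
from typing import List, Tuple

# (rule name, tool image, regex over the normalized argument string). Assumed rule logic
# modelled on the catalog entries above, not Rapid7's implementation.
BACKUP_RULES: List[Tuple[str, str, str]] = [
    ("Suspicious Process - Volume Shadow Service Delete Shadow Copies", "vssadmin.exe",
     r"\bdelete\s+shadows\b"),
    ("Suspicious Process - ShadowCopy Delete Passed To WMIC", "wmic.exe",
     r"\bshadowcopy\s+delete\b"),
    ("Suspicious Process - Delete Catalog Passed To WBAdmin", "wbadmin.exe",
     r"\bdelete\s+catalog\b"),
    # bcdedit settings that turn off automatic startup repair after a failed boot (assumed set).
    ("Suspicious Process - Boot Configuration Data Editor Activity", "bcdedit.exe",
     r"/set\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    ("Suspicious Process - PowerShell Disable Computer Restore", "powershell.exe",
     r"\bdisable-computerrestore\b"),
    ("Suspicious Process - Delete File Shadow Copies With PowerShell", "powershell.exe",
     r"\bwin32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b"),
]
CASE_RULE = "Suspicious Process - PowerShell Uncommon Upper And Lower Case Combinations"
# Spellings a person or a normal launcher produces (assumed allowlist; tune to your environment).
EXPECTED_POWERSHELL_CASES = {"powershell.exe", "PowerShell.exe", "Powershell.exe", "POWERSHELL.EXE"}

IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')


def split_image(cmdline: str) -> Tuple[str, str]:
    """Return (raw image basename exactly as logged, remaining argument string)."""
    m = IMAGE_RE.match(cmdline)
    if not m:
        return "", cmdline
    image = m.group(1) or m.group(2)
    return image.replace("/", "\\").rsplit("\\", 1)[-1], cmdline[m.end():]


def normalize(args: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so regexes see one canonical form."""
    return re.sub(r"\s+", " ", args.replace('"', "").replace("'", "")).strip().lower()


def powershell_case_anomaly(raw_image: str) -> bool:
    """True when the image is powershell.exe in an unexpected mixture of upper and lower case."""
    return raw_image.lower() == "powershell.exe" and raw_image not in EXPECTED_POWERSHELL_CASES


def evaluate_cmdline(cmdline: str) -> List[str]:
    raw_image, args = split_image(cmdline)
    image, norm = raw_image.lower(), normalize(args)
    hits = []
    for name, tool, pattern in BACKUP_RULES:
        stem = tool[:-len(".exe")]
        # The tool may be the image itself or be embedded in a 'cmd.exe /c ...' wrapper.
        invoked = image == tool or re.search(rf"\b{stem}(?:\.exe)?\b", norm) is not None
        if invoked and re.search(pattern, norm):
            hits.append(name)
    if powershell_case_anomaly(raw_image):
        hits.append(CASE_RULE)
    return hits


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet',
    r'C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet & wbadmin DELETE CATALOG -quiet',
    r'wmic.exe shadowcopy delete',
    r'bcdedit.exe /set {default} recoveryenabled No',
    r'poWErSHeLl.exe -nop -c "Disable-ComputerRestore -Drive C:\"',
    r'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"',
    r'vssadmin.exe list shadows',   # benign: enumeration only, no deletion
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(f"{line!r}\n    -> {evaluate_cmdline(line) or 'no hits'}")
```

The ‘cmd.exe /c’ sample fires two rules from one process event, which is the usual shape of a ransomware pre-encryption script; a pipeline that only looked at the image name would attribute that event to ‘cmd.exe’ and miss both. The descriptions above note that legitimate software and virtualization housekeeping also delete shadow copies, so in production these matches should be enriched with the parent process and the executing account before they are treated as an incident.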

Suspicious Process - PowerShell Download Cradles

Description

This detection identifies download cradles being passed to ‘PowerShell.exe’ in the command line. Download cradles include various methods malicious actors use to execute PowerShell to retrieve items from remote web and DNS servers. This technique is used by malicious actors in malicious documents and interactively with target systems.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Process - PowerShell Spawns Binary In Users\Public\Documents

Description

This detection identifies ‘PowerShell.exe’ spawning any process when the process binary is located in the ‘Users\Public\Documents’ directory. Malicious actors use this writable directory to save and execute malware retrieved by downloaders.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Bitcoin Miner

These detections identify Bitcoin miners through protocols and processes used in the environment.

Bitcoin Miner - Stratum Protocol In Command Line

Description

This detection identifies cryptocurrency miners by the stratum mining protocol scheme, ‘stratum+tcp’, being passed as an argument to the binary, typically as part of the pool URL. Miners are dropped by malicious actors to monetize the resources of exploited endpoints.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

BitCoin Miner - MinerD Process Name

Description

This detection identifies the use of processes named ‘MinerD.exe’, which indicates the presence of cryptocurrency miners.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Bitcoin Miner - User And Password X Flags In Command Line

Description

This detection identifies cryptocurrency miners by the ‘user’ and ‘password’ arguments being passed to the binary with the placeholder password ‘x’, a convention of mining pool clients for pools that do not authenticate by password. Miners are dropped by malicious actors to monetize the resources of exploited endpoints.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Bitcoin Miner - Cryptonight Algorithm In Command Line

Description

This detection identifies cryptocurrency miners by the ‘cryptonight’ argument being passed to the binary. CryptoNight is a hashing algorithm used by Monero and other CryptoNote-based coins rather than Bitcoin, so the miner is most likely mining one of those. Miners are dropped by malicious actors to monetize the resources of exploited endpoints.

Recommendation

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.
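The four Bitcoin Miner rules above each key on one argument, but the arguments are structured: a pool URL with a ‘stratum+…’ scheme, a user (usually a wallet address), a placeholder password and an algorithm name. Parsing them as a miner would, rather than grepping for the strings, recovers the pool host and port for blocking and avoids firing on tools such as ‘curl.exe’ that also take ‘-o’ and ‘-u’. The following Python is an added example written for this page, not Rapid7's code or any miner's real option parser: it tokenizes constructed sample command lines, parses the common ‘-o/--url’, ‘-u/--user’, ‘-p/--pass’ and ‘-a/--algo’ flags (an assumed subset of miner conventions), and reports which of the rules above would fire. The sample wallet, pool host and file paths are constructed for illustration.

```python
"""Structured parsing of cryptocurrency-miner command lines (pool URL, credentials, algorithm)."""
import argparse
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')   # quoted token or bare token

# Flags shared by common miner command-line conventions (assumed subset; other flags are ignored).
MINER_FLAGS = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
MINER_FLAGS.add_argument("-o", "--url")
MINER_FLAGS.add_argument("-u", "--user")
MINER_FLAGS.add_argument("-p", "--pass", dest="password")
MINER_FLAGS.add_argument("-a", "--algo")


@dataclass
class MinerProfile:
    image: str
    scheme: Optional[str]
    host: Optional[str]
    port: Optional[int]
    user: Optional[str]
    algo: Optional[str]
    hits: List[str] = field(default_factory=list)


def tokenize(cmdline: str) -> List[str]:
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(cmdline: str) -> MinerProfile:
    """Parse miner-style options and decide which catalog rules the command line satisfies."""
    tokens = tokenize(cmdline)
    image = basename(tokens[0]) if tokens else ""
    try:
        opts, _unknown = MINER_FLAGS.parse_known_args(tokens[1:])
    except SystemExit:  # argparse could not parse (e.g. a flag without its value)
        opts = argparse.Namespace(url=None, user=None, password=None, algo=None)
    pool = urlsplit(opts.url) if opts.url else None
    scheme = pool.scheme.lower() if pool and pool.scheme else None
    try:
        port = pool.port if pool else None
    except ValueError:   # non-numeric port in the URL
        port = None
    profile = MinerProfile(image, scheme, pool.hostname if pool else None, port, opts.user, opts.algo)
    if image == "minerd.exe":
        profile.hits.append("BitCoin Miner - MinerD Process Name")
    if scheme and scheme.startswith("stratum+"):
        profile.hits.append("Bitcoin Miner - Stratum Protocol In Command Line")
    if opts.user and (opts.password or "").lower() == "x":
        profile.hits.append("Bitcoin Miner - User And Password X Flags In Command Line")
    if opts.algo and opts.algo.lower().startswith("cryptonight"):
        profile.hits.append("Bitcoin Miner - Cryptonight Algorithm In Command Line")
    return profile


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r'C:\ProgramData\svc\minerd.exe -a cryptonight -o stratum+tcp://pool.example.net:3333 -u 4constructedwallet -p x',
    r'"C:\Users\Public\xmrig.exe" --url=stratum+ssl://pool.example.net:443 --user=wallet --pass=x --algo=rx/0 --donate-level=1',
    r'C:\Windows\System32\curl.exe -o out.txt -u admin:pass https://intranet.example/',   # benign look-alike
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        p = classify(line)
        print(f"{p.image}: pool={p.scheme}://{p.host}:{p.port} user={p.user} algo={p.algo}")
        print("   hits:", p.hits or "none")
```

The ‘curl.exe’ sample uses ‘-o’ and ‘-u’ but yields no hits, because its ‘-o’ value is not a stratum URL and it passes no ‘-p x’; the second sample shows that a miner with a non-‘minerd’ name and a non-CryptoNight algorithm is still caught by the stratum scheme and the ‘x’ password, so the four rules are complementary rather than redundant.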