- Process Creation
Suspicious Execution Location Of Wermgr.EXE
Potential CVE-2023-36874 Exploitation – Fake Wermgr Execution
Network Reconnaissance Activity
Node Process Executions
Nslookup PowerShell Download Cradle – Process Creation
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
Harvesting Of Wifi Credentials Via Netsh.EXE
New Port Forwarding Rule Added Via Netsh.EXE
New Network Trace Capture Started Via Netsh.EXE
Firewall Rule Deleted Via Netsh.EXE
Potential Recon Activity Via Nltest.EXE
Potential Arbitrary Code Execution Via Node.EXE
Wscript Shell Run In CommandLine
Suspicious Cabinet File Execution Via Msdt.EXE
Perl Inline Command Execution
Php Inline Command Execution
Ping Hex IP
PktMon.EXE Execution
Suspicious Plink Port Forwarding
Psr.exe Capture Screenshots
Use of FSharp Interpreters
GfxDownloadWrapper.exe Downloads File from Suspicious URL
Ie4uinit Lolbin Use From Invalid Path
Ilasm Lolbin Use Compile C-Sharp
JSC Convert Javascript To Executable
Launch-VsDevShell.PS1 Proxy Execution
Execute Files with Msdeploy.exe
Replace.exe Usage
Suspicious Runscripthelper.exe
Use of Scriptrunner.exe
Lolbin Defaultpack.exe Use As Proxy
DeviceCredentialDeployment Execution - Proxy
Telegram API Access
Rclone Activity via Proxy - Registry Set
Potential Persistence Via Shim Database In Uncommon Location
Suspicious Shim Database Patching Activity
Potential Persistence Via Shim Database Modification
Potential Registry Persistence Attempt Via Windows Telemetry
Potential Provisioning Registry Key Abuse For Binary Proxy Execution – REG
New BgInfo.EXE Custom DB Path Registry Configuration
New BgInfo.EXE Custom VBScript Registry Configuration
New BgInfo.EXE Custom WMI Query Registry Configuration - Security
Activity By User Without any Characters or Digits
Addition of Domain Trusts
Suspicious Windows ANONYMOUS LOGON Local Account Created
Possible Shadow Credentials Added
Powerview Add-DomainObjectAcl DCSync AD Extend Right

New Deployed Rules
Account Management
Outgoing Logon with New Credentials
RottenPotato Like Attack Pattern
Scanner PoC for CVE-2019-0708 RDP RCE Vuln
File Event
WebDAV Temporary Local File Creation
SCR File