## Services

| Tactic | Detection | Query |
| --- | --- | --- |
| Persistence | Command-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Service binary paths may even be changed to execute cmd commands or scripts. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. | `SELECT PathName FROM Win32_Service GROUP BY PathName` |
| Persistence, Privilege Escalation | Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. | `SELECT PathName FROM Win32_Service GROUP BY PathName` |

The query column lists each distinct service binary path so that new or changed paths can be compared against a baseline. The fragments as given omit their `FROM` clause; `Win32_Service` is assumed here because `PathName` is the column that WMI class exposes for the service binary path.
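As an added example (not code from this repository), the baseline comparison described in the Detection column, in Python: it takes a known-good snapshot of service binary paths and a later snapshot from the same host (both constructed sample data) and flags paths not seen before, paths that invoke a command interpreter or script, and paths outside the standard program directories. The indicator regexes and directory list are assumptions, not values from the page.

```python
import re

# Constructed sample data (not from the page): a known-good snapshot of
# service binary paths and a later snapshot from the same host.
BASELINE_PATHS = [
    r"C:\Windows\system32\svchost.exe -k netsvcs",
    r"C:\Windows\System32\spoolsv.exe",
    r'"C:\Program Files\VendorAgent\agent.exe" /service',
]
CURRENT_PATHS = BASELINE_PATHS + [
    r"C:\Windows\System32\cmd.exe /c C:\Users\Public\update.bat",
    r"C:\Users\Public\svc.exe",
]

# Assumed indicator lists: interpreters and script types that a service
# binary path does not normally invoke, and directories services normally live in.
SCRIPT_HOSTS = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32)\.exe\b", re.I)
SCRIPT_EXT = re.compile(r"\.(bat|cmd|ps1|vbs|js|hta)\b", re.I)
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def executable(path_name: str) -> str:
    """Return the lower-cased executable part of a service binary path.
    Quoted paths keep their spaces; unquoted ones end at the first space."""
    s = path_name.strip()
    if s.startswith('"') and s.find('"', 1) > 0:
        return s[1:s.find('"', 1)].lower()
    return s.split(" ", 1)[0].lower()


def find_outliers(baseline, current):
    """Map each suspicious current PathName to the list of reasons it was flagged."""
    known = {executable(p) for p in baseline}
    findings = {}
    for path_name in current:
        exe = executable(path_name)
        reasons = []
        if exe not in known:
            reasons.append("not in baseline")
        if SCRIPT_HOSTS.search(path_name) or SCRIPT_EXT.search(path_name):
            reasons.append("invokes command interpreter or script")
        if not exe.startswith(STANDARD_DIRS):
            reasons.append("outside standard program directories")
        if reasons:
            findings[path_name] = reasons
    return findings


if __name__ == "__main__":
    for path_name, reasons in find_outliers(BASELINE_PATHS, CURRENT_PATHS).items():
        print(f"{path_name}\n    -> {', '.join(reasons)}")
```

Feed it the distinct `PathName` values returned by the query above from two points in time and review only the flagged rows.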