Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
Some great high fidelity detections right to your app!
This update introduces:
Use of thesc.exeutility typically indicates a manual attempt at creating a service, which is uncommon for most environments. Additionally, this specific event is creating a service for an executable located in the Windows "Users" or "temp" folder, which is suspicious as legitimate services typically reside in system directories like "Program Files" or "Windows\System32".
The Windows login process can be exploited by attackers through manipulation of Winlogon, the system component that handles user login/logout events and the Ctrl-Alt-Delete security prompt. By modifying specific Registry paths within both HKLM and HKCU directories (underSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon), malicious actors can force the system to run unauthorized programs during user authentication. Several critical Registry locations are particularly susceptible to this type of attack:
Notify subkey, which controls DLL packages that respond to Winlogon eventsUserinit subkey, which launches user initialization processes at loginShell subkey, which determines which interface loads when users log in (typically explorer.exe)By targeting these Registry locations, attackers can create persistent threats that activate whenever users authenticate to the system. This technique allows malicious code to execute automatically and maintain a presence on the compromised machine.