Alert Pack: Execution (MITRE ATT&CK Tactic: TA0002)

Purpose

This alert pack brings our SecOps-related content to non-SecOps customers and helps jump-start threat coverage. It contains a set of detections that alert when an attacker attempts to run malicious scripts or malware on your systems, for example through WMI, scheduled tasks, Azure Automation runbooks, or PowerShell against Office 365. Execution techniques are often among the most impactful for your environment: the attacker could be running keylogging scripts, downloading further malware, and so forth.

These are all attacks that aim to disrupt your systems or steal information. The alerts give your team actionable information as soon as an attacker attempts one of these techniques.

Security Operations application

SecOps users can obtain more detailed information on each of these alerts by installing them through the Content Manager instead.

SecOpsAzureAutomationRunbookCreatedOrMofidied

SecOpsWinWmiScriptExecution

SecOpsWinScheduledTaskCreation

SecOpsAzureVMCmdEXE

SecOpsWinWmiExecVbsScript

SecOpsWinSchtasksForcedReboot

SecOpsAzureAutomationWebhookCreated

SecOpsWinWmiProcessCallCreate

SecOpsWinSchtasksRemoteSystem

SecOpsO365PowerShellActivity

SecOpsWinWmiLaunchingShell
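The pack's own alert queries are not reproduced on this page. As an added illustration of the kind of behaviour the Windows-side alerts in the list above look for (WMI process creation, WMI spawning a shell or VBScript, scheduled-task creation, remote and forced-reboot scheduled tasks), the following Python snippet evaluates simple predicates over constructed process-creation events. It is example code, not the alert pack's or Devo's implementation; the event fields, rule logic and sample events are all assumptions made for the example.

```python
"""Illustrative detections for a few Execution (TA0002) behaviours.

Added example, not the alert pack's own alert definitions. It evaluates
simple predicates over constructed Windows process-creation events; the
event fields (host, user, parent, image, cmdline) are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str   # image name of the parent process
    image: str    # image name of the new process
    cmdline: str  # full command line of the new process


SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _schtasks_create(ev: ProcessEvent) -> bool:
    """schtasks.exe invoked with /Create."""
    return ev.image.lower() == "schtasks.exe" and bool(re.search(r"/create\b", ev.cmdline, re.I))


def _remote_target(ev: ProcessEvent) -> bool:
    """A /S <host> argument, i.e. the task is created on another machine."""
    return bool(re.search(r"(?:^|\s)/s\s+\S+", ev.cmdline, re.I))


def _forced_reboot_action(ev: ProcessEvent) -> bool:
    """The task action is a shutdown with both /r (restart) and /f (force)."""
    return bool(re.search(r"shutdown(?=.*\s/r\b)(?=.*\s/f\b)", ev.cmdline, re.I))


def _wmi_child(ev: ProcessEvent, images: set[str]) -> bool:
    """The WMI provider host spawned one of the given images."""
    return ev.parent.lower() == "wmiprvse.exe" and ev.image.lower() in images


# Rule name -> predicate. The names mirror the alert list above; the logic is
# an assumption written for this example and does not reproduce the pack's queries.
RULES = {
    "WmiProcessCallCreate": lambda ev: ev.image.lower() == "wmic.exe"
        and bool(re.search(r"process\s+call\s+create", ev.cmdline, re.I)),
    "WmiLaunchingShell": lambda ev: _wmi_child(ev, SHELLS),
    "WmiExecVbsScript": lambda ev: _wmi_child(ev, SCRIPT_HOSTS) and ".vbs" in ev.cmdline.lower(),
    "ScheduledTaskCreation": _schtasks_create,
    "SchtasksRemoteSystem": lambda ev: _schtasks_create(ev) and _remote_target(ev),
    "SchtasksForcedReboot": lambda ev: _schtasks_create(ev) and _forced_reboot_action(ev),
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"CORP\alice", "explorer.exe", "winword.exe",
                 r'"C:\Program Files\Microsoft Office\WINWORD.EXE" report.docx'),
    ProcessEvent("ws01", r"CORP\alice", "winword.exe", "wmic.exe",
                 'wmic process call create "powershell -nop -w hidden -enc aGVsbG8="'),
    ProcessEvent("ws02", r"CORP\svc-backup", "cmd.exe", "schtasks.exe",
                 r'schtasks /Create /S fileserver01 /U CORP\svc-backup /TN Updater '
                 r'/TR "C:\Users\Public\u.exe" /SC ONCE /ST 23:00'),
    ProcessEvent("ws02", r"CORP\bob", "cmd.exe", "schtasks.exe",
                 'schtasks /Create /TN Reboot /TR "shutdown /r /f /t 0" /SC ONCE /ST 02:00'),
    ProcessEvent("ws03", r"NT AUTHORITY\SYSTEM", "wmiprvse.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("ws03", r"CORP\bob", "wmiprvse.exe", "cscript.exe", r"cscript.exe //nologo C:\Temp\x.vbs"),
    ProcessEvent("ws04", r"CORP\carol", "explorer.exe", "notepad.exe", "notepad.exe notes.txt"),
]


def matching_rules(ev: ProcessEvent) -> list[str]:
    """Names of all rules that fire for one event, in definition order."""
    return [name for name, pred in RULES.items() if pred(ev)]


def run_rules(events: list[ProcessEvent]) -> list[tuple[str, str, str]]:
    """Evaluate every rule over every event and return (rule, host, image) hits."""
    return [(name, ev.host, ev.image) for ev in events for name in matching_rules(ev)]


if __name__ == "__main__":
    for rule, host, image in run_rules(SAMPLE_EVENTS):
        print(f"{rule:24s} {host:6s} {image}")
```

Note that one event can satisfy several rules (a remote or forced-reboot task creation also counts as a plain task creation), which is the behaviour you want when the broader and the more specific alerts are both enabled. A production rule would additionally tune out known management tooling that legitimately spawns processes from the WMI provider host, typically by allowlisting the account or parent command line.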

What is Execution?

Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of its card in Exchange to access the Alert configuration area, where you can apply filters to find the pack's alerts and manage them as required. You can also reach this area from the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the pack is installed. Go to the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.