Security Detection Update - 2025-02-20

Some great high fidelity detections right to your app!

New Detections

This update introduces:

New Service Creation Using Sc.EXE

Use of thesc.exeutility typically indicates a manual attempt at creating a service, which is uncommon for most environments. Additionally, this specific event is creating a service for an executable located in the Windows "Users" or "temp" folder, which is suspicious as legitimate services typically reside in system directories like "Program Files" or "Windows\System32".

• Status: Enabled
• Log type requirement: Windows, Sysmon, or Blumira Agent for Windows

Winlogon Registry Tampering: Change to Startup Behavior

The Windows login process can be exploited by attackers through manipulation of Winlogon, the system component that handles user login/logout events and the Ctrl-Alt-Delete security prompt. By modifying specific Registry paths within both HKLM and HKCU directories (underSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon), malicious actors can force the system to run unauthorized programs during user authentication. Several critical Registry locations are particularly susceptible to this type of attack:

• Notify subkey, which controls DLL packages that respond to Winlogon events
• Userinit subkey, which launches user initialization processes at login
• Shell subkey, which determines which interface loads when users log in (typically explorer.exe)

By targeting these Registry locations, attackers can create persistent threats that activate whenever users authenticate to the system. This technique allows malicious code to execute automatically and maintain a presence on the compromised machine.

• Status: Enabled
• Log type requirement: Windows, Sysmon, or Blumira Agent for Windows