Managed Sentinel – Alert 222
|Alert Name||MITRE Execution Tactic Processes Detected|
|Description||This alert detectes processes matching the exe-s described in the MITRE Att&ck Matrix Execution Tactic - https://attack.mitre.org/tactics/TA0002/|
|Threat Indicator||Unauthorized Access|
|MITRE ATT&CK Tactics||Execution|
|Recommendations||1. Run a full AV/AM scan on the reported host system|
2. Prevent users from installing their own launch agents or launch daemons and instead require them to be pushed out by group policy.
3. Consider using application whitelisting configured to block execution of some executables listed in this MITRE attack if it is not required for a given system or network to prevent potential misuse by adversaries.
4. Audit and/or block unnecessary command-line interpreters by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.
5. Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.
6. Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.