Managed Sentinel – Alert 222

Alert IDMS-A222
Alert NameMITRE Execution Tactic Processes Detected
DescriptionThis alert detectes processes matching the exe-s described in the MITRE Att&ck Matrix Execution Tactic - https://attack.mitre.org/tactics/TA0002/
Severity LevelLow
Threat IndicatorUnauthorized Access
MITRE ATT&CK TacticsExecution
Log sourcesWindows
False Positives
Recommendations1. Run a full AV/AM scan on the reported host system
2. Prevent users from installing their own launch agents or launch daemons and instead require them to be pushed out by group policy.
3. Consider using application whitelisting configured to block execution of some executables listed in this MITRE attack if it is not required for a given system or network to prevent potential misuse by adversaries.
4. Audit and/or block unnecessary command-line interpreters by using application whitelisting tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.
5. Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.
6. Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.