FireEye released a very interesting article regarding a third-party compromise of SolarWinds; the detections that are possible in Defender for Endpoint are listed below.
DeviceEvents
<manifest schemaversion="4.82" binaryversion="17">
  <configuration>
    <options>
      <!-- Command-line only options -->
      <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
      <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
      <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
      <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
      <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" />
      <option switch="t" name="DebugMode" argument="optional" noconfig="true" />
<manifest schemaversion="4.90" binaryversion="18">
  <configuration>
    <options>
      <!-- Command-line only options -->
      <option switch="i" name="Install" argument="optional" noconfig="true" exclusive="true" />
      <option switch="c" name="Configuration" argument="optional" noconfig="true" exclusive="true" />
      <option switch="u" name="UnInstall" argument="optional" noconfig="true" exclusive="true" />
      <option switch="m" name="Manifest" argument="none" noconfig="true" exclusive="true" />
      <option switch="z" name="ClipboardInstance" argument="required" noconfig="true" exclusive="true" />
      <option switch="t" name="DebugMode" argument="optional" noconfig="true" />
CLSID,ClassName
{0000031A-0000-0000-C000-000000000046},CLSID
{0000002F-0000-0000-C000-000000000046},CLSID CLSID_RecordInfo
{00000100-0000-0010-8000-00AA006D2EA4},CLSID DAO.DBEngine.36
{00000101-0000-0010-8000-00AA006D2EA4},CLSID DAO.PrivateDBEngine.36
{00000103-0000-0010-8000-00AA006D2EA4},CLSID DAO.TableDef.36
{00000104-0000-0010-8000-00AA006D2EA4},CLSID DAO.Field.36
{00000105-0000-0010-8000-00AA006D2EA4},CLSID DAO.Index.36
{00000106-0000-0010-8000-00AA006D2EA4},CLSID DAO.Group.36
{00000107-0000-0010-8000-00AA006D2EA4},CLSID DAO.User.36