In #ADFS, attackers can manipulate the service process Microsoft.IdentityServer.ServiceHost.exe to execute payloads for persistence activity.
A possible #threathunting thesis is to detect anomaly child process execution under the AD FS service host process.
⚡️ Supercharge your ability to discover whether an Indicator of Compromise is present in your network.
Join Erik Goldman on February 14th to learn how Hunters’ new IOC Search is setting a new standard for investigation tools.
https://t.co/jjvw7KFozK
Hunting and detecting malicious #OneNote notebook executions!
Detecting direct child process execution of abused binaries under the OneNote host process (onenote.exe) can cause FPs due to control policies that involve running existing scripts from disk or public shares.