Exploit Techniques

Applies To: WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

The Exploit Activity table shows the exploit technique detected, as well as the name of the compromised program.

These are the different techniques monitored:

Exploit/Metasploit

Metasploit shellcode signature detection

Exploit/ReflectiveLoader

Reflective executable loading (Metasploit, Cobalt Strike, etc.)

Exploit/RemoteAPCInjection

Remote code injection via APCs (asynchronous procedure calls)

Exploit/DynamicExec

Execution of code in pages without execute permission (32-bit only)

Exploit/HookBypass

Hook bypass in running functions

Exploit/ShellcodeBehavior

Code execution on MEM_PRIVATE pages that do not correspond to a PE image

Exploit/ROP1

Calls to memory management APIs while the stack pointer is outside the thread's stack limits

Exploit/IE_GodMode

GodMode technique in Internet Explorer

Exploit/RunPE

Process hollowing/RunPE techniques

Exploit/PsReflectiveLoader1

PowerShell: reflective executable loading (Mimikatz, etc.)

Exploit/PsReflectiveLoader2

PowerShell: reflective executable loading (Mimikatz, etc.)

Exploit/NetReflectiveLoader

.NET reflective load (Assembly.Load)

Exploit/JS2DOT

JS2DOT technique

Exploit/Covenant

Detection of the Covenant C2 framework

Exploit/DumpLsass

LSASS process memory dump

Exploit/APC_Exec

Local code execution via APC
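Two of the entries above, Exploit/ShellcodeBehavior and Exploit/ROP1, both reduce to a question about where an address lives: is the code being executed backed by a loaded image or by private anonymous memory, and is the stack pointer inside the thread's own stack? The following C program is an added illustration of that kind of check; it is not WatchGuard code and does not show how the product implements these detections. It uses Linux's /proc/self/maps as a stand-in for the per-process memory map an EDR on Windows would consult (MEM_PRIVATE regions, mapped PE images, thread stack limits), and every type, function and variable name in it is this example's own.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Kinds of mapping an address can fall into (names are this example's own). */
typedef enum {
    REGION_UNMAPPED = 0,  /* no mapping contains the address */
    REGION_IMAGE,         /* file-backed: the executable or a shared library
                             (Linux counterpart of a mapped PE image) */
    REGION_STACK,         /* the main thread's stack ("[stack]") */
    REGION_PRIVATE        /* anonymous memory: heap or mmap()ed pages with no
                             backing file (counterpart of MEM_PRIVATE) */
} region_t;

typedef struct {
    region_t region;
    int executable;       /* 1 if the mapping carries the x permission */
} region_info_t;

/* Static data that lives inside the binary's own file-backed mapping. */
static const char image_marker[] = "classify_address example";

/* Walk /proc/self/maps and classify the mapping that contains ptr.
 * Each line has the form: start-end perms offset dev inode [path] */
region_info_t classify_address(const void *ptr)
{
    region_info_t info = { REGION_UNMAPPED, 0 };
    uintptr_t addr = (uintptr_t)ptr;
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return info;
    char line[512];
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[8];
        int consumed = 0;
        if (sscanf(line, "%lx-%lx %7s %*s %*s %*s%n",
                   &lo, &hi, perms, &consumed) < 3)
            continue;
        if (addr < lo || addr >= hi)
            continue;
        const char *path = line + consumed;
        while (*path == ' ')
            path++;
        if (*path == '/')
            info.region = REGION_IMAGE;
        else if (strncmp(path, "[stack", 6) == 0)
            info.region = REGION_STACK;
        else
            info.region = REGION_PRIVATE;   /* "[heap]", "[anon:...]" or blank */
        info.executable = (perms[2] == 'x');
        break;
    }
    fclose(maps);
    return info;
}

/* Exploit/ShellcodeBehavior analogue: code executing from an executable
 * page that is private/anonymous rather than part of a loaded image. */
int is_private_exec_page(const void *code)
{
    region_info_t info = classify_address(code);
    return info.region == REGION_PRIVATE && info.executable;
}

/* Exploit/ROP1 analogue: a stack pointer that is not inside the thread's
 * own stack. After a stack pivot it typically points into the heap. */
int stack_pointer_is_suspicious(const void *sp)
{
    return classify_address(sp).region != REGION_STACK;
}

/* Anonymous private mapping with the requested protection, or NULL if the
 * kernel or a hardening policy (e.g. no RWX mappings) refuses it. */
void *map_private(size_t len, int prot)
{
    void *m = mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return m == MAP_FAILED ? NULL : m;
}

/* Self-checks: each returns 1 when the classification is as expected. */
int check_local_is_on_stack(void)
{
    int local = 0;
    return classify_address(&local).region == REGION_STACK;
}
int check_rodata_is_in_image(void)
{
    return classify_address(image_marker).region == REGION_IMAGE;
}
int check_heap_is_private(void)
{
    void *p = malloc(64);
    int ok = p && classify_address(p).region == REGION_PRIVATE
               && stack_pointer_is_suspicious(p);
    free(p);
    return ok;
}

int main(void)
{
    printf("local on stack       : %d\n", check_local_is_on_stack());
    printf("rodata in image      : %d\n", check_rodata_is_in_image());
    printf("heap is private      : %d\n", check_heap_is_private());
    void *rwx = map_private(4096, PROT_READ | PROT_WRITE | PROT_EXEC);
    if (rwx)
        printf("RWX anon page flagged: %d\n", is_private_exec_page(rwx));
    else
        printf("RWX mapping refused by the system\n");
    return 0;
}
```

The RWX mapping at the end is what a shellcode stager needs and what `is_private_exec_page` flags; on systems that forbid anonymous executable mappings the call returns NULL, so a detector must not assume the allocation succeeds. A real EDR performs the equivalent lookup from kernel or hook context on the faulting instruction pointer or the stack pointer at the time of the API call, rather than by reading a text file.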

To exclude the detection of a technique for a specific program:

  • On the Exploit Detection page, in the Action section, select Do not detect again for a specific program.