# [HIGH] Trend Micro launches Cloud One Open Source Security powered by Snyk

**Source:** Snyk
**Published:** 2021-05-10
**Article:** https://snyk.io/blog/trend-micro-launches-cloud-one-open-source-security-powered-by-snyk/

## Threat Profile

Written by Geva Solomonovich
May 10, 2021

Last summer, we announced our plan to expand our partnership with Trend Micro to provide security operations teams visibility and tracking of vulnerabilities and license risks in open source components. The long-standing partnership already includes container image security scanning that leverages Snyk’s proprietary vulnerability database.
With the new co-developed solution, Trend Micro Cloud One - Open Source Secur…

## Indicators of Compromise (high-fidelity only)

- _No high-fidelity IOCs in the RSS summary._ If the source publishes a technical write-up with defanged IOCs in the body, those would be picked up automatically on the next pipeline run.

## MITRE ATT&CK Techniques

- **T1543.003** — Windows Service

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Service install for persistence — sc.exe / new service registry write

`UC_SERVICE_PERSIST` · phase: **install** · confidence: **High**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.process_name="sc.exe" AND Processes.process="*create*"
      AND (Processes.process="*\\Users\\*" OR Processes.process="*\\AppData\\*"
        OR Processes.process="*\\ProgramData\\*" OR Processes.process="*\\Temp\\*")
    by Processes.dest, Processes.user, Processes.process, Processes.parent_process_name
| `drop_dm_object_name(Processes)`
| append
    [| tstats `summariesonly` count from datamodel=Endpoint.Registry
        where Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services\\*"
          AND Registry.registry_value_name="ImagePath"
          AND (Registry.registry_value_data="*\\Users\\*"
            OR Registry.registry_value_data="*\\AppData\\*"
            OR Registry.registry_value_data="*\\Temp\\*")
        by Registry.dest, Registry.registry_path, Registry.registry_value_data, Registry.user
     | `drop_dm_object_name(Registry)`]
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
// exclude machine accounts (names ending in "$")
| where AccountName !endswith "$"
| where FileName =~ "sc.exe" and ProcessCommandLine has "create"
// binary path under a user-writable directory; backslashes must be doubled inside the regex
| where ProcessCommandLine matches regex @"(?i)\\(Users|AppData|ProgramData|Temp)\\"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
```


## Why this matters

Severity classified as **HIGH** based on: 1 use case(s) fired, 1 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
