# [HIGH] Snyk AppRisk Pro: A holistic approach to application risk management **Source:** Snyk **Published:** 2024-05-01 **Article:** https://snyk.io/blog/empower-application-risk-management-with-snyk-apprisk/ ## Threat Profile Snyk Blog In this article Written by Daniel Berman May 1, 2024 0 mins read We're thrilled to announce the availability of Snyk AppRisk Pro — our latest application security posture management (ASPM) offering designed to help enterprises manage and scale their application security programs with Snyk !  Snyk AppRisk Pro ships with a range of innovative, ecosystem-driven capabilities alongside new analytics tools, providing comprehensive application risk management with Snyk. These capabilities am… ## Indicators of Compromise (high-fidelity only) - _No high-fidelity IOCs in the RSS summary._ If the source publishes a technical write-up with defanged IOCs in the body, those would be picked up automatically on the next pipeline run. ## MITRE ATT&CK Techniques - **T1059.001** — PowerShell - **T1059.005** — Visual Basic - **T1218** — System Binary Proxy Execution ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Office app spawning script/LOLBin child process `UC_OFFICE_CHILD` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","mspub.exe","visio.exe") AND Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","wmic.exe","bitsadmin.exe","certutil.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where InitiatingProcessFileName in~ ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","mspub.exe","visio.exe") | where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","wmic.exe","bitsadmin.exe","certutil.exe") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine ``` ## Why this matters Severity classified as **HIGH** based on: 1 use case(s) fired, 3 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.