Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27

Read More

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

Read More

Detects the creation of system DLLs that are usually not present on the system (or at least not in system directories). Usually this technique is used to achieve DLL hijacking.

Read More

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

Read More

This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

Read More

This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded

Read More

Detects DLL sideloading activity seen used by Diamond Sleet APT

Read More

Hunts known SVR-specific DLL names.

Read More

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack

Read More

Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL

Read More

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More

Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

Read More

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

Read More

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

Read More

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded

Read More

Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL

Read More

Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location

Read More

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

Read More

Detects potential DLL sideloading of "7za.dll"

Read More

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

Read More

Detects potential DLL sideloading of "appverifUI.dll"

Read More

Detects potential DLL sideloading of "AVKkid.dll"

Read More

Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

Read More

Detects potential DLL sideloading of "CCleanerDU.dll"

Read More

Detects potential DLL sideloading of "CCleanerReactivator.dll"

Read More

Detects potential DLL sideloading of "chrome_frame_helper.dll"

Read More

Detects DLL sideloading of "dbgcore.dll"

Read More

Detects potential DLL sideloading of "dbghelp.dll"

Read More

Detects potential DLL sideloading of "DbgModel.dll"

Read More

Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".

Read More

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

Read More

Detects potential DLL sideloading of "MpSvc.dll".

Read More

Detects potential DLL sideloading of "mscorsvc.dll".

Read More

Detects DLL sideloading of system DLLs that are not present on the system by default (at least not in system directories). Usually this technique is used to achieve UAC bypass or privilege escalation.

Read More

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Read More

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Read More

Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

Read More

Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL

Read More

Detects potential DLL sideloading of "EACore.dll"

Read More

Detects potential DLL sideloading of "edputil.dll"

Read More

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

Read More

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

Read More

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

Read More

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Read More

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Read More

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Read More

Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location

Read More

Detects potential DLL sideloading of Python DLL files.

Read More

Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.

Read More

Detects potential DLL sideloading of rcdll.dll

Read More

Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.

Read More

Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.

Read More

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

Read More

Detects potential DLL sideloading of "ShellDispatch.dll"

Read More

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

Read More

Detects potential DLL sideloading of "SolidPDFCreator.dll"

Read More

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

Read More

Detects potential DLL sideloading of "vivaldi_elf.dll"

Read More

Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.

Read More

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

Read More

Detects potential DLL sideloading of "wwlib.dll"

Read More

Detects potentially suspicious child processes of KeyScrambler.exe

Read More

Detects renamed vmnat.exe or portable version that can be used for DLL side-loading

Read More

Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks

Read More

Detects loading and execution of an unsigned thor scanner binary.

Read More

The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr

Read More

Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)

Read More

Attempts to load dismcore.dll after dropping it

Read More

Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations

Read More

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Read More

Detects unsigned module load by ClickOnce application.

Read More

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

Read More

Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.

Read More

Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.

Read More

Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities

Read More

Detects specific process characteristics of Winnti Pipemon malware reported by ESET

Read More

Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".

Read More

Detects suspicious Windows Defender Application Control (WDAC) policy file creation from abnormal processes that could be abused by attacker to block EDR/AV components while allowing their own malicious code to run on the system.

Read More

Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.

Read More

Detects suspicious new RUN key element pointing to an executable in a suspicious folder

Read More

Detects suspicious command line reg.exe tool adding key to RUN key in Registry

Read More

Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.

Read More

Detects potential PowerShell commands or code within registry run keys

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories

Read More

Detects uses of the createdump.exe LOLOBIN utility to dump process memory

Read More

Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"

Read More

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

Read More

Detects suspicious use of XORDump process memory dumping utility

Read More

Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name

Read More

Detects usage of the SysInternals Procdump utility

Read More

Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory

Read More

Detects suspicious ways to use the "DumpMinitool.exe" binary

Read More

Detects user permission data export attempt.

Read More

Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells

Read More

Detects the export of a crital Registry key to a file.

Read More

Detects the export of the target Registry key to a file.

Read More

Detects the use of SharpUp, a tool for local privilege escalation

Read More

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

Read More

Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.

Read More

Detects certain command line parameters often used during reconnaissance activity via web shells

Read More

Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system

Read More

Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.

Read More

Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)

Read More

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More

Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Read More

Detects the execution of a specific OneLiner to download and execute powershell modules in memory.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values

Read More

Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.

Read More

Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs

Read More

Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.

Read More

Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.

Read More

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

Read More

Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D). Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary. The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks. This rule flags suspicious use of such padding observed in real-world attacks.

Read More

Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.

Read More

Detects the execution of the nscurl utility in order to download files.

Read More

Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.

Read More

Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

Read More

Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID

Read More

Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors

Read More

Detects network connections to Cloudflared tunnels domains initiated by a process on the system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.

Read More

Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.

Read More

Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.

Read More

Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE). This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".

Read More

Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.

Read More

Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.

Read More

Detects programs that connect to known malware callback ports based on threat intelligence reports.

Read More

Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.

Read More

Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.

Read More

Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.

Read More

Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.

Read More

Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.

Read More

Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.

Read More

Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.

Read More

Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.

Read More

Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value. UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users. When "UACDisableNotify" is set to 1, UAC prompts are suppressed.

Read More

Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value. The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts. When "PromptOnSecureDesktop" is set to 0, UAC prompts are displayed on the user's current desktop instead of the secure desktop. This reduces the level of security because it potentially exposes the prompts to manipulation by malicious software.

Read More

Detects the creation of files with scripting or executable extensions by Mysql daemon. Which could be an indicator of "User Defined Functions" abuse to download malware.

Read More

Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.

Read More

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Read More

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0". Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Read More

Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.

Read More

Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.

Read More

Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.

Read More

Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.

Read More

Detects buffer overflow attempts in Unix system log files

Read More

Detects when a user attached a Lambda layer to an existing Lambda function. A malicious Lambda layer could execute arbitrary code in the context of the function's IAM role. This would give an adversary access to resources that the function has access to.

Read More

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

Read More

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.

Read More

Detects PowerShell creating a binary executable or a script file.

Read More

Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec

Read More

Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.

Read More

Detects the execution of whoami.exe with suspicious parent processes.

Read More

Detect suspicious parent processes of well-known Windows processes

Read More

Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.

Read More

Detects use of Cobalt Strike commands accidentally entered in the CMD shell

Read More

Detects use of AnyDesk

Read More

Detects Bumblebee WmiPrvSE parent process manipulation

Read More

Detects use of conhost in "headless" mode. By running conhost.exe in "headless" mode, it means that no visible window will pop up on the victim's machine.

Read More

Detects the execution of a specific OneLiner to Invoke PowerShell commands.

Read More

Detects the deletion of scheduled tasks related to Windows Defender.

Read More

Rule to detect registry modifications to enable WDigest using powershell over the commandline.

Read More

Rule to detect registry modifications to enable WDigest using powershell script modules.

Read More

Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host

Read More

Detects the registry modification to enable restricted admin mode using reg.exe

Read More

These commands were used to create a WebShell by exploiting ProxyShell vulnerabilities

Read More

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More

Detecting the command FlawedGrace is using for the purpose of injecting into it the spawned process, in this case the cmd.exe process.

Read More

Detects the use reg.exe to hide users from listed in the logon screen. This is possible by changing the registry key value to 0 for a specific user.

Read More

Use of Invoke-ShareFinder detected via PowerShell logging

Read More

Use of Invoke-ShareFinder detected via PowerShell Script Block logging

Read More

Detects script execution using MSDOS 8.3 File names

Read More

Detects the use of lazagne using command line execution.

Read More

Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community

Read More

Detects a Mshta executing code from the registry

Read More

Detects use of custom scripts i.e. BAT files.

Read More

Detection of potential us of SMB to transfer DLL's into the C$ folder of hosts unique to Qbot malware for purposes of lateral movement.

Read More

Detection of potential us of SMB to transfer DLL's into the ProgramData folder of hosts for purposes of lateral movement.

Read More

Detects the process creation from Scheduled Task with REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line

Read More

Detects the creation of Scheduled Task with REGSVR32 (regsvr32.exe) and C$ in the image path field

Read More

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Read More

Detects use of SplashTop

Read More

Detects use of SplashTop

Read More

Will detect the presence of known SSH client and SSH server strings that have been used for SSH tunneling.

Read More

Detects suspicious commands created from sqlservr process.

Read More

Detecting the use of dir command to inspect directories on the remote host.

Read More

Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.

Read More

Detects the start, reload or restart of a service.

Read More

Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.

Read More

Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.

Read More

Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.

Read More

Detects the setting of a custom protocol handler with the name "rogue". Seen being created by Forest Blizzard APT as reported by MSFT.

Read More

Detects the setting of the DLL that handles the custom protocol handler. Seen being created by Forest Blizzard APT as reported by MSFT.

Read More

Detects the creation of JavaScript files inside of the DriverStore directory. Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.

Read More

Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used. This may indicate an attacker attempting to leverage credentials they have obtained.

Read More

Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"

Read More

Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT

Read More

Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.

Read More

Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.

Read More

Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.

Read More

Detects "RegAsm.exe" initiating a network connection to public IP adresses

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More