Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious

Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)

Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys

Detects execution of "reg.exe" to disable security services such as Windows Defender.

Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection

Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Detects when attackers or tools disable Windows Defender functionalities via the windows registry

Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.

Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet

Detects potentially suspicious child processes spawned by PowerShell

Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.

Detects usage of crontab to list the tasks of the user

Detects the use of wget to download content to a suspicious directory

Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.

Detects the use of grep to identify information about the operating system architecture. Often combined beforehand with the execution of "uname" or "cat /proc/cpuinfo"

Detects the use of grep to discover specific files created by the GobRAT malware

Detects a potentially suspicious execution of a process located in the '/tmp/' folder

Detects the creation of shell scripts under the "profile.d" path.

Detects execution of shells from a parent process located in a temporary (/tmp) directory

Detects execution of binaries located in potentially suspicious locations via "nohup"

Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

Detects loading of Amsi.dll by uncommon processes

Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.

Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack

Detects processes loading modules related to PCRE.NET package

Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class

Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's "load powershell" extension.

Detects PowerShell core DLL being loaded by an Office Product

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers

Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).

Detects usage of bitsadmin downloading a file to a suspicious target folder

Detects usage of bitsadmin downloading a file with a suspicious extension

BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded

Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.

Detects potentially suspicious child processes of "GoogleUpdate.exe"

Detects changes of sensitive and critical files. Monitors files that you don't expect to change without planning on Linux system.

Detects when a DNS zone transfer failed.

Detects the addition of a rule to the Windows Firewall exception list where the application resides in a suspicious folder

Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.

Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.

Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.

Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.

Detects execution of regsvr32 where the DLL is located in a highly suspicious locations

Detects potentially suspicious child processes of "regsvr32.exe".

Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.

Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.