Detects Rundll32.exe process creations with non-standard file types denoted by excluding the common file types from the command-=line selection. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects attempts to bypass security controls using bitsadmin.exe to download malicious code. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects attempts to bypass security controls using certutil.exe to download malicious code. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects Regsvr32 execution from Excel, a technique associated with Emotet. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects execution of JavaScript (.js) files located in the AppData folder. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects execution from Impacket's smbexec.py. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects execution from Impacket's wmiexec.py. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects potential LSASS abuse based on unusual parent-child process lineage patterns. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects suspicious cross-process events where LSASS is accessed. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects registry modifications to CurrentVersion\Run key, associated with AdSearch. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects file creations by cscript in the startup folder, associated with AdSearch. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects command line pattern indicating the use of Cobalt Strike GetSystem feature. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects named pipe creation indicating Cobalt Strike beacon implant issuing commands via SMB named pipe. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects a possible Cobalt Strike UAC bypass attempt using cliconfg.exe, the SQL Server Client Configuration Utility. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects command line strings which indicate potential attempts to bypass controls. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects command line strings with high numbers of suspicious characters, potentially for obfuscation. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects IIS worker process spawning command shell. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects common BloodHound parameters in command line strings. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects registry key creation matching default Impacket default naming convention. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of explorer.exe spawning cmd.exe along with corresponding start and exit commands that we commonly observe in conjunction with a wide variety of malicious activity. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects files written to an Admin Share. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects search for setuid or setgid binaries. This rule looks specifically for execution of the find binary searching for executables with the setuid or setgid bit set. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects execution from Impacket's atexec.py. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects files written to user downloads folder or appdata folder, associated with Mark-of-the-Web Bypass. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of LSASS running under any non-privileged user context, which can indicate abuse. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects .kirbi files created, commonly associated with Mimikatz. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects presence of common Mimikatz module names in command line strings. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects MS Office applications spawning WMI processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects possible DLL Search Order hijacking using Avast antivirus wsc_proxy application. This technique is associated with PlugX. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects msiexec used to download a potentially-malicious Raspberry Robin DLL. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects Gamarue DLL filename in command line strings. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Read More

Detects the execution of powershell.exe with base64 Option. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the execution of powershell.exe with command lines that include variations of the -encodedcommand argument. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of PowerShell accessing any other processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects powershell command line strings with high numbers of suspicious characters, potentially for obfuscation. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects processes running without command lines, which can indicate process injection. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects processes executing from an Admin Share. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects non-powershell.exe processes executing with command lines that are usually associated with powershell. This is an example for demonstration purposes only. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects process creation from wscript or cscript interpreters with commands occuring on mounted drive letters. Defenders should check whether these processes have child processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the DllRegisterServer export function implemented with Rundll32. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects processes that seem to be rundll32.exe along with a command line containing the term MiniDump. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances where Rundll32 opens a cross process handle into LSASS to collect credentials. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of Rundll32 being spawned by unusual or suspicious parent processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of Rundll32 without a command line spawning child processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects suspect command line strings in CMD processes spawned by services.exe. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects domain trust enumeration with nltest.exe, a procedure associated with SocGholish. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects wscript spawning CMD which in turn runs whoami, with the output of the command directed to a file. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects notepad making network connections, a potential process injection signal. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the execution of powershell.exe with suspicious cmdlets or options. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects powershell processes renamed to notepad.exe. This is a narrow example for demonstration purposes only. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects attempts to establish persistence using schtasks and command shell. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects Windows scripting host executing JavaScript files with MS-DOS shortname formatting, a technique associated with Gootloader. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the wmic reconnaissance activity. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects wmic shadow copy deletion activity. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the wmic process with suspicious options. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects WMI-related suspicious powershell cmdlets. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the WMI provider host spawning suspicious processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the wmic process module loads potentially to perform application control bypasses. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects .lnk files created by Powershell in the startup folder. Associated with (but not unique to) Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects suspicious Powershell script load contents associated with Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.

Read More