Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location

Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.

Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.

Detects the execution of REGSVR32.exe with DLL files masquerading as other files

Clear command history in network OS which is used for defense evasion

Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.

Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.

Detects the registration of a new ODBC driver.

Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.

Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.

Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.

Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.

Detect suspicious LDAP request from non-Windows application

Detects the image load of vss_ps.dll by uncommon executables

Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

Detects an Antivirus alert in a highly relevant file path or with a relevant file name

Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2

Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

Detects when an application acquires a certificate private key

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Detects when the password policy is enumerated.

Detects suspicious user agent string of APT40 Dropbox tool

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Detects download of certain file types from hosts in suspicious TLDs

Detects executable downloads from suspicious remote systems

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

Detects the download of a file with a potentially suspicious extension from a .zip top level domain.

Detects file names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials

Detects the download of suspicious file type from a well-known file and paste sharing domain

Detects potential DLL sideloading of "wwlib.dll"

Detects the download of suspicious file type from a well-known file and paste sharing domain

Detects process access to LSASS memory with suspicious access flags

Detects suspicious child processes of Wscript/Cscript

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution

Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration

Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory

Detects the creation of the LiveKD driver, which is used for live kernel debugging

Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

Detects execution of LiveKD based on PE metadata or image name

Detects execution of "rundll32" with potential obfuscated ordinal calls

Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task