Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function

Detects inline windows shell commands redirecting output via the ">" symbol to a suspicious location

Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands

Detects a suspicious curl process start on Windows and outputs the requested document to a local file

Detects a suspicious RDP session redirect using tscon.exe

Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution

Detects execution of the Windows Kernel Debugger "kd.exe".

Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity

Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript

Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

Detects Bitsadmin connections to domains with uncommon TLDs

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.

Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files

Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory

Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash

Detects Obfuscated use of Clip.exe to execute PowerShell

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Detects Obfuscated use of stdin to execute PowerShell

Detects Obfuscated use of Environment Variables to execute PowerShell

Detects Obfuscated Powershell via VAR++ LAUNCHER

Detects Obfuscated Powershell via Stdin in Scripts

Detects Obfuscated Powershell via use Clip.exe in Scripts

Detects Obfuscated Powershell via use MSHTA in Scripts

Detects Obfuscated Powershell via use Rundll32 in Scripts

Detects Commandlet names from well-known PowerShell exploitation frameworks

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Detects PowerShell creating a binary executable or a script file.

Detects potential DLL sideloading of "chrome_frame_helper.dll"

Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.

Detects potential persistence activity via the registering of a new custom protocole handlers. While legitimate applications register protocole handlers often times during installation. And attacker can abuse this by setting a custom handler to be used as a persistence mechanism.

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.