Detects the download of a suspicious file type from a well-known file and paste sharing domain
Detects the creation of a named file stream with the imphash of a well-known hack tool
Detects the download of a suspicious file type from URLs with an IP address
Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
Detects the download of a file with a potentially suspicious extension from a .zip top-level domain.
Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash
Detects potentially suspicious winget package installation from a suspicious source.
Exports the target Registry key and hides it in the specified alternate data stream.