Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

Read More

Detects creation of files with names used by different memory dumping tools to create a memory dump of the LSASS process memory, which contains user credentials.

Read More

Detects the creation of recent element file that points to an .ISO, .IMG, .VHD or .VHDX file as often used in phishing attacks. This can be a false positive on server systems but on workstations users should rarely mount .iso or .img files.

Read More

Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context

Read More

Detects Windows executables that writes files with suspicious extensions

Read More

Detects Windows shells and scripting applications that write files to suspicious folders

Read More

Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe

Read More

Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.

Read More

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Read More

Detects default RemCom service filename which indicates RemCom service installation and execution

Read More

Files with well-known filenames (parts of credential dump software or files produced by them) creation

Read More

Detects default CSExec service filename which indicates CSExec service installation and execution

Read More

Detects default PsExec service filename which indicates PsExec service installation and execution

Read More

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.

Read More

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

Read More

Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.

Read More

Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls

Read More

Detects files written by the different tools that exploit HiveNightmare

Read More

Detects the creation of files with an executable or script extension by an Office application.

Read More

Detects programs on a Windows system that should not write an archive to disk

Read More

Detects programs on a Windows system that should not write executables to disk

Read More

Detects programs on a Windows system that should not write scripts to disk

Read More

Detects creation of Microsoft Office files inside of one of the default startup folders in order to achieve persistence.

Read More

Detects the creation of a file with an uncommon extension in an Office application startup folder

Read More

Detects the creation of a ISO file in the Outlook temp folder or in the Appdata temp folder. Typical of Qakbot TTP from end-July 2022.

Read More

Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.

Read More

Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.

Read More

Detects the creation of the LiveKD driver, which is used for live kernel debugging

Read More

Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

Read More

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

Read More

Detects the creation of the default dump file used by Outflank Dumpert tool. A process dumper, which dumps the lsass process memory

Read More

Detects PowerShell creating a binary executable or a script file.

Read More

Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.

Read More

Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.

Read More

Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.

Read More

Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.

Read More

Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process

Read More

Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.

Read More

Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

Read More

Detects Rclone config files being created

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs

Read More

Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.

Read More

Detects the creation of binaries in the WinSxS folder by non-system processes

Read More

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon parent process or directory

Read More

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Read More

Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.

Read More

Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.

Read More

Detects creation of files with specific name patterns seen used in various tools that export the NTDS.DIT for exfiltration.

Read More

Detects creation of a file named "ntds.dit" (Active Directory Database)

Read More

Detects creation of a file named "ntds.dit" (Active Directory Database) by an uncommon process or a process located in a suspicious directory

Read More

Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.

Read More

Detects suspicious file based on their extension being created in "C:\PerfLogs". Note that this directory mostly contains ".etl" files

Read More

Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.

Read More

Detects the creation of known offensive powershell scripts used for exploitation

Read More

Detects Rclone config file being created

Read More

Detects the creation of a new office macro files on the systems via an application (browser, mail client).

Read More

Detects default file names outputted by the BloodHound collection tool SharpHound

Read More

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64...etc).

Read More

Detects the creation of the default output filename used by the wmiexec tool

Read More

Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild

Read More

Detects the creation of a new office macro files on the systems

Read More

Detects the creation of a office macro file from a a suspicious process

Read More

Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities

Read More

Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll/.xll are simply .dll fit for Word or Excel).

Read More

Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence

Read More

Detects the creation of a new Outlook form which can contain malicious code

Read More

Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL"

Read More

Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)

Read More

When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution

Read More

Detects the presence and execution of Inveigh via dropped artefacts

Read More

Detects the creation of files created by mimikatz such as ".kirbi", "mimilsa.log", etc.

Read More

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).

Read More

Detects a dump file written by QuarksPwDump password dumper

Read More

Detects default lsass dump filename from SafetyKatz

Read More

Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking

Read More

Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments

Read More

Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".

Read More

Detects the creation of a macro file for Outlook.

Read More

Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents

Read More

Detects the creation of a macro file for Outlook.

Read More

A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.

Read More

A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file.

Read More

Detects a threat actor creating a file named wbemcomn.dll in the C:\Windows\System32\wbem\ directory over the network and loading it for a WMI DLL Hijack scenario.

Read More

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More

Detects suspicious file creation patterns found in logs when CrackMapExec is used

Read More

Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675

Read More

Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)

Read More

Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache

Read More

Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color" as seen in the blog referenced below

Read More

Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file

Read More

Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file

Read More

Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"

Read More

Detects the creation of files that look like exports of the local SAM (Security Account Manager)

Read More

Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder

Read More

Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension

Read More

Detects suspicious file type dropped by an Exchange component in IIS

Read More

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation

Read More

Detects the creation of tasks from processes executed from suspicious locations

Read More

Detects when a file with a suspicious extension is created in the startup folder

Read More

Detects the creation of log files during a TeamViewer remote session

Read More

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

Read More

Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)

Read More

Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)

Read More

Detects the pattern of a UAC bypass using Windows Event Viewer

Read More

Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique

Read More

Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)

Read More

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

Read More

Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)

Read More

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

Read More

Detects creation of a file named "wpbbin" in the "%systemroot%\system32" directory. Which could be indicative of UEFI based persistence method

Read More

Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

Read More

Detects WerFault creating a dump file with a name that indicates that the dump file could be an LSASS process memory, which contains user credentials

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

TeamViewer_Desktop.exe is create during install

Read More

Ransomware create txt file in the user Desktop

Read More

Detects the creation of an executable by another executable

Read More

Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.

Read More

Detects a phishing attack which expands a ZIP file containing a malicious shortcut. If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder. Additionally, the file name of the malicious shortcut in Startup folder contains {0AFACED1-E828-11D1-9187-B532F1E9575D} meaning the folder shortcut operation.

Read More

Detects files dropped by Winnti as described in RedMimicry Winnti playbook

Read More

Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\

Read More

Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process

Read More

Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

Read More

Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network

Read More

Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process.

Read More

Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.

Read More

Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.

Read More

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension

Read More

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

Read More

This rule detects suspicious files created by Microsoft Sync Center (mobsync)

Read More

Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)

Read More

Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking

Read More

Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server’s Unified Messaging service which could indicate dropping web shells or other malicious content

Read More

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack

Read More

Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder

Read More

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded

Read More

Detects Octopus Scanner Malware.

Read More

Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.

Read More

Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.

Read More

Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.

Read More

Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder

Read More

Get-Variable is a valid PowerShell cmdlet WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.

Read More

Possible webshell file creation on a static web site

Read More

Detects file writes of WMI script event consumer

Read More

Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks.

Read More

Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum

Read More

Detects processes creating temp files related to PCRE.NET package

Read More