Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Read More

Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.

Read More

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Read More

Shadow Copies deletion using operating systems utilities via PowerShell

Read More

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

Read More

Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

Read More

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Read More

Detects PowerShell called from an executable by the version mismatch method

Read More

Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0

Read More

Detects remote PowerShell sessions

Read More

Detects suspicious PowerShell download command

Read More

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

Read More

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More