Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts

Read More

Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.

Read More

Detects certain command line parameters often used during reconnaissance activity via web shells

Read More

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Read More

Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege

Read More

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

Read More

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)

Read More

Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry

Read More

Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges

Read More

Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand

Read More

Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level

Read More

Detects potential RDP Session Hijacking activity on Windows systems

Read More

A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.

Read More

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts

Read More

ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.

Read More

Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation

Read More

Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence

Read More

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Read More

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

Read More

Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)

Read More

Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)

Read More

Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)

Read More

Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)

Read More

Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)

Read More

Detects the "IDiagnosticProfileUAC" UAC bypass technique

Read More

Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)

Read More

Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)

Read More

Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)

Read More

Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)

Read More

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

Read More

Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config

Read More

Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.

Read More

Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.

Read More

Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack

Read More

Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware.

Read More

Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.

Read More

Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects wscript/cscript executions of scripts located in user directories

Read More

Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.

Read More

Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.

Read More

Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.

Read More

Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.

Read More

Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

Read More

An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the wmic command-line utility and has been observed being used by threat actors such as Volt Typhoon.

Read More

Detects the use of CoercedPotato, a tool for privilege escalation

Read More

Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine

Read More

Detects the execution GMER tool based on image and hash fields.

Read More

Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same

Read More

Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

Read More

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

Read More

Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff

Read More

Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent

Read More

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

Read More

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

Read More

Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata

Read More

Detects the use of Windows Credential Editor (WCE)

Read More

Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed

Read More

Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary

Read More

Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Read More

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

Read More

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

Read More

Detects the use of NPS, a port forwarding and intranet penetration proxy server

Read More

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

Read More

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Read More

Detects the use of IOX - a tool for port forwarding and intranet proxy purposes

Read More

Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')

Read More

Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.

Read More

Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.

Read More

Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings

Read More

Detects execution of renamed version of PAExec. Often used by attackers

Read More

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

Read More

Detects commandline arguments for executing a child process via dotnet-trace.exe

Read More

Detects the execution of the "cloudflared" binary from a non standard location.

Read More

Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.

Read More

Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.

Read More

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

Read More

Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.

Read More

Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.

Read More

Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.

Read More

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

Read More

Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.

Read More

Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.

Read More

Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.

Read More

Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.

Read More

Detects the execution of a renamed "cloudflared" binary.

Read More

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

Read More

Detects process execution from a fake recycle bin folder, often used to avoid security solution.

Read More

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

Read More

Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.

Read More

Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe

Read More

Detects potentially suspicious file download from file sharing domains using curl.exe

Read More

Detects potentially suspicious file downloads from file sharing domains using wget.exe

Read More

Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.

Read More

Detects possible search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". This string is used as an anchor to look for the start of the JWT token used by microsoft office and similar apps.

Read More

Detects usage of winget to add new potentially suspicious download sources

Read More

Detects usage of "IMEWDBLD.exe" to download arbitrary files

Read More

Detects usage of "msedge_proxy.exe" to download arbitrary files

Read More

Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More

Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension

Read More

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.

Read More

Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.

Read More

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.

Read More

Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.

Read More

Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.

Read More

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache<RANDOM-8-CHAR-DIRECTORY>"

Read More

Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.

Read More

Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.

Read More

Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More

Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

Read More

Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.

Read More

Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension

Read More

Detects suspicious parent process for cmd.exe

Read More

Detects the execution of whoami.exe with suspicious parent processes.

Read More

Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors

Read More

Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.

Read More

Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.

Read More

Detects the use of the Dinject PowerShell cradle based on the specific flags

Read More

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Read More

Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques.

Read More

Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Read More

Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse

Read More

Detects when a user downloads a file from an IP based URL using CertOC.exe

Read More

Detects file downloads directly from IP address URL using curl.exe

Read More

Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line

Read More

Detects the execution of a specific OneLiner to download and execute powershell modules in memory.

Read More

Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Read More

Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"

Read More

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

Read More

Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.

Read More

Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Read More

Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

Read More

Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges

Read More

Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

Read More

Detects the installation of VsCode tunnel (code-tunnel) as a service.

Read More

Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.

Read More

Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.

Read More

Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.

Read More

Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Read More

Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning

Read More

Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

Read More

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

Read More

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

Read More

Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.

Read More

Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.

Read More

Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.

Read More

Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.

Read More

Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.

Read More

Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory

Read More

Detect usage of the "ssh.exe" binary as a proxy to launch other programs.

Read More

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

Read More

Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.

Read More

Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships

Read More

Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.

Read More

Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".

Read More

Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities

Read More

Detects usage of bitsadmin downloading a file from a suspicious domain

Read More

Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.

Read More

Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.

Read More

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.

Read More

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

Read More

Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.

Read More

Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Detection of unusual child processes by different system processes

Read More

Attackers can use print.exe for remote file copy

Read More

Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database.

Read More

Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.

Read More

Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.

Read More

Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)

Read More

Detects usage of winget to add new additional download sources

Read More

Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not

Read More

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Read More

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.

Read More

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument

Read More

Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.

Read More

Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.

Read More

Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"

Read More

Detects the removal or uninstallation of an application via "Wmic.EXE".

Read More

Detects calls to the "terminate" function via wmic in order to kill an application

Read More

Detects execution of the Notepad++ updater (gup) to launch other commands or executables

Read More

Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.

Read More

Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.

Read More

Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.

Read More

Detects usage of "MSOHTMED" to download arbitrary files

Read More

Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files

Read More

Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files

Read More

Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system

Read More

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Read More

Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.

Read More

Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.

Read More

Detects audio capture via PowerShell Cmdlet.

Read More

Detect attacker collecting audio via SoundRecorder application.

Read More

Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Read More

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Read More

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Read More

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

Read More

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

Read More

Detects encoded base64 MZ header in the commandline

Read More

Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.

Read More

Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.

Read More

Detects execution of Chromium based browser in headless mode

Read More

Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks

Read More

Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files

Read More

Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.

Read More

Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.

Read More