Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.

Read More

It is not unusual for adversaries, including ones who peddle ransomware, to use BITSAdmin to download arbitrary files from the internet in an effort to evade application blocklisting. The following analytic will look for the execution of bitsadmin.exe with command options that suggest a file is being downloaded. Part of the RedCanary 2024 Threat Detection Report.

Read More

Just like certutil, certreq can also be abused by adversaries to download and upload data. The following analytic will look for the execution of certreq.exe with command options that suggest a file is being downloaded. Part of the RedCanary 2024 Threat Detection Report.

Read More

Adversaries often bypass security controls by using the Windows Certificate Utility (certutil.exe) to download malicious code. In general, they leverage certutil.exe along with the -split command-line option. Part of the RedCanary 2024 Threat Detection Report.

Read More

It is unusual for these processes to attempt network connections with an empty command line, which can indicate malicious command and control (C2) activity. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects use of custom scripts i.e. BAT files.

Read More

Will detect the presence of known SSH client and SSH server strings that have been used for SSH tunneling.

Read More

Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.

Read More

Detects attempts to bypass security controls using bitsadmin.exe to download malicious code. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects attempts to bypass security controls using certutil.exe to download malicious code. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects msiexec used to download a potentially-malicious Raspberry Robin DLL. Part of the RedCanary 2023 Threat Detection Report.

Read More

The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.

Read More

High DNS requests amount from host per short period of time

Read More

High DNS requests amount from host per short period of time

Read More

Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution

Read More

Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution

Read More

Detects DNS-answer with TTL <10.

Read More

Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.

Read More

Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.

Read More

Detects DNS queries from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects file creations by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects network connections from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects registry addition for LanmanServer MaxMpxCt. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects registry value set to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects use of AnyDesk

Read More

Detects use of SplashTop

Read More

Detects use of SplashTop

Read More

Detects registry modifications to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects use of the copy utility to deploy executable files from a remote share to a temp directory, such as the procedure performed by Vice Ransomware gang.

Read More

Detects usage of BITSAdmin to download malicious code. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects usage of certutil to download malicious code. Inspired by the 2022 Red Canary Threat Detection report.

Read More