Indicates sign-in from a malicious IP address based on high failure rates.

Read More

Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.

Read More

Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks.

Read More

Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service

Read More

Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.

Read More

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

Read More

Detects execution of the IEExec utility to download payloads

Read More

Detects attempts of decoding encoded Gzip archives via PowerShell.

Read More

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Read More

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

Read More

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

Read More

Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet

Read More

Detects suspicious ways to download files or content using PowerShell

Read More

Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents

Read More

Detects an executable that isn't dropbox but communicates with the Dropbox API

Read More

Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.

Read More

Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.

Read More

Detects potential C2 communication related to Devil Bait malware

Read More

Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware

Read More

Detects setting a custom URL for OneDriveStandaloneUpdater.exe to download a file from the Internet without executing any anomalous executables with suspicious arguments. The downloaded file will be in C:\Users\redacted\AppData\Local\Microsoft\OneDrive\StandaloneUpdaterreSignInSettingsConfig.json

Read More

Detects the modification of Outlook security setting to allow unprompted execution of macros.

Read More

Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module

Read More

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport.

Read More

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research reoport.

Read More

Detects suspicious user agent strings used by malware in proxy logs

Read More

Detects office suit applications communicating to target systems on uncommon ports

Read More

Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884

Read More

Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884

Read More

Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884

Read More

Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884

Read More

Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884

Read More

Detects wannacry killswitch domain dns queries

Read More

Detects when GfxDownloadWrapper.exe downloads file from non standard URL

Read More

Detects a suspicious curl process start on Windows and outputs the requested document to a local file

Read More

Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.

Read More

Detects potential C2 communication related to Goofy Guineapig backdoor

Read More

Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec

Read More

Detects OilRig activity as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report

Read More

Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise

Read More

Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise

Read More

Detects potential beaconing activity to domains related to 3CX 3CXDesktopApp compromise

Read More

Detects potential malicious .ICO files download from a compromised 3CXDesktopApp via web requests to the the malicious Github repository

Read More

Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB

Read More

Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB

Read More

Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise

Read More

Detects potential C2 communication related to Small Sieve malware

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects the use of wget to download content to a suspicious directory

Read More

Detects the use of wget to download content in a temporary directory such as "/tmp" or "/var/tmp"

Read More

Detects an a non-browser process interacting with the Telegram API which could indicate use of a covert C2

Read More

Detects suspicious user agent string of APT40 Dropbox tool

Read More

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Read More

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

Read More

Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.

Read More

Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.

Read More

Detects attempts to bypass security controls using bitsadmin.exe to download malicious code. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects attempts to bypass security controls using certutil.exe to download malicious code. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects Bitsadmin connections to domains with uncommon TLDs

Read More

Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects msiexec used to download a potentially-malicious Raspberry Robin DLL. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects a non-browser process communicating with the Notion API. This could indicate potential use of a covert C2 channel such as "OffensiveNotion C2"

Read More

Detects User Agent strings that end with an equal sign, which can be a sign of base64 encoding.

Read More

Detects suspicious encoded User-Agent strings, as seen used by some malware.

Read More

Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet)

Read More

Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases

Read More

Detects potential RDP connection via Mstsc using a local ".rdp" file

Read More

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

Read More

Detects a "winlogon.exe" process that initiate network communications with public IP addresses

Read More

Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access

Read More

Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location

Read More

The PowerShell implementation of DNSCat2 calls nslookup to craft queries. Counting nslookup processes spawned by PowerShell will show hundreds or thousands of instances if PS DNSCat2 is active locally.

Read More

High DNS requests amount from host per short period of time

Read More

High DNS requests amount from host per short period of time

Read More

Extremely high rate of NULL record type DNS requests from host per short period of time. Possible result of iodine tool execution

Read More

Extremely high rate of TXT record type DNS requests from host per short period of time. Possible result of Do-exfiltration tool execution

Read More

Detects DNS-answer with TTL <10.

Read More

Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.

Read More

Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.

Read More

Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2

Read More

Detects a network connection initiated by the certutil.exe tool. Attackers can abuse the utility in order to download malware or additional payloads.

Read More

Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers

Read More

Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.

Read More

Detects usage of the "msedge.exe" binary as a LOLBIN to download arbitrary file via the CLI

Read More

Detects Silence EmpireDNSAgent as described in the Group-IP report

Read More

Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.

Read More

Detects OilRig registry persistence as reported by Nyotron in their March 2018 report

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)

Read More

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.

Read More

Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.

Read More

Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet

Read More

Detects a tscon.exe start as LOCAL SYSTEM

Read More

Detects the use of Tor or Tor-Browser to connect to onion routing networks

Read More

Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.

Read More

Detects code execution via the Windows Update client (wuauclt)

Read More

Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic

Read More

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

Read More

Well-known DNS Exfiltration tools execution

Read More

Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays

Read More

Detects suspicious msiexec process starts with web addresses as parameter

Read More

Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line

Read More

Detects the use of 3proxy, a tiny free proxy server

Read More

Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.

Read More

Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)

Read More

Detects SILENTTRINITY stager dll loading activity

Read More

Detects SILENTTRINITY stager use via PE metadata

Read More

Detects the presence and execution of Inveigh via dropped artefacts

Read More

Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule

Read More

Detects usage of the Sharp Chisel via the commandline arguments

Read More

Detects usage of the Chisel tunneling tool via the commandline arguments

Read More

Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.

Read More

Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

Read More

Detects the use of IOX - a tool for port forwarding and intranet proxy purposes

Read More

Detects the creation of a macro file for Outlook.

Read More

Detects the creation of a macro file for Outlook.

Read More

Detects the use of NPS, a port forwarding and intranet penetration proxy server

Read More

Execution of plink to perform data exfiltration and tunneling

Read More

Detects suspicious Plink tunnel port forwarding to a local port

Read More

Detects exeuctable names or flags used by Htran or Htran-like tools (e.g. NATBypass)

Read More

Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.

Read More

Detects suspicious SSH tunnel port forwarding to a local port

Read More

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

Read More

Detects a highly relevant Antivirus alert that reports an exploitation framework

Read More

Detects suspicious user agent strings used in APT malware in proxy logs

Read More

Detects Baby Shark C2 Framework communication patterns

Read More

Detects Bitsadmin connections to IP addresses instead of FQDN names

Read More

Detects HTTP requests used by Chafer malware

Read More

Detects suspicious DNS queries known from Cobalt Strike beacons

Read More

Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike

Read More

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Read More

Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors

Read More

Detects suspicious user agent strings used by crypto miners in proxy logs

Read More

Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server

Read More

Detects user agent and URI paths used by empire agents

Read More

Detects suspicious empty user agent strings in proxy logs

Read More

Detects communication to C2 servers mentioned in the operational notes of the ShadowBroker leak of EquationGroup C2 tools

Read More

Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs

Read More

Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

Read More

Detects usage of the "type" command to download/upload data from WebDAV server

Read More

Execution of ssh.exe to perform data exfiltration and tunneling through RDP

Read More

Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity

Read More

Detects DNS resolution of an .onion address related to Tor routing networks

Read More

Detects direct access to raw pastes in different paste services often used by malware in their second stages to download malicious code in encrypted or encoded form

Read More

Detects svchost hosting RDP termsvcs communicating to target systems on TCP port 80 or 443

Read More

Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)

Read More

Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files

Read More

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Read More

Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons

Read More

Detects a suspicious curl process start on linux with set useragent options

Read More

Detects suspicious DNS queries using base64 encoding

Read More

Detects when a user downloads file by using CertOC.exe

Read More

Detects programs with network connections running in suspicious files system locations

Read More

Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity

Read More

Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)

Read More

Detects suspicious malformed user agent strings in proxy logs

Read More

Detects the creation of log files during a TeamViewer remote session

Read More

Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind

Read More

Detects Turla ComRAT patterns

Read More

Detects Windows PowerShell Web Access

Read More

Detects WebDav DownloadCradle

Read More

Detects Malleable (OCSP) Profile with Typo (OSCP) in URL

Read More

Detects Malleable Amazon Profile

Read More

Detects Malleable OneDrive Profile

Read More

Detects Ursnif C2 traffic.

Read More

Detects download of Ursnif malware done by dropper documents.

Read More

Detects DNS queries from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects file creations by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects network connections from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Use IMEWDBLD.exe (built-in to windows) to download a file

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

TeamViewer_Desktop.exe is create during install

Read More

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.

Read More

Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.

Read More

Detects DNS queries to an ".onion" address related to Tor routing networks

Read More

Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger.

Read More

Detects registry addition for LanmanServer MaxMpxCt. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects registry value set to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

AppInstaller.exe is spawned by the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL

Read More

Detects use of AnyDesk

Read More

Detects use of custom scripts i.e. BAT files.

Read More

Detects use of SplashTop

Read More

Detects use of SplashTop

Read More

Various protocols maybe used to put data on the device for exfil or infil

Read More

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Read More

Detects artefacts associated with activity group GALLIUM - Microsoft Threat Intelligence Center indicators released in December 2019.

Read More

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network

Read More

Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389

Read More

Detects registry modifications to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs'

Read More

Detects use of the copy utility to deploy executable files from a remote share to a temp directory, such as the procedure performed by Vice Ransomware gang.

Read More

Detects usage of BITSAdmin to download malicious code. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects usage of certutil to download malicious code. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Execution of well known tools for data exfiltration and tunneling

Read More

Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.

Read More

Detects the use of Replace.exe which can be used to replace file with another file

Read More

Download and compress a remote file and store it in a cab file on local machine.

Read More