Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates files with suspicious file types, indicating that they may be executables, script files, or otherwise unusual.

Read More

Detects powershell process used to find and shut down local Hyper-V VMs using the Stop-VM cmdlet, as documented in the 2024 Morphisec report on Cicada3301 ransomware.

Read More

Detects the use of the iisreset.exe utility to stop IIS web services. This is used to prevent users from accessing IIS web resources, thereby releasing/preventing locks which could inhibit ransomware-related encryption.

Read More

Detects the execution of CMSTP that is used install fake Connection Manager Profiles via contains via .INF files that resign on a temp location on disk and contains instructions for how the Connection Manager should install the profile. The .INF files could contain malicious code under the section RunPreSetupCommandsSection which is the commands to run before setup.

Read More

Using dumpbin.exe, a windows binary that is installed along side visual studio versions. When dumbin.exe is executed, it is calling link.exe without checking the legitimacy of the link.exe named binary in the same directory.

Read More

Detects execution of side-loaded executable via the update.exe, part microsoft teams' application binary.

Read More

Wermgr.exe should not spawn without any command line arguments. Sometimes malware are using process injection to masquerade their malicious activities and evade detection.

Read More