Detects the deletion of scheduled tasks related to Windows Defender.

Read More

Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host

Read More

Detects the registry modification to enable restricted admin mode using reg.exe

Read More

Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.

Read More

Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a onenote attachment and then on the malicious link inside the .one file, it exports and executes the malicious embedded script from specific directories.

Read More

Detects attempts to disable AMSI in the commandline. It is possible to bypass AMSI by disabling it before loading the main payload.

Read More

Detects the execution of a specific OneLiner to download and execute powershell modules in memory.

Read More

Detects the subvert execution of malicious payloads using vsdiagnostics.exe. VSDiagnostics.exe is an executable part of the Microsoft Visual Studio. Threat actors can use the start to start a new session in combination with the /launch and /launchargs parameters to execute a malicious payload on disk.

Read More

DLLs that are designed to be loaded by Regsvr32 are expected to have a DllRegisterServer export function implemented. Adversaries will often supply the same DLL to rundll32.exe as well. Executing the DllRegisterServer export function with rundll32.exe is tradecraft that’s unique to adversary behavior and is rarely seen in legitimate scenarios. We’ve observed this behavior in threats including Qbot, Ursnif, and Zloader, to name a few examples. Part of the RedCanary 2024 Threat Detection Report.

Read More

If you’re looking to detect malicious use of Base64 encoding, consider monitoring for the execution of processes like powershell.exe or cmd.exe along with command lines containing parameters like ToBase64String and FromBase64String. The following simple pseudo-analytic might help you find malicious obfuscation. Part of the RedCanary 2024 Threat Detection Report.

Read More

Adversaries bypass controls using the Windows Command Shell in a plethora of ways, but you can detect the one we see most often with a simple combination of process execution and a corresponding command line. Part of the RedCanary 2024 Threat Detection Report.

Read More

Fortunately for defenders, Gamarue is detectable with endpoint telemetry. The majority of Gamarue activity we see involves rundll32.exe executing with unusual command lines that include long filenames with repeating characters and random function names. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detecting obfuscation in the command shell is relatively straightforward, but there are a lot of variations to consider when you’re developing detection coverage. Of course, the process you’re looking for will always be cmd.exe, but the corresponding command line can contain a variety of suspicious characters. The trick is finding the thresholds where the inclusion of obfuscation characters go from normal to anomalous (but benign) to suspicious enough to warrant alerting. The following pseudo-detection logic offers a good starting point for developing detection coverage for obfuscation in the command line. Part of the RedCanary 2024 Threat Detection Report.

Read More

This analytic looks for the execution of a process that seems to be powershell.exe along with a corresponding command line containing the term base64. Base64 encoding isn’t inherently suspicious, but it’s worth looking out for in a lot of environments, and the following pseudo-detection logic can help detect a wide variety of malicious activity. Part of the RedCanary 2024 Threat Detection Report.

Read More

This detection analytic looks for the execution of powershell.exe with command lines that include variations of the -encodedcommand argument; PowerShell will recognize and accept anything from -e onward, and it will show up outside of the encoded bits. Part of the RedCanary 2024 Threat Detection Report.

Read More

This analytic looks for the execution of a process that seems to be powershell.exe along with a corresponding command line containing the term base64. Base64 encoding isn’t inherently suspicious, but it’s worth looking out for in a lot of environments, and the following pseudo-detection logic can help detect a wide variety of malicious activity. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects the loading of suspicious .NET methods, seen in PowerShell script load content. This behavior is not limited to Yellow Cockatoo and can be applied universally for malicious PowerShell obfuscation attempts. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects powershell command lines used with a process name besides powershell. Part of the RedCanary 2024 Threat Detection Report.

Read More

The following pseudo-detector should help security teams detect instances where Rundll32 opens a cross process handle into LSASS to collect credentials. Part of the RedCanary 2024 Threat Detection Report.

Read More

As is the case with most techniques in this report, it's critical that you are able to take stock of what is normal in your environment if you hope to be able to identify what isn't. In the context of Rundll32, you’ll want to monitor for executions of rundll32.exe from unusual parent processes, and the following pseudo-analytic—based on an amalgamation of Red Canary detection logic—should help security teams do just that. Part of the RedCanary 2024 Threat Detection Report.

Read More

Rundll32 does not normally execute without corresponding command-line arguments and while spawning a child process. Given this, you may want to alert on the execution of processes that appear to be rundll32.exe without any command-line arguments , especially when they spawn child processes or make network connections. Part of the RedCanary 2024 Threat Detection Report.

Read More

Consider monitoring for instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. The following pseudo-analytic applies specifically to adversaries who use the MiniDump export functionality of comsvcs.dll to dump the contents of LSASS, but this logic could be adapted to detect other malicious activity as well. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects instances where the powershell process is renamed to notepad for defense evasion. Part of the RedCanary 2024 Threat Detection Report.

Read More

To detect suspicious use of msiexec.exe by Raspberry Robin or other threats, it’s essential to take a look at the command line and the URL. Detecting msiexec.exe making outbound network connections to download and install packages in the command-line interface will give you the opportunity to examine the activity and determine if it’s malicious or not. Part of the RedCanary 2024 Threat Detection Report.

Read More

RedCanary detected high volumes of obfuscation this year looking for apparent phishing schemes where adversaries conceal JavaScript payloads in ZIP files and write them to the users and temp directories. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects script execution using MSDOS 8.3 File names

Read More

Detects the execution of a specific OneLiner to Invoke PowerShell commands.

Read More

Detects the deletion of scheduled tasks related to Windows Defender.

Read More

Detecting the command FlawedGrace is using for the purpose of injecting into it the spawned process, in this case the cmd.exe process.

Read More

Detects the use reg.exe to hide users from listed in the logon screen. This is possible by changing the registry key value to 0 for a specific user.

Read More

Rule to detect registry modifications to enable WDigest using powershell over the commandline.

Read More

Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host

Read More

Detects the registry modification to enable restricted admin mode using reg.exe

Read More

Detects use of conhost in "headless" mode. By running conhost.exe in "headless" mode, it means that no visible window will pop up on the victim's machine.

Read More

Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.

Read More

Detects the suspicious child process of calc

Read More

Detects the suspicious child process of regsvr32

Read More

Detects execution of JavaScript (.js) files located in the AppData folder. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects files written to user downloads folder or appdata folder, associated with Mark-of-the-Web Bypass. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Read More

Detects non-powershell.exe processes executing with command lines that are usually associated with powershell. This is an example for demonstration purposes only. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the DllRegisterServer export function implemented with Rundll32. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances where Rundll32 opens a cross process handle into LSASS to collect credentials. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of Rundll32 being spawned by unusual or suspicious parent processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of Rundll32 without a command line spawning child processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects powershell processes renamed to notepad.exe. This is a narrow example for demonstration purposes only. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects Windows scripting host executing JavaScript files with MS-DOS shortname formatting, a technique associated with Gootloader. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects .lnk files created by Powershell in the startup folder. Associated with (but not unique to) Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects suspicious Powershell script load contents associated with Yellow Cockatoo, AKA Solarmarker/Jupyter Stealer. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects evade to Macie detection.

Read More

Detects process reimaging defense evasion technique

Read More

Detects Execution via SyncInvoke in CL_Invocation.ps1 module

Read More

Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module

Read More

This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice.

Read More

Search for dropping of files to Windows/Program Files fodlers by non-priviledged processes

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework (See reference section for code block)

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Read More

Detects DNS queries from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects file creations by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects network connections from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects process creation utilizing double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects the presence of the u202+E character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used in obfuscation and masquerading techniques.

Read More

Detects potential process injection of RegAsm.exe as indicated by lack of command-line arguments. This was observed in a recent campaign to distribute AsyncRAT and Quasar RAT using malicious OneNot files.

Read More

Detects registry addition for LanmanServer MaxMpxCt. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects registry value set to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects powershell scripts attempting to disable MS Defender components using Set-MpPreference as performed by Vice Society ransomware gang. This includes additional techniques to evade existing rules by feeding in a proxy value of $true using a powershell boolean expression like (0 -eq $false).

Read More

Detects a Mshta executing code from the registry

Read More

Detects Bumblebee WmiPrvSE parent process manipulation

Read More

Rule to detect registry modifications to enable WDigest using powershell script modules.

Read More

Detects extraction of ISO, VHD, LNK, or IMG files from zip files. Commonly associated with QakBot and IcedID.

Read More

Detects browser applications creating archive/container files such as zip, rar, or 7z, as occurs during an HTML smuggling attack where a browser decodes and executes malicious code within an HTML file. Commonly associated with QakBot and IcedID.

Read More

Detects the suspicious use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

Read More

Detects the suspicious child use of shell or scripting interpreter to create a file ending in exe.

Read More

Detects creation of files potentially matching attempts to copy executables to temporary directories to hide usage.

Read More

Detects process creations where the Image does not have a .exe file extension.

Read More

Detects process execution in PerfLogs folder - a folder used by Windows for log collection - and matching previously-observed naming patterns for ransomware executables.

Read More

Detects registry modifications to change MaxMpxCt settings. BlackCat does this to increase the number of outstanding requests allowed, such as SMB requests to distribute ransomware through an environment.

Read More

Detects use of the reg utility to tamper with MS Defender protections.

Read More

Looks for the execution of powershell.exe with command lines that include variations of the -encodedcommand argument. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects the use of wevtutil to clear or otherwise manipulate Windows event logs.

Read More

Detects creation of files potentially associated with QakBot initial infection, documented by Adithya Chandra and Sushant Kumar Arya of Trellix in August 2022.

Read More

Looks for instances of powershell being used to disable or impair Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for instances of powershell being used to modify or degrade Windows Defender functionality. Inspired by the 2022 Red Canary Threat Detection report.

Read More

DLLs that are designed to be loaded by Regsvr32 are expected to have a DllRegisterServer export function implemented. This detects use of the same DLL to rundll32.exe. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for the execution of cmd.exe or powershell.exe with command lines that includes the term base64. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects instances of CMD executing a batch stored on an externally-mounted drives, in turn spawning a tar extraction process.

Read More

Looks for the execution of Windows Command Shell with unusually high counts of characters used for obfuscation. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects potential stage 2 Gootloader registry key creation.

Read More

Looks for the execution of powershell.exe with command lines that includes the term base64. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for the execution of PowerShell with unusually high counts of characters like ^, +, $, and %. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for the execution of non-powershell process with command lines matching common powershell format. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for the execution of non-powershell process with command lines matching common powershell format. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects executions of rundll32.exe from unusual or suspicious parent processes. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects instances of rundll32.exe with no command line that spawns a child process. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for the execution of svchost without the normal -k parameter. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for the execution of powershell renamed as Notepad.exe. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects creation of suspicious file extension registry key. This extension is then registered with a custom file type (see Detail component of detection below) with a malicious powershell payload specified.

Read More