Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious

Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process)

Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys

Detects execution of "reg.exe" to disable security services such as Windows Defender.

Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection

Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Detects when attackers or tools disable Windows Defender functionalities via the windows registry

Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow.

Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet

Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

Detects loading of Amsi.dll by uncommon processes

Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.

Detects loading of "Amsi.dll" by a living of the land process. This could be an indication of a "PowerShell without PowerShell" attack

Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

Detects PowerShell core DLL being loaded by an Office Product

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers

Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others).

Detects usage of bitsadmin downloading a file to a suspicious target folder

Detects usage of bitsadmin downloading a file with a suspicious extension

BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded

Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.

Detects potentially suspicious child processes of "GoogleUpdate.exe"

Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.

Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.

Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.

Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.

Detects execution of regsvr32 where the DLL is located in a highly suspicious locations

Detects potentially suspicious child processes of "regsvr32.exe".

Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.

Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.

Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.

Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.

Detects the execution of REGSVR32.exe with DLL files masquerading as other files

Clear command history in network OS which is used for defense evasion

Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.

Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.

Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.

Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.

Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.

Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.

Detects the image load of vss_ps.dll by uncommon executables

Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

Detects download of certain file types from hosts with dynamic DNS names (selected list)

Detects suspicious requests to Telegram API without the usual Telegram User-Agent

Detects the download of a file with a potentially suspicious extension from a .zip top level domain.