Detects suspicious parent process for cmd.exe

Read More

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects various indicators of Microsoft Connection Manager Profile Installer execution

Read More

Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.

Read More

Detects a typical pattern of a CobaltStrike BOF which inject into other processes

Read More

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

Read More

Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)

Read More

Detects the process injection of a LittleCorporal generated Maldoc.

Read More

Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.

Read More

Detects possible collection of data from the clipboard via execution of the osascript binary

Read More

Detects common command used to enable bpf kprobes tracing

Read More

A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt

Read More

Detects powershell scripts that import modules from suspicious directories

Read More

Detects powershell scripts that import modules from suspicious directories

Read More

Detects possible malicious execution of JXA in-memory via OSAScript

Read More

Detects Commandlet names and arguments from the Nishang exploitation framework

Read More

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

Read More

Detects use of Cobalt Strike commands accidentally entered in the CMD shell

Read More

Detects Cobalt Strike module/commands accidentally entered in CMD shell

Read More

Detects potential suspicious run-only executions compiled using OSACompile

Read More

Detect use of PDQ Deploy remote admin tool

Read More

Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)

Read More

Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.

Read More

Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)

Read More

Detects possible password spraying attempts using Dsacls

Read More

Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader

Read More

Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts

Read More

Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation

Read More

Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection

Read More

Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec

Read More

Detects usage of Dsacls to grant over permissive permissions

Read More

Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc.

Read More

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

Read More

Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use

Read More

Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)

Read More

Detects execution of AppX packages with known suspicious or malicious signature

Read More

Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution

Read More

Detects an svchost process spawning an instance of an office application. This happens when the initial word application creates an instance of one of the Office COM objects such as 'Word.Application', 'Excel.Application', etc. This can be used by malicious actors to create malicious Office documents with macros on the fly. (See vba2clr project in the references)

Read More

Detects suspicious PowerShell download command

Read More

Detects scheduled task creation events that include suspicious actions, and is run once at 00:00

Read More

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

Read More

Detects Log4J Wstomcat process execution as seen in Mint Sandstorm activity

Read More

Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.

Read More

Detects usage of the "wusa.exe" (Windows Update Standalone Installer) utility to extract cab using the "/extract" argument from suspicious paths

Read More

Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs

Read More

Detects specific command line execution used by FIN7 as reported by WithSecureLabs for reconnaissance and POWERTRASH execution

Read More

Detects PowerShell script file creation with specific name or suffix which was seen being used often by FIN7 PowerShell scripts

Read More

Detects specific command line execution used by Mustang Panda in a targeted attack against the Australian government as reported by Lab52

Read More

Detects potential execution of the PowerShell script POWERTRASH

Read More

Detects a WMI modules being loaded by an uncommon process

Read More

Detects the creation of scheduled tasks in user session

Read More

Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects usage of "IMEWDBLD.exe" to download arbitrary files

Read More

Detects usage of "msedge_proxy.exe" to download arbitrary files

Read More

Detects usage of "MSOHTMED" to download arbitrary files

Read More

Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files

Read More

Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files

Read More

Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache<RANDOM-8-CHAR-DIRECTORY>"

Read More

Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.

Read More

Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More

Detects uncommon child processes of Appvlp.EXE Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.

Read More

Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL

Read More

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Read More

Detects the creation of a remote thread from a Powershell process in a potentially suspicious target process

Read More

Detects suspicious and uncommon child processes of WmiPrvSE

Read More

Detects the use of smbexec.py tool by detecting a specific service installation

Read More

Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team

Read More

Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7

Read More

Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team

Read More

Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team

Read More

Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team

Read More

Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)

Read More

Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

Read More

Detects various execution patterns of the CrackMapExec pentesting framework

Read More

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

Read More

Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline

Read More

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects use of Set-ExecutionPolicy to set insecure policies

Read More

Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity

Read More

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014

Read More

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detect usage of the "defaultpack.exe" binary as a proxy to launch other programs

Read More

Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques

Read More

Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.

Read More

Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.

Read More

Detects potential RDP Session Hijacking activity on Windows systems

Read More

Detects inline execution of PowerShell code from a file

Read More

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system

Read More

Detects suspicious ways to download files or content using PowerShell

Read More

Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.

Read More

Commandline to launch powershell with a base64 payload

Read More

Detects when the macOS Script Editor utility spawns an unusual child process.

Read More

Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.

Read More

Detects default file names outputted by the BloodHound collection tool SharpHound

Read More

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

Read More

Detects keywords from well-known PowerShell exploitation frameworks

Read More

Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts

Read More

Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript

Read More

Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location

Read More

Detects MSI package installation from suspicious locations

Read More

Detects file creation activity that is related to Diamond Sleet APT activity

Read More

Detects process creation activity indicators related to Diamond Sleet APT

Read More

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Read More

Detects file creation activity that is related to Onyx Sleet APT activity

Read More

Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

Read More

Detects PowerShell called from an executable by the version mismatch method

Read More

Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0

Read More

Detects remote PowerShell sessions

Read More

Detects renamed powershell

Read More

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Read More

Detects suspicious PowerShell download command

Read More

Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.

Read More

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

Read More

Detects known hacktool execution based on image name.

Read More

Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675

Read More

Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for creation of non-standard files on disk by Exchange Server’s Unified Messaging service which could indicate dropping web shells or other malicious content

Read More

Detects the creation of "msiexec.exe" in the "bin" directory of the ManageEngine SupportCenter Plus (Related to CVE-2021-44077) and public POC available (See references section)

Read More

Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.

Read More

Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.

Read More

Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation

Read More

Detects a named pipe used by Turla group samples

Read More

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Read More

Detects when a user downloads a file from an IP based URL using CertOC.exe

Read More

Detects file downloads directly from IP address URL using curl.exe

Read More

Detects potentially suspicious file downloads directly from IP addresses using curl.exe

Read More

Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

Read More

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

Read More

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Read More

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More

Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool

Read More

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More

Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Read More

focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

Read More

Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity

Read More

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

Read More

Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.

Read More

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

Read More

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges.

Read More

Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

Read More

Detects usage of Gpg4win to decrypt files

Read More

Detects usage of Gpg4win to encrypt files

Read More

Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.

Read More

Detects the creation of files with an executable or script extension by an Office application.

Read More

Detects command line parameters used by Bloodhound and Sharphound hack tools

Read More

The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

Read More

Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff

Read More

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

Read More

Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More

Detects base64 encoded strings used in hidden malicious PowerShell command lines

Read More

Detects Commandlet names from ShellIntel exploitation scripts.

Read More

Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm

Read More