Detects user account creation on ESXi system via esxcli

Read More

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

Read More

Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

Read More

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

Read More

Detects changes to the ESXi syslog configuration via "esxcli"

Read More

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.

Read More

Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.

Read More

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

Read More

Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.

Read More

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Read More

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.

Read More

Detects a possible remote connections to Silenttrinity c2

Read More

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

Read More

Detects the execution of CSharp interactive console by PowerShell

Read More

This events that are generated when using the hacktool Ruler by Sensepost

Read More

Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode

Read More

Detects different hacktools used for relay attacks on Windows for privilege escalation

Read More

Detects outbound network connection initiated by Microsoft Dialer. The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer. This is an outdated process in the current conext of it's usage and is a common target for info stealers for process injection, and is used to make C2 connections, common example is "Rhadamanthys"

Read More

Attempts to detect system changes made by Blue Mockingbird

Read More

Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.

Read More

Detects potential tampering with Windows Defender settings such as adding exclusion using wmic

Read More

Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.

Read More

Detects the presence of a registry key created during Azorult execution

Read More

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Read More

Detects potential exploitation of a chained vulnerability attack targeting Ivanti EPMM 12.5.0.0. CVE-2025-4427 allows unauthenticated access to protected API endpoints via an authentication bypass, which can then be leveraged to trigger CVE-2025-4428 — a remote code execution vulnerability through template injection. This sequence enables unauthenticated remote code execution, significantly increasing the impact of exploitation.

Read More

Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Read More

Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Read More

Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.

Read More

Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.

Read More

Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.

Read More

Detects potentially suspicious child processes of KeyScrambler.exe

Read More

The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr

Read More

Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

Read More

Detects the use of SharpUp, a tool for local privilege escalation

Read More

Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.

Read More

Detects unexpected command shell execution (cmd.exe) from w3wp.exe when tied to CentreStack's portal.config, indicating potential exploitation (e.g., CVE-2025-30406)

Read More

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More

Detects the execution of a specific OneLiner to download and execute powershell modules in memory.

Read More

Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.

Read More

Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.

Read More

Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D). Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary. The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks. This rule flags suspicious use of such padding observed in real-world attacks.

Read More

Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.

Read More

Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

Read More

Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.

Read More

Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.

Read More

Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.

Read More

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

Read More

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.

Read More

Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec

Read More

Detects use of Cobalt Strike commands accidentally entered in the CMD shell

Read More

Detects the execution of a specific OneLiner to Invoke PowerShell commands.

Read More

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More

Detects potential APT FIN7 exploitation activity as reported by Google. In order to obtain initial access, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server and initiate specific Windows process chains.

Read More

Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects the creation of known offensive powershell scripts used for exploitation

Read More

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

Read More

Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

Read More

Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.

Read More

Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges

Read More

Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.

Read More

Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.

Read More

Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.

Read More

File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.

Read More

Detects the execution of specific processes and command line combination. These were seen being created by Forest Blizzard as described by MSFT.

Read More

Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.

Read More

Detects command line patterns used by BlackByte ransomware in different operations

Read More

Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.

Read More

Detects the execution of the Qakbot uninstaller file mentioned in the USAO-CDCA document on the disruption of the Qakbot malware and botnet

Read More

Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.

Read More

Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.

Read More

Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More

Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.

Read More

Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.

Read More

Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot

Read More

Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.

Read More

Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.

Read More

Detects the execution of a system command via the ScreenConnect RMM service.

Read More

Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe

Read More

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Read More

Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.

Read More

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

Read More

Detects potential RDP Session Hijacking activity on Windows systems

Read More

Detects the "IDiagnosticProfileUAC" UAC bypass technique

Read More

Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.

Read More

Detects process creation activity related to Peach Sandstorm APT

Read More

Detects wscript/cscript executions of scripts located in user directories

Read More

Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

Read More

Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.

Read More

An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the wmic command-line utility and has been observed being used by threat actors such as Volt Typhoon.

Read More

Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff

Read More

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

Read More

Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary

Read More

Detects execution of known compromised version of 3CXDesktopApp

Read More

Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Read More

Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.

Read More

Detects the execution of python with calls to the socket and pty module in order to connect and spawn a potential reverse shell.

Read More

Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.

Read More

Detects a highly relevant Antivirus alert that reports an exploitation framework. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More

Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More

Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.

Read More

Detects commandline arguments for executing a child process via dotnet-trace.exe

Read More

Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.

Read More

Detects potential calls to NtOpenProcess directly from NTDLL.

Read More

Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.

Read More

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

Read More

Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe

Read More

Detects potentially suspicious file download from file sharing domains using curl.exe

Read More

Detects potentially suspicious file downloads from file sharing domains using wget.exe

Read More

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Read More

Detects usage of winget to add new potentially suspicious download sources

Read More

Detects usage of "IMEWDBLD.exe" to download arbitrary files

Read More

Detects usage of "msedge_proxy.exe" to download arbitrary files

Read More

Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More

Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP

Read More

Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team

Read More

Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7

Read More

Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team

Read More

Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team

Read More

Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team

Read More

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache<RANDOM-8-CHAR-DIRECTORY>"

Read More

Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.

Read More

Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.

Read More

Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More

Detects the creation of a remote thread from a Powershell process in an uncommon target process

Read More

Detects suspicious parent process for cmd.exe

Read More

Detects known hacktool execution based on image name.

Read More

Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries

Read More

Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675

Read More

Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675

Read More

Detects creation of a lightly-renamed PSExec file in C:\Users\Public, as observed in the Cicada3301 Ransomware report from MorphiSec.

Read More

Detects the use of a potentially-renamed psexec to run the Cicada3301 ransomware tool.

Read More

Detects the use of the "capsh" utility to invoke a shell.

Read More

Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.

Read More

Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More

Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.

Read More

Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More

Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.

Read More

Detects execution of ChromeLoader malware via a registered scheduled task

Read More

Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.

Read More

Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.

Read More

Detects file creation activity that is related to Diamond Sleet APT activity

Read More

Detects process creation activity indicators related to Diamond Sleet APT

Read More

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Read More

Detects when a user downloads a file from an IP based URL using CertOC.exe

Read More

Detects file downloads directly from IP address URL using curl.exe

Read More

Detects file creation activity that is related to Onyx Sleet APT activity

Read More

Detects potential exploitation attempt of CVE-2022-22954, a remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. As reported by Morphisec, part of the attack chain, threat actors used PowerShell commands that executed as a child processes of the legitimate Tomcat "prunsrv.exe" process application.

Read More

Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.

MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\([a-z0-9]{5,12})\([a-z0-9]{5,12})\App_Web_[a-z0-9]{5,12}.dll.

Hunting Opportunity

Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.

Read More

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

Read More

Detects the enabling of the PowerShell script execution policy. Once enabled, this policy allows scripts to be executed.

Read More

Detects the initial execution of the Raspberry Robin malware from an external drive using "Cmd.EXE".

Read More

Detects raspberry robin subsequent execution of commands.

Read More

Detects command execution via ScreenConnect RMM

Read More

Detects file being transferred via ScreenConnect RMM

Read More

Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users<username>\Documents\ConnectWiseControl\Temp" before execution.

Read More

Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

Read More

Detects post exploitation execution technique of the Serpent backdoor. According to Proofpoint, one of the commands that the backdoor ran was via creating a temporary scheduled task using an unusual method. It creates a fictitious windows event and a trigger in which once the event is created, it executes the payload.

Read More

Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.

Read More

Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022. The ".lnk" file was delivered via phishing campaign.

Read More

Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.

Read More

Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.

Read More

Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability. 7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process.

Read More

Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.

Read More

Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.

Read More

Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships

Read More

Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.

Read More

Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.

Read More

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse the technique as a phishing vector to capture authentication credentials or other sensitive data.

Read More

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

Read More

Detects Kerberos DLL being loaded by an Office Product

Read More

Detects DSParse DLL being loaded by an Office Product

Read More

Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)

Read More

Detects usage of winget to add new additional download sources

Read More

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Read More

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Read More

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Read More

Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts

Read More

Detects the removal or uninstallation of an application via "Wmic.EXE".

Read More

Detects calls to the "terminate" function via wmic in order to kill an application

Read More

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Read More

Detects execution of the Notepad++ updater (gup) to launch other commands or executables

Read More

Detects usage of "MSOHTMED" to download arbitrary files

Read More

Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files

Read More

Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files

Read More

Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system

Read More

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Read More

Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

Read More

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Read More

Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

Read More

Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.

Read More

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

Read More

Detects S3 Browser utility creating IAM User or AccessKey.

Read More