Detects the registration of a new ODBC driver.

Detects the registration of a new ODBC driver where the driver is located in a potentially suspicious location

Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task

Detects Bitsadmin connections to domains with uncommon TLDs

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)

Detects PowerShell creating a binary executable or a script file.

Detects potential DLL sideloading of "chrome_frame_helper.dll"

Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.

Detects the creation of a new PowerShell module in the first folder of the module directory structure "\WindowsPowerShell\Modules\malware\malware.psm1". This is somewhat an uncommon practice as legitimate modules often includes a version folder.

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.

Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process

Detects PowerShell creating a PowerShell file (.ps1). While often times this behavior is benign, sometimes it can be a sign of a dropper script trying to achieve persistence.

Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.

Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.

Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.

Detects DLL sideloading of "dbgcore.dll"

Detects DLL sideloading of "dbghelp.dll"

Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extensions

A login from a public IP can indicate a misconfigured firewall or network boundary.

Detects the creation of a local hidden user account which should not happen for event ID 4720.

Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network

Detects programs that connect to typical malware back connect ports based on statistical analysis from two different sandbox system databases

Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it

Detects when an Elastic Container Service (ECS) Task Definition includes a command to query the credential endpoint. This can indicate a potential adversary adding a backdoor to establish persistence or escalate privileges.

Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence

Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.

Detects potential suspicious winget package installation from a suspicious source.

Detects changes to the AppInstaller (winget) admin settings. Such as enabling local manifest installations or disabling installer hash checks

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

Detects when an attacker tries to backdoor the MSSQL server by adding a backdoor account to the sysadmin fixed server role

This rule detects the execution of the extended storage procedure backdoor named Maggie in the context of Microsoft SQL server

Detects when the a stored procedure is set or cleared for automatic execution in MSSQL. A stored procedure that is set to automatic execution runs every time an instance of SQL Server is started

Detects NetSupport Manager service installation on the target system.

Detects service installation of different remote access tools software. These software are often abused by threat actors to perform

Detects Remote Utilities Host service installation on the target system.

Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse

Detects service installation in suspicious folder appdata

Detects service installation with suspicious folder patterns

This method detects a service install of the malicious Microsoft Network Realtime Inspection Service service described in StoneDrill report by Kaspersky

Detects suspicious service installation scripts

This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018

This method detects a service install of malicious services mentioned in Carbon Paper - Turla report by ESET

Detects a BITS transfer job downloading file(s) from a direct IP address.