Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

Detects potential DLL sideloading of "wwlib.dll"

Detects the creation of the LiveKD driver, which is used for live kernel debugging

Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

Detects execution of the Windows Kernel Debugger "kd.exe".

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

Detects potential DLL sideloading of "chrome_frame_helper.dll"

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

Detects driver load of the Process Hacker tool

Detects driver load of the System Informer tool

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence

Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.

Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.

Detects potential DLL sideloading of "SolidPDFCreator.dll"

Detects uncommon processes creating remote threads

Detects creation of the Process Explorer drivers by processes other than Process Explorer (procexp) itself. Hack tools or malware may use the Process Explorer driver to elevate privileges, drops it to disk for a few moments, runs a service using that driver and removes it afterwards.

Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.

Detects DLL sideloading of "dbgcore.dll"

Detects DLL sideloading of "dbghelp.dll"

Detects uncommon target processes for remote thread creation

Detect standard users login that are part of high privileged groups such as the Administrator group

Detects the default "UserName" used by the DiagTrackEoP POC

Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation

Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like

Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".

Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network

Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement

Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings)

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1

Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines

Detects a ProcessHacker tool that elevated privileges to a very high level

Detects service installation in suspicious folder appdata

Detects service installation with suspicious folder patterns

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands

Detects suspicious service installation scripts

Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.