Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.

Read More

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

Read More

Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro

Read More

Detects when a memory process image does not match the disk image, indicative of process hollowing.

Read More

Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Read More

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Read More

Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More

Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)

Read More

Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation

Read More

Detects potential PwnKit exploitation CVE-2021-4034 in auth logs

Read More

Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag

Read More

Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)

Read More

Detects scheduled task creation events that include suspicious actions, and is run once at 00:00

Read More

Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

Read More

Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.

Read More

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

Read More

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

Read More

Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".

Read More

Detects the creation of scheduled tasks in user session

Read More

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

Read More

Detects uncommon processes creating remote threads

Read More

Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims

Read More

Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)

Read More

Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)

Read More

Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.

Read More

Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

Read More

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Read More

Detects a service installed by a client which has PID 0 or whose parent has PID 0

Read More

Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields

Read More

Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool

Read More

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

Read More

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

Read More

Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indicates WMI ActiveScriptEventConsumers EventConsumers activity.

Read More

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Read More

Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence

Read More

Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)

Read More

Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability

Read More

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.)

Read More

Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675

Read More

Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache

Read More

Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.

Read More

Detects signs of the exploitation of LPE CVE-2021-41379 that include an msiexec process that creates an elevation_service.exe file

Read More

Detects uncommon target processes for remote thread creation

Read More

Detection of unusual child processes by different system processes

Read More

Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"

Read More

Detects possible suspicious glue development endpoint activity.

Read More

Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Read More

Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking

Read More

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

Read More

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges.

Read More

Detects the use of CoercedPotato, a tool for privilege escalation

Read More

Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

Read More

Detects the use of SharpUp, a tool for local privilege escalation

Read More

Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata

Read More

Detects the creation of a named pipe seen used by known APTs or malware.

Read More

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Read More

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Read More

Detects a PDQDeploy service installation which indicates that PDQDeploy was installed on the machines. PDQDeploy can be abused by attackers to remotely install packages or execute commands on target machines

Read More

Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.

Read More

Detects a when net.exe is called with a password in the command line

Read More

Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

Read More

Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights

Read More

Detects potential DLL sideloading of "ShellDispatch.dll"

Read More

Detects potential DLL sideloading of "wwlib.dll"

Read More

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.

Read More

Detects the execution of AdvancedRun utility

Read More

Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts

Read More

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors regularly abuse it to manipulate system processes.

Read More

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Read More

Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like

Read More

It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.

Read More

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Read More

Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)

Read More

Detects UAC bypass method using Windows event viewer

Read More

Detects attempts to create and add an account to the admin group via "dscl"

Read More

Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.

Read More

The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.

Read More

Detects the load of HackSys Extreme Vulnerable Driver which is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level and often abused by threat actors

Read More

Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Read More

Detects when a configuration change is made to an applications AppID URI.

Read More

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Read More

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Read More

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Read More

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Read More

Monitor and alert for changes to the device registration policy.

Read More

Detects when changes are made to PIM roles

Read More

Detects the default "UserName" used by the DiagTrackEoP POC

Read More

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack

Read More

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Read More

Detects the exploitation of a security bypass and elevation of privilege vulnerability with Authentication Negotiation by using weak RC4-HMAC negotiation

Read More

Detects logon events that have characteristics of events generated during an attack with KrbRelayUp and the like

Read More

Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings)

Read More

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file (“iphlpapi.dll”) is sideloaded

Read More

Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag

Read More

Detect malicious GPO modifications can be used to implement many other malicious behaviors.

Read More

Detect malicious GPO modifications can be used to implement many other malicious behaviors.

Read More

Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report

Read More

Detects creation of a new service (kernel driver) with the type "kernel"

Read More

Detects PDQDeploy service installation on the target system. When a package is deployed via PDQDeploy it installs a remote service on the target machine with the name "PDQDeployRunner-X" where "X" is an integer starting from 1

Read More

Rule to detect the use of the SCX RunAsProvider ExecuteScript to execute any UNIX/Linux script using the /bin/sh shell. Script being executed gets created as a temp file in /tmp folder with a scx* prefix. Then it is invoked from the following directory /etc/opt/microsoft/scx/conf/tmpdir/. The file in that directory has the same prefix scx*. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Rule to detect the use of the SCX RunAsProvider Invoke_ExecuteShellCommand to execute any UNIX/Linux command using the /bin/sh shell. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including Microsoft Operations Manager. Microsoft Azure, and Microsoft Operations Management Suite.

Read More

Detects when PIM alerts are set to disabled.

Read More

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Read More

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Read More

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Read More

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

Read More

Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"

Read More

Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.

Read More

Detects when a new admin is created.

Read More

Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.

Read More

Detects service installation in suspicious folder appdata

Read More

Detects known malicious service installation that appear in cases in which a Sliver implants execute the PsExec commands

Read More

Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen

Read More

Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287

Read More

Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287

Read More

Detects suspicious Powershell code that execute COM Objects

Read More

Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths

Read More

Detects suspicious processes including shells spawnd from WinRM host process

Read More

Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools

Read More

Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.

Read More

Detects update to a scheduled task event that contain suspicious keywords.

Read More

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Detects suspicious service installation scripts

Read More

Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges

Read More

Detects the pattern of a UAC bypass using Windows Event Viewer

Read More

Detects the "IDiagnosticProfileUAC" UAC bypass technique

Read More

Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique

Read More

Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%

Read More

Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface

Read More

Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in

Read More

Detects when a user is added to a privileged role.

Read More

Detects usage of the "usermod" binary to add users add users to the root or suoders groups

Read More

Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.

Read More

Monitor and alert for users added to device admin roles.

Read More

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

Read More

Detects the load of a signed WinRing0 driver often used by threat actors, crypto miners (XMRIG) or malware for privilege escalation

Read More

Detect DLL Load from Spooler Service backup folder

Read More

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

Read More

Detects when an user attached a Lambda layer to an existing function to override a library that is in use by the function, where their malicious code could utilize the function's IAM role for AWS API calls. This would give an adversary access to the privileges associated with the Lambda service role that is attached to that function.

Read More

Detects AWS root account usage

Read More

Identifies the suspicious use of AssumeRole. Attackers could move laterally and escalate privileges.

Read More

Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges.

Read More

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Read More

Identifies when a Google Cloud Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Read More

User Added to an Administrator's Azure AD Role

Read More

Detects the pattern of a pipe name as used by the hack tool CoercedPotato

Read More

Detects the pattern of a pipe name as used by the hack tool EfsPotato

Read More

Detects a user certificate that was valid but could not be mapped to a user in a strong way (such as via explicit mapping, key trust mapping, or a SID) This could be a sign of exploitation of the elevation of privilege vulnerabilities (CVE-2022-34691, CVE-2022-26931, CVE-2022-26923) that can occur when the KDC allows certificate spoofing by not requiring a strong mapping. Events where the AccountName and CN of the Subject do not match, or where the CN ends in a dollar sign indicating a machine, may indicate certificate spoofing.

Read More

Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'

Read More

Detects the load of known malicious drivers by hash value

Read More

Detects the load of known malicious drivers via their names only.

Read More

Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt

Read More

Detects the load of known vulnerable drivers by hash value

Read More

Detects the load of known vulnerable drivers via their names only.

Read More

Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.

Read More

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Read More

Identifies when the same privilege role has multiple activations by the same user.

Read More

Identifies when a privilege role can be activated without performing mfa.

Read More

Identifies when a user has been assigned a privilege role and are not using that role.

Read More

Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.

Read More

Identifies when an account hasn't signed in during the past n number of days.

Read More

Identifies an event where there are there are too many accounts assigned the Global Administrator role.

Read More

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Read More

Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.

Read More

Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.

Read More

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

Read More

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Read More

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

Read More

Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser

Read More

Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.

Read More

Looks for network connections from notepad. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects creation of a local user account using the net command with 'Admin' in the name - this technique is used by Vice Society ransomware gang to create bogus user accounts that attempt to blend in with an administrative user account naming convention.

Read More

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Read More

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

Read More

Detects attempts to create and add an account to the admin group via "sysadminctl"

Read More

Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)

Read More

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Read More

Bypasses User Account Control using a fileless method

Read More

There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC

Read More

Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml) In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events.

Read More

Detects when an attacker tries to disable User Account Control (UAC) by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0

Read More

Detect modification of the startup key to a path where a payload could be stored to be launched during startup

Read More

Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence.

Read More

Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider. Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains.

Read More

Detects a suspicious printer driver installation with an empty Manufacturer value

Read More

Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)

Read More

Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)

Read More

Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)

Read More

Detects the creation of a named pipe as used by CobaltStrike

Read More

Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles

Read More

Detects creation of default named pipe used by the DiagTrackEoP POC, a tool that abuses "SeImpersonate" privilege.

Read More

Detects creation of default named pipes used by the Koh tool

Read More