Detects an Antivirus alert in a highly relevant file path or with a relevant file name. This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.

Read More

Detects the creation of a file with an uncommon extension in an Office application startup folder

Read More

Detects known hacktool execution based on image name.

Read More

Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675

Read More

Detects potentially highly relevant antivirus events in the application log based on known virus signature names and malware keywords.

Read More

Detects unauthorized access attempts to a resource.

Read More

Detects when full data export is attempted an unauthorized user.

Read More

Detects a command used by conti to find volume shadow backups

Read More

Detects the creation of diagcab file, which could be caused by some legitimate installer or is a sign of exploitation (review the filename and its location)

Read More

Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll

Read More

Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.

Read More

Detects the execution of the PurpleSharp adversary simulation tool

Read More

Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function.

Read More

Detects specific process parameters as used by Mustang Panda droppers

Read More

Detects when an Okta end-user reports activity by their account as being potentially suspicious.

Read More

Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools

Read More

Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges

Read More

Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility

Read More

Detects program executions in suspicious non-program folders related to malware or hacking activity

Read More

Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory

Read More

Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights

Read More

Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative

Read More

Detects the execution of a Sysinternals Tool via the creation of the "accepteula" registry key

Read More

Detects the execution of some potentially unwanted tools such as PsExec, Procdump, etc. (part of the Sysinternals suite) via the creation of the "accepteula" registry key.

Read More

Detects relevant ClamAV messages

Read More

Detects suspicious renamed SysInternals DebugView execution

Read More

Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)

Read More

Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only

Read More

Detects file creation patterns noticeable during the exploitation of CVE-2021-40444

Read More

Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution

Read More

Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.

Read More

Detects Windows update errors including installation failures and connection issues. Defenders should observe this in case critical update KBs aren't installed.

Read More