Detects Windows Scripting Host processes (wscript.exe and cscript.exe) that are invoking the execution of common scripting formats that Red Canary has observed being used by Qbot—such as .js, .vbs, and .wsf—that are from a logical mounted drive using the drive letters D: through Z: and that have a child process. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects Rundll32.exe process creations with non-standard file types denoted by excluding the common file types from the command-=line selection. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects process creation from wscript or cscript interpreters with commands occuring on mounted drive letters. Defenders should check whether these processes have child processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects extraction of ISO, VHD, LNK, or IMG files from zip files. Commonly associated with QakBot and IcedID.

Read More

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Read More

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Read More

Detects browser applications creating archive/container files such as zip, rar, or 7z, as occurs during an HTML smuggling attack where a browser decodes and executes malicious code within an HTML file. Commonly associated with QakBot and IcedID.

Read More

DLLs that are designed to be loaded by Regsvr32 are expected to have a DllRegisterServer export function implemented. This detects use of the same DLL to rundll32.exe. Inspired by the 2022 Red Canary Threat Detection report.

Read More