attack.stealth on Detection.FYI

.RDP File Created By Uncommon Application

Tue, 28 Apr 2026 23:20:23 +0000

Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.

Abuse of Service Permissions to Hide Services Via Set-Service

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Abuse of Service Permissions to Hide Services Via Set-Service - PS

Tue, 28 Apr 2026 23:20:23 +0000

Abusing Print Executable

Tue, 28 Apr 2026 23:20:23 +0000

Attackers can use print.exe for remote file copy

Account Created And Deleted Within A Close Time Frame

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an account was created and deleted in a short period of time.

Account Disabled or Blocked for Sign in Attempts

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an account is disabled or blocked for sign in but tried to log in

Account Tampering - Suspicious Failed Logon Reasons

Tue, 28 Apr 2026 23:20:23 +0000

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Activity From Anonymous IP Address

Tue, 28 Apr 2026 23:20:23 +0000

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

AddinUtil.EXE Execution From Uncommon Directory

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.

Addition of SID History to Active Directory Object

Tue, 28 Apr 2026 23:20:23 +0000

An attacker can use the SID history attribute to gain additional privileges.

Admin User Remote Logon

Tue, 28 Apr 2026 23:20:23 +0000

Detect remote login by Administrator user (depending on internal pattern).

ADS Zone.Identifier Deleted By Uncommon Application

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.

AgentExecutor PowerShell Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument

Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

Tue, 28 Apr 2026 23:20:23 +0000

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Application AppID Uri Configuration Changes

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a configuration change is made to an applications AppID URI.

Application URI Configuration Changes

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Application Using Device Code Authentication Flow

Tue, 28 Apr 2026 23:20:23 +0000

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Applications That Are Using ROPC Authentication Flow

Tue, 28 Apr 2026 23:20:23 +0000

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

AppX Located in Known Staging Directory Added to Deployment Pipeline

Tue, 28 Apr 2026 23:20:23 +0000

Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.

AppX Located in Uncommon Directory Added to Deployment Pipeline

Tue, 28 Apr 2026 23:20:23 +0000

Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.

AppX Package Deployment Failed Due to Signing Requirements

Tue, 28 Apr 2026 23:20:23 +0000

Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.

APT PRIVATELOG Image Load Pattern

Tue, 28 Apr 2026 23:20:23 +0000

Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances

APT27 - Emissary Panda Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of DLL side-loading malware used by threat group Emissary Panda aka APT27

APT29 2018 Phishing Campaign CommandLine Indicators

Tue, 28 Apr 2026 23:20:23 +0000

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

APT29 2018 Phishing Campaign File Indicators

Tue, 28 Apr 2026 23:20:23 +0000

Detects indicators of APT 29 (Cozy Bear) phishing-campaign as reported by mandiant

Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.

Arbitrary File Download Via IMEWDBLD.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of "IMEWDBLD.exe" to download arbitrary files

Arbitrary File Download Via MSEDGE_PROXY.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of "msedge_proxy.exe" to download arbitrary files

Arbitrary File Download Via MSOHTMED.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of "MSOHTMED" to download arbitrary files

Arbitrary File Download Via MSPUB.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files

Arbitrary File Download Via PresentationHost.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files

Arbitrary File Download Via Squirrel.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Arbitrary MSI Download Via Devinit.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system

Aruba Network Service Potential DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking

ASLR Disabled Via Sysctl or Direct Syscall - Linux

Tue, 28 Apr 2026 23:20:23 +0000

Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including: - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000) - Modification of the /proc/sys/kernel/randomize_va_space file - Execution of the `sysctl` command to set `kernel.randomize_va_space=0` Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.

AspNetCompiler Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.

Assembly Loading Via CL_LoadAssembly.ps1

Tue, 28 Apr 2026 23:20:23 +0000

Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.

Atbroker Registry Change

Tue, 28 Apr 2026 23:20:23 +0000

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Atomic MacOS Stealer - Persistence Indicators

Tue, 28 Apr 2026 23:20:23 +0000

Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.

Atypical Travel

Tue, 28 Apr 2026 23:20:23 +0000

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Audit CVE Event

Tue, 28 Apr 2026 23:20:23 +0000

Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Authentications To Important Apps Using Single Factor Authentication

Tue, 28 Apr 2026 23:20:23 +0000

Detect when authentications to important application(s) only required single-factor authentication

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)

AWS Bucket Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of S3 buckets in AWS CloudTrail logs. Monitoring the deletion of S3 buckets is critical for security and data integrity, as it may indicate potential data loss or unauthorized access attempts.

AWS IAM S3Browser LoginProfile Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects S3 Browser utility performing reconnaissance looking for existing IAM Users without a LoginProfile defined then (when found) creating a LoginProfile.

AWS IAM S3Browser Templated S3 Bucket Policy Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects S3 browser utility creating Inline IAM policy containing default S3 bucket name placeholder value of "".

AWS IAM S3Browser User or AccessKey Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects S3 Browser utility creating IAM User or AccessKey.

AWS Key Pair Import Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.

AWS Root Credentials

Tue, 28 Apr 2026 23:20:23 +0000

Detects AWS root account usage

AWS SAML Provider Deletion Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access. An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.

AWS Successful Console Login Without MFA

Tue, 28 Apr 2026 23:20:23 +0000

Detects successful AWS console logins that were performed without Multi-Factor Authentication (MFA). This alert can be used to identify potential unauthorized access attempts, as logging in without MFA can indicate compromised credentials or misconfigured security settings.

AWS Suspicious SAML Activity

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

AWS VPC Flow Logs Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of one or more VPC Flow Logs in AWS Elastic Compute Cloud (EC2) through the DeleteFlowLogs API call. Adversaries may delete flow logs to evade detection or remove evidence of network activity, hindering forensic investigations and visibility into malicious operations.

Azure AD Only Single Factor Authentication Required

Tue, 28 Apr 2026 23:20:23 +0000

Detect when users are authenticating without MFA being required.

Azure AD Threat Intelligence

Tue, 28 Apr 2026 23:20:23 +0000

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Azure Domain Federation Settings Modified

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when an user or application modified the federation settings on the domain.

Azure Kubernetes Admission Controller

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Azure Login Bypassing Conditional Access Policies

Tue, 28 Apr 2026 23:20:23 +0000

Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.

Azure Owner Removed From Application or Service Principal

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when a owner is was removed from a application or service principal in Azure.

Azure Service Principal Created

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when a service principal is created in Azure.

Azure Service Principal Removed

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when a service principal was removed in Azure.

Azure Subscription Permission Elevation Via ActivityLogs

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Azure Subscription Permission Elevation Via AuditLogs

Tue, 28 Apr 2026 23:20:23 +0000

Azure Unusual Authentication Interruption

Tue, 28 Apr 2026 23:20:23 +0000

Detects when there is a interruption in the authentication process.

BaaUpdate.exe Suspicious DLL Load

Tue, 28 Apr 2026 23:20:23 +0000

Detects BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious locations that are publicly writable which could indicate an attempt to lateral movement via BitLocker DCOM & COM Hijacking. This technique abuses COM Classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher Class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94) which can launch BaaUpdate.exe, which is vulnerable to COM Hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.

Backup Catalog Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects backup catalog deletions

Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tue, 28 Apr 2026 23:20:23 +0000

Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.

Base64 Encoded PowerShell Command Detected

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

Binary Padding - Linux

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Binary Padding - MacOS

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Binary Proxy Execution Via Dotnet-Trace.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects commandline arguments for executing a child process via dotnet-trace.exe

Bitbucket User Login Failure

Tue, 28 Apr 2026 23:20:23 +0000

Detects user authentication failure events. Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.

Bitlocker Key Retrieval

Tue, 28 Apr 2026 23:20:23 +0000

Monitor and alert for Bitlocker key retrieval.

BitLockerTogo.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.

BITS Transfer Job Download From Direct IP

Tue, 28 Apr 2026 23:20:23 +0000

Detects a BITS transfer job downloading file(s) from a direct IP address.

BITS Transfer Job Download From File Sharing Domains

Tue, 28 Apr 2026 23:20:23 +0000

Detects BITS transfer job downloading files from a file sharing domain.

BITS Transfer Job Download To Potential Suspicious Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location

BITS Transfer Job Downloading File Potential Suspicious Extension

Tue, 28 Apr 2026 23:20:23 +0000

Detects new BITS transfer job saving local files with potential suspicious extensions

BITS Transfer Job With Uncommon Or Suspicious Remote TLD

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

Bitsadmin to Uncommon IP Server Address

Tue, 28 Apr 2026 23:20:23 +0000

Detects Bitsadmin connections to IP addresses instead of FQDN names

Bitsadmin to Uncommon TLD

Tue, 28 Apr 2026 23:20:23 +0000

Detects Bitsadmin connections to domains with uncommon TLDs

Browser Execution In Headless Mode

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of Chromium based browser in headless mode

Bypass UAC via CMSTP

Tue, 28 Apr 2026 23:20:23 +0000

Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files

C# IL Code Compilation Via Ilasm.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.

Certificate Exported Via Certutil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.

Changes To PIM Settings

Tue, 28 Apr 2026 23:20:23 +0000

Detects when changes are made to PIM roles

Changing Existing Service ImagePath Value Via Reg.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Cisco BGP Authentication Failures

Tue, 28 Apr 2026 23:20:23 +0000

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Cisco Clear Logs

Tue, 28 Apr 2026 23:20:23 +0000

Clear command history in network OS which is used for defense evasion

Cisco Duo Successful MFA Authentication Via Bypass Code

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a successful MFA authentication occurs due to the use of a bypass code. A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.

Cisco File Deletion

Tue, 28 Apr 2026 23:20:23 +0000

See what files are being deleted from flash file systems

Cisco LDP Authentication Failures

Tue, 28 Apr 2026 23:20:23 +0000

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Clearing Windows Console History

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

Cmd Launched with Hidden Start Flags to Suspicious Targets

Tue, 28 Apr 2026 23:20:23 +0000

Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags. To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.

CMSTP Execution Process Access

Tue, 28 Apr 2026 23:20:23 +0000

Detects various indicators of Microsoft Connection Manager Profile Installer execution

CMSTP Execution Process Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects various indicators of Microsoft Connection Manager Profile Installer execution

CMSTP Execution Registry Event

Tue, 28 Apr 2026 23:20:23 +0000

Detects various indicators of Microsoft Connection Manager Profile Installer execution

CMSTP UAC Bypass via COM Object Access

Tue, 28 Apr 2026 23:20:23 +0000

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

CobaltStrike Load by Rundll32

Tue, 28 Apr 2026 23:20:23 +0000

Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.

CobaltStrike Named Pipe

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a named pipe as used by CobaltStrike

CobaltStrike Named Pipe Pattern Regex

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles

CobaltStrike Named Pipe Patterns

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

Code Execution via Pcwutl.dll

Tue, 28 Apr 2026 23:20:23 +0000

Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.

Code Injection by ld.so Preload

Tue, 28 Apr 2026 23:20:23 +0000

Detects the ld.so preload persistence file. See `man ld.so` for more information.

CodePage Modification Via MODE.COM To Russian Language

Tue, 28 Apr 2026 23:20:23 +0000

Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware.

COLDSTEEL Persistence Service Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of new services potentially related to COLDSTEEL RAT

COLDSTEEL RAT Anonymous User Process Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL

COLDSTEEL RAT Cleanup Command Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a "rundll32" process from the ColdSteel persistence service to initiate the cleanup command by calling one of its own exports. This functionality is not present in "MileStone2017" and some "MileStone2016" samples

COLDSTEEL RAT Service Persistence Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of an "svchost" process with specific command line flags, that were seen present and used by ColdSteel RAT

COM Object Execution via Xwizard.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.

Commvault QLogin with PublicSharingUser and GUID Password (CVE-2025-57788)

Tue, 28 Apr 2026 23:20:23 +0000

Detects a qlogin.exe command attempting to authenticate as the internal `_+_PublicSharingUser_` using a GUID as the password. This could be an indicator of an attacker exploiting CVE-2025-57788 to gain initial access using leaked credentials.

Control Panel Items

Tue, 28 Apr 2026 23:20:23 +0000

Detects the malicious use of a control panel item

ConvertTo-SecureString Cmdlet Usage Via CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity

CrashControl CrashDump Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects disabling the CrashDump per registry (as used by HermeticWiper)

Created Files by Microsoft Sync Center

Tue, 28 Apr 2026 23:20:23 +0000

This rule detects suspicious files created by Microsoft Sync Center (mobsync)

CreateDump Process Dump

Tue, 28 Apr 2026 23:20:23 +0000

Detects uses of the createdump.exe LOLOBIN utility to dump process memory

Creation Of a Suspicious ADS File Outside a Browser Download

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers

Creation Of Non-Existent System DLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects creation of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs. Thus, the creation of such DLLs may indicate preparation for phantom DLL hijacking attacks.

Creation Of Pod In System Namespace

Tue, 28 Apr 2026 23:20:23 +0000

Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.

Creation of WerFault.exe/Wer.dll in Unusual Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a file named "WerFault.exe" or "wer.dll" in an uncommon folder, which could be a sign of WerFault DLL hijacking.

Csc.EXE Execution Form Potentially Suspicious Parent

Tue, 28 Apr 2026 23:20:23 +0000

Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

Curl Download And Execute Combination

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Custom File Open Handler Executes PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects the abuse of custom file open handler, executing powershell

Decode Base64 Encoded Text

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of base64 utility to decode arbitrary base64-encoded text

Decode Base64 Encoded Text -MacOs

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of base64 utility to decode arbitrary base64-encoded text

Deployment AppX Package Was Blocked By AppLocker

Tue, 28 Apr 2026 23:20:23 +0000

Detects an appx package deployment that was blocked by AppLocker policy.

Detection of PowerShell Execution via Sqlps.exe

Tue, 28 Apr 2026 23:20:23 +0000

This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Device Registration or Join Without MFA

Tue, 28 Apr 2026 23:20:23 +0000

Monitor and alert for device registration or join events where MFA was not performed.

DeviceCredentialDeployment Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of DeviceCredentialDeployment to hide a process from view.

Devtoolslauncher.exe Executes Specified Binary

Tue, 28 Apr 2026 23:20:23 +0000

The Devtoolslauncher.exe executes other binary

DHCP Callout DLL Installation

Tue, 28 Apr 2026 23:20:23 +0000

Detects the installation of a Callout DLL via CalloutDlls and CalloutEnabled parameter in Registry, which can be used to execute code in context of the DHCP server (restart required)

DHCP Server Error Failed Loading the CallOut DLL

Tue, 28 Apr 2026 23:20:23 +0000

This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

DHCP Server Loaded the CallOut DLL

Tue, 28 Apr 2026 23:20:23 +0000

This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded

Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library

Diamond Sleet APT DLL Sideloading Indicators

Tue, 28 Apr 2026 23:20:23 +0000

Detects DLL sideloading activity seen used by Diamond Sleet APT

Directory Removal Via Rmdir

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

Disable Administrative Share Creation at Startup

Tue, 28 Apr 2026 23:20:23 +0000

Administrative shares are hidden network shares created by Microsoft Windows NT operating systems that grant system administrators remote access to every disk volume on a network-connected system

Disable of ETW Trace - Powershell

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of powershell cmdlets to disable or remove ETW trace sessions

Disable Powershell Command History

Tue, 28 Apr 2026 23:20:23 +0000

Detects scripts or commands that disabled the Powershell command history by removing psreadline module

Diskshadow Script Mode - Execution From Potential Suspicious Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

Diskshadow Script Mode - Uncommon Script Extension Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.

Displaying Hidden Files Feature Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files. This technique is abused by several malware families to hide their files from normal users.

DLL Execution via Rasautou.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.

DLL Execution Via Register-cimprovider.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects using register-cimprovider.exe to execute arbitrary dll file.

DLL Load By System Process From Suspicious Locations

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a system process (i.e. located in system32, syswow64, etc.) loads a DLL from a suspicious location or a location with permissive permissions such as "C:\Users\Public"

DLL Loaded From Suspicious Location Via Cmspt.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects cmstp loading "dll" or "ocx" files from suspicious locations

DLL Loaded via CertOC.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.

DLL Names Used By SVR For GraphicalProton Backdoor

Tue, 28 Apr 2026 23:20:23 +0000

Hunts known SVR-specific DLL names.

DLL Search Order Hijackig Via Additional Space in Path

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an attacker create a similar folder structure to windows system folders such as (Windows, Program Files...) but with a space in order to trick DLL load search order and perform a "DLL Search Order Hijacking" attack

DLL Sideloading by VMware Xfer Utility

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL

DLL Sideloading Of ShellChromeAPI.DLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects processes loading the non-existent DLL "ShellChromeAPI". One known example is the "DeviceEnroller" binary in combination with the "PhoneDeepLink" flag tries to load this DLL. Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Dllhost.EXE Execution Anomaly

Tue, 28 Apr 2026 23:20:23 +0000

Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.

DllUnregisterServer Function Call Via Msiexec.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects MsiExec loading a DLL and calling its DllUnregisterServer function

DMSA Link Attributes Modified

Tue, 28 Apr 2026 23:20:23 +0000

Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts. This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.

DMSA Service Account Created in Specific OUs - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.

DNS Query Request By Regsvr32.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects DNS queries initiated by "Regsvr32.exe"

DNS Server Error Failed Loading the ServerLevelPluginDLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

DNS-over-HTTPS Enabled by Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

DotNet CLR DLL Loaded By Scripting Applications

Tue, 28 Apr 2026 23:20:23 +0000

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

Driver Added To Disallowed Images In HVCI - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.

Driver/DLL Installation Via Odbcconf.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.

Drop Binaries Into Spool Drivers Color Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of suspcious binary files inside the "\windows\system32\spool\drivers\color\" as seen in the blog referenced below

DumpMinitool Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"

Dynamic .NET Compilation Via Csc.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.

Dynamic CSharp Compile Artefact

Tue, 28 Apr 2026 23:20:23 +0000

When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution

Enable BPF Kprobes Tracing

Tue, 28 Apr 2026 23:20:23 +0000

Detects common command used to enable bpf kprobes tracing

Enable Local Manifest Installation With Winget

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the AppInstaller (winget) policy. Specifically the activation of the local manifest installation, which allows a user to install new packages via custom manifests.

Enabling COR Profiler Environment Variables

Tue, 28 Apr 2026 23:20:23 +0000

Detects .NET Framework CLR and .NET Core CLR "cor_enable_profiling" and "cor_profiler" variables being set and configured.

Equation Group DLL_U Export Function Load

Tue, 28 Apr 2026 23:20:23 +0000

Detects a specific export function name used by one of EquationGroup tools

ETW Trace Evasion Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.

EventLog EVTX File Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence

EvilNum APT Golden Chickens Deployment Via OCX Files

Tue, 28 Apr 2026 23:20:23 +0000

Detects Golden Chickens deployment method as used by Evilnum and described in ESET July 2020 report

Exchange PowerShell Cmdlet History Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence

Execute Code with Pester.bat

Tue, 28 Apr 2026 23:20:23 +0000

Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)

Execute Code with Pester.bat as Parent

Tue, 28 Apr 2026 23:20:23 +0000

Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)

Execute Files with Msdeploy.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects file execution using the msdeploy.exe lolbin

Execute From Alternate Data Streams

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection

Execute Pcwrun.EXE To Leverage Follina

Tue, 28 Apr 2026 23:20:23 +0000

Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability

Execution DLL of Choice Using WAB.EXE

Tue, 28 Apr 2026 23:20:23 +0000

This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.

Execution Of Non-Existing File

Tue, 28 Apr 2026 23:20:23 +0000

Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)

Execution of Suspicious File Type Extension

Tue, 28 Apr 2026 23:20:23 +0000

Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.

Execution via stordiag.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe

Execution via WorkFolders.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects using WorkFolders.exe to execute an arbitrary control.exe

Exploit for CVE-2015-1641

Tue, 28 Apr 2026 23:20:23 +0000

Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641

Exploiting SetupComplete.cmd CVE-2019-1378

Tue, 28 Apr 2026 23:20:23 +0000

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

Explorer Process Tree Break

Tue, 28 Apr 2026 23:20:23 +0000

Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"

Exports Registry Key To an Alternate Data Stream

Tue, 28 Apr 2026 23:20:23 +0000

Exports the target Registry key and hides it in the specified alternate data stream.

External Remote RDP Logon from Public IP

Tue, 28 Apr 2026 23:20:23 +0000

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

External Remote SMB Logon from Public IP

Tue, 28 Apr 2026 23:20:23 +0000

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Failed Authentications From Countries You Do Not Operate Out Of

Tue, 28 Apr 2026 23:20:23 +0000

Detect failed authentications from countries you do not operate out of.

Failed Code Integrity Checks

Tue, 28 Apr 2026 23:20:23 +0000

Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.

Failed Logon From Public IP

Tue, 28 Apr 2026 23:20:23 +0000

Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.

Fax Service DLL Search Order Hijack

Tue, 28 Apr 2026 23:20:23 +0000

The Fax service attempts to load ualapi.dll, which is non-existent. An attacker can then (side)load their own malicious DLL using this service.

File Decoded From Base64/Hex Via Certutil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution

File Deleted Via Sysinternals SDelete

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of files by the Sysinternals SDelete utility. It looks for the common name pattern used to rename files.

File Deletion

Tue, 28 Apr 2026 23:20:23 +0000

Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity

File Deletion Via Del

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.

File Download Using ProtocolHandler.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)

File Download Via Bitsadmin

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of bitsadmin downloading a file

File Download Via Bitsadmin To A Suspicious Target Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of bitsadmin downloading a file to a suspicious target folder

File Download Via InstallUtil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"

File Download Via Windows Defender MpCmpRun.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of Windows Defender MpCmdRun.EXE to download files

File Download with Headless Browser

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files

File Encoded To Base64 Via Certutil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration

File In Suspicious Location Encoded To Base64 Via Certutil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations

File Time Attribute Change

Tue, 28 Apr 2026 23:20:23 +0000

Detect file time attribute change to hide new or changes to existing files

File Time Attribute Change - Linux

Tue, 28 Apr 2026 23:20:23 +0000

Detect file time attribute change to hide new or changes to existing files.

File With Suspicious Extension Downloaded Via Bitsadmin

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of bitsadmin downloading a file with a suspicious extension

Files With System DLL Name In Unsuspected Locations

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Files With System Process Name In Unsuspected Locations

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Filter Driver Unloaded Via Fltmc.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detect filter driver unloading activity via fltmc.exe

Findstr Launching .lnk File

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

Fireball Archer Install

Tue, 28 Apr 2026 23:20:23 +0000

Detects Archer malware invocation via rundll32

Flash Player Update from Suspicious Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects a flashplayer update from an unofficial location

Forest Blizzard APT - Process Creation Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of specific processes and command line combination. These were seen being created by Forest Blizzard as described by MSFT.

Forfiles.EXE Child Process Masquerading

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.

Fsutil Suspicious Invocation

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).

Github New Secret Created

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Github Self Hosted Runner Changes Detected

Tue, 28 Apr 2026 23:20:23 +0000

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Github SSH Certificate Configuration Changed

Tue, 28 Apr 2026 23:20:23 +0000

Detects when changes are made to the SSH certificate configuration of the organization.

Goofy Guineapig Backdoor IOC

Tue, 28 Apr 2026 23:20:23 +0000

Detects malicious indicators seen used by the Goofy Guineapig malware

Google Cloud Kubernetes Admission Controller

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Google Workspace Government Attack Warning

Tue, 28 Apr 2026 23:20:23 +0000

Detects a login attempt in Google Workspace flagged as a potential attack by a government-backed threat actor

Gpscript Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy

Greedy File Deletion Using Del

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.

Greenbug Espionage Group Indicators

Tue, 28 Apr 2026 23:20:23 +0000

Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec

Guest Account Enabled Via Sysadminctl

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to enable the guest account using the sysadminctl utility

Guest User Invited By Non Approved Inviters

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Guest Users Invited To Tenant By Non Approved Inviters

Tue, 28 Apr 2026 23:20:23 +0000

Detects guest users being invited to tenant by non-approved inviters

HackTool - CACTUSTORCH Remote Thread Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects remote thread creation from CACTUSTORCH as described in references.

HackTool - CoercedPotato Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of CoercedPotato, a tool for privilege escalation

HackTool - CoercedPotato Named Pipe Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects the pattern of a pipe name as used by the hack tool CoercedPotato

HackTool - Covenant PowerShell Launcher

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious command lines used in Covenant luanchers

HackTool - CrackMapExec PowerShell Obfuscation

Tue, 28 Apr 2026 23:20:23 +0000

The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

HackTool - DInjector PowerShell Cradle Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of the Dinject PowerShell cradle based on the specific flags

HackTool - EfsPotato Named Pipe Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects the pattern of a pipe name as used by the hack tool EfsPotato

HackTool - F-Secure C3 Load by Rundll32

Tue, 28 Apr 2026 23:20:23 +0000

F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

HackTool - GMER Rootkit Detector and Remover Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution GMER tool based on image and hash fields.

HackTool - HollowReaper Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.

HackTool - Impersonate Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

HackTool - Koh Default Named Pipe

Tue, 28 Apr 2026 23:20:23 +0000

Detects creation of default named pipes used by the Koh tool

HackTool - LittleCorporal Generated Maldoc Injection

Tue, 28 Apr 2026 23:20:23 +0000

Detects the process injection of a LittleCorporal generated Maldoc.

HackTool - LocalPotato Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples

HackTool - NoFilter Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators

HackTool - Potential CobaltStrike Process Injection

Tue, 28 Apr 2026 23:20:23 +0000

Detects a potential remote threat creation with certain characteristics which are typical for Cobalt Strike beacons

HackTool - Powerup Write Hijack DLL

Tue, 28 Apr 2026 23:20:23 +0000

Powerup tool's Write Hijack DLL exploits DLL hijacking for privilege escalation. In it's default mode, it builds a self deleting .bat file which executes malicious command. The detection rule relies on creation of the malicious bat file (debug.bat by default).

HackTool - PPID Spoofing SelectMyParent Tool Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent

HackTool - RedMimicry Winnti Playbook Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility

HackTool - SharpDPAPI Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.

HackTool - SharpImpersonation Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively

HackTool - SharpUp PrivEsc Tool Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of SharpUp, a tool for local privilege escalation

HackTool - Wmiexec Default Powershell Command

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script

HackTool - XORDump Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious use of XORDump process memory dumping utility

HackTool Named File Stream Created

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a named file stream with the imphash of a well-known hack tool

HH.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "hh.exe" to open ".chm" files.

Hidden Executable In NTFS Alternate Data Stream

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash

Hidden Files and Directories

Tue, 28 Apr 2026 23:20:23 +0000

Detects adversary creating hidden file or directory, by detecting directories or files with . as the first character

Hidden Flag Set On File/Directory Via Chflags - MacOS

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.

Hidden User Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option

Hiding Files with Attrib.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of attrib.exe to hide files from users.

Hiding User Account Via SpecialAccounts Registry Key

Tue, 28 Apr 2026 23:20:23 +0000

Detects modifications to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

Hiding User Account Via SpecialAccounts Registry Key - CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.

HTML Help HH.EXE Suspicious Child Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Huawei BGP Authentication Failures

Tue, 28 Apr 2026 23:20:23 +0000

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

IcedID Malware Suspicious Single Digit DLL Execution Via Rundll32

Tue, 28 Apr 2026 23:20:23 +0000

Detects RunDLL32.exe executing a single digit DLL named "1.dll" with the export function "DllRegisterServer". This behaviour was often seen used by malware and especially IcedID

IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.

IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI

Tue, 28 Apr 2026 23:20:23 +0000

Ie4uinit Lolbin Use From Invalid Path

Tue, 28 Apr 2026 23:20:23 +0000

Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories

IIS WebServer Access Logs Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence

IIS WebServer Log Deletion via CommandLine Utilities

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.

ImagingDevices Unusual Parent/Child Processes

Tue, 28 Apr 2026 23:20:23 +0000

Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity

Import LDAP Data Interchange Format File Via Ldifde.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.

Important Windows Service Terminated Unexpectedly

Tue, 28 Apr 2026 23:20:23 +0000

Detects important or interesting Windows services that got terminated unexpectedly.

Important Windows Service Terminated With Error

Tue, 28 Apr 2026 23:20:23 +0000

Detects important or interesting Windows services that got terminated for whatever reason

Impossible Travel

Tue, 28 Apr 2026 23:20:23 +0000

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

Increased Failed Authentications Of Any Type

Tue, 28 Apr 2026 23:20:23 +0000

Detects when sign-ins increased by 10% or greater.

Indirect Command Execution By Program Compatibility Wizard

Tue, 28 Apr 2026 23:20:23 +0000

Detect indirect command execution via Program Compatibility Assistant pcwrun.exe

Indirect Command Execution From Script File Via Bash.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

Indirect Command Execution via SFTP ProxyCommand

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter. Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.

Indirect Inline Command Execution Via Bash.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.

InfDefaultInstall.exe .inf Execution

Tue, 28 Apr 2026 23:20:23 +0000

Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.

Injected Browser Process Spawning Rundll32 - GuLoader Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.

Insensitive Subfolder Search Via Findstr.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

Interactive Bash Suspicious Children

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious interactive bash as a parent to rather uncommon child processes

Invalid PIM License

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Invoke-Obfuscation CLIP+ Launcher

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of Clip.exe to execute PowerShell

Invoke-Obfuscation CLIP+ Launcher - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of Clip.exe to execute PowerShell

Invoke-Obfuscation CLIP+ Launcher - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of Clip.exe to execute PowerShell

Invoke-Obfuscation CLIP+ Launcher - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of Clip.exe to execute PowerShell

Invoke-Obfuscation CLIP+ Launcher - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of Clip.exe to execute PowerShell

Invoke-Obfuscation COMPRESS OBFUSCATION

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Invoke-Obfuscation COMPRESS OBFUSCATION - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Invoke-Obfuscation COMPRESS OBFUSCATION - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Invoke-Obfuscation Obfuscated IEX Invocation

Tue, 28 Apr 2026 23:20:23 +0000

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

Invoke-Obfuscation Obfuscated IEX Invocation - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

Invoke-Obfuscation Obfuscated IEX Invocation - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references

Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Invoke-Obfuscation RUNDLL LAUNCHER - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Invoke-Obfuscation RUNDLL LAUNCHER - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Invoke-Obfuscation STDIN+ Launcher

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation STDIN+ Launcher - Powershell

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation STDIN+ Launcher - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation STDIN+ Launcher - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation STDIN+ Launcher - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of stdin to execute PowerShell

Invoke-Obfuscation VAR+ Launcher

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of Environment Variables to execute PowerShell

Invoke-Obfuscation VAR+ Launcher - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of Environment Variables to execute PowerShell

Invoke-Obfuscation VAR+ Launcher - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of Environment Variables to execute PowerShell

Invoke-Obfuscation VAR+ Launcher - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of Environment Variables to execute PowerShell

Invoke-Obfuscation VAR+ Launcher - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated use of Environment Variables to execute PowerShell

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via VAR++ LAUNCHER

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via VAR++ LAUNCHER

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via VAR++ LAUNCHER

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via VAR++ LAUNCHER

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via VAR++ LAUNCHER

Invoke-Obfuscation Via Stdin

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via Stdin in Scripts

Invoke-Obfuscation Via Stdin - Powershell

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via Stdin in Scripts

Invoke-Obfuscation Via Stdin - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via Stdin in Scripts

Invoke-Obfuscation Via Stdin - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via Stdin in Scripts

Invoke-Obfuscation Via Stdin - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via Stdin in Scripts

Invoke-Obfuscation Via Use Clip

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use Clip.exe in Scripts

Invoke-Obfuscation Via Use Clip - Powershell

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use Clip.exe in Scripts

Invoke-Obfuscation Via Use Clip - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use Clip.exe in Scripts

Invoke-Obfuscation Via Use Clip - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use Clip.exe in Scripts

Invoke-Obfuscation Via Use Clip - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use Clip.exe in Scripts

Invoke-Obfuscation Via Use MSHTA

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use MSHTA in Scripts

Invoke-Obfuscation Via Use MSHTA - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use MSHTA in Scripts

Invoke-Obfuscation Via Use MSHTA - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use MSHTA in Scripts

Invoke-Obfuscation Via Use MSHTA - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use MSHTA in Scripts

Invoke-Obfuscation Via Use MSHTA - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use MSHTA in Scripts

Invoke-Obfuscation Via Use Rundll32 - PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use Rundll32 in Scripts

Invoke-Obfuscation Via Use Rundll32 - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use Rundll32 in Scripts

Invoke-Obfuscation Via Use Rundll32 - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use Rundll32 in Scripts

Invoke-Obfuscation Via Use Rundll32 - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects Obfuscated Powershell via use Rundll32 in Scripts

JScript Compiler Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.

Juniper BGP Missing MD5

Tue, 28 Apr 2026 23:20:23 +0000

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Kapeka Backdoor Execution Via RunDLL32.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.

Kapeka Backdoor Loaded Via Rundll32.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the Kapeka Backdoor binary being loaded by rundll32.exe. The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.

Kavremover Dropped Binary LOLBIN Usage

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.

Kernel Memory Dump Via LiveKD

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory

Kubernetes Admission Controller Modification

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a modification (create, update or replace) action is taken that affects mutating or validating webhook configurations, as they can be used by an adversary to achieve persistence or exfiltrate access credentials.

Kubernetes Events Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects when events are deleted in Kubernetes. An adversary may delete Kubernetes events in an attempt to evade detection.

Launch-VsDevShell.PS1 Proxy Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.

Lazarus APT DLL Sideloading Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company

Lazarus System Binary Masquerading

Tue, 28 Apr 2026 23:20:23 +0000

Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location

Legitimate Application Dropped Archive

Tue, 28 Apr 2026 23:20:23 +0000

Detects programs on a Windows system that should not write an archive to disk

Legitimate Application Dropped Executable

Tue, 28 Apr 2026 23:20:23 +0000

Detects programs on a Windows system that should not write executables to disk

Legitimate Application Dropped Script

Tue, 28 Apr 2026 23:20:23 +0000

Detects programs on a Windows system that should not write scripts to disk

Legitimate Application Writing Files In Uncommon Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects legitimate applications writing any type of file to uncommon or suspicious locations that are not typical for application data storage or execution. Adversaries may leverage legitimate applications (Living off the Land Binaries - LOLBins) to drop or download malicious files to uncommon locations on the system to evade detection by security solutions.

Linux Base64 Encoded Pipe to Shell

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious process command line that uses base64 encoded input for execution with a shell

Linux Base64 Encoded Shebang In CLI

Tue, 28 Apr 2026 23:20:23 +0000

Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded

Linux Command History Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detects commands that try to clear or tamper with the Linux command history. This technique is used by threat actors in order to evade defenses and execute commands without them being recorded in files such as "bash_history" or "zsh_history".

Linux Package Uninstall

Tue, 28 Apr 2026 23:20:23 +0000

Detects linux package removal using builtin tools such as "yum", "apt", "apt-get" or "dpkg".

Linux Shell Pipe to Shell

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell

LiveKD Driver Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of the LiveKD driver, which is used for live kernel debugging

LiveKD Driver Creation By Uncommon Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of the LiveKD driver by a process image other than "livekd.exe".

LiveKD Kernel Memory Dump File Created

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a file that has the same name as the default LiveKD kernel memory dump.

Login to Disabled Account

Tue, 28 Apr 2026 23:20:23 +0000

Detect failed attempts to sign in to disabled accounts.

Logon from a Risky IP Address

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.

LOL-Binary Copied From System Directory

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.

LOLBIN Execution From Abnormal Drive

Tue, 28 Apr 2026 23:20:23 +0000

Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.

Lolbin Runexehelper Use As Proxy

Tue, 28 Apr 2026 23:20:23 +0000

Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs

Lolbin Unregmp2.exe Use As Proxy

Tue, 28 Apr 2026 23:20:23 +0000

Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"

Lummac Stealer Activity - Execution Of More.com And Vbc.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.

Malicious DLL File Dropped in the Teams or OneDrive Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects creation of a malicious DLL file in the location where the OneDrive or Team applications Upon execution of the Teams or OneDrive application, the dropped malicious DLL file ("iphlpapi.dll") is sideloaded

Malicious DLL Load By Compromised 3CXDesktopApp

Tue, 28 Apr 2026 23:20:23 +0000

Detects DLL load activity of known compromised DLLs used in by the compromised 3CXDesktopApp

Malicious Named Pipe Created

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a named pipe seen used by known APTs or malware.

Malicious PE Execution by Microsoft Visual Studio Debugger

Tue, 28 Apr 2026 23:20:23 +0000

There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.

Malicious Usage Of IMDS Credentials Outside Of AWS Infrastructure

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an instance identity has taken an action that isn't inside SSM. This can indicate that a compromised EC2 instance is being used as a pivot point.

Malicious Windows Script Components File Execution by TAEF Detection

Tue, 28 Apr 2026 23:20:23 +0000

Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe

Malware Shellcode in Verclsid Target Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro

ManageEngine Endpoint Central Dctask64.EXE Potential Abuse

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

Masquerading as Linux Crond Process

Tue, 28 Apr 2026 23:20:23 +0000

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.

Mavinject Inject DLL Into Running Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag

MaxMpxCt Registry Value Changed

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the "MaxMpxCt" registry value. MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate. Ransomware threat actors and operators (specifically BlackCat) were seen increasing this value in order to handle a higher volume of traffic.

Measurable Increase Of Successful Authentications

Tue, 28 Apr 2026 23:20:23 +0000

Detects when successful sign-ins increased by 10% or greater.

Meterpreter or Cobalt Strike Getsystem Service Installation - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Meterpreter or Cobalt Strike Getsystem Service Installation - System

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Microsoft 365 - Impossible Travel Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.

Microsoft Defender Blocked from Loading Unsigned DLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL

Microsoft Malware Protection Engine Crash

Tue, 28 Apr 2026 23:20:23 +0000

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Microsoft Malware Protection Engine Crash - WER

Tue, 28 Apr 2026 23:20:23 +0000

This rule detects a suspicious crash of the Microsoft Malware Protection Engine

Microsoft Office DLL Sideload

Tue, 28 Apr 2026 23:20:23 +0000

Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location

Microsoft Sync Center Suspicious Network Connections

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

MMC Executing Files with Reversed Extensions Using RTLO Abuse

Tue, 28 Apr 2026 23:20:23 +0000

Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.

MMC Loading Script Engines DLLs

Tue, 28 Apr 2026 23:20:23 +0000

Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.

Modification of ld.so.preload

Tue, 28 Apr 2026 23:20:23 +0000

Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.

Monitoring For Persistence Via BITS

Tue, 28 Apr 2026 23:20:23 +0000

BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.

Mount Execution With Hidepid Parameter

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system

MpiExec Lolbin

Tue, 28 Apr 2026 23:20:23 +0000

Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary

MSDT Execution Via Answer File

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).

MSHTA Execution with Suspicious File Extensions

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.

Mshtml.DLL RunHTMLApplication Suspicious Usage

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)

MSI Installation From Web

Tue, 28 Apr 2026 23:20:23 +0000

Detects installation of a remote msi file from web.

Msiexec Quiet Installation

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)

MsiExec Web Install

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious msiexec process starts with web addresses as parameter

Msxsl.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.

Multifactor Authentication Denied

Tue, 28 Apr 2026 23:20:23 +0000

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Multifactor Authentication Interrupted

Tue, 28 Apr 2026 23:20:23 +0000

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Network Connection Initiated By AddinUtil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.

Network Connection Initiated By Regsvr32.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects a network connection initiated by "Regsvr32.exe"

Network Connection Initiated Via Notepad.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example.

New BITS Job Created Via Bitsadmin

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a new bits job by Bitsadmin

New BITS Job Created Via PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a new bits job by PowerShell

New Capture Session Launched Via DXCap.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.

New Country

Tue, 28 Apr 2026 23:20:23 +0000

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

New DLL Registered Via Odbcconf.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.

New DMSA Service Account Created in Specific OUs

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a dMSASvc account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the Cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.

New DNS ServerLevelPluginDll Installed

Tue, 28 Apr 2026 23:20:23 +0000

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)

New File Association Using Exefile

Tue, 28 Apr 2026 23:20:23 +0000

Detects the abuse of the exefile handler in new file association. Used for bypass of security products.

New or Renamed User Account with '$' Character

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.

New Process Created Via Taskmgr.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC

Node Process Executions

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

NotPetya Ransomware Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil

Nslookup PowerShell Download Cradle - ProcessCreation

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records

NTFS Alternate Data Stream

Tue, 28 Apr 2026 23:20:23 +0000

Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.

Obfuscated PowerShell MSI Install via WindowsInstaller COM

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`). The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.

Odbcconf.EXE Suspicious DLL Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.

Office Application Initiated Network Connection Over Uncommon Ports

Tue, 28 Apr 2026 23:20:23 +0000

Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.

Okta New Admin Console Behaviours

Tue, 28 Apr 2026 23:20:23 +0000

Detects when Okta identifies new activity in the Admin Console.

Old TLS1.0/TLS1.1 Protocol Version Enabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects applications or users re-enabling old TLS versions by setting the "Enabled" value to "1" for the "Protocols" registry key.

OneNote Attachment File Dropped In Suspicious Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects creation of files with the ".one"/".onepkg" extension in suspicious or uncommon locations. This could be a sign of attackers abusing OneNote attachments

OneNote.EXE Execution of Malicious Embedded Scripts

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.

OpenCanary - SSH Login Attempt

Tue, 28 Apr 2026 23:20:23 +0000

Detects instances where an SSH service on an OpenCanary node has had a login attempt.

OpenCanary - SSH New Connection Attempt

Tue, 28 Apr 2026 23:20:23 +0000

Detects instances where an SSH service on an OpenCanary node has had a connection attempt.

OpenCanary - Telnet Login Attempt

Tue, 28 Apr 2026 23:20:23 +0000

Detects instances where a Telnet service on an OpenCanary node has had a login attempt.

OpenWith.exe Executes Specified Binary

Tue, 28 Apr 2026 23:20:23 +0000

The OpenWith.exe executes other binary

Operation Wocao Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects activity mentioned in Operation Wocao report

Operation Wocao Activity - Security

Tue, 28 Apr 2026 23:20:23 +0000

Detects activity mentioned in Operation Wocao report

Outbound Network Connection Initiated By Cmstp.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects a network connection initiated by Cmstp.EXE Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.

Outbound Network Connection To Public IP Via Winlogon

Tue, 28 Apr 2026 23:20:23 +0000

Detects a "winlogon.exe" process that initiate network communications with public IP addresses

Outlook EnableUnsafeClientMailRules Setting Enabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Password Protected ZIP File Opened

Tue, 28 Apr 2026 23:20:23 +0000

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Password Protected ZIP File Opened (Email Attachment)

Tue, 28 Apr 2026 23:20:23 +0000

Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Password Protected ZIP File Opened (Suspicious Filenames)

Tue, 28 Apr 2026 23:20:23 +0000

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Password Provided In Command Line Of Net.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects a when net.exe is called with a password in the command line

Password Reset By User Account

Tue, 28 Apr 2026 23:20:23 +0000

Detect when a user has reset their password in Azure AD

Payload Decoded and Decrypted via Built-in Utilities

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

PDF File Created By RegEdit.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a file with the ".pdf" extension by the "RegEdit.exe" process. This indicates that a user is trying to print/save a registry key as a PDF in order to potentially extract sensitive information and bypass defenses.

Pikabot Fake DLL Extension Execution Via Rundll32.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.

PIM Alert Setting Changes To Disabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects when PIM alerts are set to disabled.

PIM Approvals And Deny Elevation

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Ping Hex IP

Tue, 28 Apr 2026 23:20:23 +0000

Detects a ping command that uses a hex encoded IP address

Pingback Backdoor Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Pingback Backdoor DLL Loading Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Pingback Backdoor File Indicators

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report

Possible Privilege Escalation via Weak Service Permissions

Tue, 28 Apr 2026 23:20:23 +0000

Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand

Potential 7za.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "7za.dll"

Potential Access Token Abuse

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".

Potential Antivirus Software DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc

Potential Application Whitelisting Bypass via Dnx.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.

Potential appverifUI.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "appverifUI.dll"

Potential APT-C-12 BlueMushroom DLL Load Activity Via Regsvr32

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential BlueMushroom DLL loading activity via regsvr32 from AppData Local

Potential Arbitrary Code Execution Via Node.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc

Potential Arbitrary Command Execution Using Msdt.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability

Potential Arbitrary Command Execution Via FTP.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".

Potential Arbitrary DLL Load Using Winword

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.

Potential Arbitrary File Download Using Office Application

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential arbitrary file download using a Microsoft Office application

Potential Arbitrary File Download Via Cmdl32.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.

Potential AVKkid.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "AVKkid.dll"

Potential Azure Browser SSO Abuse

Tue, 28 Apr 2026 23:20:23 +0000

Detects abusing Azure Browser SSO by requesting OAuth 2.0 refresh tokens for an Azure-AD-authenticated Windows user (i.e. the machine is joined to Azure AD and a user logs in with their Azure AD account) wanting to perform SSO authentication in the browser. An attacker can use this to authenticate to Azure AD in a browser as that user.

Potential Baby Shark Malware Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects activity that could be related to Baby Shark malware

Potential Base64 Decoded From Images

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.

Potential Binary Impersonating Sysinternals Tools

Tue, 28 Apr 2026 23:20:23 +0000

Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.

Potential Binary Proxy Execution Via Cdb.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file

Potential Binary Proxy Execution Via VSDiagnostics.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.

Potential BlackByte Ransomware Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects command line patterns used by BlackByte ransomware in different operations

Potential Bumblebee Remote Thread Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects remote thread injection events based on action seen used by bumblebee

Potential CCleanerDU.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "CCleanerDU.dll"

Potential CCleanerReactivator.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "CCleanerReactivator.dll"

Potential Chrome Frame Helper DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "chrome_frame_helper.dll"

Potential COLDSTEEL Persistence Service DLL Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT

Potential COLDSTEEL Persistence Service DLL Load

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism

Potential COLDSTEEL RAT File Indicators

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.

Potential Command Line Path Traversal Evasion Attempt

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline

Potential Commandline Obfuscation Using Escape Characters

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential commandline obfuscation using known escape characters

Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Potential Compromised 3CXDesktopApp Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of known compromised version of 3CXDesktopApp

Potential Compromised 3CXDesktopApp Update Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software

Potential CVE-2023-36884 Exploitation Dropped File

Tue, 28 Apr 2026 23:20:23 +0000

Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884

Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect. This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.

Potential Data Stealing Via Chromium Headless Debugging

Tue, 28 Apr 2026 23:20:23 +0000

Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control

Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.

Potential Defense Evasion Via Binary Rename

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Potential Defense Evasion Via Raw Disk Access By Uncommon Tools

Tue, 28 Apr 2026 23:20:23 +0000

Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts

Potential Defense Evasion Via Rename Of Highly Relevant Binaries

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Potential Defense Evasion Via Right-to-Left Override

Tue, 28 Apr 2026 23:20:23 +0000

Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerading techniques by adversaries to trick users into opening malicious files.

Potential Devil Bait Malware Reconnaissance

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific process behavior observed with Devil Bait samples

Potential Devil Bait Related Indicator

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC

Potential DLL Injection Or Execution Using Tracker.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL injection and execution using "Tracker.exe"

Potential DLL Sideloading Of DBGCORE.DLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects DLL sideloading of "dbgcore.dll"

Potential DLL Sideloading Of DBGHELP.DLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "dbghelp.dll"

Potential DLL Sideloading Of DbgModel.DLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "DbgModel.dll"

Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".

Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location

Potential DLL Sideloading Of MpSvc.DLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "MpSvc.dll".

Potential DLL Sideloading Of MsCorSvc.DLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "mscorsvc.dll".

Potential DLL Sideloading Of Non-Existent DLLs From System Folders

Tue, 28 Apr 2026 23:20:23 +0000

Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.

Potential DLL Sideloading Using Coregen.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

Potential DLL Sideloading Via ClassicExplorer32.dll

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software

Potential DLL Sideloading Via comctl32.dll

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading using comctl32.dll to obtain system privileges

Potential DLL Sideloading Via DeviceEnroller.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter

Potential DLL Sideloading Via JsSchHlp

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor

Potential DLL Sideloading Via VMware Xfer

Tue, 28 Apr 2026 23:20:23 +0000

Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL

Potential Dridex Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential Dridex acitvity via specific process patterns

Potential EACore.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "EACore.dll"

Potential Edputil.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "edputil.dll"

Potential Emotet Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects all Emotet like process executions that are not covered by the more generic rules

Potential Emotet Rundll32 Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL

Potential EmpireMonkey Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential EmpireMonkey APT activity

Potential Encoded PowerShell Patterns In CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific combinations of encoding methods in PowerShell via the commandline

Potential Exploitation Attempt From Office Application

Tue, 28 Apr 2026 23:20:23 +0000

Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)

Potential Exploitation of RCE Vulnerability CVE-2025-33053

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 which involves unauthorized code execution via WebDAV through external control of file names or paths. The exploit abuses legitimate utilities like iediagcmd.exe or CustomShellHost.exe by manipulating their working directories to point to attacker-controlled WebDAV servers, causing them to execute malicious executables (like route.exe) from the WebDAV path instead of legitimate system binaries through Process.Start() search order manipulation.

Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.

Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential exploitation of remote code execution vulnerability CVE-2025-33053 by looking for process access that involves legitimate Windows executables (iediagcmd.exe, CustomShellHost.exe) accessing suspicious executables hosted on WebDAV shares. This indicates an attacker may be exploiting Process.Start() search order manipulation to execute malicious code from attacker-controlled WebDAV servers instead of legitimate system binaries. The vulnerability allows unauthorized code execution through external control of file names or paths via WebDAV.

Potential Fake Instance Of Hxtsr.EXE Executed

Tue, 28 Apr 2026 23:20:23 +0000

HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe

Potential File Download Via MS-AppInstaller Protocol Handler

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"

Potential File Extension Spoofing Using Right-to-Left Override

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious filenames that contain a right-to-left override character and a potentially spoofed file extensions.

Potential Goofy Guineapig GoolgeUpdate Process Anomaly

Tue, 28 Apr 2026 23:20:23 +0000

Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor

Potential Goopdate.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "goopdate.dll", a DLL used by googleupdate.exe

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of hidden file/folder with the "::$index_allocation" stream. Which can be used as a technique to prevent access to folder and files from tooling such as "explorer.exe" and "powershell.exe"

Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI

Tue, 28 Apr 2026 23:20:23 +0000

Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"

Potential Homoglyph Attack Using Lookalike Characters

Tue, 28 Apr 2026 23:20:23 +0000

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Potential Homoglyph Attack Using Lookalike Characters in Filename

Tue, 28 Apr 2026 23:20:23 +0000

Potential In-Memory Execution Using Reflection.Assembly

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory

Potential Initial Access via DLL Search Order Hijacking

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.

Potential Iviewers.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "iviewers.dll" (OLE/COM Object Interface Viewer)

Potential JLI.dll Side-Loading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL side-loading of jli.dll. JLI.dll has been observed being side-loaded by Java processes by various threat actors, including APT41, XWorm, and others in order to load malicious payloads in context of legitimate Java processes.

Potential Kapeka Decrypted Backdoor Indicator

Tue, 28 Apr 2026 23:20:23 +0000

Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges. The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.

Potential LethalHTA Technique Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process

Potential Libvlc.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "libvlc.dll", a DLL that is legitimately used by "VLC.exe"

Potential Linux Process Code Injection Via DD Utility

Tue, 28 Apr 2026 23:20:23 +0000

Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.

Potential LSASS Process Dump Via Procdump

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.

Potential Malicious AppX Package Installation Attempts

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential installation or installation attempts of known malicious appx packages

Potential Manage-bde.wsf Abuse To Proxy Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution

Potential Memory Dumping Activity Via LiveKD

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of LiveKD based on PE metadata or image name

Potential Meterpreter/CobaltStrike Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting

Potential MFA Bypass Using Legacy Client Authentication

Tue, 28 Apr 2026 23:20:23 +0000

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

Potential Mfdetours.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Potential Mftrace.EXE Abuse

Tue, 28 Apr 2026 23:20:23 +0000

Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.

Potential Mpclient.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Potential Mpclient.DLL Sideloading Via Defender Binaries

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.

Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.

Potential MsiExec Masquerading

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of msiexec.exe from an uncommon directory

Potential MuddyWater APT Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential Muddywater APT activity

Potential Notepad++ CVE-2025-49144 Exploitation

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential exploitation of CVE-2025-49144, a local privilege escalation vulnerability in Notepad++ installers (v8.8.1 and prior) where the installer calls regsvr32.exe without specifying the full path. This allows an attacker to execute arbitrary code with elevated privileges by placing a malicious regsvr32.exe alongside this Legitimate Notepad++ installer. The vulnerability is triggered when the installer attempts to register the NppShell.dll file, which is a component of Notepad++.

Potential NTLM Coercion Via Certutil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects possible NTLM coercion via certutil using the 'syncwithWU' flag

Potential Obfuscated Ordinal Call Via Rundll32

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "rundll32" with potential obfuscated ordinal calls

Potential Password Spraying Attempt Using Dsacls.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects possible password spraying attempts using Dsacls

Potential PendingFileRenameOperations Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.

Potential Persistence Attempt Via Existing Service Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.

Potential Pikabot Hollowing Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries. The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries

Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.

Potential PlugX Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of an executable that is typically used by PlugX for DLL side loading starting from an uncommon location

Potential PowerShell Command Line Obfuscation

Tue, 28 Apr 2026 23:20:23 +0000

Detects the PowerShell command lines with special characters

Potential PowerShell Execution Via DLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine.

Potential PowerShell Obfuscation Using Alias Cmdlets

Tue, 28 Apr 2026 23:20:23 +0000

Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts

Potential PowerShell Obfuscation Using Character Join

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation

Potential PowerShell Obfuscation Via Reversed Commands

Tue, 28 Apr 2026 23:20:23 +0000

Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers

Potential PowerShell Obfuscation Via WCHAR/CHAR

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious encoded character syntax often used for defense evasion

Potential PrintNightmare Exploitation Attempt

Tue, 28 Apr 2026 23:20:23 +0000

Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675

Potential Privilege Escalation Attempt Via .Exe.Local Technique

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"

Potential Privilege Escalation via Service Permissions Weakness

Tue, 28 Apr 2026 23:20:23 +0000

Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level

Potential Process Execution Proxy Via CL_Invocation.ps1

Tue, 28 Apr 2026 23:20:23 +0000

Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"

Potential Process Hollowing Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a memory process image does not match the disk image, indicative of process hollowing.

Potential Process Injection Via Msra.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics

Potential Provisioning Registry Key Abuse For Binary Proxy Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

Potential Provisioning Registry Key Abuse For Binary Proxy Execution - REG

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

Potential Provlaunch.EXE Binary Proxy Execution Abuse

Tue, 28 Apr 2026 23:20:23 +0000

Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

Potential Python DLL SideLoading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of Python DLL files.

Potential Qakbot Rundll32 Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific process tree behavior of a "rundll32" execution often linked with potential Qakbot activity.

Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential malicious and unauthorized usage of bcdedit.exe

Potential Raspberry Robin Aclui Dll SideLoading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential sideloading of malicious "aclui.dll" by OleView.This behavior was observed in Raspberry-Robin variants reported by chekpoint research on Feburary 2024.

Potential Raspberry Robin CPL Execution Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function. This behavior was observed in multiple Raspberry-Robin variants.

Potential Rcdll.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of rcdll.dll

Potential ReflectDebugger Content Execution Via WerFault.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow

Potential Register_App.Vbs LOLScript Abuse

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.

Potential Registry Persistence Attempt Via DbgManagedDebugger

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes

Potential Regsvr32 Commandline Flag Anomaly

Tue, 28 Apr 2026 23:20:23 +0000

Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.

Potential Remote SquiblyTwo Technique Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI) to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript. The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.

Potential RemoteFXvGPUDisablement.EXE Abuse

Tue, 28 Apr 2026 23:20:23 +0000

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module

Tue, 28 Apr 2026 23:20:23 +0000

Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock

Tue, 28 Apr 2026 23:20:23 +0000

Potential RjvPlatform.DLL Sideloading From Default Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.

Potential RjvPlatform.DLL Sideloading From Non-Default Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.

Potential RoboForm.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "roboform.dll", a DLL used by RoboForm Password Manager

Potential Rundll32 Execution With DLL Stored In ADS

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).

Potential Script Proxy Execution Via CL_Mutexverifiers.ps1

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands

Potential Secure Deletion with SDelete

Tue, 28 Apr 2026 23:20:23 +0000

Detects files that have extensions commonly seen while SDelete is used to wipe files.

Potential ShellDispatch.DLL Functionality Abuse

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"

Potential ShellDispatch.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "ShellDispatch.dll"

Potential Signing Bypass Via Windows Developer Features

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.

Potential Signing Bypass Via Windows Developer Features - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects when the enablement of developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.

Potential SmadHook.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "SmadHook.dll", a DLL used by SmadAV antivirus

Potential SolidPDFCreator.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "SolidPDFCreator.dll"

Potential Suspicious Activity Using SeCEdit

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy

Potential Suspicious BPF Activity - Linux

Tue, 28 Apr 2026 23:20:23 +0000

Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.

Potential Suspicious Child Process Of 3CXDesktopApp

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise

Potential Suspicious Mofcomp Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts

Potential Suspicious Windows Feature Enabled

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Potential Suspicious Windows Feature Enabled - ProcCreation

Tue, 28 Apr 2026 23:20:23 +0000

Potential Suspicious Winget Package Installation

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential suspicious winget package installation from a suspicious source.

Potential SysInternals ProcDump Evasion

Tue, 28 Apr 2026 23:20:23 +0000

Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name

Potential System DLL Sideloading From Non System Locations

Tue, 28 Apr 2026 23:20:23 +0000

Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64, etc.).

Potential Vcruntime140 DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library. Threat actors have been observed using DLL sideloading techniques to load malicious payloads under the guise of legitimate applications such as SqlWriter, SqlDumper etc. Notably, APT29 has been documented leveraging WinELOADER to sideload vcruntime140.dll for executing malicious code.

Potential Vivaldi_elf.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "vivaldi_elf.dll"

Potential Waveedit.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.

Potential Wazuh Security Platform DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL side loading of DLLs that are part of the Wazuh security platform

Potential WerFault ReflectDebugger Registry Value Abuse

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential WerFault "ReflectDebugger" registry value abuse for persistence.

Potential Winnti Dropper Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects files dropped by Winnti as described in RedMimicry Winnti playbook

Potential WWlib.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of "wwlib.dll"

Potentially Over Permissive Permissions Granted Using Dsacls.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of Dsacls to grant over permissive permissions

Potentially Suspicious ASP.NET Compilation Via AspNetCompiler

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.

Potentially Suspicious Cabinet File Expansion

Tue, 28 Apr 2026 23:20:23 +0000

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

Potentially Suspicious Child Process Of ClickOnce Application

Tue, 28 Apr 2026 23:20:23 +0000

Detects potentially suspicious child processes of a ClickOnce deployment application

Potentially Suspicious Child Process Of DiskShadow.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.

Potentially Suspicious Child Process of KeyScrambler.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects potentially suspicious child processes of KeyScrambler.exe

Potentially Suspicious Child Process Of Regsvr32

Tue, 28 Apr 2026 23:20:23 +0000

Detects potentially suspicious child processes of "regsvr32.exe".

Potentially Suspicious Child Process Of VsCode

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

Potentially Suspicious Child Processes Spawned by ConHost

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.

Potentially Suspicious CMD Shell Output Redirect

Tue, 28 Apr 2026 23:20:23 +0000

Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.

Potentially Suspicious DLL Registered Via Odbcconf.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.

Potentially Suspicious DMP/HDMP File Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.

Potentially Suspicious Execution From Parent Process In Public Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.

Potentially Suspicious Execution From Tmp Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects a potentially suspicious execution of a process located in the '/tmp/' folder

Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location

Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension

Tue, 28 Apr 2026 23:20:23 +0000

Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.

Potentially Suspicious File Download From ZIP TLD

Tue, 28 Apr 2026 23:20:23 +0000

Detects the download of a file with a potentially suspicious extension from a .zip top level domain.

Potentially Suspicious GoogleUpdate Child Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects potentially suspicious child processes of "GoogleUpdate.exe"

Potentially Suspicious Office Document Executed From Trusted Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.

Potentially Suspicious Ping/Copy Command Combination

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.

Potentially Suspicious Regsvr32 HTTP IP Pattern

Tue, 28 Apr 2026 23:20:23 +0000

Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.

Potentially Suspicious Regsvr32 HTTP/FTP Pattern

Tue, 28 Apr 2026 23:20:23 +0000

Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.

Potentially Suspicious Rundll32 Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities

Potentially Suspicious Rundll32.EXE Execution of UDL File

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.

Potentially Suspicious Self Extraction Directive File Created

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.

Potentially Suspicious Windows App Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution

Potentially Suspicious Wuauclt Network Connection

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.

PowerShell Base64 Encoded FromBase64String Cmdlet

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line

PowerShell Base64 Encoded Invoke Keyword

Tue, 28 Apr 2026 23:20:23 +0000

Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls

PowerShell Base64 Encoded Reflective Assembly Load

Tue, 28 Apr 2026 23:20:23 +0000

Detects base64 encoded .NET reflective loading of Assembly

PowerShell Base64 Encoded WMI Classes

Tue, 28 Apr 2026 23:20:23 +0000

Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.

PowerShell Console History Logs Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence

PowerShell Core DLL Loaded Via Office Application

Tue, 28 Apr 2026 23:20:23 +0000

Detects PowerShell core DLL being loaded by an Office Product

PowerShell Decompress Commands

Tue, 28 Apr 2026 23:20:23 +0000

A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.

PowerShell Deleted Mounted Share

Tue, 28 Apr 2026 23:20:23 +0000

Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation

Powershell Detect Virtualization Environment

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox

Powershell Executed From Headless ConHost Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.

PowerShell Logging Disabled Via Registry Key Tampering

Tue, 28 Apr 2026 23:20:23 +0000

Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging

PowerShell MSI Install via WindowsInstaller COM From Remote Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely. This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality. And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.

PowerShell Script Change Permission Via Set-Acl

Tue, 28 Apr 2026 23:20:23 +0000

Detects PowerShell execution to set the ACL of a file or a folder

PowerShell Set-Acl On Windows Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects PowerShell scripts to set the ACL to a file in the Windows folder

PowerShell ShellCode

Tue, 28 Apr 2026 23:20:23 +0000

Detects Base64 encoded Shellcode

Powershell Store File In Alternate Data Stream

Tue, 28 Apr 2026 23:20:23 +0000

Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.

Powershell Timestomp

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.

Powershell Token Obfuscation - Process Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

PowerShell WMI Win32_Product Install MSI

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class

Prefetch File Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence

PrintBrm ZIP Creation of Extraction

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.

Privileged Account Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a new admin is created.

Procdump Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the SysInternals Procdump utility

Process Access via TrolleyExpress Exclusion

Tue, 28 Apr 2026 23:20:23 +0000

Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory

Process Creation Using Sysnative Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)

Process Deletion of Its Own Executable

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.

Process Execution From A Potentially Suspicious Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects a potentially suspicious execution from an uncommon folder.

Process Launched Without Image Name

Tue, 28 Apr 2026 23:20:23 +0000

Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.

Process Memory Dump Via Comsvcs.DLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Process Memory Dump Via Dotnet-Dump

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.

Process Proxy Execution Via Squirrel.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Program Executed Using Proxy/Local Command Via SSH.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detect usage of the "ssh.exe" binary as a proxy to launch other programs.

Proxy Execution via Vshadow

Tue, 28 Apr 2026 23:20:23 +0000

Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits. VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag, attackers can leverage this parameter to proxy the execution of malware.

Proxy Execution Via Wuauclt.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

Ps.exe Renamed SysInternals Tool

Tue, 28 Apr 2026 23:20:23 +0000

Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report

PSScriptPolicyTest Creation By Uncommon Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of the "PSScriptPolicyTest" PowerShell script by an uncommon process. This file is usually generated by Microsoft Powershell to test against Applocker.

PUA - AdvancedRun Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of AdvancedRun utility

PUA - AdvancedRun Suspicious Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts

PUA - DefenderCheck Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.

PUA - Potential PE Metadata Tamper Using Rcedit

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

PUA - Process Hacker Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.

PUA - System Informer Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Publisher Attachment File Dropped In Suspicious Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents

Pubprn.vbs Proxy Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.

Python Image Load By Non-Python Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects the image load of "Python Core" by a non-Python process. This might be indicative of a execution of executable that has been bundled from Python code. Various tools like Py2Exe, PyInstaller, and cx_Freeze are used to bundle Python code into standalone executables. Threat actors often use these tools to bundle malicious Python scripts into executables, sometimes to obfuscate the code or to bypass security measures.

Python One-Liners with Base64 Decoding

Tue, 28 Apr 2026 23:20:23 +0000

Detects Python one-liners that use base64 decoding functions in command line executions. Malicious scripts or attackers often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.

Python One-Liners with Base64 Decoding - Linux

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of Python's base64 decoding functions in command line executions on Linux systems. Malicious scripts often use python one-liners to decode and execute base64-encoded payloads, which is a common technique for obfuscation and evasion.

Qakbot Regsvr32 Calc Pattern

Tue, 28 Apr 2026 23:20:23 +0000

Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot

Qakbot Rundll32 Exports Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.

Qakbot Rundll32 Fake DLL Extension Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.

Rare Remote Thread Creation By Uncommon Source Image

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon processes creating remote threads.

RedSun - Conhost.exe Spawned by TieringEngineService.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session. Observed process chain services.exe → TieringEngineService.exe → conhost.exe (SYSTEM, CommandLine: bare path, no arguments) → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session) Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe: After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId(). This opens \\.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then calls CreateProcessAsUser to spawn conhost.exe with no arguments. Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage): The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session. On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly. The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.

RedSun - Named Pipe Created

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a named pipe with the hardcoded name "REDSUN". The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain. RedSun creates the pipe as \\??\pipe\REDSUN. The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM. Presence of this pipe name indicates active or recent RedSun execution.

RedSun - TieringEngineService.exe Detected as EICAR Test File

Tue, 28 Apr 2026 23:20:23 +0000

Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool. RedSun works as follows: 1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\ 2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt 3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file 4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open 5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \\?\C:\Windows\System32 to the attacker-controlled temp path 6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges

RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe). RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain. The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage, making the combination of this path prefix and the TieringEngineService.exe filename a highly specific indicator of RedSun activity.

RegAsm.EXE Execution Without CommandLine Flags or Files

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity. Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.

RegAsm.EXE Initiating Network Connection To Public IP

Tue, 28 Apr 2026 23:20:23 +0000

Detects "RegAsm.exe" initiating a network connection to public IP adresses

REGISTER_APP.VBS Proxy Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.

Registry Modification for OCI DLL Redirection

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry modifications related to 'OracleOciLib' and 'OracleOciLibPath' under 'MSDTC' settings. Threat actors may modify these registry keys to redirect the loading of 'oci.dll' to a malicious DLL, facilitating phantom DLL hijacking via the MSDTC service.

Registry Persistence via Service in Safe Mode

Tue, 28 Apr 2026 23:20:23 +0000

Detects the modification of the registry to allow a driver or service to persist in Safe Mode.

Registry-Free Process Scope COR_PROFILER

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)

Regsvr32 DLL Execution With Suspicious File Extension

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of REGSVR32.exe with DLL files masquerading as other files

Regsvr32 DLL Execution With Uncommon Extension

Tue, 28 Apr 2026 23:20:23 +0000

Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.

Regsvr32 Execution From Highly Suspicious Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of regsvr32 where the DLL is located in a highly suspicious locations

Regsvr32 Execution From Potential Suspicious Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.

Remote Access Tool - NetSupport Execution From Unusual Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')

Remote Access Tool - Renamed MeshAgent Execution - MacOS

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.

Remote Access Tool - Renamed MeshAgent Execution - Windows

Tue, 28 Apr 2026 23:20:23 +0000

Remote Access Tool - RURAT Execution From Unusual Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')

Remote AppX Package Downloaded from File Sharing or CDN Domain

Tue, 28 Apr 2026 23:20:23 +0000

Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.

Remote CHM File Download/Execution Via HH.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.

Remote Code Execute via Winrm.vbs

Tue, 28 Apr 2026 23:20:23 +0000

Detects an attempt to execute code or create service on remote host via winrm.vbs.

Remote File Download Via Findstr.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.

Remote Thread Creation By Uncommon Source Image

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon processes creating remote threads.

Remote Thread Creation In Uncommon Target Image

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon target processes for remote thread creation

Remote Thread Creation Ttdinject.exe Proxy

Tue, 28 Apr 2026 23:20:23 +0000

Detects a remote thread creation of Ttdinject.exe used as proxy

Remote Thread Creation Via PowerShell In Uncommon Target

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a remote thread from a Powershell process in an uncommon target process

Remote XSL Execution Via Msxsl.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.

RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses

Tue, 28 Apr 2026 23:20:23 +0000

Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.

Remotely Hosted HTA File Executed Via Mshta.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file

Remove Exported Mailbox from Exchange Webserver

Tue, 28 Apr 2026 23:20:23 +0000

Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit

Remove Scheduled Cron Task/Job

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible

Renamed AutoHotkey.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of a renamed autohotkey.exe binary based on PE metadata fields

Renamed AutoIt Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.

Renamed BrowserCore.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)

Renamed CreateDump Utility Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory

Renamed CURL.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

Renamed FTP.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields

Renamed Jusched.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group

Renamed Mavinject.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag

Renamed MegaSync Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.

Renamed Microsoft Teams Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed Microsoft Teams binary.

Renamed Msdt.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed "Msdt.exe" binary

Renamed NetSupport RAT Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings

Renamed NirCmd.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.

Renamed Office Binary Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed office binary

Renamed PAExec Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of renamed version of PAExec. Often used by attackers

Renamed PingCastle Binary Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.

Renamed Plink Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed version of the Plink binary

Renamed Powershell Under Powershell Channel

Tue, 28 Apr 2026 23:20:23 +0000

Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.

Renamed ProcDump Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a renamed ProcDump executable. This often done by attackers or malware in order to evade defensive mechanisms.

Renamed Remote Utilities RAT (RURAT) Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of renamed Remote Utilities (RURAT) via Product PE header field

Renamed Schtasks Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks. One of the very common persistence techniques is schedule malicious tasks using schtasks.exe. Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.

Renamed Vmnat.exe Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects renamed vmnat.exe or portable version that can be used for DLL side-loading

Renamed ZOHO Dctask64 Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

Response File Execution Via Odbcconf.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.

Rhadamanthys Stealer Module Launch Via Rundll32.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023

Roles Activated Too Frequently

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when the same privilege role has multiple activations by the same user.

Roles Activation Doesn't Require MFA

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when a privilege role can be activated without performing mfa.

Roles Are Not Being Used

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when a user has been assigned a privilege role and are not using that role.

Roles Assigned Outside PIM

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.

Root Account Enable Via Dsenableroot

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to enable the root account via "dsenableroot"

Run PowerShell Script from ADS

Tue, 28 Apr 2026 23:20:23 +0000

Detects PowerShell script execution from Alternate Data Stream (ADS)

Rundll32 Execution With Uncommon DLL Extension

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of rundll32 with a command line that doesn't contain a common extension

Rundll32 Execution Without CommandLine Parameters

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity

Rundll32 InstallScreenSaver Execution

Tue, 28 Apr 2026 23:20:23 +0000

An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver

Rundll32 Internet Connection

Tue, 28 Apr 2026 23:20:23 +0000

Detects a rundll32 that communicates with public IP addresses

Rundll32 Spawned Via Explorer.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.

RunDLL32 Spawning Explorer

Tue, 28 Apr 2026 23:20:23 +0000

Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way

Rundll32 UNC Path Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects rundll32 execution where the DLL is located on a remote location (share)

RunMRU Registry Key Deletion

Tue, 28 Apr 2026 23:20:23 +0000

Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.

RunMRU Registry Key Deletion - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.

Scheduled Task Creation Masquerading as System Processes

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.

Scheduled Task Creation with Curl and PowerShell Execution Combo

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.

SCR File Write Event

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.

ScreenConnect - SlashAndGrab Exploitation Indicators

Tue, 28 Apr 2026 23:20:23 +0000

Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress

ScreenSaver Registry Key Set

Tue, 28 Apr 2026 23:20:23 +0000

Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl

Scripting/CommandLine Process Spawned Regsvr32

Tue, 28 Apr 2026 23:20:23 +0000

Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.

Sdiagnhost Calling Suspicious Child Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.

Self Extraction Directive File Created In Potentially Suspicious Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.

Sensitive File Dump Via Print.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the abuse of the Print.exe utility for credential harvesting which involves using Print.Exe to copy sensitive files such as ntds.dit, SAM, SECURITY, or SYSTEM from the Windows directory in order to extract credentials, locally or remotely.

Server Side Template Injection Strings

Tue, 28 Apr 2026 23:20:23 +0000

Detects SSTI attempts sent via GET requests in access logs

Service DACL Abuse To Hide Services Via Sc.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.

Service Registry Key Read Access Request

Tue, 28 Apr 2026 23:20:23 +0000

Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.

Service Registry Permissions Weakness Check

Tue, 28 Apr 2026 23:20:23 +0000

Service Security Descriptor Tampering Via Sc.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detection of sc.exe utility adding a new service with special permission which hides that service.

SES Identity Has Been Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities

Set Suspicious Files as System Files Using Attrib.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs

Setup16.EXE Execution With Custom .Lst File

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.

Shell32 DLL Execution in Suspicious Directory

Tue, 28 Apr 2026 23:20:23 +0000

Detects shell32.dll executing a DLL in a suspicious directory

Sign-in Failure Due to Conditional Access Requirements Not Met

Tue, 28 Apr 2026 23:20:23 +0000

Define a baseline threshold for failed sign-ins due to Conditional Access failures

Sign-ins by Unknown Devices

Tue, 28 Apr 2026 23:20:23 +0000

Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.

Sign-ins from Non-Compliant Devices

Tue, 28 Apr 2026 23:20:23 +0000

Monitor and alert for sign-ins where the device was non-compliant.

Silenttrinity Stager Msbuild Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects a possible remote connections to Silenttrinity c2

Small Sieve Malware CommandLine Indicator

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific command line argument being passed to a binary as seen being used by the malware Small Sieve.

Small Sieve Malware File Indicator Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.

Sofacy Trojan Loader Activity

Tue, 28 Apr 2026 23:20:23 +0000

Detects Trojan loader activity as used by APT28

Space After Filename - macOS

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.

SQL Client Tools PowerShell Session Detection

Tue, 28 Apr 2026 23:20:23 +0000

This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Stale Accounts In A Privileged Role

Tue, 28 Apr 2026 23:20:23 +0000

Identifies when an account hasn't signed in during the past n number of days.

Start of NT Virtual DOS Machine

Tue, 28 Apr 2026 23:20:23 +0000

Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications

Steganography Extract Files with Steghide

Tue, 28 Apr 2026 23:20:23 +0000

Detects extraction of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.

Steganography Hide Files with Steghide

Tue, 28 Apr 2026 23:20:23 +0000

Detects embedding of files with usage of steghide binary, the adversaries may use this technique to prevent the detection of hidden information.

Steganography Hide Zip Information in Picture File

Tue, 28 Apr 2026 23:20:23 +0000

Detects appending of zip file to image

Steganography Unzip Hidden Information From Picture File

Tue, 28 Apr 2026 23:20:23 +0000

Detects extracting of zip file from image file

Successful Authentications From Countries You Do Not Operate Out Of

Tue, 28 Apr 2026 23:20:23 +0000

Detect successful authentications from countries you do not operate out of.

Suspect Svchost Activity

Tue, 28 Apr 2026 23:20:23 +0000

It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.

Suspicious Advpack Call Via Rundll32.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function

Suspicious AgentExecutor PowerShell Execution

Tue, 28 Apr 2026 23:20:23 +0000

Suspicious BitLocker Access Agent Update Utility Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.

Suspicious Browser Activity

Tue, 28 Apr 2026 23:20:23 +0000

Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser

Suspicious Cabinet File Execution Via Msdt.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190

Suspicious Calculator Usage

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.

Suspicious Child Process Created as System

Tue, 28 Apr 2026 23:20:23 +0000

Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts

Suspicious Child Process of AspNetCompiler

Tue, 28 Apr 2026 23:20:23 +0000

Detects potentially suspicious child processes of "aspnet_compiler.exe".

Suspicious Child Process Of BgInfo.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

Suspicious Child Process Of Wermgr.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

Suspicious CodePage Switch Via CHCP

Tue, 28 Apr 2026 23:20:23 +0000

Detects a code page switch in command line or batch scripts to a rare language

Suspicious Computer Account Name Change CVE-2021-42287

Tue, 28 Apr 2026 23:20:23 +0000

Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

Suspicious Computer Machine Password by PowerShell

Tue, 28 Apr 2026 23:20:23 +0000

The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.

Suspicious Control Panel DLL Load

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits

Suspicious Copy From or To System Directory

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.

Suspicious Creation with Colorcpl

Tue, 28 Apr 2026 23:20:23 +0000

Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\

Suspicious Csi.exe Usage

Tue, 28 Apr 2026 23:20:23 +0000

Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'

Suspicious CustomShellHost Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.

Suspicious Diantz Alternate Data Stream Execution

Tue, 28 Apr 2026 23:20:23 +0000

Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.

Suspicious Digital Signature Of AppX Package

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of AppX packages with known suspicious or malicious signature

Suspicious DLL Loaded via CertOC.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user installs certificates by using CertOC.exe to load the target DLL file.

Suspicious DotNET CLR Usage Log Artifact

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.

Suspicious Double Extension Files

Tue, 28 Apr 2026 23:20:23 +0000

Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.

Suspicious Download From Direct IP Via Bitsadmin

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of bitsadmin downloading a file using an URL that contains an IP

Suspicious Download From File-Sharing Website Via Bitsadmin

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of bitsadmin downloading a file from a suspicious domain

Suspicious Download Via Certutil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of certutil with certain flags that allow the utility to download files.

Suspicious Driver/DLL Installation Via Odbcconf.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.

Suspicious DumpMinitool Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious ways to use the "DumpMinitool.exe" binary

Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"

Suspicious Environment Variable Has Been Registered

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings

Suspicious Executable File Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detect creation of suspicious executable file names. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.

Suspicious Execution of InstallUtil Without Log

Tue, 28 Apr 2026 23:20:23 +0000

Uses the .NET InstallUtil.exe application in order to execute image without log

Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix

Tue, 28 Apr 2026 23:20:23 +0000

Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.

Suspicious Extrac32 Alternate Data Stream Execution

Tue, 28 Apr 2026 23:20:23 +0000

Extract data from cab file and hide it in an alternate data stream

Suspicious File Created by ArcSOC.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.

Suspicious File Created Via OneNote Application

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild

Suspicious File Creation Activity From Fake Recycle.Bin Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware

Suspicious File Creation In Uncommon AppData Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs

Suspicious File Download From File Sharing Websites - File Stream

Tue, 28 Apr 2026 23:20:23 +0000

Detects the download of suspicious file type from a well-known file and paste sharing domain

Suspicious File Downloaded From Direct IP Via Certutil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.

Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.

Suspicious File Encoded To Base64 Via Certutil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious

Suspicious Filename with Embedded Base64 Commands

Tue, 28 Apr 2026 23:20:23 +0000

Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.

Suspicious Files in Default GPO Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder

Suspicious Get-Variable.exe Creation

Tue, 28 Apr 2026 23:20:23 +0000

Get-Variable is a valid PowerShell cmdlet WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.

Suspicious GUP Usage

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks

Suspicious HH.EXE Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Suspicious High IntegrityLevel Conhost Legacy Option

Tue, 28 Apr 2026 23:20:23 +0000

ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.

Suspicious Hyper-V Cmdlets

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may carry out malicious operations using a virtual instance to avoid detection

Suspicious IIS URL GlobalRules Rewrite Via AppCmd

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.

Suspicious Inbox Manipulation Rules

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious rules that delete or move messages or folders are set on a user's inbox.

Suspicious IO.FileStream

Tue, 28 Apr 2026 23:20:23 +0000

Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.

Suspicious JavaScript Execution Via Mshta.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of javascript code using "mshta.exe".

Suspicious LNK Double Extension File Created

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of files with an "LNK" as a second extension. This is sometimes used by malware as a method to abuse the fact that Windows hides the "LNK" extension by default.

Suspicious Login Activity Classified By Google

Tue, 28 Apr 2026 23:20:23 +0000

Detects Google Workspace login activity that's classified as suspicious by Google.

Suspicious Microsoft Office Child Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)

Suspicious Msbuild Execution By Uncommon Parent Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process

Suspicious MSDT Parent Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation

Suspicious MSHTA Child Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution

Suspicious MsiExec Embedding Parent

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads

Suspicious Msiexec Execute Arbitrary DLL

Tue, 28 Apr 2026 23:20:23 +0000

Suspicious Msiexec Quiet Install From Remote Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of Msiexec.exe to install packages hosted remotely quietly

Suspicious Network Connection Binary No CommandLine

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious network connections made by a well-known Windows binary run with no command line parameters

Suspicious Obfuscated PowerShell Code

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines

Suspicious Parent Double Extension File Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detect execution of suspicious double extension files in ParentCommandLine

Suspicious Ping/Del Command Combination

Tue, 28 Apr 2026 23:20:23 +0000

Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example

Suspicious Powercfg Execution To Change Lock Screen Timeout

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout

Suspicious PowerShell Invocations - Specific - ProcessCreation

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious PowerShell invocation command parameters

Suspicious PowerShell WindowStyle Option

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden

Suspicious Printer Driver Empty Manufacturer

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious printer driver installation with an empty Manufacturer value

Suspicious Process Execution From Fake Recycle.Bin Folder

Tue, 28 Apr 2026 23:20:23 +0000

Detects process execution from a fake recycle bin folder, often used to avoid security solution.

Suspicious Process Masquerading As SvcHost.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.

Suspicious Process Parents

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious parent processes that should not have any children or should only have a single possible child program

Suspicious Process Start Locations

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious process run from unusual locations

Suspicious Provlaunch.EXE Child Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

Suspicious Regsvr32 Execution From Remote Share

Tue, 28 Apr 2026 23:20:23 +0000

Detects REGSVR32.exe to execute DLL hosted on remote shares

Suspicious Remote Child Process From Outlook

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

Suspicious Remote Logon with Explicit Credentials

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious processes logging on with explicit credentials

Suspicious Response File Execution Via Odbcconf.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.

Suspicious Rundll32 Activity Invoking Sys File

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452

Suspicious Rundll32 Execution With Image Extension

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of Rundll32.exe with DLL files masquerading as image files

Suspicious Rundll32 Invoking Inline VBScript

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452

Suspicious Rundll32 Setupapi.dll Activity

Tue, 28 Apr 2026 23:20:23 +0000

setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.

Suspicious Runscripthelper.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of powershell scripts via Runscripthelper.exe

Suspicious Scheduled Task Creation via Masqueraded XML File

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence

Suspicious Service Binary Directory

Tue, 28 Apr 2026 23:20:23 +0000

Detects a service binary running in a suspicious directory

Suspicious Service DACL Modification Via Set-Service Cmdlet - PS

Tue, 28 Apr 2026 23:20:23 +0000

Suspicious Set Value of MSDT in Registry (CVE-2022-30190)

Tue, 28 Apr 2026 23:20:23 +0000

Detects set value ms-msdt MSProtocol URI scheme in Registry that could be an attempt to exploit CVE-2022-30190.

Suspicious ShellExec_RunDLL Call Via Ordinal

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.

Suspicious SignIns From A Non Registered Device

Tue, 28 Apr 2026 23:20:23 +0000

Detects risky authentication from a non AD registered device without MFA being required.

Suspicious Space Characters in RunMRU Registry Path - ClickFix

Tue, 28 Apr 2026 23:20:23 +0000

Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using clickfix techniques to hide malicious commands in the Windows Run dialog box from naked eyes.

Suspicious Space Characters in TypedPaths Registry Path - FileFix

Tue, 28 Apr 2026 23:20:23 +0000

Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.

Suspicious Speech Runtime Binary Child Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious Speech Runtime Binary Execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.

Suspicious Splwow64 Without Params

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious Splwow64.exe process without any command line parameters

Suspicious Start-Process PassThru

Tue, 28 Apr 2026 23:20:23 +0000

Powershell use PassThru option to start in background

Suspicious SYSTEM User Process Creation

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)

Suspicious Unsigned Thor Scanner Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects loading and execution of an unsigned thor scanner binary.

Suspicious Usage of For Loop with Recursive Directory Search in CMD

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious lnk files.

Suspicious Usage Of ShellExec_RunDLL

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack

Suspicious Use of CSharp Interactive Console

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of CSharp interactive console by PowerShell

Suspicious Userinit Child Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious child process of userinit

Suspicious Vsls-Agent Command With AgentExtensionPath Load

Tue, 28 Apr 2026 23:20:23 +0000

Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter

Suspicious Windows Update Agent Empty Cmdline

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags

Suspicious WMIC Execution Via Office Process

Tue, 28 Apr 2026 23:20:23 +0000

Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).

Suspicious WmiPrvSE Child Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious and uncommon child processes of WmiPrvSE

Suspicious Wordpad Outbound Connections

Tue, 28 Apr 2026 23:20:23 +0000

Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. This might indicate potential process injection activity from a beacon or similar mechanisms.

Suspicious Workstation Locking via Rundll32

Tue, 28 Apr 2026 23:20:23 +0000

Detects a suspicious call to the user32.dll function that locks the user workstation

Suspicious XOR Encoded PowerShell Command

Tue, 28 Apr 2026 23:20:23 +0000

Detects presence of a potentially xor encoded powershell command

Suspicious ZipExec Execution

Tue, 28 Apr 2026 23:20:23 +0000

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

SyncAppvPublishingServer Bypass Powershell Restriction - PS Module

Tue, 28 Apr 2026 23:20:23 +0000

Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.

SyncAppvPublishingServer Execute Arbitrary PowerShell Code

Tue, 28 Apr 2026 23:20:23 +0000

Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.

SyncAppvPublishingServer Execution to Bypass Powershell Restriction

Tue, 28 Apr 2026 23:20:23 +0000

Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.

SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code

Tue, 28 Apr 2026 23:20:23 +0000

Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs

Sysinternals Tools AppX Versions Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.

Sysmon Configuration Error

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages

Sysmon Configuration Modification

Tue, 28 Apr 2026 23:20:23 +0000

Detects when an attacker tries to hide from Sysmon by disabling or stopping it

Sysmon Driver Unloaded Via Fltmc.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects possible Sysmon filter driver unloaded via fltmc.exe

System Control Panel Item Loaded From Uncommon Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.

System File Execution Location Anomaly

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.

System Information Discovery Using System_Profiler

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.

System Information Discovery Via Sysctl - MacOS

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.

TAIDOOR RAT DLL Load

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific process characteristics of Chinese TAIDOOR RAT malware load

Taskmgr as LOCAL_SYSTEM

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM

Tasks Folder Evasion

Tue, 28 Apr 2026 23:20:23 +0000

The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr

TeamViewer Log File Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence

Temporary Access Pass Added To An Account

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated

Terminal Server Client Connection History Cleared - Registry

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of registry keys containing the MSTSC connection history

Third Party Software DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects DLL sideloading of DLLs that are part of third party software (zoom, discord....etc)

Time Travel Debugging Utility Usage

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Time Travel Debugging Utility Usage - Image

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Tomcat WebServer Logs Deleted

Tue, 28 Apr 2026 23:20:23 +0000

Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence

Too Many Global Admins

Tue, 28 Apr 2026 23:20:23 +0000

Identifies an event where there are there are too many accounts assigned the Global Administrator role.

Touch Suspicious Service File

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the "touch" process in service file.

Triple Cross eBPF Rootkit Default LockFile

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.

Triple Cross eBPF Rootkit Execve Hijack

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges

Triple Cross eBPF Rootkit Install Commands

Tue, 28 Apr 2026 23:20:23 +0000

Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script

Troubleshooting Pack Cmdlet Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)

Trusted Path Bypass via Windows Directory Spoofing

Tue, 28 Apr 2026 23:20:23 +0000

Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification. This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.

Turla Group Commands May 2020

Tue, 28 Apr 2026 23:20:23 +0000

Detects commands used by Turla group as reported by ESET in May 2020

UAC Bypass Using Event Viewer RecentViews

Tue, 28 Apr 2026 23:20:23 +0000

Detects the pattern of UAC Bypass using Event Viewer RecentViews

UAC Bypass Using EventVwr

Tue, 28 Apr 2026 23:20:23 +0000

Detects the pattern of a UAC bypass using Windows Event Viewer

UAC Bypass With Fake DLL

Tue, 28 Apr 2026 23:20:23 +0000

Attempts to load dismcore.dll after dropping it

UEFI Persistence Via Wpbbin - FileCreation

Tue, 28 Apr 2026 23:20:23 +0000

Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method

UEFI Persistence Via Wpbbin - ProcessCreation

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section

Unauthorized System Time Modification

Tue, 28 Apr 2026 23:20:23 +0000

Detect scenarios where a potentially unauthorized application or user is modifying the system time.

UNC4841 - Barracuda ESG Exploitation Indicators

Tue, 28 Apr 2026 23:20:23 +0000

Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.

UNC4841 - Download Compressed Files From Temp.sh Using Wget

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.

UNC4841 - Download Tar File From Untrusted Direct IP Via Wget

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.

UNC4841 - Email Exfiltration File Pattern

Tue, 28 Apr 2026 23:20:23 +0000

Detects filename pattern of email related data used by UNC4841 for staging and exfiltration

UNC4841 - SSL Certificate Exfiltration Via Openssl

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.

Uncommon Assistive Technology Applications Execution Via AtBroker.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".

Uncommon AddinUtil.EXE CommandLine Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.

Uncommon Child Process Of AddinUtil.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.

Uncommon Child Process Of Appvlp.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon child processes of Appvlp.EXE Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.

Uncommon Child Process Of BgInfo.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

Uncommon Child Process Of Conhost.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

Uncommon Child Process Of Defaultpack.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs

Uncommon Child Process Of Setres.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.

Uncommon Child Process Spawned By Odbcconf.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.

Uncommon File Creation By Mysql Daemon Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects the creation of files with scripting or executable extensions by Mysql daemon. Which could be an indicator of "User Defined Functions" abuse to download malware.

Uncommon FileSystem Load Attempt By Format.com

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.

Uncommon Link.EXE Parent Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects an uncommon parent process of "LINK.EXE". Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation. Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity. This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location. By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.

Uncommon Process Access Rights For Target Image

Tue, 28 Apr 2026 23:20:23 +0000

Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.

Uncommon Sigverif.EXE Child Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.

Uncommon Svchost Command Line Parameter

Tue, 28 Apr 2026 23:20:23 +0000

Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns. This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.

Uncommon Svchost Parent Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects an uncommon svchost parent process

Unfamiliar Sign-In Properties

Tue, 28 Apr 2026 23:20:23 +0000

Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.

Unmount Share Via Net.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation

Unsigned .node File Loaded

Tue, 28 Apr 2026 23:20:23 +0000

Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.

Unsigned AppX Installation Attempt Using Add-AppxPackage

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript

Tue, 28 Apr 2026 23:20:23 +0000

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Unsigned Binary Loaded From Suspicious Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations

Unsigned DLL Loaded by Windows Utility

Tue, 28 Apr 2026 23:20:23 +0000

Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.

Unsigned Mfdetours.DLL Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.

Unsigned Module Loaded by ClickOnce Application

Tue, 28 Apr 2026 23:20:23 +0000

Detects unsigned module load by ClickOnce application.

Unusual File Download from Direct IP Address

Tue, 28 Apr 2026 23:20:23 +0000

Detects the download of suspicious file type from URLs with IP

Unusual File Download From File Sharing Websites - File Stream

Tue, 28 Apr 2026 23:20:23 +0000

Detects the download of suspicious file type from a well-known file and paste sharing domain

Use Icacls to Hide File to Everyone

Tue, 28 Apr 2026 23:20:23 +0000

Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files

Use NTFS Short Name in Command Line

Tue, 28 Apr 2026 23:20:23 +0000

Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection

Use NTFS Short Name in Image

Tue, 28 Apr 2026 23:20:23 +0000

Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection

Use Of Hidden Paths Or Files

Tue, 28 Apr 2026 23:20:23 +0000

Detects calls to hidden files or files located in hidden directories in NIX systems.

Use of Legacy Authentication Protocols

Tue, 28 Apr 2026 23:20:23 +0000

Alert on when legacy authentication has been used on an account

Use of Remote.exe

Tue, 28 Apr 2026 23:20:23 +0000

Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.

Use of Scriptrunner.exe

Tue, 28 Apr 2026 23:20:23 +0000

The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting

Use Of The SFTP.EXE Binary As A LOLBIN

Tue, 28 Apr 2026 23:20:23 +0000

Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag

Use of TTDInject.exe

Tue, 28 Apr 2026 23:20:23 +0000

Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)

Use of VisualUiaVerifyNative.exe

Tue, 28 Apr 2026 23:20:23 +0000

VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.

Use of VSIISExeLauncher.exe

Tue, 28 Apr 2026 23:20:23 +0000

The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries

Use of Wfc.exe

Tue, 28 Apr 2026 23:20:23 +0000

The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.

Use Short Name Path in Image

Tue, 28 Apr 2026 23:20:23 +0000

Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection

User Access Blocked by Azure Conditional Access

Tue, 28 Apr 2026 23:20:23 +0000

Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.

User Added To Admin Group Via Dscl

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to create and add an account to the admin group via "dscl"

User Added To Admin Group Via DseditGroup

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.

User Added To Admin Group Via Sysadminctl

Tue, 28 Apr 2026 23:20:23 +0000

Detects attempts to create and add an account to the admin group via "sysadminctl"

User Added to an Administrator's Azure AD Role

Tue, 28 Apr 2026 23:20:23 +0000

User Added to an Administrator's Azure AD Role

User Added to Local Administrator Group

Tue, 28 Apr 2026 23:20:23 +0000

Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity

User Added To Privilege Role

Tue, 28 Apr 2026 23:20:23 +0000

Detects when a user is added to a privileged role.

User State Changed From Guest To Member

Tue, 28 Apr 2026 23:20:23 +0000

Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.

Users Added to Global or Device Admin Roles

Tue, 28 Apr 2026 23:20:23 +0000

Monitor and alert for users added to device admin roles.

Users Authenticating To Other Azure AD Tenants

Tue, 28 Apr 2026 23:20:23 +0000

Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.

Using SettingSyncHost.exe as LOLBin

Tue, 28 Apr 2026 23:20:23 +0000

Detects using SettingSyncHost.exe to run hijacked binary

UtilityFunctions.ps1 Proxy Dll

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.

Verclsid.exe Runs COM Object

Tue, 28 Apr 2026 23:20:23 +0000

Detects when verclsid.exe is used to run COM object via GUID

Virtualbox Driver Installation or Starting of VMs

Tue, 28 Apr 2026 23:20:23 +0000

Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.

Visual Basic Command Line Compiler Usage

Tue, 28 Apr 2026 23:20:23 +0000

Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.

Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary

Visual Studio NodejsTools PressAnyKey Renamed Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries

VMGuestLib DLL Sideload

Tue, 28 Apr 2026 23:20:23 +0000

Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service.

VMMap Signed Dbghelp.DLL Potential Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of a signed dbghelp.dll by the Sysinternals VMMap.

VMMap Unsigned Dbghelp.DLL Potential Sideloading

Tue, 28 Apr 2026 23:20:23 +0000

Detects potential DLL sideloading of an unsigned dbghelp.dll by the Sysinternals VMMap.

Wab Execution From Non Default Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity

Wab/Wabmig Unusual Parent Or Child Processes

Tue, 28 Apr 2026 23:20:23 +0000

Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity

Weak or Abused Passwords In CLI

Tue, 28 Apr 2026 23:20:23 +0000

Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline

Win Susp Computer Name Containing Samtheadmin

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool

Windows Binaries Write Suspicious Extensions

Tue, 28 Apr 2026 23:20:23 +0000

Detects Windows executables that write files with suspicious extensions

Windows Binary Executed From WSL

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships

Windows Kernel Debugger Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of the Windows Kernel Debugger "kd.exe".

Windows MSIX Package Support Framework AI_STUBS Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'. This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.

Windows Processes Suspicious Parent Directory

Tue, 28 Apr 2026 23:20:23 +0000

Detect suspicious parent processes of well-known Windows processes

Windows Service Terminated With Error

Tue, 28 Apr 2026 23:20:23 +0000

Detects Windows services that got terminated for whatever reason

Windows Shell/Scripting Processes Spawning Suspicious Programs

Tue, 28 Apr 2026 23:20:23 +0000

Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.

Windows Spooler Service Suspicious Binary Load

Tue, 28 Apr 2026 23:20:23 +0000

Detect DLL Load from Spooler Service backup folder. This behavior has been observed during the exploitation of the Print Spooler Vulnerability CVE-2021-1675 and CVE-2021-34527 (PrinterNightmare).

Winnti Malware HK University Campaign

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Honk Kong universities

Winnti Pipemon Characteristics

Tue, 28 Apr 2026 23:20:23 +0000

Detects specific process characteristics of Winnti Pipemon malware reported by ESET

Winrs Local Command Execution

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.

Wlrmdr.EXE Uncommon Argument Or Child Process

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.

WMIC Loading Scripting Libraries

Tue, 28 Apr 2026 23:20:23 +0000

Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc). It could be an indicator of SquiblyTwo technique, which uses Windows Management Instrumentation (WMI) to execute malicious code.

Writing Of Malicious Files To The Fonts Folder

Tue, 28 Apr 2026 23:20:23 +0000

Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.

WSL Child Process Anomaly

Tue, 28 Apr 2026 23:20:23 +0000

Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL

WSL Kali-Linux Usage

Tue, 28 Apr 2026 23:20:23 +0000

Detects the use of Kali Linux through Windows Subsystem for Linux

XBAP Execution From Uncommon Locations Via PresentationHost.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL

XSL Script Execution Via WMIC.EXE

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.

Xwizard.EXE Execution From Non-Default Location

Tue, 28 Apr 2026 23:20:23 +0000

Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".

ZxShell Malware

Tue, 28 Apr 2026 23:20:23 +0000

Detects a ZxShell start by the called and well-known function name