Detects usage of bitsadmin downloading a file to a suspicious target folder

Detects usage of bitsadmin downloading a file with a suspicious extension

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

Detect suspicious parent processes of well-known Windows processes

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Detects the execution of a renamed ProcDump executable often used by attackers or malware

Detects usage of bitsadmin downloading a file

Detects usage of bitsadmin downloading a file to uncommon target folder

Detects usage of bitsadmin downloading a file using an URL that contains an IP

Detects usage of bitsadmin downloading a file from a suspicious domain

Detects the execution of a renamed "Msdt.exe" binary

Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)

Detects a suspicious copy operation that tries to copy a program from a system (System32 or SysWOW64) directory to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations

Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images lcoations to stage currently used files for rename after reboot.

Powershell use PassThru option to start in background

Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.