Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods. System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names. Attackers can use this fact and name their backdoor pods as if they were created by these controllers to avoid detection. Deployment of such a backdoor container e.g. named kube-proxy-bv61v, could be attempted in the kube-system namespace alongside the other administrative containers.

Read More

Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641

Read More

Detects the creation of a file with the ".dll" extension that has the name of a System DLL in uncommon or unsuspected locations. (Outisde of "System32", "SysWOW64", etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Read More

Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.). It is highly recommended to perform an initial baseline before using this rule in production.

Read More

Detects a flashplayer update from an unofficial location

Read More

Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec

Read More

Detects binaries used by the Lazarus group which use system names but are executed and launched from non-default location

Read More

Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.

Read More

Detects the execution of msiexec.exe from an uncommon directory

Read More

Detects two stages of the RedSun post-exploitation process chain that deliver a SYSTEM-level shell to the attacker's interactive session. Observed process chain services.exe → TieringEngineService.exe → conhost.exe (SYSTEM, CommandLine: bare path, no arguments) → cmd.exe / shell (SYSTEM, TerminalSessionId = attacker's session)

Stage 1 — TieringEngineService.exe spawns argument-less conhost.exe: After winning the oplock + Cloud Files mount point race, the malicious TieringEngineService.exe (RedSun.exe copied to System32, started via CoCreateInstance / services.exe) detects it is NT AUTHORITY\SYSTEM and calls LaunchConsoleInSessionId(). This opens \.\pipe\REDSUN, reads the attacker's session ID, duplicates the SYSTEM token, re-stamps it with that session ID via SetTokenInformation(TokenSessionId), then calls CreateProcessAsUser to spawn conhost.exe with no arguments.

Stage 2 — Shell spawned from rogue conhost.exe (EDR sources with GrandParentImage): The rogue SYSTEM conhost.exe spawns a shell (cmd.exe, PowerShell, etc.) as SYSTEM in the attacker's interactive session. On EDR sources that expose GrandParentImage, the full three-level chain (TieringEngineService.exe → conhost.exe → shell) can be matched directly. The legitimate TieringEngineService.exe is a headless COM server that is unlikely to spawn conhost.exe under normal conditions.

Read More

Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present. This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool.

RedSun works as follows:

1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \?\C:\Windows\System32 to the attacker-controlled temp path
6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges

Read More

Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe). RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.

The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage, making the combination of this path prefix and the TieringEngineService.exe filename a highly specific indicator of RedSun activity.

Read More

Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.

Read More

Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.

Read More

Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder

Read More

Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.

Read More

Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence

Read More

Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns. This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.

Read More

Detects an uncommon svchost parent process

Read More

Detects the loading of unsigned .node files. Adversaries may abuse a lack of .node integrity checking to execute arbitrary code inside of trusted applications such as Slack. .node files are native add-ons for Electron-based applications, which are commonly used for desktop applications like Slack, Discord, and Visual Studio Code. This technique has been observed in the DripLoader malware, which uses unsigned .node files to load malicious native code into Electron applications.

Read More

Detect suspicious parent processes of well-known Windows processes

Read More

Looks for the execution of svchost without the normal -k parameter. Inspired by the 2022 Red Canary Threat Detection report.

Read More