Detects the creation of a scheduled task using the "-XML" flag with a file that does not have the '.xml' extension. This behavior could indicate a defense evasion attempt during persistence.
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
Detects suspicious parent processes of well-known Windows processes
Detects a suspicious svchost process start
Detects the execution of msiexec.exe from an uncommon directory
Detects a flashplayer update from an unofficial location
Detects the creation of a copy of suspicious files (EXE/DLL) in the default GPO storage folder