Detects the creation of a scheduled task using the "-XML" flag with a file that lacks the '.xml' extension. This behavior could indicate a defense evasion attempt during persistence.
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
Detects an uncommon svchost parent process
Detects suspicious parent processes of well-known Windows processes
Detects the copying of suspicious files (EXE/DLL) to the default GPO storage folder
Detects Winword starting the uncommon sub-process MicroScMgmt.exe, as used in exploits for CVE-2015-1641
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
Detects binaries used by the Lazarus group which use system process names but are executed and launched from a non-default location
Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
Detects the execution of msiexec.exe from an uncommon directory
Detects a flashplayer update from an unofficial location
Looks for the execution of svchost without the normal -k parameter. Inspired by the 2022 Red Canary Threat Detection report.