Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"

Detects suspicious ways to use the "DumpMinitool.exe" binary

Detects uses of the createdump.exe LOLOBIN utility to dump process memory

Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline

Detects a code page switch in command line or batch scripts to a rare language

Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"

Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

Detects a Windows program executable started from a suspicious folder

Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM

Detects the creation of a process from Windows task manager

Detects usage of the SysInternals Procdump utility

HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe

Detects suspicious process run from unusual locations

Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory

Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation

Detects suspicious use of XORDump process memory dumping utility

Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation

Detects the execution of a renamed version of the Plink binary

Detects a suspicious execution from an uncommon folder

Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion

Detects Bumblebee WmiPrvSE parent process manipulation

Detects possible bypass EDR and SIEM via abnormal user account name.

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)