Detects uses of the createdump.exe LOLOBIN utility to dump process memory

Read More

Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"

Read More

Detects suspicious use of XORDump process memory dumping utility

Read More

Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name

Read More

Detects usage of the SysInternals Procdump utility

Read More

Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory

Read More

Detects suspicious ways to use the "DumpMinitool.exe" binary

Read More

Detects Bumblebee WmiPrvSE parent process manipulation

Read More

Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)

Read More

Detects the renaming of an existing computer account to a account name that doesn't contain a $ symbol as seen in attacks against CVE-2021-42287

Read More

Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

Read More

Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware.

Read More

Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.

Read More

Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.

Read More

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

Read More

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

Read More

Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"

Read More

Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

Read More

Detects suspicious interactive bash as a parent to rather uncommon child processes

Read More

Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.

Read More

Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC

Read More

Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.

Read More

Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline

Read More

HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe

Read More

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Read More

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Read More

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we are also able to catch cases in which the attacker has renamed the procdump executable.

Read More

Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow

Read More

Detects a potentially suspicious execution of a process located in the '/tmp/' folder

Read More

Detects a potentially suspicious execution from an uncommon folder.

Read More

Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

Read More

Detects the execution of a renamed version of the Plink binary

Read More

Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.

Read More

Detects a code page switch in command line or batch scripts to a rare language

Read More

Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation

Read More

Detects suspicious parent processes that should not have any children or should only have a single possible child program

Read More

Detects suspicious process run from unusual locations

Read More

Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags

Read More

Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.

Read More

Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM

Read More

Detects Windows executables that write files with suspicious extensions

Read More

Detects powershell command lines used with a process name besides powershell. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects instances where the powershell process is renamed to notepad for defense evasion. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects execution of JavaScript (.js) files located in the AppData folder. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.

Read More

Detects Windows scripting host executing JavaScript files with MS-DOS shortname formatting, a technique associated with Gootloader. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects process creation utilizing double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects the presence of the u202+E character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used in obfuscation and masquerading techniques.

Read More

Detects the suspicious use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.

Read More

Detects the suspicious child use of shell or scripting interpreter to create a file ending in exe.

Read More

Detects creation of files potentially matching attempts to copy executables to temporary directories to hide usage.

Read More

Detects process creations where the Image does not have a .exe file extension.

Read More

Looks for the execution of svchost without the normal -k parameter. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for the execution of powershell renamed as Notepad.exe. Inspired by the 2022 Red Canary Threat Detection report.

Read More