Detects a Python process initiating a network connection. While this often relates to package installation, it can also indicate a potential malicious script communicating with a C&C server.
WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz.
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
Detects the use of Advanced Port Scanner.
Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation.
Detects command-line keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
Detects scriptblock text keywords indicative of potential usage of the tool WinPwn, a tool for Windows and Active Directory reconnaissance and exploitation.
Detects execution of network scanning and reconnaissance tools. These tools can be used, for example, for the enumeration of local or remote network services.
Detects enumeration of local or remote network services.
Detects many failed connection attempts to different ports or hosts.