Looks for network connections from notepad. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

Read More

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

Read More

Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.

Read More

Detects the creation of a named pipe as used by CobaltStrike

Read More

Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles

Read More

Detects the pattern of a pipe name as used by the hacktool EfsPotato

Read More

Detects the creation of a named pipe seen used by known APTs or malware.

Read More

Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances

Read More

Detects potential Dridex acitvity via specific process patterns

Read More

Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.

Read More

Detects instances of PowerShell accessing any other processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects processes running without command lines, which can indicate process injection. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects notepad making network connections, a potential process injection signal. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects uncommon processes creating remote threads

Read More

Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

Read More

Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)

Read More

It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.

Read More

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

Read More

Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics

Read More

Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452

Read More

Detects the use of the Dinject PowerShell cradle based on the specific flags

Read More

Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro

Read More

Detects Base64 encoded Shellcode

Read More

Detects a suspicious child process of userinit

Read More

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Read More

Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject

Read More

Looks for process access activity where PowerShell is accessing any other processes. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for process execution with no command line arguments, which may indicate process injection. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

Read More

Detects suspicious network connection by Notepad

Read More

This rule detects suspicious files created by Microsoft Sync Center (mobsync)

Read More