Detecting the command FlawedGrace is using for the purpose of injecting into it the spawned process, in this case the cmd.exe process.

Read More

Detects the execution of more.com and vbc.exe in the process tree. This behavior was observed by a set of samples related to Lummac Stealer. The Lummac payload is injected into the vbc.exe process.

Read More

Detects the use of CoercedPotato, a tool for privilege escalation

Read More

Detects the pattern of a pipe name as used by the hack tool EfsPotato

Read More

Detects the use of the Dinject PowerShell cradle based on the specific flags

Read More

Detects the pattern of a pipe name as used by the hack tool CoercedPotato

Read More

Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.

Read More

Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

Read More

Detects suspicious Windows Error Reporting manager (wermgr.exe) child process

Read More

Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .

Read More

Detects an image load pattern as seen when a tool named PRIVATELOG is used and rarely observed under legitimate circumstances

Read More

Detects the creation of a named pipe as used by CobaltStrike

Read More

Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles

Read More

Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles

Read More

This rule detects suspicious files created by Microsoft Sync Center (mobsync)

Read More

Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.

Read More

Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution.

Read More

Detects the creation of a named pipe seen used by known APTs or malware.

Read More

Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro

Read More

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

Read More

Detects a network connection that is initiated by the "notepad.exe" process. This might be a sign of process injection from a beacon process or something similar. Notepad rarely initiates a network communication except when printing documents for example.

Read More

Detects potential Dridex acitvity via specific process patterns

Read More

Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics

Read More

Detects Base64 encoded Shellcode

Read More

Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)

Read More

Detects uncommon processes creating remote threads.

Read More

Detects remote thread creation in command shell applications, such as "Cmd.EXE" and "PowerShell.EXE". It is a common technique used by malware, such as IcedID, to inject malicious code and execute it within legitimate processes.

Read More

Detects uncommon processes creating remote threads.

Read More

It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.

Read More

Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452

Read More

Detects a suspicious child process of userinit

Read More

Detects the execution of installed GuLoader malware on the host. GuLoader is initiating network connections via the rundll32.exe process that is spawned via a browser parent(injected) process.

Read More

The following pseudo-detector should help security teams detect instances where Rundll32 opens a cross process handle into LSASS to collect credentials. Part of the RedCanary 2024 Threat Detection Report.

Read More

Looks for network connections from notepad. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects instances of PowerShell accessing any other processes. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects processes running without command lines, which can indicate process injection. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects notepad making network connections, a potential process injection signal. Part of the RedCanary 2023 Threat Detection Report.

Read More

Looks for process access activity where PowerShell is accessing any other processes. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for process execution with no command line arguments, which may indicate process injection. Inspired by the 2022 Red Canary Threat Detection report.

Read More