Detects use of Cobalt Strike commands accidentally entered in the CMD shell

Read More

Detects Cobalt Strike module/commands accidentally entered in CMD shell

Read More

Detects various execution patterns of the CrackMapExec pentesting framework

Read More

Detects activity that could be related to Baby Shark malware

Read More

Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking

Read More

Detects the execution of AdvancedRun utility

Read More

Detects Trojan loader activity as used by APT28

Read More

Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

Read More

detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking

Read More

Detects command execution via ScreenConnect RMM

Read More

Detects file being transferred via ScreenConnect RMM

Read More

Detects the execution of a system command via the ScreenConnect RMM service.

Read More

Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users<username>\Documents\ConnectWiseControl\Temp" before execution.

Read More

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Read More

Detects Elise backdoor activity used by APT32

Read More

Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189

Read More

Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378

Read More

Detects Rorschach ransomware execution activity

Read More

Detects a ZxShell start by the called and well-known function name

Read More

Detects command line strings which indicate potential attempts to bypass controls. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects command line strings with high numbers of suspicious characters, potentially for obfuscation. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects IIS worker process spawning command shell. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects instances of explorer.exe spawning cmd.exe along with corresponding start and exit commands that we commonly observe in conjunction with a wide variety of malicious activity. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects suspect command line strings in CMD processes spawned by services.exe. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects attempts to establish persistence using schtasks and command shell. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More

Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)

Read More

Detect the use of "<" to read and potentially execute a file via cmd.exe

Read More

Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility

Read More

Detects the use of Jlaive to execute assemblies in a copied PowerShell

Read More

Detects command line parameters used by Koadic hack tool

Read More

Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation

Read More

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system

Read More

Detects use of Cobalt Strike commands accidentally entered in the CMD shell

Read More

Detects use of Cobalt Strike module commands accidentally entered in the CMD shell

Read More

Detects common ways to bypass controls using Windows Command Shell. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for the execution of Windows Command Shell with unusually high counts of characters used for obfuscation. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for suspicious process interactions between the Windows IIS worker process (w3wp.exe) and the command shell. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for the execution of PowerShell with unusually high counts of characters like ^, +, $, and %. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.

Read More

Detecting the execution of weaponized maldoc or embedded link in outlook that uses ms-msdt scheme to execute code.

Read More

Detecting sdiagnhost.exe executing the POC as a result of vulnerability based on ms-msdt.

Read More