Detects the specific Windows execution chain and process tree associated with the Axios NPM supply chain compromise. On March 30, 2026, malicious versions (1.14.1, 0.30.4) were published to npm, injecting a dependency (plain-crypto-js@4.2.1) that executed a postinstall script as a cross-platform RAT dropper. The dropper contacted a C2 server, delivered platform-specific payloads, deleted itself, and replaced package.json to evade detection. The attack used cscript.exe (VBScript), curl.exe (C2), and PowerShell masquerading as Windows Terminal.

Read More

Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

Read More

Detects remote thread creation from CACTUSTORCH as described in references.

Read More

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More

Detects when the Microsoft Management Console (MMC) loads the DLL libraries like vbscript, jscript etc which might indicate an attempt to execute malicious scripts within a trusted system process for bypassing application whitelisting or defense evasion.

Read More

Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI) to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript. The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.

Read More

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.

Read More

Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands. Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools. This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.

Read More

Detects suspicious registry modifications made by suspicious processes such as script engine processes such as WScript, or CScript etc. These processes are rarely used for legitimate registry modifications, and their activity may indicate an attempt to modify the registry without using standard tools like regedit.exe or reg.exe, potentially for evasion and persistence.

Read More

Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

Read More

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More

Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

Read More

Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.

Read More

Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.

Read More

Detects wscript/cscript/mshta executions of scripts located in user directories

Read More

Detects a file ending in jse, vbe, js, vba, vbs, wsf, wsh written by cscript.exe or wscript.exe

Read More

Detects file creation events indicating NetExec (nxc.exe) execution on the local machine. NetExec is a PyInstaller-bundled binary that extracts its embedded data files to a "_MEI" directory under the Temp folder upon execution. Files dropped under the "\nxc" sub-directory of that extraction path are unique to NetExec and serve as reliable on-disk indicators of execution. NetExec (formerly CrackMapExec) is a widely used post-exploitation and lateral movement tool used for Active Directory enumeration, credential harvesting, and remote code execution.

Read More

Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Read More

Detects command line parameters used by Koadic hack tool

Read More

Detects potential QBot activity by looking for process executions used previously by QBot

Read More

Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers

Read More

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

Read More

Detects potential process and execution activity related to APT10 Cloud Hopper operation

Read More

Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine

Read More

Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine

Read More

Detects potential stage 1 Gootloader javascript execution.

Read More