Detects wscript/cscript executions of scripts located in user directories
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine.
Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Detects suspicious commands that are related to scripting/powershell in WMI Event Consumers
Detects suspicious child processes of Windows shell and scripting processes such as wscript, rundll32, powershell, mshta, etc.
Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Detects potential process and execution activity related to APT10 Cloud Hopper operation
Detects potential QBot activity by looking for process executions used previously by QBot
Detects remote thread creation from CACTUSTORCH as described in references.
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
Detects command line parameters used by Koadic hack tool
Detects attempts to run files that AppLocker does not allow. AppLocker is a very useful tool, especially on servers where unprivileged users have access, for example terminal servers. You need to configure AppLocker and log collection to receive these events.