Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript

Detects remote thread creation from CACTUSTORCH as described in references.

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

Detects a suspicious parent of csc.exe, which could by a sign of payload delivery

Detects command line parameters used by Koadic hack tool

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Detects wscript/cscript executions of scripts located in user directories

Detects possible malicious execution of JXA in-memory via OSAScript

Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.