Detects possible malicious in-memory execution of JXA (JavaScript for Automation) via osascript
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe
Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
Detects remote thread creation from CACTUSTORCH as described in references.
Detects a suspicious child process of Microsoft HTML Help (hh.exe)
Detects a suspicious execution of Microsoft HTML Help (hh.exe)
Detects suspicious mshta.exe execution patterns, some of which rely on polyglot files (HTA content carried in a file with a different extension)
Detects the execution of suspicious child processes from a macOS installer package parent process. This includes osascript, JXA, curl and wget, amongst other interpreters
Detects command line parameters used by Koadic hack tool
Detects wscript/cscript executions of scripts located in user directories
Detects files that AppLocker prevented from running. AppLocker is a very useful tool, especially on servers that unprivileged users can access, for example terminal servers. AppLocker must be configured in enforce mode and its event logs collected for these events to be generated: the "prevented from running" events are ID 8004 in the "Microsoft-Windows-AppLocker/EXE and DLL" log and ID 8007 in the "MSI and Script" log.
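The three Wscript/Cscript process-creation rules above (script-file execution, execution of a file with an uncommon extension, and scripts launched from user directories) expressed as runnable matching logic over sample events. This is an added example, not one of the rules on this page and not Sigma's own code: the field names follow the Sysmon Event ID 1 / Sigma process_creation convention, the rule names returned by `evaluate` are illustrative, and the events in `SAMPLE_EVENTS` are constructed rather than captured telemetry. The third sample shows why the uncommon-extension rule matters: `wscript.exe /e:vbscript` runs a `.txt` file as VBScript, so an extension-only check on the host would miss it.

```python
"""Evaluator for the Wscript/Cscript process-creation rules (added example)."""
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = {".js", ".jse", ".vba", ".vbe", ".vbs", ".wsf"}

# Quoted argument (may contain spaces) or a bare run of non-whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths with spaces intact."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def is_script_host(image: str) -> bool:
    """True when the Image field is wscript.exe or cscript.exe, wherever it lives."""
    return PureWindowsPath(image).name.lower() in SCRIPT_HOSTS


def target_file(cmdline: str) -> Optional[PureWindowsPath]:
    """First positional argument after the host binary.

    Host switches (//nologo, //B, /e:engine, ...) start with a slash and are skipped,
    so the engine override /e:vbscript does not hide the real file argument.
    """
    for tok in tokenize(cmdline)[1:]:
        if tok.startswith("/"):
            continue
        return PureWindowsPath(tok)
    return None


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the (illustrative) rule names a process-creation event matches."""
    if not is_script_host(event.get("Image", "")):
        return []
    target = target_file(event.get("CommandLine", ""))
    if target is None:          # host started without a file: nothing to classify
        return []
    matches = []
    if target.suffix.lower() in SCRIPT_EXTS:
        matches.append("script_file_execution")   # .js/.jse/.vba/.vbe/.vbs/.wsf
    else:
        matches.append("uncommon_extension")      # non-script (or missing) extension
    # "C:\Users\alice\..." -> parts ('C:\\', 'Users', 'alice', ...); AppData,
    # Downloads and Desktop all sit under the profile root, so this covers them.
    if "users" in (p.lower() for p in target.parts):
        matches.append("user_directory")
    return matches


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.vbs"'},
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo C:\ProgramData\IT\inventory.js"},
    {"Image": r"C:\Windows\SysWOW64\wscript.exe",
     "CommandLine": r"wscript.exe /e:vbscript C:\Users\Public\update.txt"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "CommandLine": r'"C:\Program Files\Vendor\updater.exe" C:\Users\alice\run.js'},
]


def run(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[List[str]]:
    """Evaluate every event; one list of matched rule names per event."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run()):
        print(", ".join(hits) or "-", "<-", ev["CommandLine"])
```

The fourth event matches nothing even though it references a `.js` file under `\Users\`, because the Image is not a script host; a rule keyed on the command line alone would fire there and on every text editor that opens a script.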