Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI) to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript. The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.

Read More

Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.

Read More

Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Read More

Detects command line parameters used by Koadic hack tool

Read More

Detects possible malicious execution of JXA in-memory via OSAScript

Read More

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

Read More

Detects a file ending in jse, vbe, js, vba, vbs written by cscript.exe or wscript.exe

Read More

Detects remote thread creation from CACTUSTORCH as described in references.

Read More

Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious. Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.

Read More

Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.

Read More

Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.

Read More

Detects Deno writing a file from a direct HTTP(s) call and writing to the appdata folder or bringing it's own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.

Read More

Detects wscript/cscript executions of scripts located in user directories

Read More

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Read More

Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

Read More

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

Read More

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More

Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware

Read More

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

Read More