Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.

Read More

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

Read More

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.

Read More

Detects script execution using MSDOS 8.3 File names

Read More

Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.

Read More

Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.

Read More

Detects the execution of a Word document via the WinWord Start Menu shortcut. This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.

Read More

Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More

Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.

Read More

Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.

Read More

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

Read More

Detects a python process calling to the PTY module in order to spawn a pretty tty which could be indicative of potential reverse shell activity.

Read More

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

Read More

Detects usage of winget to add new potentially suspicious download sources

Read More

Detects suspicious parent process for cmd.exe

Read More

Detects the use of the "capsh" utility to invoke a shell.

Read More

Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.

Read More

Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More

Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.

Read More

Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.

Read More

Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.

Read More

Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.

Read More

Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.

Read More

Detects the execution of "csc.exe" via "w3wp.exe" process. MOVEit affected hosts execute "csc.exe" via the "w3wp.exe" process to dynamically compile malicious DLL files.

MOVEit is affected by a critical vulnerability. Exploited hosts show evidence of dynamically compiling a DLL and writing it under C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\([a-z0-9]{5,12})\([a-z0-9]{5,12})\App_Web_[a-z0-9]{5,12}.dll.

Hunting Opportunity

Events from IIS dynamically compiling binaries via the csc.exe on behalf of the MOVEit application, especially since May 27th should be investigated.

Read More

Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

Read More

Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.

Read More

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

Read More

Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)

Read More

Detects usage of winget to add new additional download sources

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

Read More

Identifies when a new cloudshell is created inside of Azure portal.

Read More

detects BPFDoor .lock and .pid files access in temporary file storage facility

Read More

Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.

Read More

A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt

Read More

Detects process activity patterns as seen being used by Sliver C2 framework implants

Read More

This events that are generated when using the hacktool Ruler by Sensepost

Read More

Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.

Read More

Detects different process execution behaviors as described in various threat reports on Lazarus group activity

Read More

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Read More

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

Read More

Detects processes loading modules related to PCRE.NET package

Read More

Detects processes creating temp files related to PCRE.NET package

Read More

Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.

Read More

Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.

Read More

Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084

Read More

Detects potential process patterns related to Cobalt Strike beacon activity

Read More

Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations

Read More

Detects possible payload obfuscation via the commandline

Read More

Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.

Read More

Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state

Read More

Detects usage of "xterm" as a potential reverse shell tunnel

Read More

Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.

Read More

Detects PowerShell download and execution cradles.

Read More

Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)

Read More

Detects python spawning a pretty tty

Read More

Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields

Read More

Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)

Read More

Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.

Read More

Detects PowerShell script execution via input stream redirect

Read More

Detects a suspicious script execution in temporary folders or folders accessible by environment variables

Read More

Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

Read More

Detects when the macOS Script Editor utility spawns an unusual child process.

Read More

Detects suspicious file based on their extension being created in "C:\PerfLogs". Note that this directory mostly contains ".etl" files

Read More

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

Read More

Detects java process spawning suspicious children

Read More

Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state

Read More

Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools

Read More

Detects suspicious process related to rasdial.exe

Read More

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

Read More

Detects execution of powershell scripts via Runscripthelper.exe

Read More

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system

Read More

Detects a suspicious script executions from temporary folder

Read More

Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)

Read More

Detects automated lateral movement by Turla group

Read More

Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" Both can be used for AWL bypass and to execute F# code via scripts or inline.

Read More

Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting

Read More

Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.

Read More

Detects suspicious child process creations of VMware Tools process which may indicate persistence setup

Read More

Detects triggering of AMSI by Windows Defender.

Read More

Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions

Read More

Detects actions taken by Windows Defender malware detection engines

Read More

Detects Windows shells and scripting applications that write files to suspicious folders

Read More

Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.

Read More

Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity

Read More

Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.

Read More

Adversaries bypass controls using the Windows Command Shell in a plethora of ways, but you can detect the one we see most often with a simple combination of process execution and a corresponding command line. Part of the RedCanary 2024 Threat Detection Report.

Read More

This analytic uses a single ES_EVENT_TYPE_NOTIFY_EXEC event and looks for the the execution of curl, |, or osacompile commands. Part of the RedCanary 2024 Threat Detection Report.

Read More

Adversaries leverage AppleScript to try to steal the user’s login password. This analytic attempts to detect that activity via the first variation. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detecting obfuscation in the command shell is relatively straightforward, but there are a lot of variations to consider when you’re developing detection coverage. Of course, the process you’re looking for will always be cmd.exe, but the corresponding command line can contain a variety of suspicious characters. The trick is finding the thresholds where the inclusion of obfuscation characters go from normal to anomalous (but benign) to suspicious enough to warrant alerting. The following pseudo-detection logic offers a good starting point for developing detection coverage for obfuscation in the command line. Part of the RedCanary 2024 Threat Detection Report.

Read More

This analytic looks for the execution of a process that seems to be powershell.exe along with a corresponding command line containing the term base64. Base64 encoding isn’t inherently suspicious, but it’s worth looking out for in a lot of environments, and the following pseudo-detection logic can help detect a wide variety of malicious activity. Part of the RedCanary 2024 Threat Detection Report.

Read More

This detection analytic looks for the execution of powershell.exe with command lines that include variations of the -encodedcommand argument; PowerShell will recognize and accept anything from -e onward, and it will show up outside of the encoded bits. Part of the RedCanary 2024 Threat Detection Report.

Read More

This analytic looks for the execution of a process that seems to be powershell.exe along with a corresponding command line containing the term base64. Base64 encoding isn’t inherently suspicious, but it’s worth looking out for in a lot of environments, and the following pseudo-detection logic can help detect a wide variety of malicious activity. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects Windows Scripting Host processes (wscript.exe and cscript.exe) that are invoking the execution of common scripting formats that Red Canary has observed being used by Qbot—such as .js, .vbs, and .wsf—that are from a logical mounted drive using the drive letters D: through Z: and that have a child process. Part of the RedCanary 2024 Threat Detection Report.

Read More

The following pseudo detector should generate an alert when services.exe spawns cmd.exe along with a corresponding echo or /c command, which are common attributes of post exploitation that we’ve seen in association with this technique. Part of the RedCanary 2024 Threat Detection Report.

Read More

Many of our PowerShell detection analytics look for cmdlets, methods, and switches that may indicate malicious activity. The following analytic is by no means exhaustive but offers a few valuable examples of suspicious cmdlets and other oft-abused features to look out for. Part of the RedCanary 2024 Threat Detection Report.

Read More

There are numerous default PowerShell cmdlets that allow administrators to leverage WMI via PowerShell. Both adversaries and administrators use these cmdlets to query the operating system or execute commands, either locally or remotely. Cmdlets like Get-WMIObject are often used for reconnaissance. Part of the RedCanary 2024 Threat Detection Report.

Read More

We have a lot of detection analytics that seek out suspicious or unusual process lineage spawning or spawning from cmd.exe. Many of them don’t often generate confirmed threat detections but can occasionally raise the flag on important threats, like Exchange compromises. One semi-common pattern in our library of analytics is suspicious process interactions between the Windows IIS worker process (w3wp.exe) and the command shell. The following amalgamation of analytics might help you detect a diverse array of malicious activity related to web server compromises. Part of the RedCanary 2024 Threat Detection Report.

Read More

This detection analytic looks for instances of explorer.exe spawning cmd.exe along with corresponding start and exit commands that we commonly observe in conjunction with a wide variety of malicious activity. Part of the RedCanary 2024 Threat Detection Report.

Read More

Adversaries frequently establish persistence by using scheduled tasks to launch the Windows Command Shell. Detecting this behavior is relatively straightforward. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.

Read More

Detects execution of the legitimate Autoit3 utility from a suspect parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.

Read More

Detects multiple suspicious process in a limited timeframe

Read More

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Read More

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Read More

Detects process execution with the --access-token flag accompanied by a 64-character alphanumeric string in the space-delimited command-line arguments..

Read More

Detects process execution with the --access-token flag accompanied by a child process with a 'get uuid' option.

Read More

Looks for look for cmdlets, methods, and switches that may indicate malicious activity. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects potential adversaries using powershell WMI-related cmdlets to query the operating system or execute commands, either locally or remotely. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects potential stage 1 Gootloader javascript execution.

Read More