Detects processes loading modules related to PCRE.NET package

Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity

Detects PowerShell download and execution cradles.

Detects suspicious file based on their extension being created in "C:\PerfLogs". Note that this directory mostly contains ".etl" files

Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.

Detects usage of "xterm" as a potential reverse shell tunnel

Detects python spawning a pretty tty which could be indicative of potential reverse shell activity

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.

Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)

Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.

Detects usage of winget to add new additional download sources

Detects usage of winget to add new potentially suspicious download sources

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

Detects potential process patterns related to Cobalt Strike beacon activity

Detects possible payload obfuscation via the commandline

Detects suspicious parent process for cmd.exe

Detects Wscript or Cscript executing from a drive other than C. This has been observed with Qakbot executing from within a mounted ISO file.

Detects process activity patterns as seen being used by Sliver C2 framework implants

Detects suspicious process related to rasdial.exe

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system

Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)

Detects suspicious child process creations of VMware Tools process which may indicate persistence setup

Detects execution of powershell scripts via Runscripthelper.exe

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.

Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.

Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields

Detects python spawning a pretty tty

Detects PowerShell script execution via input stream redirect

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

This events that are generated when using the hacktool Ruler by Sensepost

Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.

Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.

Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.

Detects a suspicious script executions in temporary folders or folders accessible by environment variables

Detects java process spawning suspicious children

Detects a suspicious script executions from temporary folder

Execute commands and binaries from the context of "forfiles". This is used as a LOLBIN for example to bypass application whitelisting.

Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting

Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.

A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt

Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions

Detects when the macOS Script Editor utility spawns an unusual child process.

Detects triggering of AMSI by Windows Defender.