Detects suspicious parent process for cmd.exe

Read More

Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.

Read More

A symbolic link is a type of file that contains a reference to another file. This is probably done to make sure that the ransomware is able to follow shortcuts on the machine in order to find the original file to encrypt

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.

Read More

Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.

Read More

Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.

Read More

Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.

Read More

Detects when the macOS Script Editor utility spawns an unusual child process.

Read More

Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.

Read More

Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.

Read More

Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.

Read More

Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations

Read More

Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges.

Read More

Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.

Read More

Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.

Read More

Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.

Read More

Detects python spawning a pretty tty which could be indicative of potential reverse shell activity

Read More

Detects a suspicious script execution in temporary folders or folders accessible by environment variables

Read More

Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools

Read More

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

Read More

Detects automated lateral movement by Turla group

Read More

Detects suspicious child process creations of VMware Tools process which may indicate persistence setup

Read More

Detects Windows shells and scripting applications that write files to suspicious folders

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134

Read More

Identifies when a new cloudshell is created inside of Azure portal.

Read More

detects BPFDoor .lock and .pid files access in temporary file storage facility

Read More

This rule detects suspicious processes with parent images located in the C:\Users\Public folder

Read More

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

Read More

Detects python spawning a pretty tty

Read More

Detects java process spawning suspicious children

Read More

Detects a suspicious script executions from temporary folder

Read More

Execute commands and binaries from the context of "forfiles". This is used as a LOLBIN for example to bypass application whitelisting.

Read More

The FSharp Interpreters, FsiAnyCpu.exe and FSi.exe, can be used for AWL bypass and is listed in Microsoft recommended block rules.

Read More

Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting

Read More

Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions

Read More

Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe. This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs process injection and connects to the DarkGate command-and-control server. Curl, KeyScramblerLogon, and these other processes consitute non-standard and suspicious ways to retrieve the Autoit3 executable.

Read More

Detects execution of the legitimate Autoit3 utility from a suspect parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.

Read More

Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

Read More

Detects execution of ftp.exe script execution with the "-s" or "/s" flag and any child processes ran by ftp.exe

Read More

Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state

Read More

Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state

Read More

Detects the redirection of Ursnif discovery commands as part of the initial execution of the malware.

Read More

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system

Read More

Detects different process execution behaviors as described in various threat reports on Lazarus group activity

Read More

Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2021-26084

Read More

Detects potential exploitation of CVE-2021-40444 via suspicious process patterns seen in in-the-wild exploitations

Read More

Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)

Read More

Detects processes loading modules related to PCRE.NET package

Read More

Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity

Read More

Detects PowerShell download and execution cradles.

Read More

Detects suspicious file based on their extension being created in "C:\PerfLogs". Note that this directory mostly contains ".etl" files

Read More

Detects usage of "xterm" as a potential reverse shell tunnel

Read More

Detects multiple suspicious process in a limited timeframe

Read More

Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)

Read More

Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.

Read More

Detects usage of winget to add new additional download sources

Read More

Detects usage of winget to add new potentially suspicious download sources

Read More

Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes

Read More

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

Read More

Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

Read More

Detects potential process patterns related to Cobalt Strike beacon activity

Read More

Detects possible payload obfuscation via the commandline

Read More

Detects process activity patterns as seen being used by Sliver C2 framework implants

Read More

Detects suspicious process related to rasdial.exe

Read More

Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)

Read More

Detects execution of powershell scripts via Runscripthelper.exe

Read More

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

Read More

Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)

Read More

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Read More

Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields

Read More

Detects PowerShell script execution via input stream redirect

Read More

This events that are generated when using the hacktool Ruler by Sensepost

Read More

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Read More

Detects command/scripting interpreter-created processes executing on an external drive. This will detect common instances of malware using LNK files to obscure malicious commands for user execution. Commonly associated with QakBot and IcedID.

Read More

Detects triggering of AMSI by Windows Defender.

Read More

Detects all actions taken by Windows Defender malware detection engines

Read More

Detects process execution with the --access-token flag accompanied by a 64-character alphanumeric string in the space-delimited command-line arguments..

Read More

Detects process execution with the --access-token flag accompanied by a child process with a 'get uuid' option.

Read More

Looks for look for cmdlets, methods, and switches that may indicate malicious activity. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects potential adversaries using powershell WMI-related cmdlets to query the operating system or execute commands, either locally or remotely. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects potential stage 1 Gootloader javascript execution.

Read More

Detects processes creating temp files related to PCRE.NET package

Read More