Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.

Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec

Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility

Detects suspicious mshta process execution patterns

Detects a typical pattern of a CobaltStrike BOF which inject into other processes

Detects use of WinAPI Functions in PowerShell scripts

Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file

Detects a named pipe used by Turla group samples

Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles

detects BPFDoor .lock and .pid files access in temporary file storage facility