This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server. Script blocks are not logged in this case, so this utility can be used to bypass protection mechanisms based on the analysis of those logs.
Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud.
This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio. Script blocks are not logged in this case, so this utility can be used to bypass protection mechanisms based on the analysis of those logs.
Detects the execution of node.exe, which ships with multiple software packages such as VMware and Adobe, in order to execute arbitrary code, for example to establish a reverse shell as seen in Log4j attacks.
Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover), which can be abused as a LOLBIN to execute arbitrary commands and binaries.
The "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) can be used to execute arbitrary binaries.
The "VSIISExeLauncher.exe" binary, part of Visual Studio/VS Code, can be used to execute arbitrary binaries.
WinDbg/CDB LOLBIN Usage
Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file.
Detects the execution of the LOLBIN jsc.exe, used by .NET to compile JavaScript code to .exe or .dll format.
Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
Detects the execution of TTDInject.exe, which is used by Windows 10 v1809 and newer for time travel debugging (underlying call of tttracer.exe).
The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.