Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.

Read More

Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.

Read More

This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Read More

Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.

Read More

Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.

Read More

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

Read More

Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc

Read More

Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file

Read More

Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.

Read More

Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.

Read More

Detects a remote thread creation of Ttdinject.exe used as proxy

Read More

This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Read More

Detects potentially suspicious child processes of "aspnet_compiler.exe".

Read More

Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.

Read More

Detects the execution of CSharp interactive console by PowerShell

Read More

Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.

Read More

Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)

Read More

The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries

Read More

The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.

Read More

Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates files with suspicious file types, indicating that they may be executables, script files, or otherwise unusual.

Read More