attack.t1127

Suspicious Use of CSharp Interactive Console

May 20, 2025 · attack.execution attack.defense-evasion attack.t1127 ·

Share on:

Detects the execution of CSharp interactive console by PowerShell

AspNetCompiler Execution

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·

Share on:

Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.

C# IL Code Compilation Via Ilasm.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·

Share on:

Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.

Detection of PowerShell Execution via Sqlps.exe

Aug 12, 2024 · attack.execution attack.t1059.001 attack.defense-evasion attack.t1127 ·

Share on:

This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

JScript Compiler Execution

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·

Share on:

Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.

Kavremover Dropped Binary LOLBIN Usage

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·

Share on:

Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.

Node Process Executions

Aug 12, 2024 · attack.defense-evasion attack.t1127 attack.t1059.007 ·

Share on:

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

Potential Arbitrary Code Execution Via Node.EXE

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·

Share on:

Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc

Potential Binary Proxy Execution Via Cdb.EXE

Aug 12, 2024 · attack.execution attack.t1106 attack.defense-evasion attack.t1218 attack.t1127 ·

Share on:

Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file

Potential Mftrace.EXE Abuse

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·

Share on:

Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.

Potentially Suspicious ASP.NET Compilation Via AspNetCompiler

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·

Share on:

Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.

Remote Thread Creation Ttdinject.exe Proxy

Aug 12, 2024 · attack.defense-evasion attack.t1127 ·

Share on:

Detects a remote thread creation of Ttdinject.exe used as proxy

SQL Client Tools PowerShell Session Detection

Aug 12, 2024 · attack.execution attack.t1059.001 attack.defense-evasion attack.t1127 ·

Share on:

This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.