This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud

This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Detects the execution of CSharp interactive console by PowerShell

Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc

Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.

Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.

The "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) can be used to execute arbitrary binaries

The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries

Detects usage of "cdb.exe" to launch 64-bit shellcode or arbitrary processes or commands from a debugger script file

Execute C# code with the Build Provider and proper folder structure in place.

Detect use of Ilasm.exe to compile c# code into dll or exe.

Detects the execution of the LOLBIN jsc.exe used by .NET to compile javascript code to .exe or .dll format

Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.

Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)

The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.

Detects a remote thread creation of Ttdinject.exe used as proxy