A general detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
Detects usage of the "FromBase64String" function in the command line, which is used to decode a base64-encoded string.
Detects a suspicious process command line that uses base64-encoded input for execution with a shell.
Detects the presence of a base64-encoded version of the shebang in the command line, which could indicate a malicious payload about to be decoded.
Detects a suspicious process command line that starts with a shell that executes something and finally gets piped into another shell.
Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or to hide the process of exfiltrating data. With this enabled, the organization loses visibility into data such as query type, response and originating IP that are used to identify bad actors.
Payload Decoded and Decrypted via Built-in Utilities
Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.