A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.

Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line

Detects a ping command that uses a hex encoded IP address

Detects potential commandline obfuscation using known escape characters

Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

Detects suspicious process command line that uses base64 encoded input for execution with a shell

Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded

Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell

Detects presence of a potentially xor encoded powershell command

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.