Detects command line patterns used by BlackByte ransomware in different operations

Read More

Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.

Read More

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

Read More

Detects when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response and originating IP that are used to determine bad actors.

Read More

Detects suspicious process command line that uses base64 encoded input for execution with a shell

Read More

Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded

Read More

Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell

Read More

Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism

Read More

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

Read More

Detects a ping command that uses a hex encoded IP address

Read More

Detects potential commandline obfuscation using known escape characters

Read More

Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line

Read More

A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.

Read More

Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address

Read More

Detects suspicious rules that delete or move messages or folders are set on a user's inbox.

Read More

Detects presence of a potentially xor encoded powershell command

Read More

Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.

Read More

Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.

Read More

Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.

Read More

Detects the loading of suspicious .NET methods, seen in PowerShell script load content. This behavior is not limited to Yellow Cockatoo and can be applied universally for malicious PowerShell obfuscation attempts. Part of the RedCanary 2024 Threat Detection Report.

Read More

Looks for the execution of powershell.exe with command lines that include variations of the -encodedcommand argument. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for the execution of cmd.exe or powershell.exe with command lines that includes the term base64. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Looks for the execution of powershell.exe with command lines that includes the term base64. Inspired by the 2022 Red Canary Threat Detection report.

Read More