Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands

Detects potential arbitrary file download using a Microsoft Office application

Detects the conhost execution as parent process. Can be used to evaded defense mechanism.

Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.

Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.

Detects suspicious Splwow64.exe process without any command line parameters

Detects execution of powershell scripts via Runscripthelper.exe

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

Detects binaries that use the same name as legitimate sysinternals tools to evade detection

Execute VBscript code that is referenced within the *.bgi file.

Detects execution of renamed version of PAExec. Often used by attackers

Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity

Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library

Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships

Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL

Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability

Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields

Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

Detects a service binary running in a suspicious directory

Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)

Detect usage of the "ssh.exe" binary as a proxy to launch other programs

Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path

Detects execution of ftp.exe script execution with the "-s" flag and any child processes ran by ftp.exe

lolbas Cmdl32 is use to download a payload to evade antivirus

Performs execution of specified file, can be used for defensive evasion.

Detects the abuse of custom file open handler, executing powershell