Detects the execution of malicious Python scripts from the AppData directory after the execution of the setup.exe installation package. Some installation packages allow for post-installation scripts to be run. A malicious actor could modify these scripts or add their own to execute malicious actions after the legitimate software is installed.
Detects execution of the Microsoft bash launcher without any flags, which executes the content of a bash script directly. This can be used to bypass defenses and execute Linux or Windows-based binaries directly via bash.
ForceV1 requests information directly from kernel space. Conhost connects to the console application. A High IntegrityLevel means the process is running with elevated privileges, such as in an Administrator context.
Detects creation of a suspicious file extension registry key. The extension is then registered with a custom file type (see the Detail component of the detection below) that specifies a malicious PowerShell payload.