Detect usage of the "ssh.exe" binary as a proxy to launch other programs

Read More

Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack

Read More

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

Read More

Detects the execution of malicious Python scripts from the AppData directory after the execution of the setup.exe installation package. Some installation packages allow for post-installation scripts to be run. A malicious actor could modify these scripts or add their own to execute malicious actions after the legitimate software is installed.

Read More

Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.

Read More

Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash

Read More

Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash

Read More

Detects potential arbitrary file download using a Microsoft Office application

Read More

Detects execution of renamed version of PAExec. Often used by attackers

Read More

Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

Read More

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

Read More

Detects binaries that use the same name as legitimate sysinternals tools to evade detection

Read More

lolbas Cmdl32 is use to download a payload to evade antivirus

Read More

ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.

Read More

Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)

Read More

Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path

Read More

Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields

Read More

Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity

Read More

Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

Read More

Detects the abuse of custom file open handler, executing powershell

Read More

Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL

Read More

Detects execution of ftp.exe script execution with the "-s" or "/s" flag and any child processes ran by ftp.exe

Read More

Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands

Read More

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

Read More

Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.

Read More

Detects suspicious Splwow64.exe process without any command line parameters

Read More

Detects execution of powershell scripts via Runscripthelper.exe

Read More

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

Read More

Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library

Read More

Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships

Read More

Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation

Read More

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Read More

Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability

Read More

Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields

Read More

Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190

Read More

Detects a service binary running in a suspicious directory

Read More

Detects creation of suspicious file extension registry key. This extension is then registered with a custom file type (see Detail component of detection below) with a malicious powershell payload specified.

Read More