Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS", functions that are part of the "CL_LoadAssembly.ps1" script. These can be abused to load arbitrary assemblies and bypass AppLocker controls.
Detects calls to "SyncInvoke", a function in the "CL_Invocation.ps1" script, used to proxy execution through "System.Diagnostics.Process"
Detects the execution of the CustomShellHost binary where the spawned child process is not 'C:\Windows\explorer.exe'
Detects the execution of the sigverif binary as a parent process, which could indicate it is being used as a LOLBIN to proxy execution
Detects execution of arbitrary PowerShell code via SyncAppvPublishingServer.vbs
Detects the use of a Microsoft-signed script to execute a managed DLL with PowerShell.
Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and a copied cscript.exe (which may be renamed)
Detects execution via SyncInvoke in the CL_Invocation.ps1 module
Detects execution via runAfterCancelProcess in the CL_Mutexverifiers.ps1 module
Detects an attempt to execute code or create a service on a remote host via winrm.vbs.
Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
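The descriptions above are detection-rule summaries; as an added example (not part of the original list and not the rules' own logic), the Python below encodes simplified versions of several of them as predicates over Sysmon-style process-creation events and runs them against constructed sample events. The field names (Image, ParentImage, CommandLine, ParentCommandLine), the predicates, and every path and command line in the samples are assumptions for illustration; the events are constructed, not real telemetry, and the predicates are intentionally coarser than production rules.

```python
"""Toy matcher for the LOLBIN / LOLScript patterns in the rule list above, run
over constructed Sysmon-style process-creation events.  Added example: the
predicates are simplified approximations of the rule descriptions, not the
real rule logic, and the sample events are constructed, not real telemetry."""
from typing import Callable

Event = dict[str, str]
# Directories the native script hosts (cscript/wscript) normally run from.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)

def is_powershell(path: str) -> bool:
    return base(path) in {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

def has_all(s: str, *needles: str) -> bool:
    s = s.lower()
    return all(n in s for n in needles)

def has_any(s: str, *needles: str) -> bool:
    s = s.lower()
    return any(n in s for n in needles)

# (rule name, predicate): each one is a deliberately simple sketch of a rule above.
RULES: list[tuple[str, Callable[[Event], bool]]] = [
    ("Pester.bat code execution",
     lambda e: has_all(e["CommandLine"], "pester.bat") and has_any(e["CommandLine"], ";", "&")),
    ("CL_LoadAssembly.ps1 assembly load",
     lambda e: is_powershell(e["Image"])
     and has_any(e["CommandLine"], "loadassemblyfrompath", "loadassemblyfromns")),
    ("CL_Invocation.ps1 SyncInvoke proxy execution",
     lambda e: is_powershell(e["Image"]) and has_all(e["CommandLine"], "syncinvoke")),
    ("CL_Mutexverifiers.ps1 runAfterCancelProcess",
     lambda e: is_powershell(e["Image"]) and has_all(e["CommandLine"], "runaftercancelprocess")),
    ("CustomShellHost child is not C:\\Windows\\explorer.exe",
     lambda e: base(e["ParentImage"]) == "customshellhost.exe"
     and e["Image"].lower() != "c:\\windows\\explorer.exe"),
    ("sigverif.exe as parent process",
     lambda e: base(e["ParentImage"]) == "sigverif.exe"),
    ("SyncAppvPublishingServer.vbs PowerShell injection",
     lambda e: has_all(e["CommandLine"], "syncappvpublishingserver.vbs", ";")),
    ("winrm.vbs run from a copied or renamed script host",
     lambda e: has_all(e["CommandLine"], "winrm.vbs") and not in_system_dir(e["Image"])),
    ("winrm.vbs remote process/service creation",
     lambda e: has_all(e["CommandLine"], "winrm", "invoke", "create")
     and has_any(e["CommandLine"], "win32_process", "win32_service")
     and has_any(e["CommandLine"], "-r:", "-remote:")),
    ("manage-bde.wsf proxy execution",
     lambda e: has_all(e["ParentCommandLine"], "manage-bde.wsf") and not in_system_dir(e["Image"])),
]

def match(event: Event) -> list[str]:
    """Names of every rule the event triggers."""
    return [name for name, pred in RULES if pred(event)]

def scan(events: list[Event]) -> dict[str, list[str]]:
    """Event id -> matched rule names, for events with at least one hit."""
    return {e["Id"]: hits for e in events if (hits := match(e))}

def ev(eid: str, image: str, parent: str, cmdline: str, parent_cmdline: str = "") -> Event:
    return {"Id": eid, "Image": image, "ParentImage": parent,
            "CommandLine": cmdline, "ParentCommandLine": parent_cmdline}

SYS32 = "C:\\Windows\\System32\\"
PUB = "C:\\Users\\Public\\"
SAMPLE_EVENTS: list[Event] = [  # constructed for this example, not real logs
    ev("e1", SYS32 + "cmd.exe", "C:\\Windows\\explorer.exe",
       'cmd.exe /c ""C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\bin\\Pester.bat" ;calc"'),
    ev("e2", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", SYS32 + "cmd.exe",
       "powershell . C:\\Windows\\diagnostics\\system\\AERO\\CL_Invocation.ps1; SyncInvoke " + PUB + "p.exe"),
    ev("e3", PUB + "explorer.exe", PUB + "CustomShellHost.exe", PUB + "explorer.exe"),
    ev("e4", "C:\\Windows\\explorer.exe", SYS32 + "CustomShellHost.exe", "C:\\Windows\\explorer.exe"),
    ev("e5", SYS32 + "cscript.exe", SYS32 + "cmd.exe",
       "cscript //nologo " + SYS32 + "winrm.vbs invoke Create wmicimv2/Win32_Process "
       '@{CommandLine="calc.exe"} -r:http://10.0.0.5:5985'),
    ev("e6", PUB + "wsh.exe", SYS32 + "cmd.exe", PUB + "wsh.exe //nologo " + PUB + "winrm.vbs get winrm/config"),
    ev("e7", PUB + "cmd.exe", SYS32 + "cscript.exe", PUB + "cmd.exe /c manage-bde -status",
       "cscript //nologo " + SYS32 + "manage-bde.wsf -status"),
    ev("e8", SYS32 + "wscript.exe", SYS32 + "cmd.exe",
       "wscript.exe " + SYS32 + 'SyncAppvPublishingServer.vbs "n;calc.exe"'),
    ev("e9", SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe", "C:\\Windows\\explorer.exe",
       "powershell.exe -NoProfile -Command Get-Service"),
]

if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(eid, "->", ", ".join(hits))
```

Events e4 (CustomShellHost launching the real explorer.exe) and e9 (an ordinary PowerShell session) are included as negatives: the path comparison and the system-directory check are what keep the legitimate uses of these binaries from firing, and they are also the first thing to revisit when tuning these patterns against real telemetry.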