Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.

Read More

Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.

Read More

Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.

Read More

Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.

Read More

Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.

Read More

Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.

Read More

Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.

Read More

Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries. Usually ".sed" files are simple ini files and not PE binaries.

Read More

Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location. These files are used by the "iexpress.exe" utility in order to create self extracting packages. Attackers were seen abusing this utility and creating PE files with embedded ".sed" entries.

Read More

Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary

Read More

Detects execution of known compromised version of 3CXDesktopApp

Read More

Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks

Read More

Detects commandline arguments for executing a child process via dotnet-trace.exe

Read More

Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads. Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files. In the observed Pikabot infections, a combination of the commands described above are used to orchestrate the download and execution of malicious DLL files.

Read More

Detects usage of "IMEWDBLD.exe" to download arbitrary files

Read More

Detects usage of "msedge_proxy.exe" to download arbitrary files

Read More

Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More

Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache<RANDOM-8-CHAR-DIRECTORY>"

Read More

Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)

Read More

Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.

Read More

Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)

Read More

Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.

Read More

Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.

Read More

Detect usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

Read More

Detect usage of the "ssh.exe" binary as a proxy to launch other programs.

Read More

Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.

Read More

Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.

Read More

Attackers can use print.exe for remote file copy

Read More

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.

Read More

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument

Read More

Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.

Read More

Detects usage of "MSOHTMED" to download arbitrary files

Read More

Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files

Read More

Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files

Read More

Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system

Read More

Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'

Read More

Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.

Read More

This rule detects suspicious files created by Microsoft Sync Center (mobsync)

Read More

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Read More

Detects the execution of DeviceCredentialDeployment to hide a process from view

Read More

The Devtoolslauncher.exe executes other binary

Read More

Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.

Read More

Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.

Read More

Detects file execution using the msdeploy.exe lolbin

Read More

Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab)

Read More

Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability

Read More

This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry.

Read More

Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe

Read More

Detects using WorkFolders.exe to execute an arbitrary control.exe

Read More

Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)

Read More

Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE"

Read More

Detects the use of Windows Defender MpCmdRun.EXE to download files

Read More

Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy

Read More

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More

Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories

Read More

Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.

Read More

Detect indirect command execution via Program Compatibility Assistant pcwrun.exe

Read More

Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.

Read More

Detects programs on a Windows system that should not write an archive to disk

Read More

Detects programs on a Windows system that should not write executables to disk

Read More

Detects programs on a Windows system that should not write scripts to disk

Read More

Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs

Read More

Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"

Read More

There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.

Read More

Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe

Read More

Detects suspicious connections from Microsoft Sync Center to non-private IPs.

Read More

Detects installation of a remote msi file from web.

Read More

Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.

Read More

The OpenWith.exe executes other binary

Read More

Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.

Read More

Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.

Read More

Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file

Read More

Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.

Read More

Detects the 3CXDesktopApp updater downloading a known compromised version of the 3CXDesktopApp software

Read More

Detects specific process behavior observed with Devil Bait samples

Read More

Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.

Read More

Detects possible NTLM coercion via certutil using the 'syncwithWU' flag

Read More

Detects possible password spraying attempts using Dsacls

Read More

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

Read More

Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".

Read More

Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

Read More

Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.

Read More

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Read More

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Read More

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Read More

Detects potential suspicious child processes of "3CXDesktopApp.exe". Which could be related to the 3CXDesktopApp supply chain compromise

Read More

Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts

Read More

Detects usage of Dsacls to grant over permissive permissions

Read More

Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.

Read More

Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.

Read More

Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.

Read More

Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.

Read More

Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.

Read More

Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.

Read More

Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.

Read More

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument

Read More

Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

Read More

Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'

Read More

Detects when a user installs certificates by using CertOC.exe to load the target DLL file.

Read More

Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.

Read More

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More

Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation

Read More

Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.

Read More

Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter

Read More

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

Read More

Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.

Read More

Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.

Read More

Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.

Read More

Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs

Read More

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Read More

Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.

Read More

Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".

Read More

Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.

Read More

Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.

Read More

Detects uncommon child processes of Appvlp.EXE Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.

Read More

Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript

Read More

Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs

Read More

Detects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.

Read More

Detects an uncommon parent process of "LINK.EXE". Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation. Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity. This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location. By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.

Read More

The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting

Read More

Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag

Read More

VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.

Read More

Detects when verclsid.exe is used to run COM object via GUID

Read More

Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary

Read More

Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries

Read More

Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.

Read More

Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.

Read More

Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL

Read More

Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL

Read More

Detects the execution of CMSTP that is used install fake Connection Manager Profiles via contains via .INF files that resign on a temp location on disk and contains instructions for how the Connection Manager should install the profile. The .INF files could contain malicious code under the section RunPreSetupCommandsSection which is the commands to run before setup.

Read More

Using dumpbin.exe, a windows binary that is installed along side visual studio versions. When dumbin.exe is executed, it is calling link.exe without checking the legitimacy of the link.exe named binary in the same directory.

Read More

Detects execution of side-loaded executable via the update.exe, part microsoft teams' application binary.

Read More

Detects the subvert execution of malicious payloads using vsdiagnostics.exe. VSDiagnostics.exe is an executable part of the Microsoft Visual Studio. Threat actors can use the start to start a new session in combination with the /launch and /launchargs parameters to execute a malicious payload on disk.

Read More

Wermgr.exe should not spawn without any command line arguments. Sometimes malware are using process injection to masquerade their malicious activities and evade detection.

Read More

DLLs that are designed to be loaded by Regsvr32 are expected to have a DllRegisterServer export function implemented. Adversaries will often supply the same DLL to rundll32.exe as well. Executing the DllRegisterServer export function with rundll32.exe is tradecraft that’s unique to adversary behavior and is rarely seen in legitimate scenarios. We’ve observed this behavior in threats including Qbot, Ursnif, and Zloader, to name a few examples. Part of the RedCanary 2024 Threat Detection Report.

Read More

The following pseudo-detector should help security teams detect instances where Rundll32 opens a cross process handle into LSASS to collect credentials. Part of the RedCanary 2024 Threat Detection Report.

Read More

As is the case with most techniques in this report, it's critical that you are able to take stock of what is normal in your environment if you hope to be able to identify what isn't. In the context of Rundll32, you’ll want to monitor for executions of rundll32.exe from unusual parent processes, and the following pseudo-analytic—based on an amalgamation of Red Canary detection logic—should help security teams do just that. Part of the RedCanary 2024 Threat Detection Report.

Read More

Rundll32 does not normally execute without corresponding command-line arguments and while spawning a child process. Given this, you may want to alert on the execution of processes that appear to be rundll32.exe without any command-line arguments , especially when they spawn child processes or make network connections. Part of the RedCanary 2024 Threat Detection Report.

Read More

Consider monitoring for instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. The following pseudo-analytic applies specifically to adversaries who use the MiniDump export functionality of comsvcs.dll to dump the contents of LSASS, but this logic could be adapted to detect other malicious activity as well. Part of the RedCanary 2024 Threat Detection Report.

Read More

To detect suspicious use of msiexec.exe by Raspberry Robin or other threats, it’s essential to take a look at the command line and the URL. Detecting msiexec.exe making outbound network connections to download and install packages in the command-line interface will give you the opportunity to examine the activity and determine if it’s malicious or not. Part of the RedCanary 2024 Threat Detection Report.

Read More

Detects the suspicious child process of calc

Read More

Detects the suspicious child process of regsvr32

Read More

Detects DNS queries from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects downloads by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects file creations by processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects network connections from processes with double file extensions, a common method of masquerading or obfuscating a file type in malware delivery. Observed in early 2023 AsyncRAT/Quasar malware delivery using malicious OneNote files.

Read More

Detects potential process injection of RegAsm.exe as indicated by lack of command-line arguments. This was observed in a recent campaign to distribute AsyncRAT and Quasar RAT using malicious OneNot files.

Read More

DLLs that are designed to be loaded by Regsvr32 are expected to have a DllRegisterServer export function implemented. This detects use of the same DLL to rundll32.exe. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects instances of rundll32.exe running Windows native DLLs that have export functionalities that adversaries commonly leverage for executing malicious code and evading defensive controls. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects executions of rundll32.exe from unusual or suspicious parent processes. Inspired by the 2022 Red Canary Threat Detection report.

Read More

Detects instances of rundll32.exe with no command line that spawns a child process. Inspired by the 2022 Red Canary Threat Detection report.

Read More