Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.

Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.

Detects inline windows shell commands redirecting output via the ">" symbol to a suspicious location

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.

Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.

Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.

Detects installation of a remote msi file from web.

Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries

Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system

Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands

Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts

Detects the usage of the "Squirrel.exe" binary as a LOLBIN. This binary is part of multiple software installations (Slack, Teams, Discord, etc.)

Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.

Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.

Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

The Devtoolslauncher.exe executes other binary

Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe

Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.

Attackers can use explorer.exe for evading defense mechanisms

Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'

Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter

Attackers can use print.exe for remote file copy

Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary

The OpenWith.exe executes other binary

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

Detects code execution via the Windows Update client (wuauclt)

Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories

Detects binaries that use the same name as legitimate sysinternals tools to evade detection

Execute VBscript code that is referenced within the *.bgi file.

Execute C# code located in the consoleapp folder

Detects using Diskshadow.exe to execute arbitrary code in text file

Adversaries can use the built-in expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack

Detects when a user installs certificates by using CertOC.exe to load the target DLL file.

Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.

Detects possible NTLM coercion via certutil using the 'syncwithWU' flag

Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL

Detects using WorkFolders.exe to execute an arbitrary control.exe

Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.

Detects a renamed dctask64.exe used for process injection, command execution, process creation with a signed binary by ZOHO Corporation

Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files

Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument

Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument