Detects execution of Chromium based browser in headless mode

Read More

Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags. To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.

Read More

Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files

Read More

Detects suspicious command lines used in Covenant luanchers

Read More

Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control

Read More

Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.

Read More

Detects the execution of AdvancedRun utility

Read More

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden

Read More