Detects the download of suspicious file type from a well-known file and paste sharing domain

Detects the download of suspicious file type from a well-known file and paste sharing domain

Detects the creation of an ADS (Alternate Data Stream) that contains an executable by looking at a non-empty Imphash

Detects the creation of a file on disk that has an imphash of a well-known hack tool

Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection

Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection

Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection

Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection

Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection

Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).

Detects the download of suspicious file type from URLs with IP

Detects PowerShell script execution from Alternate Data Stream (ADS)

Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.

Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.

Extract data from cab file and hide it in an alternate data stream

Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.

Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism

Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.

Exports the target Registry key and hides it in the specified alternate data stream.