This rule detects suspicious processes with parent images located in the C:\Users\Public folder

Read More

Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors regularly abuse it to manipulate system processes.

Read More

Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations

Read More

Detects disabling the CrashDump per registry (as used by HermeticWiper)

Read More

Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.

Read More

Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system

Read More

Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\

Read More

Detects extraction of ISO, VHD, LNK, or IMG files from zip files. Commonly associated with QakBot and IcedID.

Read More

Detects process execution in PerfLogs folder - a folder used by Windows for log collection - and matching previously-observed naming patterns for ransomware executables.

Read More

Detect creation of suspicious executable file name. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.

Read More

Detects when an adversary is trying to hide it's action from Sysmon logging based on error messages

Read More

Detects when an attacker tries to hide from Sysmon by disabling or stopping it

Read More