Detects creation of ".vhd"/".vhdx" files by browser processes.
Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.
Detects an unknown program using command-line flags typically used by tools such as PsExec and PAExec to start programs with SYSTEM privileges
Detects suspicious command-line flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
Detects a potential PsExec command that initiates execution on a remote system via the common command-line flags used by the utility
Detects the creation of a file in the user's Word Startup folder
Detects the use of the lesser-known remote execution tool CsExec, a PsExec alternative
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a cmdlet invocation of Set-OabVirtualDirectory
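The three PsExec/PAExec descriptions above share one detection idea: the launcher syntax (`[\\host] [-flags] program [args]`) is recognisable on its own, whether the binary is called psexec.exe, paexec.exe, or something else. The following is an added example, not a rule from this page or from the Sigma project; it parses that syntax out of constructed Sysmon-style process-creation events and reports three findings that map onto the rules above: `system_flag` (-s, i.e. LOCAL SYSTEM), `remote_target` (a `\\host` argument), and `renamed_launcher` (the syntax used by a binary that is not a known launcher). The switch meanings (-s, -i, -d, -accepteula, -u, -p, -n, -r, -w) follow the public PsExec/PAExec documentation; the event shape, the launcher list and the finding names are assumptions made for the example.

```python
"""Toy PsExec/PAExec launcher-syntax detector over constructed process events.

Added example; not a Sigma rule. Switch semantics follow the public PsExec and
PAExec documentation. The event dictionaries, the list of known launcher
binaries and the finding names are assumptions for illustration only.
"""
from typing import Dict, List, Set, Tuple, Optional

# Binaries that legitimately speak this syntax (assumption: psexec64.exe added
# for the 64-bit build shipped with the Sysinternals package).
KNOWN_LAUNCHERS = {"psexec.exe", "psexec64.exe", "paexec.exe"}

# Value-less switches that are characteristic of PsExec/PAExec:
# -s LOCAL SYSTEM, -i interactive, -d do not wait, -accepteula, -c copy binary,
# -h elevated token, -e no profile, -x desktop of Winlogon.
MARKER_FLAGS = {"-s", "-i", "-d", "-accepteula", "-c", "-h", "-e", "-x"}
# Switches that consume the next token: user, password, timeout, service name, workdir.
VALUE_FLAGS = {"-u", "-p", "-n", "-r", "-w"}


def parse_launcher_syntax(cmdline: str) -> Tuple[Set[str], List[str], Optional[str]]:
    """Split a command line into (launcher flags, \\\\host targets, launched program).

    Only tokens *before* the launched program count as launcher flags, so a
    '-s' buried in the child's own arguments (e.g. 'cmd /c dir -s') is ignored.
    """
    tokens = cmdline.split()[1:]  # drop argv[0], the launcher itself
    flags: Set[str] = set()
    targets: List[str] = []
    program: Optional[str] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        low = tok.lower()
        if low.startswith("\\\\"):
            targets.append(low)  # \\host or \\host1,host2
        elif low.startswith("-"):
            flags.add(low)
            if low in VALUE_FLAGS and i + 1 < len(tokens):
                i += 1  # skip the switch's value (user, password, ...)
            elif low == "-i" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                i += 1  # optional session id after -i
        else:
            program = tok  # first non-switch token is the program to run
            break
        i += 1
    return flags, targets, program


def analyze(image: str, cmdline: str) -> Set[str]:
    """Return the set of findings for one process-creation event."""
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    flags, targets, program = parse_launcher_syntax(cmdline)
    findings: Set[str] = set()
    looks_like_launcher = bool(flags & MARKER_FLAGS) or bool(targets and program)
    if not looks_like_launcher:
        return findings
    if "-s" in flags:
        findings.add("system_flag")  # escalation to LOCAL SYSTEM
    if targets:
        findings.add("remote_target")  # execution initiated on a remote host
    if exe not in KNOWN_LAUNCHERS:
        findings.add("renamed_launcher")  # PsExec syntax from an unknown binary
    return findings


# Constructed sample events in a Sysmon Event ID 1-like shape (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Tools\PsExec.exe",
     "CommandLine": r"PsExec.exe -accepteula \\srv01 -s cmd.exe /c whoami"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "CommandLine": "svc.exe -accepteula -s -d cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir -s"},
    {"Image": r"C:\Program Files\PAExec\paexec.exe",
     "CommandLine": r"paexec.exe \\srv02 -u corp\admin -p Hunter2 -i -s cmd"},
]


def scan(events: List[Dict[str, str]]) -> List[Set[str]]:
    """Run analyze() over a list of events and return one finding set per event."""
    return [analyze(e["Image"], e["CommandLine"]) for e in events]


if __name__ == "__main__":
    for event, findings in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(f"{event['Image']:<55} {sorted(findings) or '-'}")
```

The renamed-binary case is the one the first of the three rules is after: the image name gives nothing away, but `-accepteula -s` before the program token does. A bare `-s` is weak evidence on its own (plenty of unrelated tools accept it), so in production you would require it to co-occur with `-accepteula`, a `\\host` target or a `-u` credential before alerting, and tune `KNOWN_LAUNCHERS` to the paths your administrators actually use.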
Detects the creation of an executable by another executable