Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges

Read More

Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters.

Read More

Detects specific process parameters as used by Mustang Panda droppers

Read More

Detects the creation of a file with an uncommon extension in an Office application startup folder

Read More

Detects a command used by conti to find volume shadow backups

Read More

Detects creation of ".vhd"/".vhdx" files by browser processes. Malware can use mountable Virtual Hard Disk ".vhd" files to encapsulate payloads and evade security controls.

Read More

Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights

Read More

Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility

Read More

Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative

Read More

Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory

Read More