Detects use of Cobalt Strike commands accidentally entered in the CMD shell

Read More

Detects Bumblebee WmiPrvSE parent process manipulation

Read More

Detects use of conhost in "headless" mode. By running conhost.exe in "headless" mode, it means that no visible window will pop up on the victim's machine.

Read More

Detects the execution of a specific OneLiner to Invoke PowerShell commands.

Read More

Detects the deletion of scheduled tasks related to Windows Defender.

Read More

Rule to detect registry modifications to enable WDigest using powershell over the commandline.

Read More

Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host

Read More

Detects the registry modification to enable restricted admin mode using reg.exe

Read More

These commands were used to create a WebShell by exploiting ProxyShell vulnerabilities

Read More

Detects the execution of the commonly used ZeroLogon PoC executable.

Read More

Detecting the command FlawedGrace is using for the purpose of injecting into it the spawned process, in this case the cmd.exe process.

Read More

Detects the use reg.exe to hide users from listed in the logon screen. This is possible by changing the registry key value to 0 for a specific user.

Read More

Detects script execution using MSDOS 8.3 File names

Read More

Detects the use of lazagne using command line execution.

Read More

Detection of well-known mimikatz command line arguments. Added more commandline indicators from referenced rule by author - Teymur Kheirkhabarov, oscd.community

Read More

Detects a Mshta executing code from the registry

Read More

Detects use of custom scripts i.e. BAT files.

Read More

Detects the process creation from Scheduled Task with REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line

Read More

Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.

Read More

Detects use of SplashTop

Read More

Detects suspicious commands created from sqlservr process.

Read More

Detecting the use of dir command to inspect directories on the remote host.

Read More

AdFind has been seen in numerous intrusions. The threat actor(s) ran these commands.

Read More

Detects potentially malicious AteraAgent installations when the IntegratorLogin parameter is used to register a non-business email.

Read More

Detects use of chcp to look up the system locale value as part of host discovery

Read More

Threat actor (APT35) created user, enabled it, set password, add to admins and remote desktop users.

Read More

Detects use of driverquery to look up the installed and configured drivers as part of host discovery

Read More

Detects Emotet Spawning ipconfig and systeminfo.

Read More

Detecting the use of tasklist to display processes of remote hosts using the /S parameter.

Read More

Detects abuse of mofcomp to load WMI classes i.e. to create WMI event subscriptions

Read More

Detection of NIM Tooling that Creates a Remote User (pth_createusers.exe) and Adds them to Local Admins group (pth_addadmin.exe)

Read More

Detects use of nslookup to look up the local nameserver as part of host discovery

Read More

Detects use of Cobalt Strike module commands accidentally entered in the CMD shell

Read More

PSEXEC executed with non default service binary name

Read More

Rule to detect discovery activity for WDigest registry settings

Read More

Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.

Read More

Detects command line creation of scheduled tasks using commomly abused LOLbins.

Read More

Detects use of time to look up the system time as part of host discovery

Read More

Detects use of Windows Uninstall defender feature

Read More

Detects a very specific command the Ursnif loader runs.

Read More

Detects querying of Windows Security log for account activity

Read More