Detects the execution of fsutil.exe to enable a Dev Drive with an argument that disables the AV on the created drive. This technique is available starting with Windows 11.

Read More

Detects the execution registry change that enables a Dev Drive without allowing AV to access the created drive. This technique is available starting with Windows 11.

Read More

Detects the execution of malicious Python scripts from the AppData directory after the execution of the setup.exe installation package. Some installation packages allow for post-installation scripts to be run. A malicious actor could modify these scripts or add their own to execute malicious actions after the legitimate software is installed.

Read More

Detects the execution of appcmd.exe that is used to extract credentials from configuration files. IIS application pools can run as different users for security and isolation purposes. When a user is specified for the application pool, their credentials are stored in plaintext in the configuration file.

Read More

Detects the execution of CMSTP that is used install fake Connection Manager Profiles via contains via .INF files that resign on a temp location on disk and contains instructions for how the Connection Manager should install the profile. The .INF files could contain malicious code under the section RunPreSetupCommandsSection which is the commands to run before setup.

Read More

Wrmgr.exe should not spawn without any command line arguments. Sometimes malware are using process injection to masquerade their malicious activities and evade detection.

Read More

Using dumpbin.exe, a windows binary that is installed along side visual studio versions. When dumbin.exe is executed, it is calling link.exe without checking the legitimacy of the link.exe named binary in the same directory.

Read More

Detects execution of side-loaded executable via the update.exe, part microsoft teams' application binary.

Read More