MISC | Detection.FYI

Disabling Python warnings for executing untrusted code

Aug 24, 2023 · attack.Defense-Evansion attack.T1562.001 ·

Detecting the registry change that would prevent any warnings or alerts when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.

Using explorer.exe to open a file explorer folder via command prompt

Dec 22, 2022 · attack.Discovery attack.T1135 ·

Share on:

Detects the initial execution of cmd.exe which spawns explorer.exe with the appropriate command line arguments for opening the My Computer folder.

Using Emojis to evade detection

Dec 5, 2022 · ( ͡° ͜ʖ ͡°) ·

Share on:

Detects emojis in the command line

PowerShell AMSI Bypass Pattern

Nov 8, 2022 · attack.defense_evasion attack.t1562.001 attack.execution ·

Share on:

Detects attempts to disable AMSI in the commandline. It is possible to bypass AMSI by disabling it before loading the main payload.

Scheduled task executing powershell encoded payload from registry

Jun 14, 2022 · attack.execution attack.persistence attack.t1053.005 attack.t1059.001 ·

Share on:

Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.

HH.exe LOLBA executing .chm files

May 24, 2022 · attack.Compiled.HTML.File attack.T1218.001 ·

Share on:

Detecting the execution of hh.exe and the follow up activity for downloading or executing second stage payloads. This is based malspam activity delivering Remote Access Trojans via initial .chm payloads.