Rules Contributing to Suspicious Process Creation Commandline Alert

The following rules are used to identify suspicious activity relating to command-line process creation. Any one or more of these will trigger the Suspicious Process Creation Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

SystemNightmare Exploitation Script Execution

Detects the exploitation of PrinterNightmare to get a shell as LOCAL_SYSTEM

Suspicious Reg Add Open Command

Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key

CL_LoadAssembly.ps1 Proxy Execution

Detects the use of a Microsoft signed script to execute commands and bypassing AppLocker.

Suspicious Characters in CommandLine

Detects suspicious Unicode characters in the command line, which could be a sign of obfuscation or defense evasion

Firewall Disabled via Netsh.EXE

Detects netsh commands that turns off the Windows firewall

Ke3chang Registry Key Modifications

Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020

Potential PowerShell Obfuscation Via WCHAR

Detects suspicious encoded character syntax often used for defense evasion

Conti Volume Shadow Listing

Detects a command used by conti to find volume shadow backups

InfDefaultInstall.exe .inf Execution

Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.

Root Certificate Installed From Susp Locations

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Suspicious PrinterPorts Creation (CVE-2020-1048)

Detects new commands that add new printer port which point to suspicious file

PowerShell Script Run in AppData

Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder

Potential Remote Desktop Tunneling

Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.

MSTSC Shadowing

Detects RDP session hijacking by using MSTSC shadowing

Suspicious Scan Loop Network

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system

Obfuscated IP Download

Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command

MSExchange Transport Agent Installation

Detects the Installation of a Exchange Transport Agent

Pubprn.vbs Proxy Execution

Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.

Tamper Windows Defender Remove-MpPreference

Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet

AnyDesk Silent Installation

Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.

Execution via CL_Invocation.ps1

Detects Execution via SyncInvoke in CL_Invocation.ps1 module

Writing Of Malicious Files To The Fonts Folder

Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.

Suspicious FromBase64String Usage On Gzip Archive - Process Creation

Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.

Suspicious Usage Of ShellExec_RunDLL

Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack

Turla Group Lateral Movement

Detects automated lateral movement by Turla group

Netsh RDP Port Opening

Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware

PowerShell DownloadFile

Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line

Powershell Defender Exclusion

Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets

Lazarus Loaders

Detects different loaders as described in various threat reports on Lazarus group activity

Suspicious GrpConv Execution

Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors

Disabled RestrictedAdminMode For RDS - ProcCreation

Detect activation of DisableRestrictedAdmin to desable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise

Malicious Base64 Encoded Powershell Invoke Cmdlets

Detects base64 encoded powershell cmdlet invocation of known suspicious cmdlets

Uninstall Crowdstrike Falcon

Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon

Suspicious Powershell No File or Command

Detects suspicious powershell execution that ends with a common flag instead of a command or a filename to execute (could be a sign of implicit execution that uses files in WindowsApps directory)

New Network Provider - CommandLine

Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it

Turla Group Commands May 2020

Detects commands used by Turla group as reported by ESET in May 2020

Potential Data Stealing Via Chromium Headless Debugging

Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control

Invoke-Obfuscation Via Use MSHTA

Detects Obfuscated Powershell via use MSHTA in Scripts

Suspicious Rundll32 Script in CommandLine

Detects suspicious process related to rundll32 based on arguments

Suspicious Base64 Encoded Powershell Invoke

Detects base64 encoded powershell 'Invoke-' call

HackTool - Bloodhound/Sharphound Execution

Detects command line parameters used by Bloodhound and Sharphound hack tools

Explorer Process Tree Break

Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"

Suspicious Del in CommandLine

Detects suspicious command line to remove and 'exe' or 'dll'

Invoke-Obfuscation COMPRESS OBFUSCATION

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Operation Wocao Activity

Detects activity mentioned in Operation Wocao report

Fireball Archer Install

Detects Archer malware invocation via rundll32

Zip A Folder With PowerShell For Staging In Temp

Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration

Registry Dump of SAM Creds and Secrets

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored

Procdump Evasion

Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name

Powershell Token Obfuscation - Process Creation

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

Suspicious Minimized MSEdge Start

Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet

Suspicious PowerShell Download and Execute Pattern

Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)

Add User to Local Administrators

Detects suspicious command line that adds an account to the local administrators/administrateurs group

Taskkill Symantec Endpoint Protection

Detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.

MsiExec Web Install

Detects suspicious msiexec process starts with web addresses as parameter

PsExec Service Start

Detects a PsExec service start

Scheduled Task WScript VBScript

Detects specific process parameters as used by ACTINIUM scheduled task persistence creation.

Dropping Of Password Filter DLL

Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS

Suspicious UltraVNC Execution

Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)

Potential AMSI Bypass Using NULL Bits - ProcessCreation

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Invoke-Obfuscation CLIP+ Launcher

Detects Obfuscated use of Clip.exe to execute PowerShell

Hydra Password Guessing Hack Tool

Detects command line parameters used by Hydra password guessing hack tool

SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code

Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs

Suspicious Add User to Remote Desktop Users Group

Detects suspicious command line in which a user gets added to the local Remote Desktop Users group

GatherNetworkInfo.vbs Script Usage

Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target

APT29

This method detects a suspicious PowerShell command line combination as used by APT29 in a campaign against U.S. think tanks.

Suspicious WMIC ActiveScriptEventConsumer Creation

Detects WMIC executions in which a event consumer gets created in order to establish persistence

TAIDOOR RAT DLL Load

Detects specific process characteristics of Chinese TAIDOOR RAT malware load

Empire PowerShell UAC Bypass

Detects some Empire PowerShell UAC bypass methods

Emotet Process Creation

Detects all Emotet like process executions that are not covered by the more generic rules

Esentutl Gather Credentials

Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.

EvilNum Golden Chickens Deployment via OCX Files

Detects Golden Chickens deployment method as used by Evilnum in report published in July 2020

Suspicious Dosfuscation Character in Commandline

Detects possible payload obfuscation via the commandline

WhoAmI as Parameter

Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)

Powershell Inline Execution From A File

Detects inline execution of PowerShell code from a file

Base64 Encoded PowerShell Command Detected

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

CL_Mutexverifiers.ps1 Proxy Execution

Detects the use of a Microsoft signed script to execute commands

Suspicious X509Enrollment - Process Creation

Detect use of X509Enrollment

Suspicious Regsvr32 HTTP IP Pattern

Detects a certain command line flag combination used by regsvr32 when used to download and register a DLL from a remote address which uses HTTP (not HTTPS) and a IP address and not FQDN

Rundll32 Without Parameters

Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module

Suspicious Ntdll Pipe Redirection

Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection

Raccine Uninstall

Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.

REGISTER_APP.VBS Proxy Execution

Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.

PowerShell Get-Process LSASS

Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity

Raspberry Robin Dot Ending File

Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin

LockerGoga Ransomware

Detects LockerGoga Ransomware command line.

Write Protect For Storage Disabled

Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.

Audio Capture via PowerShell

Detects audio capture via PowerShell Cmdlet.

Potential Suspicious Windows Feature Enabled - ProcCreation

Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Reg Disable Security Service

Detects a suspicious reg.exe invocation that looks as if it would disable an important security service

Serv-U Exploitation CVE-2021-35211 by DEV-0322

Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322

Suspicious Debugger Registration Cmdline

Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).

CrackMapExec Command Execution

Detect various execution methods of the CrackMapExec pentesting framework

DevInit Lolbin Download

Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system

Sticky-Key Backdoor Copy Cmd.exe

By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched.

Suspicious Use of Procdump on LSASS

Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.

Suspicious Rundll32 Activity Invoking Sys File

Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452

ETW Logging Tamper In .NET Processes

Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.

Suspicious WMIC Execution - ProcessCallCreate

Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32"...etc

BlueMashroom DLL Load

Detects a suspicious DLL loading from AppData Local path as described in BlueMashroom report

Mshtml DLL RunHTMLApplication Abuse

Detects suspicious command line using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)

Persistence Via TypedPaths - CommandLine

Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt

UtilityFunctions.ps1 Proxy Dll

Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.

Unidentified Attacker November 2018

A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.

Powershell AMSI Bypass via .NET Reflection

Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning

PowerShell SAM Copy

Detects suspicious PowerShell scripts accessing SAM hives

UAC Bypass Using Event Viewer RecentViews

Detects the pattern of UAC Bypass using Event Viewer RecentViews

Suspicious Office Token Search Via CLI

Detects possible search for office tokens via CLI by looking for the string "eyJ0eX". This string is used as an anchor to look for the start of the JWT token used by office and similar apps.

Change Default File Association To Executable

Detects when a program changes the default file association of any extension to an executable

Conti Backup Database

Detects a command used by conti to dump database

Winnti Pipemon Characteristics

Detects specific process characteristics of Winnti Pipemon malware reported by ESET

Suspicious ZipExec Execution

ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.

NirCmd Tool Execution As LOCAL SYSTEM

Detects the use of NirCmd tool for command execution as SYSTEM user

Invoke-Obfuscation Via Use Clip

Detects Obfuscated Powershell via use Clip.exe in Scripts

PowerShell Base64 Encoded Shellcode

Detects Base64 encoded Shellcode

Ryuk Ransomware

Detects Ryuk ransomware activity

Arbitrary Shell Command Execution Via Settingcontent-Ms

The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.

Base64 Encoded Reflective Assembly Load

Detects base64 encoded .NET reflective loading of Assembly

Suspicious NT Resource Kit Auditpol Usage

Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.

Weak or Abused Passwords In CLI

Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline

Suspicious Encoded Obfuscated LOAD String

Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load

RunXCmd Tool Execution As System

Detects the use of RunXCmd tool for command execution

Base64 Encoded Listing of Shadowcopy

Detects base64 encoded listing Win32_Shadowcopy

MERCURY Command Line Patterns

Detects suspicious command line patterns as seen being used by MERCURY threat actor

DTRACK Process Creation

Detects specific process parameters as seen in DTRACK infections

Suspicious Netsh Discovery Command

Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems

F-Secure C3 Load by Rundll32

F-Secure C3 produces DLLs with a default exported StartNodeRelay function.

Suspicious RunAs-Like Flag Combination

Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools

Stop Or Remove Antivirus Service

Detects usage of 'Stop-Service' or 'Remove-Service' powershell cmdlet to disable AV services. Adversaries may disable security tools to avoid possible detection of their tools and activities by stopping antivirus service

Adwind RAT / JRAT

Detects javaw.exe in AppData folder as used by Adwind / JRAT

Suspicious AdvancedRun Runas Priv User

Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts

ShimCache Flush

Detects actions that clear the local ShimCache and remove forensic evidence

Sliver C2 Implant Activity Pattern

Detects process activity patterns as seen being used by Sliver C2 framework implants

Disabled IE Security Features

Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features

Invoke-Obfuscation RUNDLL LAUNCHER

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Tasks Folder Evasion

The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr

Sofacy Trojan Loader Activity

Detects Trojan loader activity as used by APT28

Suspicious Commandline Escape

Detects suspicious process that use escape characters

Suspicious Rundll32 Invoking Inline VBScript

Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452

Disabled Volume Snapshots

Detects commands that temporarily turn off Volume Snapshots

PowerShell Get-Clipboard Cmdlet Via CLI

Detects usage of the 'Get-Clipboard' cmdlet via CLI

Suspicious Reg Add BitLocker

Detects suspicious addition to BitLocker related registry keys via the reg.exe utility

Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet

Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet

Conti Ransomware Execution

Conti ransomware command line ioc

Snatch Ransomware

Detects specific process characteristics of Snatch ransomware word document droppers

Copy from Volume Shadow Copy

Detects a copy execution that targets a shadow copy (sometimes used to copy registry hives that are in use)

Suspicious VBScript UN2452 Pattern

Detects suspicious inline VBScript keywords as used by UNC2452

Sensitive Registry Access via Volume Shadow Copy

Detects a command that accesses password storing registry hives via volume shadow backups

Abusable Invoke-ATHRemoteFXvGPUDisablementCommand

RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).

Execute From Alternate Data Streams

Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection

Potential Tampering With Security Products Via WMIC

Detects uninstallation or termination of security products using the WMIC utility

Potential Download/Upload Activity Using Type Command

Detects usage of the "type" command to download/upload data from WebDAV server

Invoke-Obfuscation Via Stdin

Detects Obfuscated Powershell via Stdin in Scripts

Wscript Shell Run In CommandLine

Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity

Reg Add RUN Key

Detects suspicious command line reg.exe tool adding key to RUN key in Registry

Disable or Delete Windows Eventlog

Detects command that is used to disable or delete Windows eventlog via logman Windows utility

Java Running with Remote Debugging

Detects a JAVA process running with remote debugging allowing more than just localhost to connect

Monitoring For Persistence Via BITS

BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded

Obfuscated Command Line Using Special Unicode Characters

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

Compress Data and Lock With Password for Exfiltration With 7-ZIP

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

Suspicious DIR Execution

Detects usage of the "dir" command that's part of windows batch/cmd to collect information about directories

Suspicious Diantz Download and Compress Into a CAB File

Download and compress a remote file and store it in a cab file on local machine.

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

Detects Obfuscated Powershell via VAR++ LAUNCHER

Ps.exe Renamed SysInternals Tool

Detects renamed SysInternals tool execution with a binary named ps.exe as used by Dragonfly APT group and documented in TA17-293A report

TropicTrooper Campaign November 2018

Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia

Shadow Copies Access via Symlink

Shadow Copies storage symbolic link creation using operating systems utilities

Suspicious Desktopimgdownldr Command

Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet

Rundll32 JS RunHTMLApplication Pattern

Detects suspicious command line patterns used when rundll32 is used to run JavaScript code

ADCSPwn Hack Tool

Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service

Potential PowerShell Execution Policy Tampering - ProcCreation

Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine

CrackMapExec PowerShell Obfuscation

The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

Copy DMP Files From Share

Detects usage of the copy command to copy files with the .dmp extensions from a remote share

Deletion of Volume Shadow Copies via WMI with PowerShell

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

ScreenConnect Remote Access

Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)

Curl Start Combination

Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.

Suspicious Usage of the Manage-bde.wsf Script

Detects usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script

Potential COM Objects Download Cradles Usage - Process Creation

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

Base64 MZ Header In CommandLine

Detects encoded base64 MZ header in the commandline

Capture a Network Trace with netsh.exe

Detects capture a network trace via netsh.exe trace functionality

Baby Shark Activity

Detects activity that could be related to Baby Shark malware

Suspicious Ping/Del Command Combination

Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example

Change Default File Association

When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

PowerShell Web Download and Execution

Detects suspicious ways to download files or content and execute them using PowerShell Invoke-Expression

Empire PowerShell Launch Parameters

Detects suspicious powershell command line parameters used in Empire

Invoke-Obfuscation STDIN+ Launcher

Detects Obfuscated use of stdin to execute PowerShell

Conti NTDS Exfiltration Command

Detects a command used by conti to exfiltrate NTDS

Covenant Launcher Indicators

Detects suspicious command lines used in Covenant luanchers

UNC2452 PowerShell Pattern

Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports

Launch-VsDevShell.PS1 Proxy Execution

Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.

Detect Virtualbox Driver Installation OR Starting Of VMs

Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.

Suspicious RDP Redirect Using TSCON

Detects a suspicious RDP session redirect using tscon.exe

Rar Usage with Password and Compression Level

Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.

Invoke-Obfuscation VAR+ Launcher

Detects Obfuscated use of Environment Variables to execute PowerShell

Suspicious SYSVOL Domain Group Policy Access

Detects Access to Domain Group Policies stored in SYSVOL

AnyDesk Piped Password Via CLI

Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.

Suspicious PowerShell Mailbox Export to Share

Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations

Compress Data and Lock With Password for Exfiltration With WINZIP

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities

Network Reconnaissance Activity

Detects a set of suspicious network related commands often used in recon stages

File overwritten by cipher tool

The Windows tool cipher can be used to remove data from available unused disk space on the entire volume. Ransomware could use this technique to prevent the victim from using file recovery tools to recover their files.

PowerShell reverse shell one-liner

A PowerShell process with arguments that may indicate a reverse shell execution has been detected.

Shellcode execution via InstallUtil.exe

Suspicious file/code has been executed via InstallUtil.exe. This is a common technique used by malware to install additional malicious components and/or execute Shellcode.

ALPC Task Scheduler Exploit LPE

Microsoft Windows task scheduler contains a local privilege escalation vulnerability in the Advanced Local Procedure Call (ALPC) interface, which can allow an attacker to perform a local privilege escalation.

Behavior DNS cache cleared

The DNS cache has been cleared in the system.

WMIC sending output to clipboard

WMIC command is using /output:clipboard as a way to hide the normal output of process creation that is printed when creating a process with WMIC.

CnC Channel through Nslookup

A Windows process was detected using Nslookup with abnormal flag(s) usually used by malware to communicate with the Command and Control.

WMIC Retrieving Security Configuration

The wmic.exe command was executed to get information from the security configurations. This could be an indication of malicious activity.

Taskkill killing Antivirus process

An attempt to kill an Antivirus process has been detected. This can be the result of a manual command used by an attacker or an automated process as part of malware being deployed in the system.

WSH Injection via PubPrn

An attempt to inject malicious code into a Microsoft signed WSH script has been detected. This can be an attempt to bypass whitelisting restrictions.

AppLocker Bypass

A successful attempt to bypass AppLocker has been detected. This can indicate an attacker is trying to bypass whitelisting technologhies and escalate privileges or/and move laterally in your network.

File Deletion Backup files deleted recursively

An attempt to delete files and folders that migth contain backup data has been detected. This could be an indication of a ransomware infection or an attacker trying to cause damage.

Attempt to stop or delete Windows Defender service

Windows Defender Real-time Protection scanning for malware and other potentially unwanted software has been stopped.

Windows Process Argument contains Base64 Encoded PE Header

A process has been launched with a Base64 encoded argument. Once decoded, the argument corresponds to the PE Header. This can indicate an attacker is trying to bypass any present execution policy.

Cobalt Gang Windows script execution

A known Cobalt Gang script has been executed in the system. This could mean that your computer has been compromised and malicious code is running in your endpoint.

Windows execution using odbcconf tool

The odbcconf tool allows users to configure Open Database Connectivity (ODBC) drivers. The utility can be misused to execute malicious code and evade detection techniques.

Windows INF file launch

The Advanced INF Package Installer (advpack.dll) can use the LaunchINFSection function to invoke a section from .inf files. This could be used by attackers to remotely launch staged SCT files with malicious code.

Windows MavInject DLL Injection

MavInject is a Windows utility that can be used to execute code. Mavinject can be used to inject a DLL into a running process.

Suspicious ACL Change

A suspicious change was detected to an access control list (ACL). In this case, 'Full Access' was granted to 'Everyone' on a file or folder.

Credential Access Tool Detected - LaZagne

LaZagne is a multiplatform tool capable to retrieve user credentials from several system services and applications, such as web browsers.

Indirect command execution using pcalua.exe

An user tried to use a Windows pcalua.exe utility to execute commands in an alternative way (without using cmd.exe or powershell.exe). Attackers may use this technique to avoid invoking the cmd but still execute commands.

Windows UAC Bypass

A User Account Control Bypass activity was detected. This can be due to either regular operation or because an attacker is trying to escalate privileges.

SAM, SECURITY or SYSTEM Registry Hive Export

These hives can be used with a password cracker or creddump to dump the LANMAN/NTLM hashes, view cached credentials, and decrypt LSA secrets. This could be an indication of a ransomware infection or an attacker trying to cause damage.

Suspicious PowerShell Argument

PowerShell was executed with suspicious command line argument. The script is likely attempting to download files from a remote server. This could be an indication of malicious activity.

Windows UAC bypass - UACME tool

User Account Control Bypass activity was detected. This can be due to either a regular operation or because an attacker is trying to escalate privileges.

Ransomware Decryption Instructions File Detected

After a ransomware malware infects a host machine, a file with instructions to recover the encrypted files is created. A file with these characteristics was opened in the system, what is an indicator of ransomware infection.

Windows Autorun Registry Entry Added via reg.exe

An executable was added to the Windows Autorun registry. While this may have occurred due to normal software installation, this is a common technique used by malware to ensure it is started after reboots.

File Deletion Backup Catalog Deletion

If the backup catalog is deleted for a computer, you will not be able to access the backups created of that computer using the Windows Server Backup snap-in. This could be an indication of a ransomware infection or an attacker trying to cause damage.

Wireless Network Password Retrieval

The password of a wireless network was accessed. This could be an indication of malicious activity.

Metasploit MSSQL Command Execution

An attacked gained access to the MSSQL Server database and is executing the Metasploit module mssql_exec.

Internet Explorer executing suspicious wmic command

An attacker can execute code after a successful exploit attack. Internet Explorer is a commonly targeted software in Exploit Kit campaigns.

File Deletion Windows Shadow Copies Deletion via Powershell

An attempt to delete all shadow copies using the Windows Volume Shadow Copy Service (VSS) via Powershell has been detected. This could be an indication of a ransomware infection or an attacker trying to cause damage.