Sigma Rules Reference

222 events across 47 providers with Sigma detection rules, 3700 rule mappings total.

Application-Error (1 event, 2 rules) #

Application - Event ID 1000 - Faulting application name: Faulting_application_name, version: version, time stamp: 0xFaulting_module_name. #

LSASS Process Crashed - Application - Detects Windows error reporting events where the process that crashed is LSASS (Local Security Authority Subsystem Service). This could be the cause of a provoked crash by techniques such as Lsass-Shtinkering to dump credentials.
Microsoft Malware Protection Engine Crash - This rule detects a suspicious crash of the Microsoft Malware Protection Engine

ESENT (4 events, 5 rules) #

Application - Event ID 216 #

Ntdsutil Abuse - Detects potential abuse of ntdsutil to dump ntds.dit database

Application - Event ID 325 #

Also fires on: ESENT EID 216, ESENT EID 326, ESENT EID 327

Ntdsutil Abuse - Detects potential abuse of ntdsutil to dump ntds.dit database
Dump Ntds.dit To Suspicious Location - Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location

Application - Event ID 326 #

Ntdsutil Abuse - Detects potential abuse of ntdsutil to dump ntds.dit database

Application - Event ID 327 #

Ntdsutil Abuse - Detects potential abuse of ntdsutil to dump ntds.dit database

LsaSrv (3 events, 3 rules) #

Operational - Event ID 300 - Groups assigned to a new logon. #

Standard User In High Privileged Group - Detect standard users login that are part of high privileged groups such as the Administrator group

System - Event ID 6038 - Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. #

NTLMv1 Logon Between Client and Server - Detects the reporting of NTLMv1 being used between a client and server. NTLMv1 is insecure as the underlying encryption algorithms can be brute-forced by modern hardware.

System - Event ID 6039 - Microsoft Windows Server has detected that NTLM authentication is being used between clients and this server. #

Microsoft-Windows-AppLocker (4 events, 4 rules) #

EXE and DLL - Event ID 8004 - FilePathBuffer was prevented from running. #

AppLocker Prevented Application or Script from Running - Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

MSI and Script - Event ID 8007 - FilePathBuffer was prevented from running. #

AppLocker Prevented Application or Script from Running - Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Packaged app-Execution - Event ID 8022 - PackageBuffer was prevented from running. #

AppLocker Prevented Application or Script from Running - Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Packaged app-Deployment - Event ID 8025 - PackageBuffer was prevented from running. #

AppLocker Prevented Application or Script from Running - Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Microsoft-Windows-AppModel-Runtime (1 event, 1 rule) #

Admin - Event ID 201 - Created process ProcessID for application ApplicationName in package PackageName. #

Sysinternals Tools AppX Versions Execution - Detects execution of Sysinternals tools via an AppX package. Attackers could install the Sysinternals Suite to get access to tools such as psexec and procdump to avoid detection based on System paths.

Microsoft-Windows-AppXDeployment-Server (9 events, 13 rules) #

Operational - Event ID 400 - Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path finished successfully. #

Also fires on: AppXDeployment-Server EID 401

Potential Malicious AppX Package Installation Attempts - Detects potential installation or installation attempts of known malicious appx packages
Windows AppX Deployment Full Trust Package Installation - Detects the installation of MSIX/AppX packages with full trust privileges which run with elevated privileges outside normal AppX container restrictions

Operational - Event ID 401 - Deployment DeploymentOperation operation with target volume MountPoint on Package PackageFullName from: Path failed with error ErrorCode. #

Also fires on: AppXDeployment-Server EID 400

AppX Package Deployment Failed Due to Signing Requirements - Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
Potential Malicious AppX Package Installation Attempts - Detects potential installation or installation attempts of known malicious appx packages

Operational - Event ID 412 - error ErrorCode: Deployment of package PackageFullName was blocked by AppLocker. #

Deployment AppX Package Was Blocked By AppLocker - Detects an appx package deployment that was blocked by AppLocker policy.

Operational - Event ID 441 - The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy. #

Deployment Of The AppX Package Was Blocked By The Policy - Detects an appx package deployment that was blocked by the local computer policy. The following events indicate that an AppX package deployment was blocked by a policy: - Event ID 441: The package deployment operation is blocked by the "Allow deployment operations in special profiles" policy - Event ID 442: Deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps to non-system volumes" policy." - Event ID 453: Package blocked by a platform policy. - Event ID 454: Package blocked by a platform policy.

Operational - Event ID 442 - Deployment of package PackageFullName to volume MountPoint failed because deployments to non-system volumes are blocked by the "Disable deployment of Windows Store apps... #

Operational - Event ID 453 - Package PackageFullName is blocked by a platform policy: PolicyReason. #

Operational - Event ID 454 - Package PackageFullName is blocked by a platform policy: PolicyReason. #

Operational - Event ID 603 - Started deployment DeploymentOperation operation on a package with main parameter Path and Options Flags and FlagsHigh. #

Windows AppX Deployment Unsigned Package Installation - Detects attempts to install unsigned MSIX/AppX packages using the -AllowUnsigned parameter via AppXDeployment-Server events

Operational - Event ID 854 - Successfully added the following uri(s) to be processed: Path. #

Remote AppX Package Downloaded from File Sharing or CDN Domain - Detects an appx package that was added to the pipeline of the "to be processed" packages which was downloaded from a file sharing or CDN domain.
AppX Located in Known Staging Directory Added to Deployment Pipeline - Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
AppX Located in Uncommon Directory Added to Deployment Pipeline - Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in uncommon locations.

Microsoft-Windows-AppxPackagingOM (1 event, 1 rule) #

Operational - Event ID 157 - The app package signature was validated for core content of the app package published by subjectName. #

Suspicious Digital Signature Of AppX Package - Detects execution of AppX packages with known suspicious or malicious signature

Microsoft-Windows-Audit-CVE (1 event, 1 rule) #

Application - Event ID 1 - Possible detection of CVE: PossibleDetectionOfCVE. #

Audit CVE Event - Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.

Microsoft-Windows-Backup (1 event, 1 rule) #

Application - Event ID 524 - The system catalog has been deleted. #

Backup Catalog Deleted - Detects backup catalog deletions

Microsoft-Windows-Bits-Client (2 events, 7 rules) #

Operational - Event ID 3 - The BITS service created a new job: jobTitle, with owner jobId. #

New BITS Job Created Via Bitsadmin - Detects the creation of a new bits job by Bitsadmin
New BITS Job Created Via PowerShell - Detects the creation of a new bits job by PowerShell

Operational - Event ID 16403 #

BITS Transfer Job Downloading File Potential Suspicious Extension - Detects new BITS transfer job saving local files with potential suspicious extensions
BITS Transfer Job Download From File Sharing Domains - Detects BITS transfer job downloading files from a file sharing domain.
BITS Transfer Job Download From Direct IP - Detects a BITS transfer job downloading file(s) from a direct IP address.
BITS Transfer Job With Uncommon Or Suspicious Remote TLD - Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
BITS Transfer Job Download To Potential Suspicious Folder - Detects new BITS transfer job where the LocalName/Saved file is stored in a potentially suspicious location

Microsoft-Windows-CAPI2 (1 event, 1 rule) #

Operational - Event ID 70 - For more details for this event, please refer to the "Details" section #

Certificate Private Key Acquired - Detects when an application acquires a certificate private key

Microsoft-Windows-CertificateServicesClient-Lifecycle-System (1 event, 1 rule) #

Operational - Event ID 1007 - A certificate has been exported. #

Certificate Exported From Local Certificate Store - Detects when an application exports a certificate (and potentially the private key as well) from the local Windows certificate store.

Microsoft-Windows-CertificationAuthority (1 event, 1 rule) #

Operational - Event ID 53 #

Active Directory Certificate Services Denied Certificate Enrollment Request - Detects denied requests by Active Directory Certificate Services. Example of these requests denial include issues with permissions on the certificate template or invalid signatures.

Microsoft-Windows-CodeIntegrity (14 events, 14 rules) #

Operational - Event ID 3001 - Code Integrity determined an unsigned kernel module FileNameBuffer is loaded into the system. #

CodeIntegrity - Unsigned Kernel Module Loaded - Detects the presence of a loaded unsigned kernel module on the system.

Operational - Event ID 3021 - Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system. #

CodeIntegrity - Revoked Kernel Driver Loaded - Detects the load of a revoked kernel driver

Operational - Event ID 3022 - Code Integrity determined a revoked kernel module FileNameBuffer is loaded into the system. #

CodeIntegrity - Revoked Kernel Driver Loaded - Detects the load of a revoked kernel driver

Operational - Event ID 3023 - The driver FileNameBuffer is blocked from loading as the driver has been revoked by Microsoft. #

CodeIntegrity - Blocked Driver Load With Revoked Certificate - Detects blocked load attempts of revoked drivers

Operational - Event ID 3032 - Code Integrity determined a revoked image FileNameBuffer is loaded into the system. #

CodeIntegrity - Revoked Image Loaded - Detects image load events with revoked certificates by code integrity.

Operational - Event ID 3033 - Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements. #

CodeIntegrity - Unmet Signing Level Requirements By File Under Validation - Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired. This event is best correlated with EID 3089 to determine the error of the validation.

Operational - Event ID 3034 - Code Integrity determined that a process (ProcessNameBuffer) attempted to load FileNameBuffer that did not meet the RequestedPolicy signing level requirements or violated code integrity p... #

Operational - Event ID 3035 - Code Integrity determined a revoked image FileNameBuffer is loaded into the system. #

CodeIntegrity - Revoked Image Loaded - Detects image load events with revoked certificates by code integrity.

Operational - Event ID 3036 - Windows is unable to verify the integrity of the file FileNameBuffer because the signing certificate has been revoked. #

CodeIntegrity - Blocked Image Load With Revoked Certificate - Detects blocked image load events with revoked certificates by code integrity.

Operational - Event ID 3037 - Code Integrity determined an unsigned image FileNameBuffer is loaded into the system. #

CodeIntegrity - Unsigned Image Loaded - Detects loaded unsigned image on the system

Operational - Event ID 3077 - Code Integrity determined that a process (Process Name) attempted to load File Name that did not meet the Requested Signing Level signing level requirements or violated code integrity p... #

CodeIntegrity - Blocked Image/Driver Load For Policy Violation - Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.

Operational - Event ID 3082 - Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system. #

CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module - Detects loaded kernel modules that did not meet the WHQL signing requirements.

Operational - Event ID 3083 - Code Integrity determined kernel module FileNameBuffer that did not meet the WHQL requirements is loaded into the system. #

CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module - Detects loaded kernel modules that did not meet the WHQL signing requirements.

Operational - Event ID 3104 - Windows blocked file FileNameBuffer which has been disallowed for protected processes. #

CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked - Detects block events for files that are disallowed by code integrity for protected processes

Microsoft-Windows-DHCP-Server (4 events, 4 rules) #

Operational - Event ID 1031 - [EVENT_SERVER_CALLOUT_UNHANDLED_EXCEPTION] The installed server callout .dll file has caused an exception. #

DHCP Server Error Failed Loading the CallOut DLL - This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

Operational - Event ID 1032 - [EVENT_SERVER_CALLOUT_LOAD_EXCEPTION] The installed server callout .dll file has caused an exception. The .dll file couldn't be loaded. #

DHCP Server Error Failed Loading the CallOut DLL - This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

Operational - Event ID 1033 - [EVENT_SERVER_CALLOUT_LOAD_SUCCESS] The DHCP service has successfully loaded one or more callout DLLs. #

DHCP Server Loaded the CallOut DLL - This rule detects a DHCP server in which a specified Callout DLL (in registry) was loaded

Operational - Event ID 1034 - [EVENT_SERVER_READ_ONLY_GROUP_ERROR] The DHCP service has failed to load one or more callout DLLs. #

DHCP Server Error Failed Loading the CallOut DLL - This rule detects a DHCP server error in which a specified Callout DLL (in registry) could not be loaded

Microsoft-Windows-Diagnosis-Scripted (1 event, 1 rule) #

Operational - Event ID 101 - The scripted diagnostic engine started initializing a diagnostic package located at PackagePath. #

Loading Diagcab Package From Remote Path - Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability

Microsoft-Windows-DistributedCOM (1 event, 1 rule) #

Operational - Event ID 10001 - Unable to start a DCOM Server: param3 as param4/param5. #

Local Privilege Escalation Indicator TabTip - Detects the invocation of TabTip via CLSID as seen when JuicyPotatoNG is used on a system in brute force mode

Microsoft-Windows-DNS-Client (1 event, 6 rules) #

Operational - Event ID 3008 - DNS query is completed for the name QueryName, type QueryType, query options QueryOptions with status QueryStatus Results QueryResults. #

DNS Query for Anonfiles.com Domain - DNS Client - Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
Suspicious Cobalt Strike DNS Beaconing - DNS Client - Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
DNS Query To MEGA Hosting Website - DNS Client - Detects DNS queries for subdomains related to MEGA sharing website
DNS Query To Put.io - DNS Client - Detects DNS queries for subdomains related to "Put.io" sharing website.
Query Tor Onion Address - DNS Client - Detects DNS resolution of an .onion address related to Tor routing networks
DNS Query To Ufile.io - DNS Client - Detects DNS queries to "ufile.io", which was seen abused by malware and threat actors as a method for data exfiltration

Microsoft-Windows-DNS-Server-Service (4 events, 4 rules) #

DNS Server - Event ID 150 - The DNS server could not load or initialize the plug-in DLL Name. #

DNS Server Error Failed Loading the ServerLevelPluginDLL - Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

DNS Server - Event ID 770 - A DNS server plugin DLL has been loaded from location param1 on server param2. #

DNS Server Error Failed Loading the ServerLevelPluginDLL - Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

DNS Server - Event ID 771 - The V1 plugin interface has been implemented in server level plugin DLL. #

DNS Server Error Failed Loading the ServerLevelPluginDLL - Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded

DNS Server - Event ID 6004 - The DNS server received a zone transfer request from param1 for a non-existent or non-authoritative zone param2. #

Failed DNS Zone Transfer - Detects when a DNS zone transfer failed.

Microsoft-Windows-DriverFrameworks-UserMode (3 events, 3 rules) #

Operational - Event ID 2003 - The UMDF Host Process (UMDFHostDeviceArrivalBegin.LifetimeId) has been asked to load drivers for device UMDFHostDeviceArrivalBegin.InstanceId. #

USB Device Plugged - Detects plugged/unplugged USB devices

Operational - Event ID 2100 - Received a Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) for device UMDFHostDeviceRequest.InstanceId. #

USB Device Plugged - Detects plugged/unplugged USB devices

Operational - Event ID 2102 - Forwarded a finished Pnp or Power operation (UMDFHostDeviceRequest.RequestMajorCode, UMDFHostDeviceRequest.RequestMinorCode) to the lower driver for device UMDFHostDeviceRequest.InstanceId with status UMDFHostDeviceRequest.Status. #

USB Device Plugged - Detects plugged/unplugged USB devices

Microsoft-Windows-Eventlog (1 event, 2 rules) #

System - Event ID 104 - The LogFileCleared.Channel log file was cleared. #

Eventlog Cleared - One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
Important Windows Eventlog Cleared - Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution

Microsoft-Windows-IIS-Configuration (1 event, 4 rules) #

Operational - Event ID 29 #

ETW Logging/Processing Option Disabled On IIS Server - Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
HTTP Logging Disabled On IIS Server - Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
New Module Module Added To IIS Server - Detects the addition of a new module to an IIS server.
Previously Installed IIS Module Was Removed - Detects the removal of a previously installed IIS module.

Microsoft-Windows-Iphlpsvc (1 event, 1 rule) #

System - Event ID 4100 - ISATAP router address IsatapRouter was set with status ErrorCode. #

ISATAP Router Address Was Set - Detects the configuration of a new ISATAP router on a Windows host. While ISATAP is a legitimate Microsoft technology for IPv6 transition, unexpected or unauthorized ISATAP router configurations could indicate a potential IPv6 DNS Takeover attack using tools like mitm6. In such attacks, adversaries advertise themselves as DHCPv6 servers and set malicious ISATAP routers to intercept traffic. This detection should be correlated with network baselines and known legitimate ISATAP deployments in your environment.

Microsoft-Windows-Kernel-General (1 event, 1 rule) #

System - Event ID 16 - The access history in hive HiveName was cleared updating KeysUpdated keys and creating DirtyPages modified pages. #

Critical Hive In Suspicious Location Access Bits Cleared - Detects events from the Kernel-General ETW indicating that the access bits of a hive with a system like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive and the hive has not be recognized since the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.

Microsoft-Windows-LDAP-Client (1 event, 1 rule) #

Debug - Event ID 30 #

Potential Active Directory Reconnaissance/Enumeration Via LDAP - Detects potential Active Directory enumeration via LDAP

Microsoft-Windows-Ntfs (1 event, 1 rule) #

System - Event ID 98 - Volume DriveName (DeviceName) CorruptionActionState. #

Volume Shadow Copy Mount - Detects volume shadow copy mount via Windows event log

Microsoft-Windows-NTLM (2 events, 2 rules) #

Operational - Event ID 8001 - NTLM client blocked audit: Audit outgoing NTLM authentication traffic that would be blocked. #

Potential Remote Desktop Connection to Non-Domain Host - Detects logons using NTLM to hosts that are potentially not part of the domain.

Operational - Event ID 8002 - NTLM server blocked audit: Audit Incoming NTLM Traffic that would be blocked. #

NTLM Logon - Detects logons using NTLM, which could be caused by a legacy source or attackers

Microsoft-Windows-PowerShell (2 events, 193 rules) #

Operational - Event ID 4103 - Payload Context: ContextInfo User Data: UserData. #

Potential Active Directory Enumeration Using AD Module - PsModule - Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Alternate PowerShell Hosts - PowerShell Module - Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
Bad Opsec Powershell Code Artifacts - focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
Clear PowerShell History - PowerShell Module - Detects keywords that could indicate clearing PowerShell history
PowerShell Decompress Commands - A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
Malicious PowerShell Scripts - PoshModule - Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
Suspicious Get-ADDBAccount Usage - Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
PowerShell Get Clipboard - A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
HackTool - Evil-WinRm Execution - PowerShell Module - Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module - Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module - Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module - Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShell Module - Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module - Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module - Detects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - PowerShell Module - Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - PowerShell Module - Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - PowerShell Module - Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module - Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module - Detects Obfuscated Powershell via VAR++ LAUNCHER
Malicious PowerShell Commandlets - PoshModule - Detects Commandlet names from well-known PowerShell exploitation frameworks
Remote PowerShell Session (PS Module) - Detects remote PowerShell sessions
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module - Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
AD Groups Or Users Enumeration Using PowerShell - PoshModule - Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Suspicious PowerShell Download - PoshModule - Detects suspicious PowerShell download command
Use Get-NetTCPConnection - PowerShell Module - Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Suspicious PowerShell Invocations - Generic - PowerShell Module - Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific - PowerShell Module - Detects suspicious PowerShell invocation command parameters
Suspicious Get Local Groups Information - Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
Suspicious Computer Machine Password by PowerShell - The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.
Suspicious Get Information for SMB Share - PowerShell Module - Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module - Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.

Operational - Event ID 4104 - Creating Scriptblock text (MessageNumber of MessageTotal). 160 rules#

Show 160 rules

AADInternals PowerShell Cmdlets Execution - PsScript - Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Access to Browser Login Data - Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Potential Active Directory Enumeration Using AD Module - PsScript - Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Powershell Add Name Resolution Policy Table Rule - Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
Add Windows Capability Via PowerShell Script - Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
PowerShell ADRecon Execution - Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
AMSI Bypass Pattern Assembly GetType - Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
Potential AMSI Bypass Script Using NULL Bits - Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Silence.EDA Detection - Detects Silence EmpireDNSAgent as described in the Group-IP report
Get-ADUser Enumeration Using UserAccountControl Flags - Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
Potential Data Exfiltration Via Audio File - Detects potential exfiltration attempt via audio file using PowerShell
Automated Collection Command PowerShell - Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Windows Screen Capture with CopyFromScreen - Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
Clear PowerShell History - PowerShell - Detects keywords that could indicate clearing PowerShell history
Clearing Windows Console History - Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
Powershell Create Scheduled Task - Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell - Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Powershell Install a DLL in System Directory - Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
Registry-Free Process Scope COR_PROFILER - Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)
PowerShell Create Local User - Detects creation of a local user via PowerShell
Create Volume Shadow Copy with Powershell - Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
Powershell Detect Virtualization Environment - Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
DirectorySearcher Powershell Exploitation - Enumerates Active Directory to determine computers that are joined to the domain
Manipulation of User Computer or Group Security Principals Across AD - Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
Disable Powershell Command History - Detects scripts or commands that disabled the Powershell command history by removing psreadline module
Disable-WindowsOptionalFeature Command PowerShell - Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Potential In-Memory Execution Using Reflection.Assembly - Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
Potential COM Objects Download Cradles Usage - PS Script - Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock - Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Dump Credentials from Windows Credential Manager With PowerShell - Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Enable Windows Remote Management - Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Potential Suspicious Windows Feature Enabled - Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Enumerate Credentials from Windows Credential Manager With PowerShell - Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Disable of ETW Trace - Powershell - Detects usage of powershell cmdlets to disable or remove ETW trace sessions
Certificate Exported Via PowerShell - ScriptBlock - Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Suspicious FromBase64String Usage On Gzip Archive - Ps Script - Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
Service Registry Permissions Weakness Check - Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Active Directory Computers Enumeration With Get-AdComputer - Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
Active Directory Group Enumeration With Get-AdGroup - Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
Suspicious Get-ADReplAccount - The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Automated Collection Bookmarks Using Get-ChildItem PowerShell - Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Security Software Discovery Via Powershell Script - Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus
HackTool - Rubeus Execution - ScriptBlock - Detects the execution of the hacktool Rubeus using specific command line flags
HackTool - WinPwn Execution - ScriptBlock - Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
PowerShell Hotfix Enumeration - Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
PowerShell ICMP Exfiltration - Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
Import PowerShell Modules From Suspicious Directories - Detects powershell scripts that import modules from suspicious directories
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript - Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Execute Invoke-command on Remote Host - Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Powershell DNSExfiltration - DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel
Invoke-Obfuscation CLIP+ Launcher - PowerShell - Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell - Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
Invoke-Obfuscation STDIN+ Launcher - Powershell - Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShell - Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell - Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell - Detects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - Powershell - Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - Powershell - Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - PowerShell - Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - PowerShell - Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell - Detects Obfuscated Powershell via VAR++ LAUNCHER
Powershell Keylogging - Adversaries may log user keystrokes to intercept credentials as the user types them.
Powershell LocalAccount Manipulation - Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
Suspicious PowerShell Mailbox Export to Share - PS - Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
Malicious PowerShell Commandlets - ScriptBlock - Detects Commandlet names from well-known PowerShell exploitation frameworks
Malicious PowerShell Keywords - Detects keywords from well-known PowerShell exploitation frameworks
Live Memory Dump Using Powershell - Detects usage of a PowerShell command to dump the live memory of a Windows machine
Modify Group Policy Settings - ScriptBlockLogging - Detect malicious GPO modifications can be used to implement many other malicious behaviors.
Powershell MsXml COM Object - Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
Malicious Nishang PowerShell Commandlets - Detects Commandlet names and arguments from the Nishang exploitation framework
NTFS Alternate Data Stream - Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
Code Executed Via Office Add-in XLL File - Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock - Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
Potential Invoke-Mimikatz PowerShell Script - Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock - Detects the use of the "Get-ADComputer" cmdlet in order to identify systems which are configured for unconstrained delegation.
PowerShell Web Access Installation - PsScript - Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
PowerView PowerShell Cmdlets - ScriptBlock - Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
PowerShell Credential Prompt - Detects PowerShell calling a credential prompt
PSAsyncShell - Asynchronous TCP Reverse Shell - Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
PowerShell PSAttack - Detects the use of PSAttack PowerShell hack tool
PowerShell Remote Session Creation - Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock - Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock - Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets. This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
PowerShell Script With File Hostname Resolving Capabilities - Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.
Root Certificate Installed - PowerShell - Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Suspicious Invoke-Item From Mount-DiskImage - Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
PowerShell Script With File Upload Capabilities - Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
Powershell Sensitive File Discovery - Detect adversaries enumerate sensitive files
PowerShell Script Change Permission Via Set-Acl - PsScript - Detects PowerShell scripts set ACL to of a file or a folder
PowerShell Set-Acl On Windows Folder - PsScript - Detects PowerShell scripts to set the ACL to a file in the Windows folder
Change PowerShell Policies to an Insecure Level - PowerShell - Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
PowerShell ShellCode - Detects Base64 encoded Shellcode
Malicious ShellIntel PowerShell Commandlets - Detects Commandlet names from ShellIntel exploitation scripts.
Detected Windows Software Discovery - PowerShell - Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
Powershell Store File In Alternate Data Stream - Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
Potential Persistence Via Security Descriptors - ScriptBlock - Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock - Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Potential PowerShell Obfuscation Using Character Join - Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
Suspicious Eventlog Clear - Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
Powershell Directory Enumeration - Detects technique used by MAZE ransomware to enumerate directories using Powershell
Suspicious PowerShell Download - Powershell Script - Detects suspicious PowerShell download command
Powershell Execute Batch Script - Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
Extracting Information with PowerShell - Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Troubleshooting Pack Cmdlet Execution - Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy - Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.
Suspicious PowerShell Get Current User - Detects the use of PowerShell to identify the current logged user.
Suspicious GPO Discovery With Get-GPO - Detect use of Get-GPO to get one GPO or all the GPOs in a domain.
Suspicious Process Discovery With Get-Process - Get the processes that are running on the local computer.
PowerShell Get-Process LSASS in ScriptBlock - Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
Suspicious GetTypeFromCLSID ShellExecute - Detects suspicious Powershell code that execute COM Objects
Suspicious Hyper-V Cmdlets - Adversaries may carry out malicious operations using a virtual instance to avoid detection
Suspicious PowerShell Invocations - Generic - Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific - Detects suspicious PowerShell invocation command parameters
Change User Agents with WebRequest - Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Suspicious IO.FileStream - Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
Potential Keylogger Activity - Detects PowerShell scripts that contains reference to keystroke capturing functions
Potential Suspicious PowerShell Keywords - Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
Suspicious Get Local Groups Information - PowerShell - Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
Powershell Local Email Collection - Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
Suspicious Mount-DiskImage - Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
PowerShell Deleted Mounted Share - Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
Suspicious Connection to Remote Account - Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
Suspicious New-PSDrive to Admin Share - Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
Suspicious TCP Tunnel Via PowerShell Script - Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity
Recon Information for Export with PowerShell - Once established within a system or network, an adversary may use automated techniques for collecting internal data
Remove Account From Domain Admin Group - Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS - Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Potential PowerShell Obfuscation Using Alias Cmdlets - Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
Suspicious Get Information for SMB Share - Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Suspicious SSL Connection - Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
Suspicious Start-Process PassThru - Powershell use PassThru option to start in background
Suspicious Unblock-File - Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
Replace Desktop Wallpaper by Powershell - An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
Powershell Suspicious Win32_PnPEntity - Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script - Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Suspicious PowerShell WindowStyle Option - Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
PowerShell Write-EventLog Usage - Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use
Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
SyncAppvPublishingServer Execution to Bypass Powershell Restriction - Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging - Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
Tamper Windows Defender - ScriptBlockLogging - Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Testing Usage of Uncommonly Used Port - Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
Powershell Timestomp - Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell - Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
Potential Persistence Via PowerShell User Profile Using Add-Content - Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
Abuse of Service Permissions to Hide Services Via Set-Service - PS - Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Registry Modification Attempt Via VBScript - PowerShell - Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods embedded within PowerShell scripts or commands. Threat actors commonly embed VBScript code within PowerShell to perform registry modifications, attempting to evade detection that monitors for direct registry access through traditional tools. This technique can be used for persistence, defense evasion, and privilege escalation by modifying registry keys without using regedit.exe, reg.exe, or PowerShell's native registry cmdlets.
Veeam Backup Servers Credential Dumping Script Execution - Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
Usage Of Web Request Commands And Cmdlets - ScriptBlock - Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript - Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
PowerShell WMI Win32_Product Install MSI - Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class
Potential WinAPI Calls Via PowerShell Scripts - Detects use of WinAPI functions in PowerShell scripts
Windows Defender Exclusions Added - PowerShell - Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions
Windows Firewall Profile Disabled - Detects when a user disables the Windows Firewall via a Profile to help evade defense.
Winlogon Helper DLL - Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
Powershell WMI Persistence - Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
WMIC Unquoted Services Path Lookup - PowerShell - Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts
WMImplant Hack Tool - Detects parameters used by WMImplant
Suspicious X509Enrollment - Ps Script - Detect use of X509Enrollment
Powershell XML Execute Command - Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

Microsoft-Windows-Security-Auditing (63 events, 1346 rules) #

Security - Event ID 4611 - A trusted logon process has been registered with the Local Security Authority. #

Security - Event ID 4616 - The system time was changed. #

Unauthorized System Time Modification - Detect scenarios where a potentially unauthorized application or user is modifying the system time.

Security - Event ID 4624 - An account was successfully logged on. #

Also fires on: Security-Auditing EID 4625, Security-Auditing EID 4776

Potential Access Token Abuse - Detects potential token impersonation and theft. Example, when using "DuplicateToken(Ex)" and "ImpersonateLoggedOnUser" with the "LOGON32_LOGON_NEW_CREDENTIALS flag".
Admin User Remote Logon - Detect remote login by Administrator user (depending on internal pattern).
DiagTrackEoP Default Login Username - Detects the default "UserName" used by the DiagTrackEoP POC
Successful Overpass the Hash Attempt - Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
Pass the Hash Activity 2 - Detects the attack technique pass the hash which is used to move laterally inside the network
RDP Login from Localhost - RDP login with localhost source address may be a tunnelled login
External Remote RDP Logon from Public IP - Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.
External Remote SMB Logon from Public IP - Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.
Outgoing Logon with New Credentials - Detects logon events that specify new credentials
Potential Privilege Escalation via Local Kerberos Relay over LDAP - Detects a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a domain joined limited user to local System privileges.
RottenPotato Like Attack Pattern - Detects logon events that have characteristics of events generated during an attack with RottenPotato and the like
Successful Account Login Via WMI - Detects successful logon attempts performed with WMI
Hacktool Ruler - This events that are generated when using the hacktool Ruler by Sensepost
Metasploit SMB Authentication - Alerts on Metasploit host's authentications on the domain.

Security - Event ID 4625 - An account failed to log on. #

Failed Logon From Public IP - Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
Hacktool Ruler - This events that are generated when using the hacktool Ruler by Sensepost↳ also fires on: Security-Auditing EID 4624, Security-Auditing EID 4776
Metasploit SMB Authentication - Alerts on Metasploit host's authentications on the domain.↳ also fires on: Security-Auditing EID 4624, Security-Auditing EID 4776
Account Tampering - Suspicious Failed Logon Reasons - This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.↳ also fires on: Security-Auditing EID 4776

Security - Event ID 4634 - An account was logged off. #

User Logoff Event - Detects a user log-off activity. Could be used for example to correlate information during forensic investigations

Security - Event ID 4647 - User initiated logoff. #

User Logoff Event - Detects a user log-off activity. Could be used for example to correlate information during forensic investigations

Security - Event ID 4648 - A logon was attempted using explicit credentials. #

Suspicious Remote Logon with Explicit Credentials - Detects suspicious processes logging on with explicit credentials

Security - Event ID 4649 - A replay attack was detected. #

Replay Attack Detected - Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

Security - Event ID 4656 - A handle to an object was requested. #

Azure AD Health Monitoring Agent Registry Keys Access - This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.↳ also fires on: Security-Auditing EID 4663
Azure AD Health Service Agents Registry Keys Access - This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.↳ also fires on: Security-Auditing EID 4663
Processes Accessing the Microphone and Webcam - Potential adversaries accessing the microphone and webcam in an endpoint.↳ also fires on: Security-Auditing EID 4657, Security-Auditing EID 4663
LSASS Access From Non System Account - Detects potential mimikatz-like tools accessing LSASS from non system account↳ also fires on: Security-Auditing EID 4663
WCE wceaux.dll Access - Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host↳ also fires on: Security-Auditing EID 4663
SAM Registry Hive Handle Request - Detects handles requested to SAM registry hive
SCM Database Handle Failure - Detects non-system users failing to get a handle of the SCM database.
Potential Secure Deletion with SDelete - Detects files that have extensions commonly seen while SDelete is used to wipe files.↳ also fires on: Security-Auditing EID 4658, Security-Auditing EID 4663
Password Dumper Activity on LSASS - Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN
Potentially Suspicious AccessMask Requested From LSASS - Detects process handle on LSASS process with certain access mask↳ also fires on: Security-Auditing EID 4663
SysKey Registry Keys Access - Detects handle requests and access operations to specific registry keys to calculate the SysKey↳ also fires on: Security-Auditing EID 4663
Windows Defender Exclusion Registry Key - Write Access Requested - Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.↳ also fires on: Security-Auditing EID 4663

Security - Event ID 4657 - A registry value was modified. #

Processes Accessing the Microphone and Webcam - Potential adversaries accessing the microphone and webcam in an endpoint.↳ also fires on: Security-Auditing EID 4656, Security-Auditing EID 4663
ETW Logging Disabled In .NET Processes - Registry - Potential adversaries stopping ETW providers recording loaded .NET assemblies.
NetNTLM Downgrade Attack - Detects NetNTLM downgrade attack
Sysmon Channel Reference Deletion - Potential threat actor tampering with Sysmon manifest and eventually disabling it↳ also fires on: Security-Auditing EID 4663
Windows Defender Exclusion List Modified - Detects modifications to the Windows Defender exclusion registry key. This could indicate a potentially suspicious or even malicious activity by an attacker trying to add a new exclusion in order to bypass security.

Security - Event ID 4658 - The handle to an object was closed. #

Potential Secure Deletion with SDelete - Detects files that have extensions commonly seen while SDelete is used to wipe files.

Security - Event ID 4661 - A handle to an object was requested. #

AD Privileged Users or Groups Reconnaissance - Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
Password Policy Enumerated - Detects when the password policy is enumerated.
Reconnaissance Activity - Detects activity as "net user administrator /domain" and "net group domain admins /domain"

Security - Event ID 4662 - An operation was performed on an object. #

Also fires on: Security-Auditing EID 5136, Security-Auditing EID 5137

AD Object WriteDAC Access - Detects WRITE_DAC access to a domain object
Active Directory Replication from Non Machine Account - Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
Potential AD User Enumeration From Non-Machine Account - Detects read access to a domain user from a non-machine account
Mimikatz DC Sync - Detects Mimikatz DC sync security events
DPAPI Domain Backup Key Extraction - Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation - Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,. where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.
WMI Persistence - Security - Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs.

Security - Event ID 4663 - An attempt was made to access an object. #

Azure AD Health Monitoring Agent Registry Keys Access - This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.↳ also fires on: Security-Auditing EID 4656
Azure AD Health Service Agents Registry Keys Access - This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS). Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation). This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent. Make sure you set the SACL to propagate to its sub-keys.↳ also fires on: Security-Auditing EID 4656
Processes Accessing the Microphone and Webcam - Potential adversaries accessing the microphone and webcam in an endpoint.↳ also fires on: Security-Auditing EID 4656, Security-Auditing EID 4657
ISO Image Mounted - Detects the mount of an ISO image on an endpoint
LSASS Access From Non System Account - Detects potential mimikatz-like tools accessing LSASS from non system account↳ also fires on: Security-Auditing EID 4656
WCE wceaux.dll Access - Detects wceaux.dll access while WCE pass-the-hash remote command execution on source host↳ also fires on: Security-Auditing EID 4656
Service Registry Key Read Access Request - Detects "read access" requests on the services registry key. Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts.
Potential Secure Deletion with SDelete - Detects files that have extensions commonly seen while SDelete is used to wipe files.↳ also fires on: Security-Auditing EID 4656, Security-Auditing EID 4658
File Access Of Signal Desktop Sensitive Data - Detects access to Signal Desktop's sensitive data files: db.sqlite and config.json. The db.sqlite file in Signal Desktop stores all locally saved messages in an encrypted SQLite database, while the config.json contains the decryption key needed to access that data. Since the key is stored in plain text, a threat actor who gains access to both files can decrypt and read sensitive messages without needing the users credentials. Currently the rule only covers the default Signal installation path in AppData\Roaming. Signal Portable installations may use different paths based on user configuration. Additional paths can be added to the selection as needed.
Potentially Suspicious AccessMask Requested From LSASS - Detects process handle on LSASS process with certain access mask↳ also fires on: Security-Auditing EID 4656
SysKey Registry Keys Access - Detects handle requests and access operations to specific registry keys to calculate the SysKey↳ also fires on: Security-Auditing EID 4656
Sysmon Channel Reference Deletion - Potential threat actor tampering with Sysmon manifest and eventually disabling it↳ also fires on: Security-Auditing EID 4657
Suspicious Teams Application Related ObjectAcess Event - Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
Windows Defender Exclusion Registry Key - Write Access Requested - Detects write access requests to the Windows Defender exclusions registry keys. This could be an indication of an attacker trying to request a handle or access the object to write new exclusions in order to bypass security.↳ also fires on: Security-Auditing EID 4656

Security - Event ID 4673 - A privileged service was called. #

User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' - The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
Potential Privileged System Service Operation - SeLoadDriverPrivilege - Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers. This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.

Security - Event ID 4674 - An operation was attempted on a privileged object. #

SCM Database Privileged Operation - Detects non-system users performing privileged operation os the SCM database

Security - Event ID 4688 - A new process has been created. 1167 rules#

Also fires on: Sysmon EID 1

Show 1167 rules

7Zip Compressing Dump Files - Detects execution of 7z in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Compress Data and Lock With Password for Exfiltration With 7-ZIP - An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Potential DLL Injection Via AccCheckConsole - Detects the execution "AccCheckConsole" a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run are called "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass it via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
Suspicious AddinUtil.EXE CommandLine Execution - Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
Uncommon Child Process Of AddinUtil.EXE - Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
Uncommon AddinUtil.EXE CommandLine Execution - Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
AddinUtil.EXE Execution From Uncommon Directory - Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
Potential Adplus.EXE Abuse - Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
AgentExecutor PowerShell Execution - Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
Suspicious AgentExecutor PowerShell Execution - Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th positional argument
Windows AMSI Related Registry Tampering Via CommandLine - Detects tampering of AMSI (Anti-Malware Scan Interface) related registry values via command line tools such as reg.exe or PowerShell. AMSI provides a generic interface for applications and services to integrate with antimalware products. Adversaries may disable AMSI to evade detection of malicious scripts and code execution.
Uncommon Child Process Of Appvlp.EXE - Detects uncommon child processes of Appvlp.EXE Appvlp or the Application Virtualization Utility is included with Microsoft Office. Attackers are able to abuse "AppVLP" to execute shell commands. Normally, this binary is used for Application Virtualization, but it can also be abused to circumvent the ASR file path rule folder or to mark a file as a system file.
Suspicious ArcSOC.exe Child Process - Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding service endpoint and remotely execute code from the ArcSOC.exe process.
AspNetCompiler Execution - Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
Suspicious Child Process of AspNetCompiler - Detects potentially suspicious child processes of "aspnet_compiler.exe".
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler - Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
Interactive AT Job - Detects an interactive AT job, which may be used as a form of privilege escalation.
Uncommon Assistive Technology Applications Execution Via AtBroker.EXE - Detects the start of a non built-in assistive technology applications via "Atbroker.EXE".
Hiding Files with Attrib.exe - Detects usage of attrib.exe to hide files from users.
Set Suspicious Files as System Files Using Attrib.EXE - Detects the usage of attrib with the "+s" option to set scripts or executables located in suspicious locations as system files to hide them from users and make them unable to be deleted with simple rights. The rule limits the search to specific extensions and directories to avoid FPs
Audit Policy Tampering Via NT Resource Kit Auditpol - Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Audit Policy Tampering Via Auditpol - Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Suspicious Autorun Registry Modified via WMI - Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
Suspicious BitLocker Access Agent Update Utility Execution - Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
Indirect Inline Command Execution Via Bash.EXE - Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Indirect Command Execution From Script File Via Bash.EXE - Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Boot Configuration Tampering Via Bcdedit.EXE - Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often times used by malware or attackers as a destructive way before launching ransomware.
Potential Ransomware or Unauthorized MBR Tampering Via Bcdedit.EXE - Detects potential malicious and unauthorized usage of bcdedit.exe
Data Export From MSSQL Table Via BCP.EXE - Detects the execution of the BCP utility in order to export data from the database. Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
Suspicious Child Process Of BgInfo.EXE - Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Uncommon Child Process Of BgInfo.EXE - Detects uncommon child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
BitLockerTogo.EXE Execution - Detects the execution of "BitLockerToGo.EXE". BitLocker To Go is BitLocker Drive Encryption on removable data drives. This feature includes the encryption of, USB flash drives, SD cards, External hard disk drives, Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. This is a rarely used application and usage of it at all is worth investigating. Malware such as Lumma stealer has been seen using this process as a target for process hollowing.
File Download Via Bitsadmin - Detects usage of bitsadmin downloading a file
Suspicious Download From Direct IP Via Bitsadmin - Detects usage of bitsadmin downloading a file using an URL that contains an IP
Suspicious Download From File-Sharing Website Via Bitsadmin - Detects usage of bitsadmin downloading a file from a suspicious domain
File With Suspicious Extension Downloaded Via Bitsadmin - Detects usage of bitsadmin downloading a file with a suspicious extension
File Download Via Bitsadmin To A Suspicious Target Folder - Detects usage of bitsadmin downloading a file to a suspicious target folder
Monitoring For Persistence Via BITS - BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded.
Potential Data Stealing Via Chromium Headless Debugging - Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
Browser Execution In Headless Mode - Detects execution of Chromium based browser in headless mode
File Download with Headless Browser - Detects execution of chromium based browser in headless mode using the "dump-dom" command line to download files
Chromium Browser Instance Executed With Custom Extension - Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
Chromium Browser Headless Execution To Mockbin Like Site - Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
Suspicious Chromium Browser Instance Executed With Custom Extension - Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
File Download From Browser Process Via Inline URL - Detects execution of a browser process with a URL argument pointing to a file with a potentially interesting extension. This can be abused to download arbitrary files or to hide from the user for example by launching the browser in a minimized state.
Browser Started with Remote Debugging - Detects browsers starting with the remote debugging flags. Which is a technique often used to perform browser injection attacks
Tor Client/Browser Execution - Detects the use of Tor or Tor-Browser to connect to onion routing networks
Suspicious Calculator Usage - Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
Potential Binary Proxy Execution Via Cdb.EXE - Detects usage of "cdb.exe" to launch arbitrary processes or commands from a debugger script file
New Root Certificate Installed Via CertMgr.EXE - Detects execution of "certmgr" with the "add" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
File Download via CertOC.EXE - Detects when a user downloads a file by using CertOC.exe
File Download From IP Based URL Via CertOC.EXE - Detects when a user downloads a file from an IP based URL using CertOC.exe
DLL Loaded via CertOC.EXE - Detects when a user installs certificates by using CertOC.exe to loads the target DLL file.
Suspicious DLL Loaded via CertOC.EXE - Detects when a user installs certificates by using CertOC.exe to load the target DLL file.
Suspicious CertReq Command to Download - Detects a suspicious CertReq execution downloading a file. This behavior is often used by attackers to download additional payloads or configuration files. Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
New Root Certificate Installed Via Certutil.EXE - Detects execution of "certutil" with the "addstore" flag in order to install a new certificate on the system. Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
File Decoded From Base64/Hex Via Certutil.EXE - Detects the execution of certutil with either the "decode" or "decodehex" flags to decode base64 or hex encoded files. This can be abused by attackers to decode an encoded payload before execution
Suspicious Download Via Certutil.EXE - Detects the execution of certutil with certain flags that allow the utility to download files.
Suspicious File Downloaded From Direct IP Via Certutil.EXE - Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
File Encoded To Base64 Via Certutil.EXE - Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
Suspicious File Encoded To Base64 Via Certutil.EXE - Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
File In Suspicious Location Encoded To Base64 Via Certutil.EXE - Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
Certificate Exported Via Certutil.EXE - Detects the execution of the certutil with the "exportPFX" flag which allows the utility to export certificates.
Potential NTLM Coercion Via Certutil.EXE - Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
Console CodePage Lookup Via CHCP - Detects use of chcp to look up the system locale value as part of host discovery
Suspicious CodePage Switch Via CHCP - Detects a code page switch in command line or batch scripts to a rare language
Deleted Data Overwritten Via Cipher.EXE - Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk. Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
Process Access via TrolleyExpress Exclusion - Detects a possible process memory dump that uses the white-listed Citrix TrolleyExpress.exe filename as a way to dump the lsass process memory
Data Copied To Clipboard Via Clip.EXE - Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Cloudflared Portable Execution - Detects the execution of the "cloudflared" binary from a non standard location.
Cloudflared Quick Tunnel Execution - Detects creation of an ad-hoc Cloudflare Quick Tunnel, which can be used to tunnel local services such as HTTP, RDP, SSH and SMB. The free TryCloudflare Quick Tunnel will generate a random subdomain on trycloudflare[.]com, following a call to api[.]trycloudflare[.]com. The tool has been observed in use by threat groups including Akira ransomware.
Cloudflared Tunnel Connections Cleanup - Detects execution of the "cloudflared" tool with the tunnel "cleanup" flag in order to cleanup tunnel connections.
Cloudflared Tunnel Execution - Detects execution of the "cloudflared" tool to connect back to a tunnel. This was seen used by threat actors to maintain persistence and remote access to compromised networks.
Change Default File Association Via Assoc - Detects file association changes using the builtin "assoc" command. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Change Default File Association To Executable Via Assoc - Detects when a program changes the default file association of any extension to an executable. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE - Detects usage of the copy builtin cmd command to copy files with the ".dmp"/".dump" extension from a remote share
Curl Download And Execute Combination - Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
File Deletion Via Del - Detects execution of the builtin "del"/"erase" commands in order to delete files. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Greedy File Deletion Using Del - Detects execution of the "del" builtin command to remove files using greedy/wildcard expression. This is often used by malware to delete content of folders that perhaps contains the initial malware infection or to delete evidence.
File And SubFolder Enumeration Via Dir Command - Detects usage of the "dir" command part of Windows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
Potential Dosfuscation Activity - Detects possible payload obfuscation via the commandline
Command Line Execution with Suspicious URL and AppData Strings - Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)
Cmd Launched with Hidden Start Flags to Suspicious Targets - Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags. To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
Potential Privilege Escalation Using Symlink Between Osk and Cmd - Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in.
VolumeShadowCopy Symlink Creation Via Mklink - Shadow Copies storage symbolic link creation using operating systems utilities
Suspicious File Execution From Internet Hosted WebDav Share - Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
Cmd.EXE Missing Space Characters Execution Anomaly - Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation of a fat finger problem (typo by the developer).
NtdllPipe Like Activity Execution - Detects command that type the content of ntdll.dll to a different file or a pipe in order to evade AV / EDR detection. As seen being used in the POC NtdllPipe
Potential CommandLine Path Traversal Via Cmd.EXE - Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
Potentially Suspicious Ping/Copy Command Combination - Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
Suspicious Ping/Del Command Combination - Detects a method often used by ransomware. Which combines the "ping" to wait a couple of seconds and then "del" to delete the file in question. Its used to hide the file responsible for the initial infection for example
Potentially Suspicious CMD Shell Output Redirect - Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Directory Removal Via Rmdir - Detects execution of the builtin "rmdir" command in order to delete directories. Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Copy From VolumeShadowCopy Via Cmd.EXE - Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use)
Read Contents From Stdin Via Cmd.EXE - Detect the use of "<" to read and potentially execute a file via cmd.exe
Sticky Key Like Backdoor Execution - Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Persistence Via Sticky Key Backdoor - By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched.
Potential Download/Upload Activity Using Type Command - Detects usage of the "type" command to download/upload data from WebDAV server
Unusual Parent Process For Cmd.EXE - Detects suspicious parent process for cmd.exe
New Generic Credentials Added Via Cmdkey.EXE - Detects usage of "cmdkey.exe" to add generic credentials. As an example, this can be used before connecting to an RDP session via command line interface.
Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE - Detects usage of cmdkey to look for cached credentials on the system
Potential Arbitrary File Download Via Cmdl32.EXE - Detects execution of Cmdl32 with the "/vpn" and "/lan" flags. Attackers can abuse this utility in order to download arbitrary files via a configuration file. Inspect the location and the content of the file passed as an argument in order to determine if it is suspicious.
CMSTP Execution Process Creation - Detects various indicators of Microsoft Connection Manager Profile Installer execution
OpenEDR Spawning Command Shell - Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool. Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
Arbitrary File Download Via ConfigSecurityPolicy.EXE - Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.
Powershell Executed From Headless ConHost Process - Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.
Suspicious High IntegrityLevel Conhost Legacy Option - ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
Conhost.exe CommandLine Path Traversal - detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
Uncommon Child Process Of Conhost.EXE - Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
Potentially Suspicious Child Processes Spawned by ConHost - Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
Conhost Spawned By Uncommon Parent Process - Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
Control Panel Items - Detects the malicious use of a control panel item
CreateDump Process Dump - Detects uses of the createdump.exe LOLOBIN utility to dump process memory
Windows Credential Guard Registry Tampering Via CommandLine - Detects attempts to add, modify, or delete Windows Credential Guard related registry keys or values via command line tools such as Reg.exe or PowerShell. Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Adversaries may disable Credential Guard to gain access to sensitive credentials stored in the system, such as NTLM hashes and Kerberos tickets, which can be used for lateral movement and privilege escalation. The rule matches suspicious command lines that target DeviceGuard or LSA registry paths and manipulate keys like EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, or LsaCfgFlags. Such activity may indicate an attempt to disable or tamper with Credential Guard, potentially exposing sensitive credentials for misuse.
Dynamic .NET Compilation Via Csc.EXE - Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
Csc.EXE Execution Form Potentially Suspicious Parent - Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
Suspicious Csi.exe Usage - Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe'
Suspicious Use of CSharp Interactive Console - Detects the execution of CSharp interactive console by PowerShell
Active Directory Structure Export Via Csvde.EXE - Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
Potential Cookies Session Hijacking - Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
Curl Web Request With Potential Custom User-Agent - Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
File Download From IP URL Via Curl.EXE - Detects file downloads directly from IP address URL using curl.exe
Suspicious File Download From IP Via Curl.EXE - Detects potentially suspicious file downloads directly from IP addresses using curl.exe
Suspicious File Download From File Sharing Domain Via Curl.EXE - Detects potentially suspicious file download from file sharing domains using curl.exe
Insecure Transfer Via Curl.EXE - Detects execution of "curl.exe" with the "--insecure" flag.
Insecure Proxy/DOH Transfer Via Curl.EXE - Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
Local File Read Using Curl.EXE - Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
Suspicious Curl.EXE Download - Detects a suspicious curl process start on Windows and outputs the requested document to a local file
Suspicious CustomShellHost Execution - Detects the execution of CustomShellHost.exe where the child isn't located in 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
ManageEngine Endpoint Central Dctask64.EXE Potential Abuse - Detects the execution of "dctask64.exe", a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Uncommon Child Process Of Defaultpack.EXE - Detects uncommon child processes of "DefaultPack.EXE" binary as a proxy to launch other programs
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction' - Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads.
Windows Defender Context Menu Removed - Detects the use of reg.exe or PowerShell to delete the Windows Defender context menu handler registry keys. This action removes the "Scan with Microsoft Defender" option from the right-click menu for files, directories, and drives. Attackers may use this technique to hinder manual, on-demand scans and reduce the visibility of the security product.
Remote File Download Via Desktopimgdownldr Utility - Detects the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to download arbitrary files as an alternative to certutil.
Suspicious Desktopimgdownldr Command - Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
Devcon Execution Disabling VMware VMCI Device - Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device. This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device. This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
DeviceCredentialDeployment Execution - Detects the execution of DeviceCredentialDeployment to hide a process from view.
Potential DLL Sideloading Via DeviceEnroller.EXE - Detects the use of the PhoneDeepLink parameter to potentially sideload a DLL file that does not exist. This non-existent DLL file is named "ShellChromeAPI.dll". Adversaries can drop their own renamed DLL and execute it via DeviceEnroller.exe using this parameter
Arbitrary MSI Download Via Devinit.EXE - Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
Potentially Suspicious Child Process Of ClickOnce Application - Detects potentially suspicious child processes of a ClickOnce deployment application
DirLister Execution - Detect the usage of "DirLister.exe" a utility for quickly listing folder or drive contents. It was seen used by BlackCat ransomware to create a list of accessible directories and files.
System Information Discovery via Registry Queries - Detects attempts to query system information directly from the Windows Registry.
Potentially Suspicious Child Process Of DiskShadow.EXE - Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
Diskshadow Script Mode - Uncommon Script Extension Execution - Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension. Initial baselining of the allowed extension list is required.
Diskshadow Script Mode - Execution From Potential Suspicious Location - Detects execution of "Diskshadow.exe" in script mode using the "/s" flag where the script is located in a potentially suspicious location.
PowerShell Web Access Feature Enabled Via DISM - Detects the use of DISM to enable the PowerShell Web Access feature, which could be used for remote access and potential abuse
Dism Remove Online Package - Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
DLL Sideloading by VMware Xfer Utility - Detects execution of VMware Xfer utility (VMwareXferlogs.exe) from the non-default directory which may be an attempt to sideload arbitrary DLL
Dllhost.EXE Execution Anomaly - Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
DNS Exfiltration and Tunneling Tools Execution - Well-known DNS Exfiltration tools execution
Unusual Child Process of dns.exe - Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Potential Discovery Activity Via Dnscmd.EXE - Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE - Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
Potential Application Whitelisting Bypass via Dnx.EXE - Detects the execution of Dnx.EXE. The Dnx utility allows for the execution of C# code. Attackers might abuse this in order to bypass application whitelisting.
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE - Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
Binary Proxy Execution Via Dotnet-Trace.EXE - Detects commandline arguments for executing a child process via dotnet-trace.exe
Process Memory Dump Via Dotnet-Dump - Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
Potential Recon Activity Using DriverQuery.EXE - Detect usage of the "driverquery" utility to perform reconnaissance on installed drivers
DriverQuery.EXE Execution - Detect usage of the "driverquery" utility. Which can be used to perform reconnaissance on installed drivers
Potentially Over Permissive Permissions Granted Using Dsacls.EXE - Detects usage of Dsacls to grant over permissive permissions
Potential Password Spraying Attempt Using Dsacls.EXE - Detects possible password spraying attempts using Dsacls
Domain Trust Discovery Via Dsquery - Detects execution of "dsquery.exe" for domain trust discovery
Suspicious Kernel Dump Using Dtrace - Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
Potential Windows Defender AV Bypass Via Dump64.EXE Rename - Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
DumpMinitool Execution - Detects the use of "DumpMinitool.exe" a tool that allows the dump of process memory via the use of the "MiniDumpWriteDump"
Suspicious DumpMinitool Execution - Detects suspicious ways to use the "DumpMinitool.exe" binary
New Capture Session Launched Via DXCap.EXE - Detects the execution of "DXCap.EXE" with the "-c" flag, which allows a user to launch any arbitrary binary or windows package through DXCap itself. This can be abused to potentially bypass application whitelisting.
Esentutl Gather Credentials - Conti recommendation to its affiliates to use esentutl to access NTDS dumped file. Trickbot also uses this utilities to get MSEdge info via its module pwgrab.
Copying Sensitive Files with Credential Data - Files with well-known filenames (sensitive files with credential data) copying
Esentutl Steals Browser Information - One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe
Security Event Logging Disabled via MiniNt Registry Key - Process - Detects attempts to disable security event logging by adding the `MiniNt` registry key. This key is used to disable the Windows Event Log service, which collects and stores event logs from the operating system and applications. Adversaries may want to disable this service to prevent logging of security events that could be used to detect their activities.
Potentially Suspicious Event Viewer Child Process - Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
Potentially Suspicious Cabinet File Expansion - Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
Explorer Process Tree Break - Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost"
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell - Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
Explorer NOUACCHECK Flag - Detects suspicious starts of explorer.exe that use the /NOUACCHECK flag that allows to run all sub processes of that newly started explorer.exe without any UAC checks
Remote File Download Via Findstr.EXE - Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
Findstr GPP Passwords - Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
Findstr Launching .lnk File - Detects usage of findstr to identify and execute a lnk file as seen within the HHS redirect attack
LSASS Process Reconnaissance Via Findstr.EXE - Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
Permission Misconfiguration Reconnaissance Via Findstr.EXE - Detects usage of findstr with the "EVERYONE" or "BUILTIN" keywords. This was seen being used in combination with "icacls" and other utilities to spot misconfigured files or folders permissions.
Recon Command Output Piped To Findstr.EXE - Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example. Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
Security Tools Keyword Lookup Via Findstr.EXE - Detects execution of "findstr" to search for common names of security tools. Attackers often pipe the results of recon commands such as "tasklist" or "whoami" to "findstr" in order to filter out the results. This detection focuses on the keywords that the attacker might use as a filter.
Insensitive Subfolder Search Via Findstr.EXE - Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE - Detects usage of "findstr" with the argument "385201". Which could indicate potential discovery of an installed Sysinternals Sysmon service using the default driver altitude (even if the name is changed).
Finger.EXE Execution - Detects execution of the "finger.exe" utility. Finger.EXE or "TCPIP Finger Command" is an old utility that is still present on modern Windows installation. It Displays information about users on a specified remote computer (typically a UNIX computer) that is running the finger service or daemon. Due to the old nature of this utility and the rareness of machines having the finger service. Any execution of "finger.exe" can be considered "suspicious" and worth investigating.
Filter Driver Unloaded Via Fltmc.EXE - Detect filter driver unloading activity via fltmc.exe
Sysmon Driver Unloaded Via Fltmc.EXE - Detects possible Sysmon filter driver unloaded via fltmc.exe
Forfiles.EXE Child Process Masquerading - Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
Forfiles Command Execution - Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
Uncommon FileSystem Load Attempt By Format.com - Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
Use of FSharp Interpreters - Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" Both can be used for AWL bypass and to execute F# code via scripts or inline.
Fsutil Drive Enumeration - Attackers may leverage fsutil to enumerated connected drives.
Potentially Suspicious NTFS Symlink Behavior Modification - Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
Fsutil Suspicious Invocation - Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others).
Potential Arbitrary Command Execution Via FTP.EXE - Detects execution of "ftp.exe" script with the "-s" or "/s" flag and any child processes ran by "ftp.exe".
Arbitrary File Download Via GfxDownloadWrapper.EXE - Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
Suspicious Git Clone - Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
Github Self-Hosted Runner Execution - Detects GitHub self-hosted runners executing workflows on local infrastructure that could be abused for persistence and code execution. Shai-Hulud is an npm supply chain worm targeting CI/CD environments. It installs runners on compromised systems to maintain access after credential theft, leveraging their access to secrets and internal networks.
Potentially Suspicious GoogleUpdate Child Process - Detects potentially suspicious child processes of "GoogleUpdate.exe"
File Decryption Using Gpg4win - Detects usage of Gpg4win to decrypt files
File Encryption Using Gpg4win - Detects usage of Gpg4win to encrypt files
Portable Gpg.EXE Execution - Detects the execution of "gpg.exe" from uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.
File Encryption/Decryption Via Gpg4win From Suspicious Locations - Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
Gpresult Display Group Policy Information - Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
Arbitrary Binary Execution Using GUP Utility - Detects execution of the Notepad++ updater (gup) to launch other commands or executables
File Download Using Notepad++ GUP Utility - Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
Suspicious Child Process of Notepad++ Updater - GUP.Exe - Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware.
Suspicious GUP Usage - Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
HH.EXE Execution - Detects the execution of "hh.exe" to open ".chm" files.
Remote CHM File Download/Execution Via HH.EXE - Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
HTML Help HH.EXE Suspicious Child Process - Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
Suspicious HH.EXE Execution - Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
HackTool - ADCSPwn Execution - Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
HackTool - Bloodhound/Sharphound Execution - Detects command line parameters used by Bloodhound and Sharphound hack tools
HackTool - F-Secure C3 Load by Rundll32 - F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
HackTool - Certify Execution - Detects Certify a tool for Active Directory certificate abuse based on PE metadata characteristics and common command line arguments.
HackTool - Certipy Execution - Detects Certipy execution, a tool for Active Directory Certificate Services enumeration and abuse based on PE metadata characteristics and common command line arguments.
Operator Bloopers Cobalt Strike Commands - Detects use of Cobalt Strike commands accidentally entered in the CMD shell
Operator Bloopers Cobalt Strike Modules - Detects Cobalt Strike module/commands accidentally entered in CMD shell
CobaltStrike Load by Rundll32 - Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
Potential CobaltStrike Process Patterns - Detects potential process patterns related to Cobalt Strike beacon activity
HackTool - CoercedPotato Execution - Detects the use of CoercedPotato, a tool for privilege escalation
HackTool - Covenant PowerShell Launcher - Detects suspicious command lines used in Covenant luanchers
HackTool - CrackMapExec Execution - This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
HackTool - CrackMapExec Execution Patterns - Detects various execution patterns of the CrackMapExec pentesting framework
HackTool - CrackMapExec Process Patterns - Detects suspicious process patterns found in logs when CrackMapExec is used
HackTool - CrackMapExec PowerShell Obfuscation - The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
HackTool - CreateMiniDump Execution - Detects the use of CreateMiniDump hack tool used to dump the LSASS process memory for credential extraction on the attacker's machine
HackTool - DInjector PowerShell Cradle Execution - Detects the use of the Dinject PowerShell cradle based on the specific flags
HackTool - Doppelanger LSASS Dumper Execution - Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
HackTool - Dumpert Process Dumper Execution - Detects the use of Dumpert process dumper, which dumps the lsass.exe process memory
Hacktool - EDR-Freeze Execution - Detects execution of EDR-Freeze, a tool that exploits the MiniDumpWriteDump function and WerFaultSecure.exe to suspend EDR and Antivirus processes on Windows. EDR-Freeze leverages a race-condition attack to put security processes into a dormant state by suspending WerFaultSecure at the moment it freezes the target process. This technique does not require kernel-level exploits or BYOVD, but instead abuses user-mode functionality to temporarily disable monitoring by EDR or Antimalware solutions.
HackTool - EDRSilencer Execution - Detects the execution of EDRSilencer, a tool that leverages Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server based on PE metadata information.
HackTool - Empire PowerShell Launch Parameters - Detects suspicious powershell command line parameters used in Empire
HackTool - Empire PowerShell UAC Bypass - Detects some Empire PowerShell UAC bypass methods
HackTool - WinRM Access Via Evil-WinRM - Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Hacktool Execution - Imphash - Detects the execution of different Windows based hacktools via their import hash (imphash) even if the files have been renamed
Hacktool Execution - PE Metadata - Detects the execution of different Windows based hacktools via PE metadata (company, product, etc.) even if the files have been renamed
HackTool - GMER Rootkit Detector and Remover Execution - Detects the execution GMER tool based on image and hash fields.
HackTool - HandleKatz LSASS Dumper Execution - Detects the use of HandleKatz, a tool that demonstrates the usage of cloned handles to Lsass in order to create an obfuscated memory dump of the same
HackTool - Hashcat Password Cracker Execution - Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
HackTool - HollowReaper Execution - Detects usage of HollowReaper, a process hollowing shellcode launcher used for stealth payload execution through process hollowing. It replaces the memory of a legitimate process with custom shellcode, allowing the attacker to execute payloads under the guise of trusted binaries.
HackTool - Htran/NATBypass Execution - Detects executable names or flags used by Htran or Htran-like tools (e.g. NATBypass)
HackTool - Hydra Password Bruteforce Execution - Detects command line parameters used by Hydra password guessing hack tool
HackTool - Potential Impacket Lateral Movement Activity - Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
HackTool - Impacket Tools Execution - Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
HackTool - Impersonate Execution - Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
HackTool - Inveigh Execution - Detects the use of Inveigh a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool
Invoke-Obfuscation CLIP+ Launcher - Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
Invoke-Obfuscation STDIN+ Launcher - Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation Via Stdin - Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Detects Obfuscated Powershell via VAR++ LAUNCHER
HackTool - Jlaive In-Memory Assembly Execution - Detects the use of Jlaive to execute assemblies in a copied PowerShell
HackTool - Koadic Execution - Detects command line parameters used by Koadic hack tool
HackTool - KrbRelay Execution - Detects the use of KrbRelay, a Kerberos relaying tool
HackTool - RemoteKrbRelay Execution - Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
HackTool - KrbRelayUp Execution - Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced
HackTool - LaZagne Execution - Detects the execution of the LaZagne. A utility used to retrieve multiple types of passwords stored on a local computer. LaZagne has been leveraged multiple times by threat actors in order to dump credentials.
HackTool - LocalPotato Execution - Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
Potential Meterpreter/CobaltStrike Activity - Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
HackTool - Mimikatz Execution - Detection well-known mimikatz command line arguments
HackTool - PCHunter Execution - Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
HackTool - Default PowerSploit/Empire Scheduled Task Creation - Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
HackTool - PowerTool Execution - Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
HackTool - PurpleSharp Execution - Detects the execution of the PurpleSharp adversary simulation tool
HackTool - Pypykatz Credentials Dumping Activity - Detects the usage of "pypykatz" to obtain stored credentials. Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database through Windows registry where the SAM database is stored
HackTool - Quarks PwDump Execution - Detects usage of the Quarks PwDump tool via commandline arguments
HackTool - RedMimicry Winnti Playbook Execution - Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
Potential SMB Relay Attack Tool Execution - Detects different hacktools used for relay attacks on Windows for privilege escalation
HackTool - Rubeus Execution - Detects the execution of the hacktool Rubeus via PE information of command line parameters
HackTool - SafetyKatz Execution - Detects the execution of the hacktool SafetyKatz via PE information and default Image name
HackTool - SecurityXploded Execution - Detects the execution of SecurityXploded Tools
HackTool - PPID Spoofing SelectMyParent Tool Execution - Detects the use of parent process ID spoofing tools like Didier Stevens tool SelectMyParent
HackTool - SharpChisel Execution - Detects usage of the Sharp Chisel via the commandline arguments
HackTool - SharpDPAPI Execution - Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata. SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
HackTool - SharpImpersonation Execution - Detects execution of the SharpImpersonation tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively
HackTool - SharpLDAPmonitor Execution - Detects execution of the SharpLDAPmonitor. Which can monitor the creation, deletion and changes to LDAP objects.
HackTool - SharPersist Execution - Detects the execution of the hacktool SharPersist - used to deploy various different kinds of persistence mechanisms
HackTool - SharpEvtMute Execution - Detects the use of SharpEvtHook, a tool that tampers with the Windows event logs
HackTool - SharpLdapWhoami Execution - Detects SharpLdapWhoami, a whoami alternative that queries the LDAP service on a domain controller
HackTool - SharpMove Tool Execution - Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
HKTL - SharpSuccessor Privilege Escalation Tool Execution - Detects the execution of SharpSuccessor, a tool used to exploit the BadSuccessor attack for privilege escalation in WinServer 2025 Active Directory environments. Successful usage of this tool can let the attackers gain the domain admin privileges by exploiting the BadSuccessor vulnerability.
HackTool - SharpUp PrivEsc Tool Execution - Detects the use of SharpUp, a tool for local privilege escalation
HackTool - SharpView Execution - Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
HackTool - SharpWSUS/WSUSpendu Execution - Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS. Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
HackTool - SILENTTRINITY Stager Execution - Detects SILENTTRINITY stager use via PE metadata
HackTool - Sliver C2 Implant Activity Pattern - Detects process activity patterns as seen being used by Sliver C2 framework implants
HackTool - SOAPHound Execution - Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
HackTool - Stracciatella Execution - Detects Stracciatella which executes a Powershell runspace from within C# (aka SharpPick technique) with AMSI, ETW and Script Block Logging disabled based on PE metadata characteristics.
HackTool - SysmonEOP Execution - Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120
HackTool - TruffleSnout Execution - Detects the use of TruffleSnout.exe an iterative AD discovery toolkit for offensive operators, situational awareness and targeted low noise enumeration.
HackTool - UACMe Akagi Execution - Detects the execution of UACMe, a tool used for UAC bypasses, via default PE metadata
HackTool - Windows Credential Editor (WCE) Execution - Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hash, PIN code and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.
HackTool - winPEAS Execution - WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz
HackTool - WinPwn Execution - Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
HackTool - Wmiexec Default Powershell Command - Detects the execution of PowerShell with a specific flag sequence that is used by the Wmiexec script
HackTool - WSASS Execution - Detects execution of WSASS, a tool used to dump LSASS memory on Windows systems by leveraging WER's (Windows Error Reporting) WerFaultSecure.EXE to bypass PPL (Protected Process Light) protections.
HackTool - XORDump Execution - Detects suspicious use of XORDump process memory dumping utility
Suspicious ZipExec Execution - ZipExec is a Proof-of-Concept (POC) tool to wrap binary-based tools into a password-protected zip file.
Suspicious Execution of Hostname - Use of hostname to get information
Hypervisor-protected Code Integrity (HVCI) Related Registry Tampering Via CommandLine - Detects the tampering of Hypervisor-protected Code Integrity (HVCI) related registry values via command line tool reg.exe. HVCI uses virtualization-based security to protect code integrity by ensuring that only trusted code can run in kernel mode. Adversaries may tamper with HVCI to load malicious or unsigned drivers, which can be used to escalate privileges, maintain persistence, or evade security mechanisms.
Suspicious HWP Sub Processes - Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
Potential Fake Instance Of Hxtsr.EXE Executed - HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications. HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
Use Icacls to Hide File to Everyone - Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
File Download And Execution Via IEExec.EXE - Detects execution of the IEExec utility to download and execute files
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location - Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.
Disable Windows IIS HTTP Logging - Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
Microsoft IIS Service Account Password Dumped - Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
IIS Native-Code Module Command Line Installation - Detects suspicious IIS native-code module installations via command line
Suspicious IIS URL GlobalRules Rewrite Via AppCmd - Detects usage of "appcmd" to create new global URL rewrite rules. This behaviour has been observed being used by threat actors to add new rules so they can access their webshells.
Microsoft IIS Connection Strings Decryption - Detects use of aspnet_regiis to decrypt Microsoft IIS connection strings. An attacker with Microsoft IIS web server access via a webshell or alike can decrypt and dump any hardcoded connection strings, such as the MSSQL service account password using aspnet_regiis command.
IIS WebServer Log Deletion via CommandLine Utilities - Detects attempts to delete Internet Information Services (IIS) log files via command line utilities, which is a common defense evasion technique used by attackers to cover their tracks. Threat actors often abuse vulnerabilities in web applications hosted on IIS servers to gain initial access and later delete IIS logs to evade detection.
Suspicious IIS Module Registration - Detects a suspicious IIS module registration as described in Microsoft threat report on IIS backdoors
C# IL Code Compilation Via Ilasm.EXE - Detects the use of "Ilasm.EXE" in order to compile C# intermediate (IL) code to EXE or DLL.
ImagingDevices Unusual Parent/Child Processes - Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) process as seen being used with Bumblebee activity
Arbitrary File Download Via IMEWDBLD.EXE - Detects usage of "IMEWDBLD.exe" to download arbitrary files
InfDefaultInstall.exe .inf Execution - Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
File Download Via InstallUtil.EXE - Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
Suspicious Execution of InstallUtil Without Log - Uses the .NET InstallUtil.exe application in order to execute image without log
Suspicious Shells Spawn by Java Utility Keytool - Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
Suspicious Child Process Of Manage Engine ServiceDesk - Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
Java Running with Remote Debugging - Detects a JAVA process running with remote debugging allowing more than just localhost to connect
Suspicious Processes Spawned by Java.EXE - Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
Shell Process Spawned by Java.EXE - Detects shell spawned from Java host process, which could be a sign of exploitation (e.g. log4j exploitation)
Suspicious SysAidServer Child - Detects suspicious child processes of SysAidServer (as seen in MERCURY threat actor intrusions)
JScript Compiler Execution - Detects the execution of the "jsc.exe" (JScript Compiler). Attacker might abuse this in order to compile JScript files on the fly and bypassing application whitelisting.
Kavremover Dropped Binary LOLBIN Usage - Detects the execution of a signed binary dropped by Kaspersky Lab Products Remover (kavremover) which can be abused as a LOLBIN to execute arbitrary commands and binaries.
Windows Kernel Debugger Execution - Detects execution of the Windows Kernel Debugger "kd.exe".
Attempts of Kerberos Coercion Via DNS SPN Spoofing - Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or checking for the presence of such records through the `nslookup` command.
Potentially Suspicious Child Process of KeyScrambler.exe - Detects potentially suspicious child processes of KeyScrambler.exe
Computer Password Change Via Ksetup.EXE - Detects password change for the computer's domain account or host principal via "ksetup.exe"
Logged-On User Password Change Via Ksetup.EXE - Detects password change for the logged-on user's via "ksetup.exe"
Active Directory Structure Export Via Ldifde.EXE - Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
Import LDAP Data Interchange Format File Via Ldifde.EXE - Detects the execution of "Ldifde.exe" with the import flag "-i". The can be abused to include HTTP-based arguments which will allow the arbitrary download of files from a remote server.
Uncommon Link.EXE Parent Process - Detects an uncommon parent process of "LINK.EXE". Link.EXE in Microsoft incremental linker. Its a utility usually bundled with Visual Studio installation. Multiple utilities often found in the same folder (editbin.exe, dumpbin.exe, lib.exe, etc) have a hardcode call to the "LINK.EXE" binary without checking its validity. This would allow an attacker to sideload any binary with the name "link.exe" if one of the aforementioned tools get executed from a different location. By filtering the known locations of such utilities we can spot uncommon parent process of LINK.EXE that might be suspicious or malicious.
Rebuild Performance Counter Values Via Lodctr.EXE - Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE - Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
LOLBAS Data Exfiltration by DataSvcUtil.exe - Detects when a user performs data exfiltration by using DataSvcUtil.exe
Devtoolslauncher.exe Executes Specified Binary - The Devtoolslauncher.exe executes other binary
Suspicious Diantz Alternate Data Stream Execution - Compress target file into a cab file stored in the Alternate Data Stream (ADS) of the target file.
Suspicious Diantz Download and Compress Into a CAB File - Download and compress a remote file and store it in a cab file on local machine.
Suspicious Extrac32 Execution - Download or Copy file with Extrac32
Suspicious Extrac32 Alternate Data Stream Execution - Extract data from cab file and hide it in an alternate data stream
Potential Reconnaissance Activity Via GatherNetworkInfo.VBS - Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
Gpscript Execution - Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
Ie4uinit Lolbin Use From Invalid Path - Detect use of ie4uinit.exe to execute commands from a specially prepared ie4uinit.inf file from a directory other than the usual directories
Launch-VsDevShell.PS1 Proxy Execution - Detects the use of the 'Launch-VsDevShell.ps1' Microsoft signed script to execute commands.
Potential Manage-bde.wsf Abuse To Proxy Execution - Detects potential abuse of the "manage-bde.wsf" script as a LOLBIN to proxy execution
Mavinject Inject DLL Into Running Process - Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
MpiExec Lolbin - Detects a certain command line flag combination used by mpiexec.exe LOLBIN from HPC pack that can be used to execute any other binary
Execute Files with Msdeploy.exe - Detects file execution using the msdeploy.exe lolbin
Use of OpenConsole - Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
OpenWith.exe Executes Specified Binary - The OpenWith.exe executes other binary
Use of Pcalua For Execution - Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
Indirect Command Execution By Program Compatibility Wizard - Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
Execute Pcwrun.EXE To Leverage Follina - Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
Code Execution via Pcwutl.dll - Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library.
Execute Code with Pester.bat as Parent - Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
Execute Code with Pester.bat - Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
PrintBrm ZIP Creation of Extraction - Detects the execution of the LOLBIN PrintBrm.exe, which can be used to create or extract ZIP files. PrintBrm.exe should not be run on a normal workstation.
Pubprn.vbs Proxy Execution - Detects the use of the 'Pubprn.vbs' Microsoft signed script to execute commands.
DLL Execution via Rasautou.exe - Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
REGISTER_APP.VBS Proxy Execution - Detects the use of a Microsoft signed script 'REGISTER_APP.VBS' to register a VSS/VDS Provider as a COM+ application.
Use of Remote.exe - Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
Replace.exe Usage - Detects the use of Replace.exe which can be used to replace file with another file
Lolbin Runexehelper Use As Proxy - Detect usage of the "runexehelper.exe" binary as a proxy to launch other programs
Suspicious Runscripthelper.exe - Detects execution of powershell scripts via Runscripthelper.exe
Use of Scriptrunner.exe - The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
Using SettingSyncHost.exe as LOLBin - Detects using SettingSyncHost.exe to run hijacked binary
Use Of The SFTP.EXE Binary As A LOLBIN - Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
Suspicious Driver Install by pnputil.exe - Detects when a possible suspicious driver is being installed via pnputil.exe lolbin
Suspicious GrpConv Execution - Detects the suspicious execution of a utility to convert Windows 3.x .grp files or for persistence purposes by malicious software or actors
Dumping Process via Sqldumper.exe - Detects process dump via legitimate sqldumper.exe binary
SyncAppvPublishingServer Execute Arbitrary PowerShell Code - Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code - Executes arbitrary PowerShell code using SyncAppvPublishingServer.vbs
Potential DLL Injection Or Execution Using Tracker.exe - Detects potential DLL injection and execution using "Tracker.exe"
Use of TTDInject.exe - Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
Time Travel Debugging Utility Usage - Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
Lolbin Unregmp2.exe Use As Proxy - Detect usage of the "unregmp2.exe" binary as a proxy to launch a custom version of "wmpnscfg.exe"
UtilityFunctions.ps1 Proxy Dll - Detects the use of a Microsoft signed script executing a managed DLL with PowerShell.
Visual Basic Command Line Compiler Usage - Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
Use of VisualUiaVerifyNative.exe - VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Use of VSIISExeLauncher.exe - The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
Use of Wfc.exe - The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Potential Register_App.Vbs LOLScript Abuse - Detects potential abuse of the "register_app.vbs" script that is part of the Windows SDK. The script offers the capability to register new VSS/VDS Provider as a COM+ application. Attackers can use this to install malicious DLLs for persistence and execution.
Potential Credential Dumping Via LSASS Process Clone - Detects a suspicious LSASS process process clone that could be a sign of credential dumping activity
Potential Mftrace.EXE Abuse - Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
Windows Default Domain GPO Modification via GPME - Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.
MMC20 Lateral Movement - Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe
MMC Executing Files with Reversed Extensions Using RTLO Abuse - Detects malicious behavior where the MMC utility (`mmc.exe`) executes files with reversed extensions caused by Right-to-Left Override (RLO) abuse, disguising them as document formats.
MMC Spawning Windows Shell - Detects a Windows command line executable started from MMC
CodePage Modification Via MODE.COM To Russian Language - Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware.
Potential Suspicious Mofcomp Execution - Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts
Potential Mpclient.DLL Sideloading Via Defender Binaries - Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
File Download Via Windows Defender MpCmpRun.EXE - Detects the use of Windows Defender MpCmdRun.EXE to download files
Windows Defender Definition Files Removed - Adversaries may disable security tools to avoid possible detection of their tools and activities by removing Windows Defender Definition Files
Suspicious Msbuild Execution By Uncommon Parent Process - Detects suspicious execution of 'Msbuild.exe' by a uncommon parent process
MSDT Execution Via Answer File - Detects execution of "msdt.exe" using an answer file which is simulating the legitimate way of calling msdt via "pcwrun.exe" (For example from the compatibility tab).
Potential Arbitrary Command Execution Using Msdt.EXE - Detects processes leveraging the "ms-msdt" handler or the "msdt.exe" binary to execute arbitrary commands as seen in the follina (CVE-2022-30190) vulnerability
Suspicious Cabinet File Execution Via Msdt.EXE - Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
Suspicious MSDT Parent Process - Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
Arbitrary File Download Via MSEDGE_PROXY.EXE - Detects usage of "msedge_proxy.exe" to download arbitrary files
Remotely Hosted HTA File Executed Via Mshta.EXE - Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
Wscript Shell Run In CommandLine - Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
Suspicious JavaScript Execution Via Mshta.EXE - Detects execution of javascript code using "mshta.exe".
Potential LethalHTA Technique Execution - Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
Suspicious MSHTA Child Process - Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
MSHTA Execution with Suspicious File Extensions - Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
Suspicious Mshta.EXE Execution Patterns - Detects suspicious mshta process execution patterns
DllUnregisterServer Function Call Via Msiexec.EXE - Detects MsiExec loading a DLL and calling its DllUnregisterServer function
Suspicious MsiExec Embedding Parent - Adversaries may abuse msiexec.exe to proxy the execution of malicious payloads
Suspicious Msiexec Execute Arbitrary DLL - Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
Msiexec Quiet Installation - Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
Suspicious Msiexec Quiet Install From Remote Location - Detects usage of Msiexec.exe to install packages hosted remotely quietly
Potential MsiExec Masquerading - Detects the execution of msiexec.exe from an uncommon directory
MsiExec Web Install - Detects suspicious msiexec process starts with web addresses as parameter
Windows MSIX Package Support Framework AI_STUBS Execution - Detects execution of Advanced Installer MSIX Package Support Framework (PSF) components, specifically AI_STUBS executables with original filename 'popupwrapper.exe'. This activity may indicate malicious MSIX packages build with Advanced Installer leveraging the Package Support Framework to bypass application control restrictions.
Arbitrary File Download Via MSOHTMED.EXE - Detects usage of "MSOHTMED" to download arbitrary files
Arbitrary File Download Via MSPUB.EXE - Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
Potential Process Injection Via Msra.EXE - Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
Detection of PowerShell Execution via Sqlps.exe - This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
SQL Client Tools PowerShell Session Detection - This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
Suspicious Child Process Of SQL Server - Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
Suspicious Child Process Of Veeam Dabatase - Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
Potential MSTSC Shadowing Activity - Detects RDP session hijacking by using MSTSC shadowing
New Remote Desktop Connection Initiated Via Mstsc.EXE - Detects the usage of "mstsc.exe" with the "/v" flag to initiate a connection to a remote server. Adversaries may use valid accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Mstsc.EXE Execution With Local RDP File - Detects potential RDP connection via Mstsc using a local ".rdp" file
Suspicious Mstsc.EXE Execution With Local RDP File - Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Mstsc.EXE Execution From Uncommon Parent - Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Msxsl.EXE Execution - Detects the execution of the MSXSL utility. This can be used to execute Extensible Stylesheet Language (XSL) files. These files are commonly used to describe the processing and rendering of data within XML files. Adversaries can abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses.
Remote XSL Execution Via Msxsl.EXE - Detects the execution of the "msxsl" binary with an "http" keyword in the command line. This might indicate a potential remote execution of XSL files.
Suspicious Group And Account Reconnaissance Activity Using Net.EXE - Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
Unmount Share Via Net.EXE - Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
Start Windows Service Via Net.EXE - Detects the usage of the "net.exe" command to start a service using the "start" flag
Stop Windows Service Via Net.EXE - Detects the stopping of a Windows service via the "net" utility.
Windows Admin Share Mount Via Net.EXE - Detects when an admin share is mounted using net.exe
Windows Internet Hosted WebDav Share Mount Via Net.EXE - Detects when an internet hosted webdav share is mounted using the "net.exe" utility
Windows Share Mount Via Net.EXE - Detects when a share is mounted using the "net.exe" utility
System Network Connections Discovery Via Net.EXE - Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Password Provided In Command Line Of Net.EXE - Detects a when net.exe is called with a password in the command line
New User Created Via Net.EXE - Identifies the creation of local users via the net.exe command.
New User Created Via Net.EXE With Never Expire Option - Detects creation of local users via the net.exe command with the option "never expire"
Suspicious Manipulation Of Default Accounts Via Net.EXE - Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
Share And Session Enumeration Using Net.EXE - Detects attempts to enumerate file shares, printer shares and sessions using "net.exe" with the "view" flag.
New Firewall Rule Added Via Netsh.EXE - Detects the addition of a new rule to the Windows firewall via netsh
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE - Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
RDP Connection Allowed Via Netsh.EXE - Detects usage of the netsh command to open and allow connections to port 3389 (RDP). As seen used by Sarwent Malware
Firewall Rule Deleted Via Netsh.EXE - Detects the removal of a port or application rule in the Windows Firewall configuration using netsh
Firewall Disabled via Netsh.EXE - Detects netsh commands that turns off the Windows firewall
Netsh Allow Group Policy on Microsoft Defender Firewall - Adversaries may modify system firewalls in order to bypass controls limiting network usage
Firewall Configuration Discovery Via Netsh.EXE - Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Firewall Rule Update Via Netsh.EXE - Detects execution of netsh with the "advfirewall" and the "set" option in order to set new values for properties of a existing rule
Potential Persistence Via Netsh Helper DLL - Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
New Network Trace Capture Started Via Netsh.EXE - Detects the execution of netsh with the "trace" flag in order to start a network capture
New Port Forwarding Rule Added Via Netsh.EXE - Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
RDP Port Forwarding Rule Added Via Netsh.EXE - Detects the execution of netsh to configure a port forwarding of port 3389 (RDP) rule
Harvesting Of Wifi Credentials Via Netsh.EXE - Detect the harvesting of wifi credentials using netsh.exe
Nltest.EXE Execution - Detects nltest commands that can be used for information discovery
Potential Recon Activity Via Nltest.EXE - Detects nltest commands that can be used for information discovery
Potential Arbitrary Code Execution Via Node.EXE - Detects the execution node.exe which is shipped with multiple software such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
Node Process Executions - Detects the execution of other scripts using the Node executable packaged with Adobe Creative Cloud
Notepad Password Files Discovery - Detects the execution of Notepad to open a file that has the string "password" which may indicate unauthorized access to credentials or suspicious activity.
Network Reconnaissance Activity - Detects a set of suspicious network related commands often used in recon stages
Nslookup PowerShell Download Cradle - ProcessCreation - Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) - Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) - Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
Driver/DLL Installation Via Odbcconf.EXE - Detects execution of "odbcconf" with "INSTALLDRIVER" which installs a new ODBC driver. Attackers abuse this to install and run malicious DLLs.
Suspicious Driver/DLL Installation Via Odbcconf.EXE - Detects execution of "odbcconf" with the "INSTALLDRIVER" action where the driver doesn't contain a ".dll" extension. This is often used as a defense evasion method.
Odbcconf.EXE Suspicious DLL Location - Detects execution of "odbcconf" where the path of the DLL being registered is located in a potentially suspicious location.
New DLL Registered Via Odbcconf.EXE - Detects execution of "odbcconf" with "REGSVR" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.
Potentially Suspicious DLL Registered Via Odbcconf.EXE - Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
Response File Execution Via Odbcconf.EXE - Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
Suspicious Response File Execution Via Odbcconf.EXE - Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
Uncommon Child Process Spawned By Odbcconf.EXE - Detects an uncommon child process of "odbcconf.exe" binary which normally shouldn't have any child processes.
Potential Arbitrary File Download Using Office Application - Detects potential arbitrary file download using a Microsoft Office application
Potential Excel.EXE DCOM Lateral Movement Via ActivateMicrosoftApp - Detects suspicious child processes of Excel which could be an indicator of lateral movement leveraging the "ActivateMicrosoftApp" Excel DCOM object.
Potentially Suspicious Office Document Executed From Trusted Location - Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
OneNote.EXE Execution of Malicious Embedded Scripts - Detects the execution of malicious OneNote documents that contain embedded scripts. When a user clicks on a OneNote attachment and then on the malicious link inside the ".one" file, it exports and executes the malicious embedded script from specific directories.
Suspicious Microsoft OneNote Child Process - Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
Outlook EnableUnsafeClientMailRules Setting Enabled - Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros
Suspicious Execution From Outlook Temporary Folder - Detects a suspicious program execution in Outlook temp folder
Suspicious Outlook Child Process - Detects a suspicious process spawning from an Outlook process.
Suspicious Remote Child Process From Outlook - Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
Suspicious Binary In User Directory Spawned From Office Application - Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
Suspicious Microsoft Office Child Process - Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
Potential Arbitrary DLL Load Using Winword - Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution - Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.
PDQ Deploy Remote Adminstartion Tool Execution - Detect use of PDQ Deploy remote admin tool
Potentially Suspicious Execution Of PDQDeployRunner - Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
Perl Inline Command Execution - Detects execution of perl using the "-e"/"-E" flags. This is could be used as a way to launch a reverse shell or execute live perl code.
Php Inline Command Execution - Detects execution of php using the "-r" flag. This is could be used as a way to launch a reverse shell or execute live php code.
Ping Hex IP - Detects a ping command that uses a hex encoded IP address
PktMon.EXE Execution - Detects execution of PktMon, a tool that captures network packets.
Suspicious Plink Port Forwarding - Detects suspicious Plink tunnel port forwarding to a local port
Potential RDP Tunneling Via Plink - Execution of plink to perform data exfiltration and tunneling
Suspicious Powercfg Execution To Change Lock Screen Timeout - Detects suspicious execution of 'Powercfg.exe' to change lock screen timeout
AADInternals PowerShell Cmdlets Execution - ProccessCreation - Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Potential Active Directory Enumeration Using AD Module - ProcCreation - Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Add Windows Capability Via PowerShell Cmdlet - Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
Potential AMSI Bypass Via .NET Reflection - Detects Request to "amsiInitFailed" that can be used to disable AMSI Scanning
Potential AMSI Bypass Using NULL Bits - Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Audio Capture via PowerShell - Detects audio capture via PowerShell Cmdlet.
Suspicious Encoded PowerShell Command Line - Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
Suspicious PowerShell Encoded Command Patterns - Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
Suspicious Obfuscated PowerShell Code - Detects suspicious UTF16 and base64 encoded and often obfuscated PowerShell code often used in command lines
PowerShell Base64 Encoded FromBase64String Cmdlet - Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
Malicious Base64 Encoded PowerShell Keywords in Command Lines - Detects base64 encoded strings used in hidden malicious PowerShell command lines
PowerShell Base64 Encoded IEX Cmdlet - Detects usage of a base64 encoded "IEX" cmdlet in a process command line
PowerShell Base64 Encoded Invoke Keyword - Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls
Powershell Base64 Encoded MpPreference Cmdlet - Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modifies or tamper with Windows Defender AV
PowerShell Base64 Encoded Reflective Assembly Load - Detects base64 encoded .NET reflective loading of Assembly
Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call - Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
PowerShell Base64 Encoded WMI Classes - Detects calls to base64 encoded WMI class such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
Potential Process Execution Proxy Via CL_Invocation.ps1 - Detects calls to "SyncInvoke" that is part of the "CL_Invocation.ps1" script to proxy execution using "System.Diagnostics.Process"
Assembly Loading Via CL_LoadAssembly.ps1 - Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
Potential Script Proxy Execution Via CL_Mutexverifiers.ps1 - Detects the use of the Microsoft signed script "CL_mutexverifiers" to proxy the execution of additional PowerShell script commands
ConvertTo-SecureString Cmdlet Usage Via CommandLine - Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity
Potential PowerShell Obfuscation Via Reversed Commands - Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers
Potential PowerShell Command Line Obfuscation - Detects the PowerShell command lines with special characters
Obfuscated PowerShell MSI Install via WindowsInstaller COM - Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`). The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
PowerShell MSI Install via WindowsInstaller COM From Remote Location - Detects the execution of PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely. This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality. And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
Computer Discovery And Export Via Get-ADComputer Cmdlet - Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Potential PowerShell Console History Access Attempt via History File - Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt). This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
New Service Creation Using PowerShell - Detects the creation of a new service using powershell.
Gzip Archive Decode Via PowerShell - Detects attempts of decoding encoded Gzip archives via PowerShell.
PowerShell Execution With Potential Decryption Capabilities - Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
Powershell Defender Disable Scan Feature - Detects requests to disable Microsoft Defender features using PowerShell commands
Powershell Defender Exclusion - Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
Disable Windows Defender AV Security Monitoring - Detects attackers attempting to disable Windows Defender using Powershell
Windows Firewall Disabled via PowerShell - Detects attempts to disable the Windows Firewall using PowerShell
Disabled IE Security Features - Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
Potential PowerShell Downgrade Attack - Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
Potential COM Objects Download Cradles Usage - Process Creation - Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
Obfuscated PowerShell OneLiner Execution - Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
Potential DLL File Download Via PowerShell Invoke-WebRequest - Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
PowerShell Download and Execution Cradles - Detects PowerShell download and execution cradles.
PowerShell Download Pattern - Detects a Powershell process that contains download commands in its command line string
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE - Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
DSInternals Suspicious PowerShell Cmdlets - Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Email Exifiltration Via Powershell - Detects email exfiltration via powershell cmdlets
Potential Suspicious Windows Feature Enabled - ProcCreation - Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Suspicious Execution of Powershell with Base64 - Commandline to launch powershell with a base64 payload
Potential Encoded PowerShell Patterns In CommandLine - Detects specific combinations of encoding methods in PowerShell via the commandline
Powershell Inline Execution From A File - Detects inline execution of PowerShell code from a file
Certificate Exported Via PowerShell - Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Base64 Encoded PowerShell Command Detected - Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
Suspicious FromBase64String Usage On Gzip Archive - Process Creation - Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
PowerShell Get-Clipboard Cmdlet Via CLI - Detects usage of the 'Get-Clipboard' cmdlet via CLI
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet - Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
PowerShell Get-Process LSASS - Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
Abuse of Service Permissions to Hide Services Via Set-Service - Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Suspicious PowerShell IEX Execution Patterns - Detects suspicious ways to run Invoke-Execution using IEX alias
Root Certificate Installed From Susp Locations - Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Import PowerShell Modules From Suspicious Directories - ProcCreation - Detects powershell scripts that import modules from suspicious directories
Unsigned AppX Installation Attempt Using Add-AppxPackage - Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Suspicious PowerShell Invocations - Specific - ProcessCreation - Detects suspicious PowerShell invocation command parameters
Suspicious Invoke-WebRequest Execution With DirectIP - Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
Suspicious Invoke-WebRequest Execution - Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
Suspicious Kerberos Ticket Request via CLI - Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class. Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse techniques like silver ticket attacks.
Suspicious PowerShell Mailbox Export to Share - Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
Malicious PowerShell Commandlets - ProcessCreation - Detects Commandlet names from well-known PowerShell exploitation frameworks
MSExchange Transport Agent Installation - Detects the Installation of a Exchange Transport Agent
Non Interactive PowerShell Process Spawned - Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
Potential PowerShell Obfuscation Via WCHAR/CHAR - Detects suspicious encoded character syntax often used for defense evasion
Execution of Powershell Script in Public Folder - This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses - Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
Tamper Windows Defender Remove-MpPreference - Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
Potential Powershell ReverseShell Connection - Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
Run PowerShell Script from ADS - Detects PowerShell script execution from Alternate Data Stream (ADS)
Run PowerShell Script from Redirected Input Stream - Detects PowerShell script execution via input stream redirect
PowerShell SAM Copy - Detects suspicious PowerShell scripts accessing SAM hives
Suspicious PowerShell Invocation From Script Engines - Detects suspicious powershell invocations from interpreters or unusual programs
Suspicious Service DACL Modification Via Set-Service Cmdlet - Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (Only available with PowerShell 7) that can be used to hide services or make them unstopable
PowerShell Script Change Permission Via Set-Acl - Detects PowerShell execution to set the ACL of a file or a folder
PowerShell Set-Acl On Windows Folder - Detects PowerShell scripts to set the ACL to a file in the Windows folder
Change PowerShell Policies to an Insecure Level - Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
Service StartupType Change Via PowerShell Set-Service - Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
Deletion of Volume Shadow Copies via WMI with PowerShell - Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Exchange PowerShell Snap-Ins Usage - Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
Stop Windows Service Via PowerShell Stop-Service - Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
Suspicious PowerShell Download and Execute Pattern - Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
Suspicious PowerShell Parameter Substring - Detects suspicious PowerShell invocation with a parameter substring
Suspicious PowerShell Parent Process - Detects a suspicious or uncommon parent processes of PowerShell
PowerShell Script Run in AppData - Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
Powershell Token Obfuscation - Process Creation - Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
Suspicious Uninstall of Windows Defender Feature via PowerShell - Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
User Discovery And Export Via Get-ADUser Cmdlet - Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
Net WebClient Casing Anomalies - Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
Suspicious X509Enrollment - Process Creation - Detect use of X509Enrollment
Suspicious XOR Encoded PowerShell Command - Detects presence of a potentially xor encoded powershell command
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Arbitrary File Download Via PresentationHost.EXE - Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
XBAP Execution From Uncommon Locations Via PresentationHost.EXE - Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution - Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
Abusing Print Executable - Attackers can use print.exe for remote file copy
File Download Using ProtocolHandler.exe - Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Potential Provlaunch.EXE Binary Proxy Execution Abuse - Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Suspicious Provlaunch.EXE Child Process - Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Screen Capture Activity Via Psr.EXE - Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
PUA - 3Proxy Execution - Detects the use of 3proxy, a tiny free proxy server
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE - Detects active directory enumeration activity using known AdFind CLI flags
PUA - AdFind.EXE Execution - Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
PUA - AdFind Suspicious Execution - Detects AdFind execution with common flags seen used during attacks
PUA - Advanced IP Scanner Execution - Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
PUA - Advanced Port Scanner Execution - Detects the use of Advanced Port Scanner.
PUA - AdvancedRun Execution - Detects the execution of AdvancedRun utility
PUA - AdvancedRun Suspicious Execution - Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
PUA - Chisel Tunneling Tool Execution - Detects usage of the Chisel tunneling tool via the commandline arguments
PUA - CleanWipe Execution - Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
PUA - Crassus Execution - Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
PUA - CsExec Execution - Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
PUA - DefenderCheck Execution - Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
PUA - DIT Snapshot Viewer - Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
PUA - Fast Reverse Proxy (FRP) Execution - Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
PUA- IOX Tunneling Tool Execution - Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
PUA - Kernel Driver Utility (KDU) Execution - Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel. Potentially allowing for privilege escalation, persistence, or evasion of security controls.
PUA - Mouse Lock Execution - In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
PUA - Netcat Suspicious Execution - Detects execution of Netcat. Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
PUA - SoftPerfect Netscan Execution - Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks. It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.
PUA - Ngrok Execution - Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections.
PUA - Nimgrab Execution - Detects the usage of nimgrab, a tool bundled with the Nim programming framework and used for downloading files.
PUA - NimScan Execution - Detects usage of NimScan, a portscanner utility. In early 2025, adversaries were observed using this utility to scan for open ports on remote hosts in a compromised environment. This rule identifies the execution of NimScan based on the process image name and specific hash values associated with different versions of the tool.
PUA - NirCmd Execution - Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
PUA - NirCmd Execution As LOCAL SYSTEM - Detects the use of NirCmd tool for command execution as SYSTEM user
PUA - Nmap/Zenmap Execution - Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
PUA - NPS Tunneling Tool Execution - Detects the use of NPS, a port forwarding and intranet penetration proxy server
PUA - NSudo Execution - Detects the use of NSudo tool for command execution
PUA - PingCastle Execution - Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
PUA - PingCastle Execution From Potentially Suspicious Parent - Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
PUA - Process Hacker Execution - Detects the execution of Process Hacker based on binary metadata information (Image, Hash, Imphash, etc). Process Hacker is a tool to view and manipulate processes, kernel options and other low level options. Threat actors abused older vulnerable versions to manipulate system processes.
PUA - Radmin Viewer Utility Execution - Detects the execution of Radmin which can be abused by an adversary to remotely control Windows machines
PUA - Potential PE Metadata Tamper Using Rcedit - Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion.
PUA - Rclone Execution - Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc
PUA - Restic Backup Tool Execution - Detects the execution of the Restic backup tool, which can be used for data exfiltration. Threat actors may leverage Restic to back up and exfiltrate sensitive data to remote storage locations, including cloud services. If not legitimately used in the enterprise environment, its presence may indicate malicious activity.
PUA - RunXCmd Execution - Detects the use of the RunXCmd tool to execute commands with System or TrustedInstaller accounts
PUA - Seatbelt Execution - Detects the execution of the PUA/Recon tool Seatbelt via PE information of command line parameters
PUA - System Informer Execution - Detects the execution of System Informer, a task manager tool to view and manipulate processes, kernel options and other low level operations
PUA - TruffleHog Execution - Detects execution of TruffleHog, a tool used to search for secrets in different platforms like Git, Jira, Slack, SharePoint, etc. that could be used maliciously. While it is a legitimate tool, intended for use in CI pipelines and security assessments, It was observed in the Shai-Hulud malware campaign targeting npm packages to steal sensitive information.
PUA - WebBrowserPassView Execution - Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
PUA - Wsudo Suspicious Execution - Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc)
PUA - Adidnsdump Execution - This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
Python Inline Command Execution - Detects execution of python using the "-c" flag. This is could be used as a way to launch a reverse shell or execute live python code.
Python Spawning Pretty TTY on Windows - Detects python spawning a pretty tty
Potentially Suspicious Usage Of Qemu - Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
Query Usage To Exfil Data - Detects usage of "query.exe" a system binary to exfil information such as "sessions" and "processes" for later use
QuickAssist Execution - Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
Files Added To An Archive Using Rar.EXE - Detects usage of "rar" to add files to an archive for potential compression. An adversary may compress data (e.g. sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Rar Usage with Password and Compression Level - Detects the use of rar.exe, on the command line, to create an archive with password protection or with a specific compression level. This is pretty indicative of malicious actions.
Suspicious Greedy Compression Using Rar.EXE - Detects RAR usage that creates an archive from a suspicious folder, either a system folder or one of the folders often used by attackers for staging purposes
Suspicious RASdial Activity - Detects suspicious process related to rasdial.exe
RDP Enable or Disable via Win32_TerminalServiceSetting WMI Class - Detects enabling or disabling of Remote Desktop Protocol (RDP) using alternate methods such as WMIC or PowerShell. In PowerShell one-liner commands, the "SetAllowTSConnections" method of the "Win32_TerminalServiceSetting" class may be used to enable or disable RDP. In WMIC, the "rdtoggle" alias or "Win32_TerminalServiceSetting" class may be used for the same purpose.
Process Memory Dump via RdrLeakDiag.EXE - Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
Windows Recovery Environment Disabled Via Reagentc - Detects attempts to disable windows recovery environment using Reagentc. ReAgentc.exe is a command-line tool in Windows used to manage the Windows Recovery Environment (WinRE). It allows users to enable, disable, and configure WinRE, which is used for troubleshooting and repairing common boot issues.
Potential Persistence Attempt Via Run Keys Using Reg.EXE - Detects suspicious command line reg.exe tool adding key to RUN key in Registry
Add SafeBoot Keys Via Reg Utility - Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
Suspicious Reg Add BitLocker - Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
Dropping Of Password Filter DLL - Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE - Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.
RunMRU Registry Key Deletion - Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
SafeBoot Registry Key Deleted Via Reg.EXE - Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
Service Registry Key Deleted Via Reg.EXE - Detects execution of "reg.exe" commands with the "delete" flag on services registry key. Often used by attacker to remove AV software services
Potentially Suspicious Desktop Background Change Using Reg.EXE - Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Direct Autorun Keys Modification - Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
Disabling Windows Defender WMI Autologger Session via Reg.exe - Detects the use of reg.exe to disable the Event Tracing for Windows (ETW) Autologger session for Windows Defender API and Audit events. By setting the 'Start' value to '0' for the 'DefenderApiLogger' or 'DefenderAuditLogger' session, an attacker can prevent these critical security events from being logged, effectively blinding monitoring tools that rely on this data. This is a powerful defense evasion technique.
Security Service Disabled Via Reg.EXE - Detects execution of "reg.exe" to disable security services such as Windows Defender.
Dumping of Sensitive Hives Via Reg.EXE - Detects the usage of "reg.exe" in order to dump sensitive registry hives. This includes SAM, SYSTEM and SECURITY hives.
Windows Recall Feature Enabled Via Reg.EXE - Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0. Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities. This rule assumes that Recall is already explicitly disabled on the host, and subsequently enabled by the adversary.
Enumeration for Credentials in Registry - Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
Potential Suspicious Registry File Imported Via Reg.EXE - Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility
RestrictedAdminMode Registry Value Tampering - ProcCreation - Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode. RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop. This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
LSA PPL Protection Disabled Via Reg.EXE - Detects the usage of the "reg.exe" utility to disable PPL protection on the LSA process
Suspicious Query of MachineGUID - Use of reg to get MachineGuid information
Modify Group Policy Settings - Detect malicious GPO modifications can be used to implement many other malicious behaviors.
Enable LM Hash Storage - ProcCreation - Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes. By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
Potential Configuration And Service Reconnaissance Via Reg.EXE - Detects the usage of "reg.exe" in order to query reconnaissance information from the registry. Adversaries may interact with the Windows registry to gather information about credentials, the system, configuration, and installed software.
Potential Tampering With RDP Related Registry Keys Via Reg.EXE - Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
Suspicious ScreenSave Change by Reg.exe - Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension
Changing Existing Service ImagePath Value Via Reg.EXE - Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Detected Windows Software Discovery - Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
Reg Add Suspicious Paths - Detects when an adversary uses the reg.exe utility to add or modify new keys or subkeys
System Language Discovery via Reg.Exe - Detects the usage of Reg.Exe to query system language settings. Attackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions, or avoid targeting certain locales to evade detection.
Disabled Volume Snapshots - Detects commands that temporarily turn off Volume Snapshots
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE - Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection
Write Protect For Storage Disabled - Detects applications trying to modify the registry in order to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
RegAsm.EXE Execution Without CommandLine Flags or Files - Detects the execution of "RegAsm.exe" without a commandline flag or file, which might indicate potential process injection activity. Usually "RegAsm.exe" should point to a dedicated DLL file or call the help with the "/?" flag.
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension - Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location - Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
Exports Critical Registry Keys To a File - Detects the export of a crital Registry key to a file.
Exports Registry Key To a File - Detects the export of the target Registry key to a file.
Imports Registry Key From a File - Detects the import of the specified file to the registry with regedit.exe.
Imports Registry Key From an ADS - Detects the import of a alternate datastream to the registry with regedit.exe.
Regedit as Trusted Installer - Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
Suspicious Registry Modification From ADS Via Regini.EXE - Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
Registry Modification Via Regini.EXE - Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
DLL Execution Via Register-cimprovider.exe - Detects using register-cimprovider.exe to execute arbitrary dll file.
Enumeration for 3rd Party Creds From CLI - Detects processes that query known 3rd party registry keys that holds credentials via commandline
Registry Export of Third-Party Credentials - Detects the use of reg.exe to export registry paths associated with third-party credentials. Credential stealers have been known to use this technique to extract sensitive information from the registry.
IE ZoneMap Setting Downgraded To MyComputer Zone For HTTP Protocols Via CLI - Detects changes to Internet Explorer's (IE / Windows Internet properties) ZoneMap configuration of the "HTTP" and "HTTPS" protocols to point to the "My Computer" zone. This allows downloaded files from the Internet to be granted the same level of trust as files stored locally.
Suspicious Debugger Registration Cmdline - Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
Potential Persistence Via Logon Scripts - CommandLine - Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
Potential Credential Dumping Attempt Using New NetworkProvider - CLI - Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
Python Function Execution Security Warning Disabled In Excel - Detects changes to the registry value "PythonFunctionWarnings" that would prevent any warnings or alerts from showing when Python functions are about to be executed. Threat actors could run malicious code through the new Microsoft Excel feature that allows Python to run within the spreadsheet.
Potential Privilege Escalation via Service Permissions Weakness - Detect modification of services configuration (ImagePath, FailureCommand and ServiceDLL) in registry by processes with Medium integrity level
Potential Provisioning Registry Key Abuse For Binary Proxy Execution - Detects potential abuse of the provisioning registry key for indirect command execution through "Provlaunch.exe".
Potential PowerShell Execution Policy Tampering - ProcCreation - Detects changes to the PowerShell execution policy registry key in order to bypass signing requirements for script execution from the CommandLine
Hiding User Account Via SpecialAccounts Registry Key - CommandLine - Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
Persistence Via TypedPaths - CommandLine - Detects modification addition to the 'TypedPaths' key in the user or admin registry via the commandline. Which might indicate persistence attempt
Potential Regsvr32 Commandline Flag Anomaly - Detects a potential command line flag anomaly related to "regsvr32" in which the "/i" flag is used without the "/n" which should be uncommon.
Potentially Suspicious Regsvr32 HTTP IP Pattern - Detects regsvr32 execution to download and install DLLs located remotely where the address is an IP address.
Potentially Suspicious Regsvr32 HTTP/FTP Pattern - Detects regsvr32 execution to download/install/register new DLLs that are hosted on Web or FTP servers.
Suspicious Regsvr32 Execution From Remote Share - Detects REGSVR32.exe to execute DLL hosted on remote shares
Potentially Suspicious Child Process Of Regsvr32 - Detects potentially suspicious child processes of "regsvr32.exe".
Regsvr32 Execution From Potential Suspicious Location - Detects execution of regsvr32 where the DLL is located in a potentially suspicious location.
Regsvr32 Execution From Highly Suspicious Location - Detects execution of regsvr32 where the DLL is located in a highly suspicious locations
Regsvr32 DLL Execution With Suspicious File Extension - Detects the execution of REGSVR32.exe with DLL files masquerading as other files
Scripting/CommandLine Process Spawned Regsvr32 - Detects various command line and scripting engines/processes such as "PowerShell", "Wscript", "Cmd", etc. spawning a "regsvr32" instance.
Regsvr32 DLL Execution With Uncommon Extension - Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.
Remote Access Tool - AnyDesk Execution - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - AnyDesk Piped Password Via CLI - Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate - Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
Remote Access Tool - AnyDesk Silent Installation - Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
Remote Access Tool - Anydesk Execution From Suspicious Folder - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - GoToAssist Execution - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - LogMeIn Execution - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - Potential MeshAgent Execution - Windows - Detects potential execution of MeshAgent which is a tool used for remote access. Historical data shows that threat actors rename MeshAgent binary to evade detection. Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
Remote Access Tool - MeshAgent Command Execution via MeshCentral - Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.
Remote Access Tool - NetSupport Execution - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - NetSupport Execution From Unusual Location - Detects execution of client32.exe (NetSupport RAT) from an unusual location (outside of 'C:\Program Files')
Remote Access Tool - Renamed MeshAgent Execution - Windows - Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
Remote Access Tool - RURAT Execution From Unusual Location - Detects execution of Remote Utilities RAT (RURAT) from an unusual location (outside of 'C:\Program Files')
Remote Access Tool - ScreenConnect Execution - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - ScreenConnect Installation Execution - Detects ScreenConnect program starts that establish a remote access to a system.
Remote Access Tool - ScreenConnect Remote Command Execution - Detects the execution of a system command via the ScreenConnect RMM service.
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution - Detects potentially suspicious child processes launched via the ScreenConnect client service.
Remote Access Tool - ScreenConnect Server Web Shell Execution - Detects potential web shell execution from the ScreenConnect server process.
Remote Access Tool - Simple Help Execution - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server - Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line. These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID. This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.
Remote Access Tool - Team Viewer Session Started On Windows Host - Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Remote Access Tool - UltraViewer Execution - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Discovery of a System Time - Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
Renamed AdFind Execution - Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
Renamed AutoHotkey.EXE Execution - Detects execution of a renamed autohotkey.exe binary based on PE metadata fields
Renamed AutoIt Execution - Detects the execution of a renamed AutoIt2.exe or AutoIt3.exe. AutoIt is a scripting language and automation tool for Windows systems. While primarily used for legitimate automation tasks, it can be misused in cyber attacks. Attackers can leverage AutoIt to create and distribute malware, including keyloggers, spyware, and botnets. A renamed AutoIt executable is particularly suspicious.
Potential Defense Evasion Via Binary Rename - Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Potential Defense Evasion Via Rename Of Highly Relevant Binaries - Detects the execution of a renamed binary often used by attackers or malware leveraging new Sysmon OriginalFileName datapoint.
Renamed BOINC Client Execution - Detects the execution of a renamed BOINC binary.
Renamed BrowserCore.EXE Execution - Detects process creation with a renamed BrowserCore.exe (used to extract Azure tokens)
Renamed Cloudflared.EXE Execution - Detects the execution of a renamed "cloudflared" binary.
Renamed CreateDump Utility Execution - Detects uses of a renamed legitimate createdump.exe LOLOBIN utility to dump process memory
Renamed CURL.EXE Execution - Detects the execution of a renamed "CURL.exe" binary based on the PE metadata fields
Renamed ZOHO Dctask64 Execution - Detects a renamed "dctask64.exe" execution, a signed binary by ZOHO Corporation part of ManageEngine Endpoint Central. This binary can be abused for DLL injection, arbitrary command and process execution.
Renamed FTP.EXE Execution - Detects the execution of a renamed "ftp.exe" binary based on the PE metadata fields
Renamed Gpg.EXE Execution - Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
Renamed Jusched.EXE Execution - Detects the execution of a renamed "jusched.exe" as seen used by the cobalt group
Renamed Mavinject.EXE Execution - Detects the execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
Renamed MegaSync Execution - Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
Renamed Msdt.EXE Execution - Detects the execution of a renamed "Msdt.exe" binary
Renamed Microsoft Teams Execution - Detects the execution of a renamed Microsoft Teams binary.
Renamed NetSupport RAT Execution - Detects the execution of a renamed "client32.exe" (NetSupport RAT) via Imphash, Product and OriginalFileName strings
Renamed NirCmd.EXE Execution - Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
Renamed Office Binary Execution - Detects the execution of a renamed office binary
Renamed PAExec Execution - Detects execution of renamed version of PAExec. Often used by attackers
Renamed PingCastle Binary Execution - Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
Renamed Plink Execution - Detects the execution of a renamed version of the Plink binary
Visual Studio NodejsTools PressAnyKey Renamed Execution - Detects renamed execution of "Microsoft.NodejsTools.PressAnyKey.exe", which can be abused as a LOLBIN to execute arbitrary binaries
Potential Renamed Rundll32 Execution - Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
Renamed Remote Utilities RAT (RURAT) Execution - Detects execution of renamed Remote Utilities (RURAT) via Product PE header field
Renamed Schtasks Execution - Detects the execution of renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks. One of the very common persistence techniques is schedule malicious tasks using schtasks.exe. Since, it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
Renamed SysInternals DebugView Execution - Detects suspicious renamed SysInternals DebugView execution
Renamed ProcDump Execution - Detects the execution of a renamed ProcDump executable. This often done by attackers or malware in order to evade defensive mechanisms.
Renamed PsExec Service Execution - Detects suspicious launch of a renamed version of the PSEXESVC service with, which is not often used by legitimate administrators
Renamed Sysinternals Sdelete Execution - Detects the use of a renamed SysInternals Sdelete, which is something an administrator shouldn't do (the renaming)
Renamed Vmnat.exe Execution - Detects renamed vmnat.exe or portable version that can be used for DLL side-loading
Renamed Whoami Execution - Detects the execution of whoami that has been renamed to a different name to avoid detection
Capture Credentials with Rpcping.exe - Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
Ruby Inline Command Execution - Detects execution of ruby using the "-e" flag. This is could be used as a way to launch a reverse shell or execute live ruby code.
Potential Rundll32 Execution With DLL Stored In ADS - Detects execution of rundll32 where the DLL being called is stored in an Alternate Data Stream (ADS).
Suspicious Advpack Call Via Rundll32.EXE - Detects execution of "rundll32" calling "advpack.dll" with potential obfuscated ordinal calls in order to leverage the "RegisterOCX" function
Suspicious Rundll32 Invoking Inline VBScript - Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
Rundll32 InstallScreenSaver Execution - An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
Suspicious Key Manager Access - Detects the invocation of the Stored User Names and Passwords dialogue (Key Manager)
Mshtml.DLL RunHTMLApplication Suspicious Usage - Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
Rundll32 Execution Without CommandLine Parameters - Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
Suspicious NTLM Authentication on the Printer Spooler Service - Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
Potential Obfuscated Ordinal Call Via Rundll32 - Detects execution of "rundll32" with potential obfuscated ordinal calls
Rundll32 Spawned Via Explorer.EXE - Detects execution of "rundll32.exe" with a parent process of Explorer.exe. This has been observed by variants of Raspberry Robin, as first reported by Red Canary.
Process Memory Dump Via Comsvcs.DLL - Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Rundll32 Registered COM Objects - load malicious registered COM objects
Suspicious Process Start Locations - Detects suspicious process run from unusual locations
Suspicious Rundll32 Setupapi.dll Activity - setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
Shell32 DLL Execution in Suspicious Directory - Detects shell32.dll executing a DLL in a suspicious directory
Potential ShellDispatch.DLL Functionality Abuse - Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
RunDLL32 Spawning Explorer - Detects RunDLL32.exe spawning explorer.exe as child, which is very uncommon, often observes Gamarue spawning the explorer.exe process in an unusual way
Potentially Suspicious Rundll32 Activity - Detects suspicious execution of rundll32, with specific calls to some DLLs with known LOLBIN functionalities
Suspicious Control Panel DLL Load - Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Suspicious Rundll32 Execution With Image Extension - Detects the execution of Rundll32.exe with DLL files masquerading as image files
Suspicious Usage Of ShellExec_RunDLL - Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
Suspicious ShellExec_RunDLL Call Via Ordinal - Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands. Adversary might only use the ordinal number in order to bypass existing detection that alert on usage of ShellExec_RunDLL on CommandLine.
ShimCache Flush - Detects actions that clear the local ShimCache and remove forensic evidence
Suspicious Rundll32 Activity Invoking Sys File - Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
Potentially Suspicious Rundll32.EXE Execution of UDL File - Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file. Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
Rundll32 UNC Path Execution - Detects rundll32 execution where the DLL is located on a remote location (share)
Rundll32 Execution With Uncommon DLL Extension - Detects the execution of rundll32 with a command line that doesn't contain a common extension
Suspicious Workstation Locking via Rundll32 - Detects a suspicious call to the user32.dll function that locks the user workstation
WebDav Client Execution Via Rundll32.EXE - Detects "svchost.exe" spawning "rundll32.exe" with command arguments like "C:\windows\system32\davclnt.dll,DavSetCookie". This could be an indicator of exfiltration or use of WebDav to launch code (hosted on a WebDav server).
Suspicious WebDav Client Execution Via Rundll32.EXE - Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
Rundll32 Execution Without Parameters - Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
Run Once Task Execution as Configured in Registry - This rule detects the execution of Run Once task as configured in the registry
Possible Privilege Escalation via Weak Service Permissions - Detection of sc.exe utility spawning by user with Medium integrity level to change service ImagePath or FailureCommand
New Service Creation Using Sc.EXE - Detects the creation of a new service using the "sc.exe" utility.
Service StartupType Change Via Sc.EXE - Detect the use of "sc.exe" to change the startup type of a service to "disabled" or "demand"
New Kernel Driver Via SC.EXE - Detects creation of a new service (kernel driver) with the type "kernel"
Interesting Service Enumeration Via Sc.EXE - Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE - Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE - Detects suspicious DACL modifications to deny access to a service that affects critical trustees. This can be used to hide services or make them unstoppable.
Service DACL Abuse To Hide Services Via Sc.EXE - Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
Service Security Descriptor Tampering Via Sc.EXE - Detection of sc.exe utility adding a new service with special permission which hides that service.
Suspicious Service Path Modification - Detects service path modification via the "sc" binary to a suspicious command or path
Potential Persistence Attempt Via Existing Service Tampering - Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
Stop Windows Service Via Sc.EXE - Detects the stopping of a Windows service via the "sc.exe" utility
Suspicious Schtasks Execution AppData Folder - Detects the creation of a schtask that executes a file from C:\Users\\AppData\Local
Suspicious Modification Of Scheduled Tasks - Detects when an attacker tries to modify an already existing scheduled tasks to run from a suspicious location Attackers can create a simple looking task in order to avoid detection on creation as it's often the most focused on Instead they modify the task after creation to include their malicious payload
Scheduled Task Creation Via Schtasks.EXE - Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Suspicious Scheduled Task Creation Involving Temp Folder - Detects the creation of scheduled tasks that involves a temporary folder and runs only once
Scheduled Task Creation with Curl and PowerShell Execution Combo - Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
Delete Important Scheduled Task - Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
Delete All Scheduled Tasks - Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
Disable Important Scheduled Task - Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE - Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
Schtasks From Suspicious Folders - Detects scheduled task creations that have suspicious action command and folder combinations
Suspicious Scheduled Task Name As GUID - Detects creation of a scheduled task with a GUID like name
Uncommon One Time Only Scheduled Task At 00:00 - Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
Potential SSH Tunnel Persistence Install Using A Scheduled Task - Detects the creation of new scheduled tasks via commandline, using Schtasks.exe. This rule detects tasks creating that call OpenSSH, which may indicate the creation of reverse SSH tunnel to the attacker's server.
Potential Persistence Via Microsoft Compatibility Appraiser - Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
Potential Persistence Via Powershell Search Order Hijacking - Task - Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
Scheduled Task Executing Payload from Registry - Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
Scheduled Task Executing Encoded Payload from Registry - Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
Suspicious Schtasks Schedule Types - Detects scheduled task creations or modification on a suspicious schedule type
Suspicious Schtasks Schedule Type With High Privileges - Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
Suspicious Scheduled Task Creation via Masqueraded XML File - Detects the creation of a scheduled task using the "-XML" flag with a file without the '.xml' extension. This behavior could be indicative of potential defense evasion attempt during persistence
Suspicious Command Patterns In Scheduled Task Creation - Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
Schtasks Creation Or Modification With SYSTEM Privileges - Detects the creation or update of a scheduled task to run with "NT AUTHORITY\SYSTEM" privileges
Scheduled Task Creation Masquerading as System Processes - Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
Script Event Consumer Spawning Process - Detects a suspicious child process of Script Event Consumer (scrcons.exe).
Potential Shim Database Persistence via Sdbinst.EXE - Detects installation of a new shim using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Uncommon Extension Shim Database Installation Via Sdbinst.EXE - Detects installation of a potentially suspicious new shim with an uncommon extension using sdbinst.exe. Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims
Sdclt Child Processes - A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques.
Sdiagnhost Calling Suspicious Child Process - Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
Potential Suspicious Activity Using SeCEdit - Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
NodeJS Execution of JavaScript File - Detects execution of JavaScript or JSC files using NodeJs binary node.exe, that could be potentially suspicious. Node.js is a popular open-source JavaScript runtime that runs code outside browsers and is widely used for both frontend and backend development. Adversaries have been observed abusing Node.js to disguise malware as legitimate processes, evade security defenses, and maintain persistence within target systems. Because Node.js is commonly used, this rule may generate false positives in some environments. However, if such activity is unusual in your environment, it is highly suspicious and warrants immediate investigation.
Suspicious Serv-U Process Pattern - Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
Uncommon Child Process Of Setres.EXE - Detects uncommon child process of Setres.EXE. Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution. It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
Potential SPN Enumeration Via Setspn.EXE - Detects service principal name (SPN) enumeration used for Kerberoasting
Setup16.EXE Execution With Custom .Lst File - Detects the execution of "Setup16.EXE" and old installation utility with a custom ".lst" file. These ".lst" file can contain references to external program that "Setup16.EXE" will execute. Attackers and adversaries might leverage this as a living of the land utility.
Suspicious Execution of Shutdown - Use of the commandline to shutdown or reboot windows
Suspicious Execution of Shutdown to Log Out - Detects the rare use of the command line tool shutdown to logoff a user
Uncommon Sigverif.EXE Child Process - Detects uncommon child processes spawning from "sigverif.exe", which could indicate potential abuse of the latter as a living of the land binary in order to proxy execution.
Uncommon Child Processes Of SndVol.exe - Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
Audio Capture via SoundRecorder - Detect attacker collecting audio via SoundRecorder application.
Suspicious Speech Runtime Binary Child Process - Detects suspicious Speech Runtime Binary Execution by monitoring its child processes. Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
Suspicious Splwow64 Without Params - Detects suspicious Splwow64.exe process without any command line parameters
Suspicious Spool Service Child Process - Detects suspicious print spool service (spoolsv.exe) child processes.
Veeam Backup Database Suspicious Query - Detects potentially suspicious SQL queries using SQLCmd targeting the Veeam backup databases in order to steal information.
VeeamBackup Database Credentials Dump Via Sqlcmd.EXE - Detects dump of credentials in VeeamBackup dbo
SQLite Chromium Profile Data DB Access - Detect usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
SQLite Firefox Profile Data DB Access - Detect usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
Arbitrary File Download Via Squirrel.EXE - Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Process Proxy Execution Via Squirrel.EXE - Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Port Forwarding Activity Via SSH.EXE - Detects port forwarding activity via SSH.exe
Program Executed Using Proxy/Local Command Via SSH.EXE - Detect usage of the "ssh.exe" binary as a proxy to launch other programs.
Potential RDP Tunneling Via SSH - Execution of ssh.exe to perform data exfiltration and tunneling through RDP
Potential Amazon SSM Agent Hijacking - Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
Execution via stordiag.exe - Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe
Start of NT Virtual DOS Machine - Ntvdm.exe allows the execution of 16-bit Windows applications on 32-bit Windows operating systems, as well as the execution of both 16-bit and 32-bit DOS applications
Abused Debug Privilege by Arbitrary Parent Processes - Detection of unusual child processes by different system processes
User Added to Local Administrators Group - Detects addition of users to the local administrator group via "Net" or "Add-LocalGroupMember".
User Added To Highly Privileged Group - Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".
User Added to Remote Desktop Users Group - Detects addition of users to the local Remote Desktop Users group via "Net" or "Add-LocalGroupMember".
Execute From Alternate Data Streams - Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection
Always Install Elevated Windows Installer - Detects Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
Potentially Suspicious Windows App Activity - Detects potentially suspicious child process of applications launched from inside the WindowsApps directory. This could be a sign of a rogue ".appx" package installation/execution
Arbitrary Shell Command Execution Via Settingcontent-Ms - The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
Phishing Pattern ISO in Archive - Detects cases in which an ISO files is opend within an archiver like 7Zip or Winrar, which is a sign of phishing as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (mark of web)
Automated Collection Command Prompt - Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Bad Opsec Defaults Sacrificial Processes With Improper Arguments - Detects attackers using tooling with bad opsec defaults. E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run. One trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.
Potential Suspicious Browser Launch From Document Reader Process - Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
Suspicious Child Process Created as System - Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
Potential Commandline Obfuscation Using Escape Characters - Detects potential commandline obfuscation using known escape characters
Potential CommandLine Obfuscation Using Unicode Characters From Suspicious Image - Detects potential commandline obfuscation using unicode characters. Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
Suspicious ClickFix/FileFix Execution Pattern - Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix). Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix - Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
Suspicious Usage of For Loop with Recursive Directory Search in CMD - Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious lnk files.
Potential Command Line Path Traversal Evasion Attempt - Detects potential evasion or obfuscation attempts using bogus path traversal via the commandline
Potential Browser Data Stealing - Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.
Copy From Or To Admin Share Or Sysvol Folder - Detects a copy command or a copy utility execution to or from an Admin share or remote
Suspicious Copy From or To System Directory - Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
LOL-Binary Copied From System Directory - Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
Potential Crypto Mining Activity - Detects command line parameters or strings often used by crypto miners
Potential Data Exfiltration Activity Via CommandLine Tools - Detects the use of various CLI utilities exfiltrating data via web requests
Raccine Uninstall - Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool.
Suspicious Double Extension File Execution - Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
Suspicious Parent Double Extension File Execution - Detect execution of suspicious double extension files in ParentCommandLine
Suspicious Download from Office Domain - Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
DumpStack.log Defender Evasion - Detects the use of the filename DumpStack.log to evade Microsoft Defender
Always Install Elevated MSI Spawned Cmd And Powershell - Detects Windows Installer service (msiexec.exe) spawning "cmd" or "powershell"
Suspicious Electron Application Child Processes - Detects suspicious child processes of electron apps (teams, discord, slack, etc.). This could be a potential sign of ".asar" file tampering (See reference section for more information) or binary execution proxy through specific CLI arguments (see related rule)
Potentially Suspicious Electron Application CommandLine - Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
Elevated System Shell Spawned From Uncommon Parent Location - Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from a uncommon parent location.
Hidden Powershell in Link File Pattern - Detects events that appear when a user click on a link file with a powershell command in it
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 1 - Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 2 - Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3 - Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4 - Detects the usage of emojis in the command line, this could be a sign of potential defense evasion activity.
ETW Logging Tamper In .NET Processes Via CommandLine - Detects changes to environment variables related to ETW logging via the CommandLine. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies.
ETW Trace Evasion Activity - Detects command line activity that tries to clear or disable any ETW trace log which could be a sign of logging evasion.
Suspicious Eventlog Clearing or Configuration Change Activity - Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities - Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
Potentially Suspicious Execution From Parent Process In Public Folder - Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
Process Execution From A Potentially Suspicious Folder - Detects a potentially suspicious execution from an uncommon folder.
Suspicious File Characteristics Due to Missing Fields - Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
Suspicious FileFix Execution Pattern - Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation. This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms, which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content. The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS - Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
Potential Hidden Directory Creation Via NTFS INDEX_ALLOCATION Stream - CLI - Detects command line containing reference to the "::$index_allocation" stream, which can be used as a technique to prevent access to folders or files from tooling such as "explorer.exe" or "powershell.exe"
Writing Of Malicious Files To The Fonts Folder - Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privillege to be written and executed from.
Potential Homoglyph Attack Using Lookalike Characters - Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters. This is used as an obfuscation and masquerading techniques. Only "perfect" homoglyphs are included; these are characters that are indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.
Execution Of Non-Existing File - Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
Base64 MZ Header In CommandLine - Detects encoded base64 MZ header in the commandline
Potentially Suspicious Inline JavaScript Execution via NodeJS Binary - Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
Potential WinAPI Calls Via CommandLine - Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
Potentially Suspicious JWT Token Search Via CLI - Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others. Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.
Suspicious LNK Command-Line Padding with Whitespace Characters - Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D). Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary. The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks. This rule flags suspicious use of such padding observed in real-world attacks.
Local Accounts Discovery - Local accounts, System Owner/User discovery using operating systems utilities
LOLBIN Execution From Abnormal Drive - Detects LOLBINs executing from an abnormal or uncommon drive such as a mounted ISO.
LSASS Dump Keyword In CommandLine - Detects the presence of the keywords "lsass" and ".dmp" in the commandline, which could indicate a potential attempt to dump or create a dump of the lsass process.
Potential File Download Via MS-AppInstaller Protocol Handler - Detects usage of the "ms-appinstaller" protocol handler via command line to potentially download arbitrary files via AppInstaller.EXE The downloaded files are temporarly stored in ":\Users\%username%\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\"
Suspicious Network Command - Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Suspicious Scan Loop Network - Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system
Potential Network Sniffing Activity Using Network Tools - Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Process Launched Without Image Name - Detect the use of processes with no name (".exe"), which can be used to evade Image-based detections.
Execution of Suspicious File Type Extension - Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.
Non-privileged Usage of Reg or Powershell - Search for usage of reg or Powershell by non-privileged users to modify service configuration in registry
Suspicious Process Patterns NTDS.DIT Exfil - Detects suspicious process patterns used in NTDS.DIT exfiltration
Potentially Suspicious Call To Win32_NTEventlogFile Class - Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Use Short Name Path in Image - Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
Use NTFS Short Name in Command Line - Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
Use NTFS Short Name in Image - Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
Obfuscated IP Download Activity - Detects use of an encoded/obfuscated version of an IP address (hex, octal...) in an URL combined with a download command
Obfuscated IP Via CLI - Detects usage of an encoded/obfuscated version of an IP address (hex, octal, etc.) via command line
Suspicious Process Parents - Detects suspicious parent processes that should not have any children or should only have a single possible child program
Potential PowerShell Execution Via DLL - Detects potential PowerShell execution from a DLL instead of the usual PowerShell process as seen used in PowerShdll. This detection assumes that PowerShell commands are passed via the CommandLine.
Privilege Escalation via Named Pipe Impersonation - Detects a remote file copy attempt to a hidden network share. This may indicate lateral movement or data staging activity.
Private Keys Reconnaissance Via CommandLine Tools - Adversaries may search for private key certificate files on compromised systems for insecurely stored credential
Suspicious RunAs-Like Flag Combination - Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Windows Processes Suspicious Parent Directory - Detect suspicious parent processes of well-known Windows processes
Suspicious Program Names - Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
Recon Information for Export with Command Prompt - Once established within a system or network, an adversary may use automated techniques for collecting internal data.
Suspicious Process Execution From Fake Recycle.Bin Folder - Detects process execution from a fake recycle bin folder, often used to avoid security solution.
Suspicious Redirection to Local Admin Share - Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
Registry Modification of MS-settings Protocol Handler - Detects registry modifications to the 'ms-settings' protocol handler, which is frequently targeted for UAC bypass or persistence. Attackers can modify this registry to execute malicious code with elevated privileges by hijacking the command execution path.
Potential Remote Desktop Tunneling - Detects potential use of an SSH utility to establish RDP over a reverse SSH Tunnel. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
Potential Defense Evasion Via Right-to-Left Override - Detects the presence of the "u202+E" character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This is used as an obfuscation and masquerading techniques.
Script Interpreter Execution From Suspicious Folder - Detects a suspicious script execution in temporary folders or folders accessible by environment variables
Suspicious Script Execution From Temp Folder - Detects a suspicious script executions from temporary folder
Sensitive File Access Via Volume Shadow Copy Backup - Detects a command that accesses the VolumeShadowCopy in order to extract sensitive files such as the Security or SAM registry hives or the AD database (ntds.dit)
Suspicious New Service Creation - Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
Suspicious Service Binary Directory - Detects a service binary running in a suspicious directory
Suspicious Windows Service Tampering - Detects the usage of binaries such as 'net', 'sc' or 'powershell' in order to stop, pause, disable or delete critical or important Windows services such as AV, Backup, etc. As seen being used in some ransomware scripts
Shadow Copies Creation Using Operating Systems Utilities - Shadow Copies creation using operating systems utilities, possible credential access
Shadow Copies Deletion Using Operating Systems Utilities - Shadow Copies deletion using operating systems utilities
Windows Shell/Scripting Processes Spawning Suspicious Programs - Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
Process Creation Using Sysnative Folder - Detects process creation events that use the Sysnative folder (common for CobaltStrike spawns)
System File Execution Location Anomaly - Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
Suspicious SYSTEM User Process Creation - Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
Suspicious SYSVOL Domain Group Policy Access - Detects Access to Domain Group Policies stored in SYSVOL
Tasks Folder Evasion - The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr
Malicious Windows Script Components File Execution by TAEF Detection - Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
Malicious PE Execution by Microsoft Visual Studio Debugger - There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
Suspicious Userinit Child Process - Detects a suspicious child process of userinit
Suspicious Velociraptor Child Process - Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
Weak or Abused Passwords In CLI - Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline
Usage Of Web Request Commands And Cmdlets - Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
WhoAmI as Parameter - Detects a suspicious process command line that uses whoami as first parameter (as e.g. used by EfsPotato)
Execution via WorkFolders.exe - Detects using WorkFolders.exe to execute an arbitrary control.exe
Suspect Svchost Activity - It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
Suspicious Process Masquerading As SvcHost.EXE - Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
Terminal Service Process Spawn - Detects a process spawned by the terminal service server process (this could be an indicator for an exploitation of CVE-2019-0708)
Uncommon Svchost Command Line Parameter - Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns. This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
Uncommon Svchost Parent Process - Detects an uncommon svchost parent process
Permission Check Via Accesschk.EXE - Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
Active Directory Database Snapshot Via ADExplorer - Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
Suspicious Active Directory Database Snapshot Via ADExplorer - Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
Potential Execution of Sysinternals Tools - Detects command lines that contain the 'accepteula' flag which could be a sign of execution of one of the Sysinternals tools
Potential Memory Dumping Activity Via LiveKD - Detects execution of LiveKD based on PE metadata or image name
Kernel Memory Dump Via LiveKD - Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
Procdump Execution - Detects usage of the SysInternals Procdump utility
Potential SysInternals ProcDump Evasion - Detects uses of the SysInternals ProcDump utility in which ProcDump or its output get renamed, or a dump file is moved or copied to a different name
Potential LSASS Process Dump Via Procdump - Detects potential credential harvesting attempts through LSASS memory dumps using ProcDump. This rule identifies suspicious command-line patterns that combine memory dump flags (-ma, -mm, -mp) with LSASS-related process markers. LSASS (Local Security Authority Subsystem Service) contains sensitive authentication data including plaintext passwords, NTLM hashes, and Kerberos tickets in memory. Attackers commonly dump LSASS memory to extract credentials for lateral movement and privilege escalation.
Psexec Execution - Detects user accept agreement execution in psexec commandline
PsExec/PAExec Escalation to LOCAL SYSTEM - Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
Potential PsExec Remote Execution - Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
PsExec Service Execution - Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
PsExec Service Child Process Execution as LOCAL SYSTEM - Detects suspicious launch of the PSEXESVC service on this system and a sub process run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system running it with highest privileges and not only the privileges of the login user account (e.g. the administrator account)
Suspicious Use of PsLogList - Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
Sysinternals PsService Execution - Detects usage of Sysinternals PsService which can be abused for service reconnaissance and tampering
Sysinternals PsSuspend Execution - Detects usage of Sysinternals PsSuspend which can be abused to suspend critical processes
Sysinternals PsSuspend Suspicious Execution - Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses
Potential File Overwrite Via Sysinternals SDelete - Detects the use of SDelete to erase a file not the free space
Potential Privilege Escalation To LOCAL SYSTEM - Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
Sysmon Configuration Update - Detects updates to Sysmon's configuration. Attackers might update or replace the Sysmon configuration with a bare bone one to avoid monitoring without shutting down the service completely
Uninstall Sysinternals Sysmon - Detects the removal of Sysmon, which could be a potential attempt at defense evasion
Potential Binary Impersonating Sysinternals Tools - Detects binaries that use the same name as legitimate sysinternals tools to evade detection. This rule looks for the execution of binaries that are named similarly to Sysinternals tools. Adversary may rename their malicious tools as legitimate Sysinternals tools to evade detection.
Sysprep on AppData Folder - Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
Suspicious Execution of Systeminfo - Detects usage of the "systeminfo" command to retrieve information
Potential Signing Bypass Via Windows Developer Features - Detects when a user enable developer features such as "Developer Mode" or "Application Sideloading". Which allows the user to install untrusted packages.
Suspicious Recursive Takeown - Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
Tap Installer Execution - Well-known TAP software installation. Possible preparation for data exfiltration using tunneling techniques
Compressed File Creation Via Tar.EXE - Detects execution of "tar.exe" in order to create a compressed file. Adversaries may abuse various utilities to compress or encrypt data before exfiltration.
Compressed File Extraction Via Tar.EXE - Detects execution of "tar.exe" in order to extract compressed file. Adversaries may abuse various utilities in order to decompress data to avoid detection.
Taskkill Symantec Endpoint Protection - Detects one of the possible scenarios for disabling Symantec Endpoint Protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service.
Loaded Module Enumeration Via Tasklist.EXE - Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe". This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question. In order to dump the process memory or perform other nefarious actions.
Taskmgr as LOCAL_SYSTEM - Detects the creation of taskmgr.exe process in context of LOCAL_SYSTEM
New Process Created Via Taskmgr.EXE - Detects the creation of a process via the Windows task manager. This might be an attempt to bypass UAC
Potentially Suspicious Command Targeting Teams Sensitive Files - Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.
New Virtual Smart Card Created Via TpmVscMgr.EXE - Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
Suspicious TSCON Start as SYSTEM - Detects a tscon.exe start as LOCAL SYSTEM
Suspicious RDP Redirect Using TSCON - Detects a suspicious RDP session redirect using tscon.exe
Potential RDP Session Hijacking Activity - Detects potential RDP Session Hijacking activity on Windows systems
UAC Bypass Using ChangePK and SLUI - Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
UAC Bypass Using Disk Cleanup - Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
Bypass UAC via CMSTP - Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
CMSTP UAC Bypass via COM Object Access - Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
UAC Bypass Tools Using ComputerDefaults - Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
UAC Bypass Using Consent and Comctl32 - Process - Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
UAC Bypass Using DismHost - Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
UAC Bypass Using Event Viewer RecentViews - Detects the pattern of UAC Bypass using Event Viewer RecentViews
Bypass UAC via Fodhelper.exe - Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
UAC Bypass via Windows Firewall Snap-In Hijack - Detects attempts to bypass User Account Control (UAC) by hijacking the Microsoft Management Console (MMC) Windows Firewall snap-in
UAC Bypass via ICMLuaUtil - Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
UAC Bypass Using IDiagnostic Profile - Detects the "IDiagnosticProfileUAC" UAC bypass technique
UAC Bypass Using IEInstal - Process - Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
UAC Bypass Using MSConfig Token Modification - Process - Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
UAC Bypass Using NTFS Reparse Point - Process - Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
UAC Bypass Using PkgMgr and DISM - Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
Potential UAC Bypass Via Sdclt.EXE - A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
TrustedPath UAC Bypass Pattern - Detects indicators of a UAC bypass method by mocking directories
UAC Bypass Abusing Winsat Path Parsing - Process - Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
UAC Bypass Using Windows Media Player - Process - Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Bypass UAC via WSReset.exe - Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
UAC Bypass WSReset - Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
Use of UltraVNC Remote Access Software - An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
Suspicious UltraVNC Execution - Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
Uninstall Crowdstrike Falcon Sensor - Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
User Shell Folders Registry Modification via CommandLine - Detects modifications to User Shell Folders registry values via reg.exe or PowerShell, which could indicate persistence attempts. Attackers may modify User Shell Folders registry values to point to malicious executables or scripts that will be executed during startup. This technique is often used to maintain persistence on a compromised system by ensuring that malicious payloads are executed automatically.
Uncommon Userinit Child Process - Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
Windows Credential Manager Access via VaultCmd - List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe
Registry Modification Attempt Via VBScript - Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without using straightforward methods like regedit.exe, reg.exe, or PowerShell. Threat Actors may use this technique to evade detection by security solutions that monitor for direct registry modifications through traditional tools.
Verclsid.exe Runs COM Object - Detects when verclsid.exe is used to run COM object via GUID
Virtualbox Driver Installation or Starting of VMs - Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
Suspicious VBoxDrvInst.exe Parameters - Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script - Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script - Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
VMToolsd Suspicious Child Process - Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
Potentially Suspicious Child Process Of VsCode - Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
Visual Studio Code Tunnel Execution - Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
Visual Studio Code Tunnel Shell Execution - Detects the execution of a shell (powershell, bash, wsl...) via Visual Studio Code tunnel. Attackers can abuse this functionality to establish a C2 channel and execute arbitrary commands on the system.
Renamed Visual Studio Code Tunnel Execution - Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel
Visual Studio Code Tunnel Service Installation - Detects the installation of VsCode tunnel (code-tunnel) as a service.
Potential Binary Proxy Execution Via VSDiagnostics.EXE - Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
Proxy Execution via Vshadow - Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits. VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag, attackers can leverage this parameter to proxy the execution of malware.
Suspicious Vsls-Agent Command With AgentExtensionPath Load - Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
Vulnerable Driver Blocklist Registry Tampering Via CommandLine - Detects tampering of the Vulnerable Driver Blocklist registry via command line tools such as PowerShell or REG.EXE. The Vulnerable Driver Blocklist is a security feature that helps prevent the loading of known vulnerable drivers. Disabling this feature may indicate an attempt to bypass security controls, often targeted by threat actors to facilitate the installation of malicious or vulnerable drivers, particularly in scenarios involving Endpoint Detection and Response
Use of W32tm as Timer - When configured with suitable command line arguments, w32tm can act as a delay mechanism
Wab Execution From Non Default Location - Detects execution of wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) from non default locations as seen with bumblebee activity
Wab/Wabmig Unusual Parent Or Child Processes - Detects unusual parent or children of the wab.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
All Backups Deleted Via Wbadmin.EXE - Detects the deletion of all backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Windows Backup Deleted Via Wbadmin.EXE - Detects the deletion of backups or system state backups via "wbadmin.exe". This technique is used by numerous ransomware families and actors. This may only be successful on server platforms that have Windows Backup enabled.
Sensitive File Dump Via Wbadmin.EXE - Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
File Recovery From Backup Via Wbadmin.EXE - Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
Sensitive File Recovery From Backup Via Wbadmin.EXE - Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive. Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
Potentially Suspicious WebDAV LNK Execution - Detects possible execution via LNK file accessed on a WebDAV server.
Chopper Webshell Process Pattern - Detects patterns found in process executions cause by China Chopper like tiny (ASPX) webshells
Webshell Hacking Activity Patterns - Detects certain parent child patterns found in cases in which a web shell is used to perform certain credential dumping or exfiltration activities on a compromised system
Webshell Detection With Command Line Keywords - Detects certain command line parameters often used during reconnaissance activity via web shells
Suspicious Process By Web Server Process - Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
Webshell Tool Reconnaissance Activity - Detects processes spawned from web servers (PHP, Tomcat, IIS, etc.) that perform reconnaissance looking for the existence of popular scripting tools (perl, python, wget) on the system via the help commands
Potential Credential Dumping Via WER - Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
Potential ReflectDebugger Content Execution Via WerFault.EXE - Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
PPL Tampering Via WerFaultSecure - Detects potential abuse of WerFaultSecure.exe to dump Protected Process Light (PPL) processes like LSASS or to freeze security solutions (EDR/antivirus). This technique is used by tools such as EDR-Freeze and WSASS to bypass PPL protections and access sensitive information or disable security software. Distinct command line patterns help identify the specific tool: - WSASS usage typically shows: "WSASS.exe WerFaultSecure.exe [PID]" in ParentCommandLine - EDR-Freeze usage typically shows: "EDR-Freeze_[version].exe [PID] [timeout]" in ParentCommandLine Legitimate debugging operations using WerFaultSecure are rare in production environments and should be investigated.
Suspicious Child Process Of Wermgr.EXE - Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
Suspicious Execution Location Of Wermgr.EXE - Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
Suspicious File Download From IP Via Wget.EXE - Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
Suspicious File Download From File Sharing Domain Via Wget.EXE - Detects potentially suspicious file downloads from file sharing domains using wget.exe
Suspicious File Download From IP Via Wget.EXE - Paths - Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
Suspicious Where Execution - Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Enumerate All Information With Whoami.EXE - Detects the execution of "whoami.exe" with the "/all" flag
Whoami.EXE Execution From Privileged Process - Detects the execution of "whoami.exe" by privileged accounts that are often abused by threat actors
Group Membership Reconnaissance Via Whoami.EXE - Detects the execution of whoami.exe with the /group command line flag to show group membership for the current user, account type, security identifiers (SID), and attributes.
Whoami.EXE Execution With Output Option - Detects the execution of "whoami.exe" with the "/FO" flag to choose CSV as output format or with redirection options to export the results to a file for later use.
Whoami.EXE Execution Anomaly - Detects the execution of whoami.exe with suspicious parent processes.
Security Privileges Enumeration Via Whoami.EXE - Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privileges. This is often used after a privilege escalation attempt.
Suspicious WindowsTerminal Child Processes - Detects suspicious children spawned via the Windows Terminal application which could be a sign of persistence via WindowsTerminal (see references section)
Add New Download Source To Winget - Detects usage of winget to add new additional download sources
Add Insecure Download Source To Winget - Detects usage of winget to add a new insecure (http) download source. Winget will not allow the addition of insecure sources, hence this could indicate potential suspicious activity (or typos)
Add Potential Suspicious New Download Source To Winget - Detects usage of winget to add new potentially suspicious download sources
Install New Package Via Winget Local Manifest - Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.
Winrar Compressing Dump Files - Detects execution of WinRAR in order to compress a file with a ".dmp"/".dump" extension, which could be a step in a process of dump file exfiltration.
Potentially Suspicious Child Process Of WinRAR.EXE - Detects potentially suspicious child processes of WinRAR.exe.
WinRAR Execution in Non-Standard Folder - Detects a suspicious WinRAR execution in a folder which is not the default installation folder
AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
Remote Code Execute via Winrm.vbs - Detects an attempt to execute code or create service on remote host via winrm.vbs.
Remote PowerShell Session Host Process (WinRM) - Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
Suspicious Processes Spawned by WinRM - Detects suspicious processes including shells spawnd from WinRM host process
Winrs Local Command Execution - Detects the execution of Winrs.exe where it is used to execute commands locally. Commands executed this way are launched under Winrshost.exe and can represent proxy execution used for defense evasion or lateral movement.
Potential Lateral Movement via Windows Remote Shell - Detects a child process spawned by 'winrshost.exe', which suggests remote command execution through Windows Remote Shell (WinRs) and may indicate potential lateral movement activity.
Compress Data and Lock With Password for Exfiltration With WINZIP - An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities
Wlrmdr.EXE Uncommon Argument Or Child Process - Detects the execution of "Wlrmdr.exe" with the "-u" command line flag which allows anything passed to it to be an argument of the ShellExecute API, which would allow an attacker to execute arbitrary binaries. This detection also focuses on any uncommon child processes spawned from "Wlrmdr.exe" as a supplement for those that posses "ParentImage" telemetry.
WMI Backdoor Exchange Transport Agent - Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
Password Set to Never Expire via WMI - Detects the use of wmic.exe to modify user account settings and explicitly disable password expiration.
WMI Persistence - Script Event Consumer - Detects WMI script event consumers
New ActiveScriptEventConsumer Created Via Wmic.EXE - Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
Potential Windows Defender Tampering Via Wmic.EXE - Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
New Process Created Via Wmic.EXE - Detects new process creation using WMIC via the "process call create" flag
Computer System Reconnaissance Via Wmic.EXE - Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
Hardware Model Reconnaissance Via Wmic.EXE - Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
Local Groups Reconnaissance Via Wmic.EXE - Detects the execution of "wmic" with the "group" flag. Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
Windows Hotfix Updates Reconnaissance Via Wmic.EXE - Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
Process Reconnaissance Via Wmic.EXE - Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
Potential Product Reconnaissance Via Wmic.EXE - Detects the execution of WMIC in order to get a list of firewall and antivirus products
Potential Product Class Reconnaissance Via Wmic.EXE - Detects the execution of WMIC in order to get a list of firewall, antivirus and antispywware products. Adversaries often enumerate security products installed on a system to identify security controls and potential ways to evade detection or disable protection mechanisms. This information helps them plan their next attack steps and choose appropriate techniques to bypass security measures.
Service Reconnaissance Via Wmic.EXE - An adversary might use WMI to check if a certain remote service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
Uncommon System Information Discovery Via Wmic.EXE - Detects the use of the WMI command-line (WMIC) utility to identify and display various system information, including OS, CPU, GPU, and disk drive names; memory capacity; display resolution; and baseboard, BIOS, and GPU driver products/versions. Some of these commands were used by Aurora Stealer in late 2022/early 2023.
Potential Unquoted Service Path Reconnaissance Via Wmic.EXE - Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
System Disk And Volume Reconnaissance Via Wmic.EXE - An adversary might use WMI to discover information about the system, such as the volume name, size, free space, and other disk information. This can be done using the 'wmic' command-line utility and has been observed being used by threat actors such as Volt Typhoon.
WMIC Remote Command Execution - Detects the execution of WMIC to query information on a remote system
Service Started/Stopped Via Wmic.EXE - Detects usage of wmic to start or stop a service
Potential Remote SquiblyTwo Technique Execution - Detects potential execution of the SquiblyTwo technique that leverages Windows Management Instrumentation (WMI) to execute malicious code remotely. This technique bypasses application whitelisting by using wmic.exe to process malicious XSL (eXtensible Stylesheet Language) scripts that can contain embedded JScript or VBScript. The attack typically works by fetching XSL content from a remote source (using HTTP/HTTPS) and executing it with full trust privileges directly in memory, avoiding disk-based detection mechanisms. This is a common LOLBin (Living Off The Land Binary) technique used for defense evasion and code execution.
Registry Manipulation via WMI Stdregprov - Detects the usage of wmic.exe to manipulate Windows registry via the WMI StdRegProv class. This behaviour could be potentially suspicious because it uses an alternative method to modify registry keys instead of legitimate registry tools like reg.exe or regedit.exe. Attackers specifically choose this technique to evade detection and bypass security monitoring focused on traditional registry modification commands.
Suspicious WMIC Execution Via Office Process - Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin).
Suspicious Process Created Via Wmic.EXE - Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
Application Terminated Via Wmic.EXE - Detects calls to the "terminate" function via wmic in order to kill an application
Application Removed Via Wmic.EXE - Detects the removal or uninstallation of an application via "Wmic.EXE".
Potential Tampering With Security Products Via WMIC - Detects uninstallation or termination of security products using the WMIC utility
XSL Script Execution Via WMIC.EXE - Detects the execution of WMIC with the "format" flag to potentially load local XSL files. Adversaries abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files.
WmiPrvSE Spawned A Process - Detects WmiPrvSE spawning a process
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell - Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
Suspicious WmiPrvSE Child Process - Detects suspicious and uncommon child processes of WmiPrvSE
UEFI Persistence Via Wpbbin - ProcessCreation - Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
Potential Dropper Script Execution Via WScript/CScript - Detects wscript/cscript executions of scripts located in user directories
Cscript/Wscript Potentially Suspicious Child Process - Detects potentially suspicious child processes of Wscript/Cscript. These include processes such as rundll32 with uncommon exports or PowerShell spawning rundll32 or regsvr32. Malware such as Pikabot and Qakbot were seen using similar techniques as well as many others.
Cscript/Wscript Uncommon Script Extension Execution - Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
WSL Child Process Anomaly - Detects uncommon or suspicious child processes spawning from a WSL process. This could indicate an attempt to evade parent/child relationship detections or persistence attempts via cron using WSL
Installation of WSL Kali-Linux - Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL). Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
WSL Kali-Linux Usage - Detects the use of Kali Linux through Windows Subsystem for Linux
Windows Binary Executed From WSL - Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
Proxy Execution Via Wuauclt.EXE - Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
Suspicious Windows Update Agent Empty Cmdline - Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths - Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
Wusa.EXE Executed By Parent Process Located In Suspicious Location - Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location. Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
Xwizard.EXE Execution From Non-Default Location - Detects the execution of Xwizard tool from a non-default directory. When executed from a non-default directory, this utility can be abused in order to side load a custom version of "xwizards.dll".
COM Object Execution via Xwizard.EXE - Detects the execution of Xwizard tool with the "RunWizard" flag and a GUID like argument. This utility can be abused in order to run custom COM object created in the registry.

Security - Event ID 4692 - Backup of data protection master key was attempted. #

DPAPI Domain Master Key Backup Attempt - Detects anyone attempting a backup for the DPAPI Master Key. This events gets generated at the source and not the Domain Controller.

Security - Event ID 4697 - A service was installed in the system. #

CobaltStrike Service Installations - Security - Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
HybridConnectionManager Service Installation - Rule to detect the Hybrid Connection Manager service installation.
Invoke-Obfuscation CLIP+ Launcher - Security - Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - Security - Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references
Invoke-Obfuscation STDIN+ Launcher - Security - Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - Security - Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - Security - Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - Security - Detects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - Security - Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - Security - Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - Security - Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - Security - Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security - Detects Obfuscated Powershell via VAR++ LAUNCHER
Credential Dumping Tools Service Execution - Security - Detects well-known credential dumping tools execution via service execution events
Metasploit Or Impacket Service Installation Via SMB PsExec - Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
Meterpreter or Cobalt Strike Getsystem Service Installation - Security - Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
Windows Pcap Drivers - Detects Windows Pcap driver installation based on a list of associated .sys files.
PowerShell Scripts Installed as Services - Security - Detects powershell script installed as a Service
Remote Access Tool Services Have Been Installed - Security - Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
Service Installed By Unusual Client - Security - Detects a service installed by a client which has PID 0 or whose parent has PID 0
Tap Driver Installation - Security - Detects the installation of a well-known TAP driver service. This could be a sign of potential preparation for data exfiltration using tunnelling techniques.

Security - Event ID 4698 - A scheduled task was created. #

Suspicious Scheduled Task Creation - Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.

Security - Event ID 4699 - A scheduled task was deleted. #

Important Scheduled Task Deleted/Disabled - Detects when adversaries stop services or processes by deleting or disabling their respective scheduled tasks in order to conduct data destructive activities

Security - Event ID 4701 - A scheduled task was disabled. #

Security - Event ID 4702 - A scheduled task was updated. #

Suspicious Scheduled Task Update - Detects update to a scheduled task event that contain suspicious keywords.

Security - Event ID 4704 - A user right was assigned. #

Enabled User Right in AD to Control User Objects - Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.

Security - Event ID 4706 - A new trust was created to a domain. #

A New Trust Was Created To A Domain - Addition of domains is seldom and should be verified for legitimacy.

Security - Event ID 4719 - System audit policy was changed. #

Windows Event Auditing Disabled - Detects scenarios where system auditing (i.e.: Windows event log auditing) is disabled. This may be used in a scenario where an entity would want to bypass local logging to evade detection when Windows event logging is enabled and reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications - however, it is recommended to perform these modifications in Active Directory anyways.
Important Windows Event Auditing Disabled - Detects scenarios where system auditing for important events such as "Process Creation" or "Logon" events is disabled.

Security - Event ID 4720 - A user account was created. #

Also fires on: Security-Auditing EID 4781

Hidden Local User Creation - Detects the creation of a local hidden user account which should not happen for event ID 4720.
New or Renamed User Account with '$' Character - Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.
Suspicious Windows ANONYMOUS LOGON Local Account Created - Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Local User Creation - Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.

Security - Event ID 4728 - A member was added to a security-enabled global group. #

A Member Was Added to a Security-Enabled Global Group - Detects activity when a member is added to a security-enabled global group

Security - Event ID 4729 - A member was removed from a security-enabled global group. #

A Member Was Removed From a Security-Enabled Global Group - Detects activity when a member is removed from a security-enabled global group

Security - Event ID 4730 - A security-enabled global group was deleted. #

A Security-Enabled Global Group Was Deleted - Detects activity when a security-enabled global group is deleted

Security - Event ID 4732 - A member was added to a security-enabled local group. #

User Added to Local Administrator Group - Detects the addition of a new member to the local administrator group, which could be legitimate activity or a sign of privilege escalation activity

Security - Event ID 4738 - A user account was changed. #

Active Directory User Backdoors - Detects scenarios where one can control another users or computers account without having to use their credentials.↳ also fires on: Security-Auditing EID 5136
Weak Encryption Enabled and Kerberoast - Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
Addition of SID History to Active Directory Object - An attacker can use the SID history attribute to gain additional privileges.↳ also fires on: Security-Auditing EID 4765, Security-Auditing EID 4766

Security - Event ID 4741 - A computer account was created. #

Add or Remove Computer from DC - Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

Security - Event ID 4742 - A computer account was changed. #

Possible DC Shadow Attack - Detects DCShadow via create new SPN

Security - Event ID 4743 - A computer account was deleted. #

Add or Remove Computer from DC - Detects the creation or removal of a computer. Can be used to detect attacks such as DCShadow via the creation of a new SPN.

Security - Event ID 4765 - SID History was added to an account. #

Addition of SID History to Active Directory Object - An attacker can use the SID history attribute to gain additional privileges.

Security - Event ID 4766 - An attempt to add SID History to an account failed. #

Addition of SID History to Active Directory Object - An attacker can use the SID history attribute to gain additional privileges.

Security - Event ID 4768 - A Kerberos authentication ticket (TGT) was requested. #

Also fires on: Security-Auditing EID 675, Security-Auditing EID 4769, Security-Auditing EID 4771

Potential AS-REP Roasting via Kerberos TGT Requests - Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC. This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
PetitPotam Suspicious Kerberos TGT Request - Detect suspicious Kerberos TGT requests. Once an attacer obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to the Domain Controller computer accounts.
Kerberos Manipulation - Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.

Security - Event ID 4769 - A Kerberos service ticket was requested. #

Also fires on: Security-Auditing EID 675, Security-Auditing EID 4768, Security-Auditing EID 4771

Kerberoasting Activity - Initial Query - This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
Kerberos Manipulation - Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
Suspicious Kerberos RC4 Ticket Encryption - Detects service ticket requests using RC4 encryption type

Security - Event ID 4771 - Kerberos pre-authentication failed. #

Kerberos Manipulation - Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.

Security - Event ID 4776 - The domain controller attempted to validate the credentials for an account. #

Hacktool Ruler - This events that are generated when using the hacktool Ruler by Sensepost↳ also fires on: Security-Auditing EID 4624, Security-Auditing EID 4625
Metasploit SMB Authentication - Alerts on Metasploit host's authentications on the domain.↳ also fires on: Security-Auditing EID 4624, Security-Auditing EID 4625
Account Tampering - Suspicious Failed Logon Reasons - This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.↳ also fires on: Security-Auditing EID 4625

Security - Event ID 4781 - The name of an account was changed. #

New or Renamed User Account with '$' Character - Detects the creation of a user with the "$" character. This can be used by attackers to hide a user or trick detection systems that lack the parsing mechanisms.

Security - Event ID 4794 - An attempt was made to set the Directory Services Restore Mode administrator password. #

Password Change on Directory Service Restore Mode (DSRM) Account - Detects potential attempts made to set the Directory Services Restore Mode administrator password. The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password in order to obtain persistence.

Security - Event ID 4800 - The workstation was locked. #

Locked Workstation - Detects locked workstation session events that occur automatically after a standard period of inactivity.

Security - Event ID 4825 - A user was denied the access to Remote Desktop. #

Denied Access To Remote Desktop - This event is generated when an authenticated user who is not allowed to log on remotely attempts to connect to this computer through Remote Desktop. Often, this event can be generated by attackers when searching for available windows servers in the network.

Security - Event ID 4898 - Certificate Services loaded a template. #

Also fires on: Security-Auditing EID 4899

ADCS Certificate Template Configuration Vulnerability - Detects certificate creation with template allowing risk permission subject
ADCS Certificate Template Configuration Vulnerability with Risky EKU - Detects certificate creation with template allowing risk permission subject and risky EKU

Security - Event ID 4899 - A Certificate Services template was updated. #

Also fires on: Security-Auditing EID 4898

ADCS Certificate Template Configuration Vulnerability - Detects certificate creation with template allowing risk permission subject
ADCS Certificate Template Configuration Vulnerability with Risky EKU - Detects certificate creation with template allowing risk permission subject and risky EKU

Security - Event ID 4904 - An attempt was made to register a security event source. #

VSSAudit Security Event Source Registration - Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

Security - Event ID 4905 - An attempt was made to unregister a security event source. #

VSSAudit Security Event Source Registration - Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.

Security - Event ID 5038 - Code integrity determined that the image hash of a file is not valid. #

Failed Code Integrity Checks - Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.

Security - Event ID 5136 - A directory service object was modified. #

Powerview Add-DomainObjectAcl DCSync AD Extend Right - Backdooring domain object to grant the rights associated with DCSync to a regular user or machine account using Powerview\Add-DomainObjectAcl DCSync Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
Active Directory User Backdoors - Detects scenarios where one can control another users or computers account without having to use their credentials.↳ also fires on: Security-Auditing EID 4738
Windows Default Domain GPO Modification - Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs). Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
Persistence and Execution at Scale via GPO Scheduled Task - Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale↳ also fires on: Security-Auditing EID 5145
Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation - Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,. where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.↳ also fires on: Security-Auditing EID 4662, Security-Auditing EID 5137
Possible DC Shadow Attack - Detects DCShadow via create new SPN↳ also fires on: Security-Auditing EID 4742
Group Policy Abuse for Privilege Addition - Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
Startup/Logon Script Added to Group Policy Object - Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.↳ also fires on: Security-Auditing EID 5145
Suspicious LDAP-Attributes Used - Detects the usage of particular AttributeLDAPDisplayNames, which are known for data exchange via LDAP by the tool LDAPFragger and are additionally not commonly used in companies.
Possible Shadow Credentials Added - Detects possible addition of shadow credentials to an active directory object.

Security - Event ID 5137 - A directory service object was created. #

Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation - Detects modifications to DNS records in Active Directory where the Distinguished Name (DN) contains a base64-encoded blob matching the pattern "1UWhRCAAAAA...BAAAA". This pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, commonly used in Kerberos coercion attacks. Adversaries may exploit this to coerce victim systems into authenticating to attacker-controlled hosts by spoofing SPNs via DNS. It is one of the strong indicators of a Kerberos coercion attack,. where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like CVE-2025-33073. Please investigate the user account that made the changes, as it is likely a low-privileged account that has been compromised.

Security - Event ID 5140 - A network share object was accessed. #

Access To ADMIN$ Network Share - Detects access to ADMIN$ network share

Security - Event ID 5145 - A network share object was checked to see whether client can be granted desired access. #

Also fires on: Security-Auditing EID 5136

Remote Task Creation via ATSVC Named Pipe - Detects remote task creation via at.exe or API interacting with ATSVC namedpipe
DCERPC SMB Spoolss Named Pipe - Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security - Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
Persistence and Execution at Scale via GPO Scheduled Task - Detect lateral movement using GPO scheduled task, usually used to deploy ransomware at scale
Impacket PsExec Execution - Detects execution of Impacket's psexec.py.
Possible Impacket SecretDump Remote Activity - Detect AD credential dumping using impacket secretdump HKTL
First Time Seen Remote Named Pipe - This detection excludes known namped pipes accessible remotely and notify on newly observed ones, may help to detect lateral movement and remote exec using named pipes
Windows Network Access Suspicious desktop.ini Action - Detects unusual processes accessing desktop.ini remotely over network share, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
Possible PetitPotam Coerce Authentication Attempt - Detect PetitPotam coerced authentication activity.
Protected Storage Service Access - Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
SMB Create Remote File Admin Share - Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
Startup/Logon Script Added to Group Policy Object - Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
Suspicious PsExec Execution - detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
Suspicious Access to Sensitive File Extensions - Detects known sensitive file extensions accessed on a network share
Remote Service Activity via SVCCTL Named Pipe - Detects remote service activity via remote access to the svcctl named pipe
Transferring Files with Credential Data via Network Shares - Transferring files with well-known filenames (sensitive files with credential data) using network shares
T1047 Wmiprvse Wbemcomn DLL Hijack - Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.

Security - Event ID 5156 - The Windows Filtering Platform has permitted a connection. #

RDP over Reverse SSH Tunnel WFP - Detects svchost hosting RDP termsvcs communicating with the loopback address
Remote PowerShell Sessions Network Connections (WinRM) - Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
Uncommon Outbound Kerberos Connection - Security - Detects uncommon outbound network activity via Kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.

Security - Event ID 5157 - The Windows Filtering Platform has blocked a connection. #

Windows Filtering Platform Blocked Connection From EDR Agent Binary - Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents. Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.

Security - Event ID 5379 - Credential Manager credentials were read. #

Password Protected ZIP File Opened - Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Suspicious Filenames) - Detects the extraction of password protected ZIP archives with suspicious file names. See the filename variable for more details on which file has been opened.
Password Protected ZIP File Opened (Email Attachment) - Detects the extraction of password protected ZIP archives. See the filename variable for more details on which file has been opened.

Security - Event ID 5441 - The following filter was present when the Windows Filtering Platform Base Filtering Engine started. #

HackTool - EDRSilencer Execution - Filter Added - Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.

Security - Event ID 5447 - A Windows Filtering Platform filter has been changed. #

HackTool - EDRSilencer Execution - Filter Added - Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.↳ also fires on: Security-Auditing EID 5441
HackTool - NoFilter Execution - Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators↳ also fires on: Security-Auditing EID 5449

Security - Event ID 5449 - A Windows Filtering Platform provider context has been changed. #

HackTool - NoFilter Execution - Detects execution of NoFilter, a tool for abusing the Windows Filtering Platform for privilege escalation via hardcoded policy name indicators

Security - Event ID 6281 - Code Integrity determined that the page hashes of an image file are not valid. #

Failed Code Integrity Checks - Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries.

Security - Event ID 6416 - A new external device was recognized by the system. #

External Disk Drive Or USB Storage Device Was Recognized By The System - Detects external disk drives or plugged-in USB devices.

Security - Event ID 6423 - The installation of this device is forbidden by system policy. #

Device Installation Blocked - Detects an installation of a device that is forbidden by the system policy

Microsoft-Windows-Security-Kerberos (1 event, 1 rule) #

Operational - Event ID 16 #

No Suitable Encryption Key Found For Generating Kerberos Ticket - Detects errors when a target server doesn't have suitable keys for generating kerberos tickets. This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.

Microsoft-Windows-Security-Mitigations (2 events, 4 rules) #

KernelMode - Event ID 11 - Process 'ProcessPath' (PID ProcessId) would have been blocked from loading the non-Microsoft-signed binary 'ImageName'. #

Also fires on: Security-Mitigations EID 12

Microsoft Defender Blocked from Loading Unsigned DLL - Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
Unsigned Binary Loaded From Suspicious Location - Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations

KernelMode - Event ID 12 - Process 'ProcessPath' (PID ProcessId) was blocked from loading the non-Microsoft-signed binary 'ImageName'. #

Also fires on: Security-Mitigations EID 11

Microsoft Defender Blocked from Loading Unsigned DLL - Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL
Unsigned Binary Loaded From Suspicious Location - Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations

Microsoft-Windows-Shell-Core (1 event, 1 rule) #

Operational - Event ID 28115 - Shortcut for application Name with ID AppID and flags Flags is added to app resolver cache. #

Suspicious Application Installed - Detects suspicious application installed by looking at the added shortcut to the app resolver cache

Microsoft-Windows-SMBServer (1 event, 1 rule) #

Operational - Event ID 4000 #

Unsigned or Unencrypted SMB Connection to Share Established - Detects SMB server connections to shares without signing or encryption enabled. This could indicate potential lateral movement activity using unsecured SMB shares.

Microsoft-Windows-SoftwareRestrictionPolicies (5 events, 5 rules) #

Application - Event ID 865 - Access to AttemptedPath has been restricted by your Administrator by the default software restriction policy level. #