EXPLORE DETECTIONS
Suspicious Application Allowed Through Exploit Guard
Detects applications being added to the "allowed applications" list of exploit guard in order to bypass controlled folder settings
Suspicious Application Installed
Detects suspicious application installed by looking at the added shortcut to the app resolver cache
Suspicious ArcSOC.exe Child Process
Detects script interpreters, command-line tools, and similar suspicious child processes of ArcSOC.exe. ArcSOC.exe is the process name which hosts ArcGIS Server REST services. If an attacker compromises an ArcGIS Server system and uploads a malicious Server Object Extension (SOE), they can send crafted requests to the corresponding service endpoint and remotely execute code from the ArcSOC.exe process.
Suspicious ASPX File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
Suspicious Autorun Registry Modified via WMI
Detects suspicious activity where the WMIC process is used to create an autorun registry entry via reg.exe, which is often indicative of persistence mechanisms employed by malware.
Suspicious Base64 Encoded User-Agent
Detects suspicious encoded User-Agent strings, as seen used by some malware.
Suspicious Binaries and Scripts in Public Folder
Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
Suspicious Binary In User Directory Spawned From Office Application
Detects an executable in the users directory started from one of the Microsoft Office suite applications (Word, Excel, PowerPoint, Publisher, Visio)
Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
Suspicious BitLocker Access Agent Update Utility Execution
Detects the execution of the BitLocker Access Agent Update Utility (baaupdate.exe) which is not a common parent process for other processes. Suspicious child processes spawned by baaupdate.exe could indicate an attempt at lateral movement via BitLocker DCOM & COM Hijacking.
Suspicious Browser Activity
Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
Suspicious Browser Child Process - MacOS
Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
Suspicious C2 Activities
Detects suspicious activities as declared by Florian Roth in its 'Best Practice Auditd Configuration'. This includes the detection of the following commands; wget, curl, base64, nc, netcat, ncat, ssh, socat, wireshark, rawshark, rdesktop, nmap. These commands match a few techniques from the tactics "Command and Control", including not exhaustively the following; Application Layer Protocol (T1071), Non-Application Layer Protocol (T1095), Data Encoding (T1132)
Suspicious Cabinet File Execution Via Msdt.EXE
Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
Suspicious Calculator Usage
Detects suspicious use of 'calc.exe' with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion.
Suspicious Camera and Microphone Access
Detects Processes accessing the camera and microphone from suspicious folder
Suspicious CertReq Command to Download
Detects a suspicious CertReq execution downloading a file. This behavior is often used by attackers to download additional payloads or configuration files. Certreq is a built-in Windows utility used to request and retrieve certificates from a certification authority (CA). However, it can be abused by threat actors for malicious purposes.
Suspicious Child Process Created as System
Detection of child processes spawned with SYSTEM privileges by parents with LOCAL SERVICE or NETWORK SERVICE accounts
Suspicious Child Process of AspNetCompiler
Detects potentially suspicious child processes of "aspnet_compiler.exe".
Suspicious Child Process Of BgInfo.EXE
Detects suspicious child processes of "BgInfo.exe" which could be a sign of potential abuse of the binary to proxy execution via external VBScript
Suspicious Child Process Of Manage Engine ServiceDesk
Detects suspicious child processes of the "Manage Engine ServiceDesk Plus" Java web service
Suspicious Child Process of Notepad++ Updater - GUP.Exe
Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware.
Suspicious Child Process Of SQL Server
Detects suspicious child processes of the SQLServer process. This could indicate potential RCE or SQL Injection.
Suspicious Child Process Of Veeam Dabatase
Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.