EXPLORE DETECTIONS
Suspicious Child Process Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
Suspicious Chromium Browser Instance Executed With Custom Extension
Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
Suspicious ClickFix/FileFix Execution Pattern
Detects suspicious execution patterns where users are tricked into running malicious commands via clipboard manipulation, either through the Windows Run dialog (ClickFix) or File Explorer address bar (FileFix). Attackers leverage social engineering campaigns—such as fake CAPTCHA challenges or urgent alerts—encouraging victims to paste clipboard contents, often executing mshta.exe, powershell.exe, or similar commands to infect systems.
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Suspicious CodePage Switch Via CHCP
Detects a code page switch in command line or batch scripts to a rare language
Suspicious Command Patterns In Scheduled Task Creation
Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
Suspicious Commands Linux
Detects relevant commands often related to malware or hacking activity
Suspicious Computer Machine Password by PowerShell
The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.
Suspicious Connection to Remote Account
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism.
Suspicious Control Panel DLL Load
Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
Suspicious Copy From or To System Directory
Detects a suspicious copy operation that tries to copy a program from system (System32, SysWOW64, WinSxS) directories to another on disk. Often used to move LOLBINs such as 'certutil' or 'desktopimgdownldr' to a different location with a different name in order to bypass detections based on locations.
Suspicious Creation TXT File in User Desktop
Detects creation of .txt files in user desktop folders via cmd.exe. This behavior may indicate ransomware deploying ransom notes, but can also occur during legitimate administrative tasks. Analysts should investigate for suspicious filenames (e.g., "RANSOM", "DECRYPT", "READ_ME"), bulk file creation patterns, or concurrent encryption activity to determine if this is part of a ransomware attack.
Suspicious Creation with Colorcpl
Once executed, colorcpl.exe will copy an arbitrary file to c:\windows\system32\spool\drivers\color\
Suspicious Csi.exe Usage
Csi.exe is a signed binary from Microsoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter on the command line. An early version of this utility, provided with the Microsoft "Roslyn" Community Technology Preview, was named 'rcsi.exe'.
Suspicious Curl Change User Agents - Linux
Detects a suspicious curl process start on Linux with a custom user-agent option set
Suspicious Curl File Upload - Linux
Detects a suspicious curl process start that adds a file to a web request
Suspicious Curl.EXE Download
Detects a suspicious curl process start on Windows that writes the requested document to a local file
Suspicious CustomShellHost Execution
Detects the execution of CustomShellHost.exe where the child process is not 'C:\Windows\explorer.exe'. CustomShellHost is a known LOLBin that can be abused by attackers for defense evasion techniques.
Suspicious Debugger Registration Cmdline
Detects the registration of a debugger for a program that is available in the logon screen (sticky key backdoor).
Suspicious Deno File Written from Remote Source
Detects Deno writing a file fetched from a direct HTTP(S) call to the AppData folder, or bringing its own malicious DLL. This behavior may indicate an attempt to execute remotely hosted, potentially malicious files through deno.
Suspicious Desktopimgdownldr Command
Detects a suspicious Microsoft desktopimgdownldr execution with parameters used to download files from the Internet
Suspicious Desktopimgdownldr Target File
Detects a suspicious Microsoft desktopimgdownldr file creation that stores a file to a suspicious location or contains a file with a suspicious extension
Suspicious Diantz Alternate Data Stream Execution
Detects diantz.exe compressing a target file into a CAB file stored in an Alternate Data Stream (ADS) of the target file.