EXPLORE DETECTIONS
Suspicious Encoded Scripts in a WMI Consumer
Detects suspicious encoded payloads in WMI Event Consumers
Suspicious Environment Variable Has Been Registered
Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
Suspicious Eventlog Clear
Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
Suspicious Eventlog Clearing or Configuration Change Activity
Detects the clearing or configuration tampering of EventLog using utilities such as "wevtutil", "powershell" and "wmic". This technique were seen used by threat actors and ransomware strains in order to evade defenses.
Suspicious Executable File Creation
Detect creation of suspicious executable file names. Some strings look for suspicious file extensions, others look for filenames that exploit unquoted service paths.
Suspicious Execution From Outlook Temporary Folder
Detects a suspicious program execution in Outlook temp folder
Suspicious Execution Location Of Wermgr.EXE
Detects suspicious Windows Error Reporting manager (wermgr.exe) execution location.
Suspicious Execution of Hostname
Use of hostname to get information
Suspicious Execution of InstallUtil Without Log
Uses the .NET InstallUtil.exe application in order to execute image without log
Suspicious Execution of Powershell with Base64
Commandline to launch powershell with a base64 payload
Suspicious Execution Of Renamed Sysinternals Tools - Registry
Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
Suspicious Execution of Shutdown
Use of the commandline to shutdown or reboot windows
Suspicious Execution of Shutdown to Log Out
Detects the rare use of the command line tool shutdown to logoff a user
Suspicious Execution of Systeminfo
Detects usage of the "systeminfo" command to retrieve information
Suspicious Execution via macOS Script Editor
Detects when the macOS Script Editor utility spawns an unusual child process.
Suspicious Explorer Process with Whitespace Padding - ClickFix/FileFix
Detects process creation with suspicious whitespace padding followed by a '#' character, which may indicate ClickFix or FileFix techniques used to conceal malicious commands from visual inspection. ClickFix and FileFix are social engineering attack techniques where adversaries distribute phishing documents or malicious links that deceive users into opening the Windows Run dialog box or File Explorer search bar. The victims are then instructed to paste commands from their clipboard, which contain extensive whitespace padding using various Unicode space characters to push the actual malicious command far to the right, effectively hiding it from immediate view.
Suspicious External WebDAV Execution
Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
Suspicious Extrac32 Alternate Data Stream Execution
Extract data from cab file and hide it in an alternate data stream
Suspicious Extrac32 Execution
Download or Copy file with Extrac32
Suspicious File Access to Browser Credential Storage
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts. Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies. This behavior is often commonly observed in credential stealing malware.
Suspicious File Characteristics Due to Missing Fields
Detects Executables in the Downloads folder without FileVersion,Description,Product,Company likely created with py2exe
Suspicious File Created by ArcSOC.exe
Detects instances where the ArcGIS Server process ArcSOC.exe, which hosts REST services running on an ArcGIS server, creates a file with suspicious file type, indicating that it may be an executable, script file, or otherwise unusual.
Suspicious File Created in Outlook Temporary Directory
Detects the creation of files with suspicious file extensions in the temporary directory that Outlook uses when opening attachments. This can be used to detect spear-phishing campaigns that use suspicious files as attachments, which may contain malicious code.
Suspicious File Created In PerfLogs
Detects suspicious file based on their extension being created in "C:\PerfLogs\". Note that this directory mostly contains ".etl" files