EXPLORE DETECTIONS
Suspicious File Created Via OneNote Application
Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
Suspicious File Creation Activity From Fake Recycle.Bin Folder
Detects file write event from/to a fake recycle bin folder that is often used as a staging directory for malware
Suspicious File Creation In Uncommon AppData Folder
Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
Suspicious File Download From File Sharing Domain Via Curl.EXE
Detects potentially suspicious file download from file sharing domains using curl.exe
Suspicious File Download From File Sharing Domain Via Wget.EXE
Detects potentially suspicious file downloads from file sharing domains using wget.exe
Suspicious File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
Suspicious File Download From IP Via Curl.EXE
Detects potentially suspicious file downloads directly from IP addresses using curl.exe
Suspicious File Download From IP Via Wget.EXE
Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
Suspicious File Download From IP Via Wget.EXE - Paths
Detects potentially suspicious file downloads directly from IP addresses and stored in suspicious locations using Wget.exe
Suspicious File Downloaded From Direct IP Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from direct IPs.
Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE
Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
Suspicious File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS
Suspicious File Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
Suspicious File Execution From Internet Hosted WebDav Share
Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
Suspicious File Write to SharePoint Layouts Directory
Detects suspicious file writes to SharePoint layouts directory which could indicate webshell activity or post-exploitation. This behavior has been observed in the exploitation of SharePoint vulnerabilities such as CVE-2025-49704, CVE-2025-49706 or CVE-2025-53770.
Suspicious File Write to Webapps Root Directory
Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers. This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
Suspicious FileFix Execution Pattern
Detects suspicious FileFix execution patterns where users are tricked into running malicious commands through browser file upload dialog manipulation. This attack typically begins when users visit malicious websites impersonating legitimate services or news platforms, which may display fake CAPTCHA challenges or direct instructions to open file explorer and paste clipboard content. The clipboard content usually contains commands that download and execute malware, such as information stealing tools.
Suspicious Filename with Embedded Base64 Commands
Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
Suspicious Files in Default GPO Folder
Detects the creation of copy of suspicious files (EXE/DLL) to the default GPO storage folder
Suspicious FromBase64String Usage On Gzip Archive - Process Creation
Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
Suspicious FromBase64String Usage On Gzip Archive - Ps Script
Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
Suspicious Get Information for SMB Share
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Suspicious Get Information for SMB Share - PowerShell Module
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Suspicious Get Local Groups Information
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.