Suspicious PowerShell Invocations - Generic
Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Generic - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific
Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific - ProcessCreation
Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Mailbox Export to Share
Detects usage of the PowerShell New-MailboxExportRequest Cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations
Suspicious PowerShell Mailbox Export to Share - PS
Detects usage of the PowerShell New-MailboxExportRequest Cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitations
Suspicious PowerShell Parameter Substring
Detects suspicious PowerShell invocation with a parameter substring
Suspicious PowerShell Parent Process
Detects suspicious or uncommon parent processes of PowerShell
Suspicious PowerShell WindowStyle Option
Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden.
Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques. This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace. These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
Suspicious Process Created Via Wmic.EXE
Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.
Suspicious Process Discovery With Get-Process
Get the processes that are running on the local computer.
Suspicious Process Execution From Fake Recycle.Bin Folder
Detects process execution from a fake recycle bin folder, often used to evade security solutions.
Suspicious Process Masquerading As SvcHost.EXE
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
Suspicious Process Parents
Detects suspicious parent processes that should not have any children or should only have a single possible child program
Suspicious Process Patterns NTDS.DIT Exfil
Detects suspicious process patterns used in NTDS.DIT exfiltration
Suspicious Process Start Locations
Detects suspicious process run from unusual locations
Suspicious Processes Spawned by Java.EXE
Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
Suspicious Processes Spawned by WinRM
Detects suspicious processes, including shells, spawned from the WinRM host process
Suspicious PROCEXP152.sys File Created In TMP
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU.