EXPLORE DETECTIONS
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
Suspicious Program Names
Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
Suspicious Provlaunch.EXE Child Process
Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Suspicious PsExec Execution
detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
Suspicious PsExec Execution - Zeek
detects execution of psexec or paexec with renamed service name, this rule helps to filter out the noise if psexec is used for legit purposes or if attacker uses a different psexec client other than sysinternal one
Suspicious Query of MachineGUID
Use of reg to get MachineGuid information
Suspicious RASdial Activity
Detects suspicious process related to rasdial.exe
Suspicious RDP Redirect Using TSCON
Detects a suspicious RDP session redirect using tscon.exe
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs". Which can be used to gather information about the target machine
Suspicious Recursive Takeown
Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admins share, this technique is often found in malicious scripts or hacktool stagers
Suspicious Reg Add BitLocker
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
Suspicious Registry Modification From ADS Via Regini.EXE
Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
Suspicious Regsvr32 Execution From Remote Share
Detects REGSVR32.exe to execute DLL hosted on remote shares
Suspicious Rejected SMB Guest Logon From IP
Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service
Suspicious Remote Child Process From Outlook
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
Suspicious Remote Logon with Explicit Credentials
Detects suspicious processes logging on with explicit credentials
Suspicious Renamed Comsvcs DLL Loaded By Rundll32
Detects rundll32 loading a renamed comsvcs.dll to dump process memory
Suspicious Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
Suspicious Reverse Shell Command Line
Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
Suspicious Run Key from Download
Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
Suspicious RunAs-Like Flag Combination
Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
Suspicious Rundll32 Activity Invoking Sys File
Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452