EXPLORE DETECTIONS
Suspicious UltraVNC Execution
Detects suspicious UltraVNC command line flag combination that indicate a auto reconnect upon execution, e.g. startup (as seen being used by Gamaredon threat group)
Suspicious Unblock-File
Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
Suspicious Uninstall of Windows Defender Feature via PowerShell
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned thor scanner binary.
Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
Suspicious Usage of For Loop with Recursive Directory Search in CMD
Detects suspicious usage of the cmd.exe 'for /f' loop combined with the 'tokens=' parameter and a recursive directory listing. This pattern may indicate an attempt to discover and execute system binaries dynamically, for example powershell, a technique sometimes used by attackers to evade detection. This behavior has been observed in various malicious lnk files.
Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands as seen in the the raspberry-robin attack
Suspicious Use of /dev/tcp
Detects suspicious command with /dev/tcp
Suspicious Use of CSharp Interactive Console
Detects the execution of CSharp interactive console by PowerShell
Suspicious Use of PsLogList
Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs
Suspicious User Agent
Detects suspicious malformed user agent strings in proxy logs
Suspicious User-Agents Related To Recon Tools
Detects known suspicious (default) user-agents related to scanning/recon tools
Suspicious Userinit Child Process
Detects a suspicious child process of userinit
Suspicious VBoxDrvInst.exe Parameters
Detect VBoxDrvInst.exe run with parameters allowing processing INF file. This allows to create values in the registry and install drivers. For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
Suspicious Velociraptor Child Process
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
Suspicious Volume Shadow Copy VSS_PS.dll Load
Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes. It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts. The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
Suspicious Volume Shadow Copy Vssapi.dll Load
Detects the image load of VSS DLL by uncommon executables
Suspicious VSFTPD Error Messages
Detects suspicious VSFTPD error messages that indicate a fatal or suspicious error that could be caused by exploiting attempts
Suspicious Vsls-Agent Command With AgentExtensionPath Load
Detects Microsoft Visual Studio vsls-agent.exe lolbin execution with a suspicious library load using the --agentExtensionPath parameter
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-23397
Suspicious Where Execution
Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.
Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE
Detects the usage of "reg.exe" to add Defender folder exclusions. Qbot has been seen using this technique to add exclusions for folders within AppData and ProgramData.