EXPLORE DETECTIONS
Unsigned AppX Installation Attempt Using Add-AppxPackage
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Unsigned Binary Loaded From Suspicious Location
Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
Unsigned DLL Loaded by Windows Utility
Detects windows utilities loading an unsigned or untrusted DLL. Adversaries often abuse those programs to proxy execution of malicious code.
Unsigned Image Loaded Into LSASS Process
Loading unsigned image (DLL, EXE) into LSASS process
Unsigned Mfdetours.DLL Sideloading
Detects DLL sideloading of unsigned "mfdetours.dll". Executing "mftrace.exe" can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Unsigned Module Loaded by ClickOnce Application
Detects unsigned module load by ClickOnce application.
Unsigned or Unencrypted SMB Connection to Share Established
Detects SMB server connections to shares without signing or encryption enabled. This could indicate potential lateral movement activity using unsecured SMB shares.
Unusual Child Process of dns.exe
Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Unusual File Deletion by Dns.exe
Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Unusual File Download from Direct IP Address
Detects the download of suspicious file type from URLs with IP
Unusual File Download From File Sharing Websites - File Stream
Detects the download of suspicious file type from a well-known file and paste sharing domain
Unusual File Modification by dns.exe
Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Unusual Parent Process For Cmd.EXE
Detects suspicious parent process for cmd.exe
Unusually Long PowerShell CommandLine
Detects unusually long PowerShell command lines with a length of 1000 characters or more
Usage of Renamed Sysinternals Tools - RegistrySet
Detects non-sysinternals tools setting the "accepteula" key which normally is set on sysinternals tool execution
Usage Of Web Request Commands And Cmdlets
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
Usage Of Web Request Commands And Cmdlets - ScriptBlock
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
USB Device Plugged
Detects plugged/unplugged USB devices
Use Get-NetTCPConnection
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Use Get-NetTCPConnection - PowerShell Module
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Use Icacls to Hide File to Everyone
Detect use of icacls to deny access for everyone in Users folder sometimes used to hide malicious files
Use NTFS Short Name in Command Line
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid command-line detection
Use NTFS Short Name in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection