EXPLORE DETECTIONS
Use of FSharp Interpreters
Detects the execution of FSharp Interpreters "FsiAnyCpu.exe" and "FSi.exe" Both can be used for AWL bypass and to execute F# code via scripts or inline.
Use Of Hidden Paths Or Files
Detects calls to hidden files or files located in hidden directories in NIX systems.
Use of Legacy Authentication Protocols
Alert on when legacy authentication has been used on an account
Use of OpenConsole
Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
Use of Pcalua For Execution
Detects execition of commands and binaries from the context of The program compatibility assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
Use of Remote.exe
Remote.exe is part of WinDbg in the Windows SDK and can be used for AWL bypass and running remote files.
Use Of Remove-Item to Delete File - ScriptBlock
PowerShell Remove-Item with -Path to delete a file or a folder with "-Recurse"
Use of Scriptrunner.exe
The "ScriptRunner.exe" binary can be abused to proxy execution through it and bypass possible whitelisting
Use Of The SFTP.EXE Binary As A LOLBIN
Detects the usage of the "sftp.exe" binary as a LOLBIN by abusing the "-D" flag
Use of TTDInject.exe
Detects the executiob of TTDInject.exe, which is used by Windows 10 v1809 and newer to debug time travel (underlying call of tttracer.exe)
Use of UltraVNC Remote Access Software
An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks
Use of VisualUiaVerifyNative.exe
VisualUiaVerifyNative.exe is a Windows SDK that can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Use of VSIISExeLauncher.exe
The "VSIISExeLauncher.exe" binary part of the Visual Studio/VS Code can be used to execute arbitrary binaries
Use of W32tm as Timer
When configured with suitable command line arguments, w32tm can act as a delay mechanism
Use of Wfc.exe
The Workflow Command-line Compiler can be used for AWL bypass and is listed in Microsoft's recommended block rules.
Use Short Name Path in Command Line
Detects the use of short name paths (8.3 format) in command lines, which can be used to obfuscate paths or access restricted locations. Windows creates short 8.3 filenames (like PROGRA~1) for compatibility with MS-DOS-based or 16-bit Windows programs. When investigating, examine: - Commands using short paths to access sensitive directories or files - Web servers on Windows (especially Apache) where short filenames could bypass security controls - Correlation with other suspicious behaviors - baseline of short name usage in your environment and look for deviations
Use Short Name Path in Image
Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image detection
User Access Blocked by Azure Conditional Access
Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
User Added To Admin Group Via Dscl
Detects attempts to create and add an account to the admin group via "dscl"
User Added To Admin Group Via DseditGroup
Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
User Added To Admin Group Via Sysadminctl
Detects attempts to create and add an account to the admin group via "sysadminctl"
User Added to an Administrator's Azure AD Role
User Added to an Administrator's Azure AD Role
User Added To Group With CA Policy Modification Access
Monitor and alert on group membership additions of groups that have CA policy modification access
User Added To Highly Privileged Group
Detects addition of users to highly privileged groups via "Net" or "Add-LocalGroupMember".