EXPLORE DETECTIONS
CLR DLL Loaded Via Office Applications
Detects CLR DLL being loaded by an Office Product
Cmd Launched with Hidden Start Flags to Suspicious Targets
Detects cmd.exe executing commands with the "start" utility using "/b" (no window) or "/min" (minimized) flags. To reduce false positives from standard background tasks, detection is restricted to scenarios where the target is a known script extension or located in suspicious temporary/public directories. This technique was observed in Chaos, DarkSide, and Emotet malware campaigns.
CMD Shell Output Redirect
Detects the use of the redirection character ">" to redirect information on the command line. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Cmd.EXE Missing Space Characters Execution Anomaly
Detects Windows command lines that lack a space before or after the /c flag when running a command with cmd.exe. This could be a sign of obfuscation or of a fat finger problem (a typo by the developer).
CMSTP Execution Process Access
Detects various indicators of Microsoft Connection Manager Profile Installer execution
CMSTP Execution Process Creation
Detects various indicators of Microsoft Connection Manager Profile Installer execution
CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution
CMSTP UAC Bypass via COM Object Access
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
Cobalt Strike DNS Beaconing
Detects suspicious DNS queries known from Cobalt Strike beacons
CobaltStrike Load by Rundll32
Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
CobaltStrike Named Pipe
Detects the creation of a named pipe as used by CobaltStrike
CobaltStrike Named Pipe Pattern Regex
Detects the creation of a named pipe matching a pattern used by CobaltStrike Malleable C2 profiles
CobaltStrike Named Pipe Patterns
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
CobaltStrike Service Installations - System
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
Code Executed Via Office Add-in XLL File
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs.
Code Execution via Pcwutl.dll
Detects the launch of an executable by calling the LaunchApplication function from the pcwutl.dll library.
Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See `man ld.so` for more information.
CodeIntegrity - Blocked Driver Load With Revoked Certificate
Detects blocked load attempts of revoked drivers
CodeIntegrity - Blocked Image Load With Revoked Certificate
Detects blocked image load events with revoked certificates by code integrity.
CodeIntegrity - Blocked Image/Driver Load For Policy Violation
Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
Detects block events for files that are disallowed by code integrity for protected processes
CodeIntegrity - Revoked Image Loaded
Detects image load events with revoked certificates by code integrity.
CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver