EXPLORE DETECTIONS
Exchange Set OabVirtualDirectory ExternalUrl Property
Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
Executable from Webdav
Detects executable access via webdav6. Can be seen in APT 29 such as from the emulated APT 29 hackathon https://github.com/OTRF/detection-hackathon-apt29/
Execute Code with Pester.bat
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Execute Code with Pester.bat as Parent
Detects code execution via Pester.bat (Pester - PowerShell module for testing)
Execute Files with Msdeploy.exe
Detects file execution using the msdeploy.exe lolbin
Execute From Alternate Data Streams
Detects execution from an Alternate Data Stream (ADS). Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection.
Execute Invoke-command on Remote Host
Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
Execute Pcwrun.EXE To Leverage Follina
Detects indirect command execution via Program Compatibility Assistant "pcwrun.exe" leveraging the follina (CVE-2022-30190) vulnerability
Execution DLL of Choice Using WAB.EXE
This rule detects that the DLL path written in the registry differs from the default one. When launched, WAB.exe tries to load the DLL from that registry value.
Execution From Webserver Root Folder
Detects a program executing from a web server root folder. Use this rule to hunt for potentially interesting activity such as webshells or backdoors.
Execution Of Non-Existing File
Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process)
Execution of Powershell Script in Public Folder
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
Execution Of Script Located In Potentially Suspicious Directory
Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.
Execution of Suspicious File Type Extension
Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process. This rule might require some initial baselining to align with some third party tooling in the user environment.
Execution via stordiag.exe
Detects the use of stordiag.exe to execute schtasks.exe, systeminfo.exe and fltmc.exe
Execution via WorkFolders.exe
Detects using WorkFolders.exe to execute an arbitrary control.exe
Exploit Framework User Agent
Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs
Explorer NOUACCHECK Flag
Detects suspicious starts of explorer.exe with the /NOUACCHECK flag, which allows all sub-processes of that newly started explorer.exe to run without any UAC checks
Explorer Process Tree Break
Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries. This is similar to cmd.exe /c, except that it breaks the process tree and makes the parent a new instance of explorer spawned from "svchost".
Exports Critical Registry Keys To a File
Detects the export of a critical Registry key to a file.
Exports Registry Key To a File
Detects the export of the target Registry key to a file.
Exports Registry Key To an Alternate Data Stream
Detects the export of the target Registry key into the specified alternate data stream, where it is hidden.
External Disk Drive Or USB Storage Device Was Recognized By The System
Detects external disk drives or plugged-in USB devices.
External Remote RDP Logon from Public IP
Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.