EXPLORE DETECTIONS
File Download From IP URL Via Curl.EXE
Detects file downloads directly from an IP address URL using curl.exe
File Download Using Notepad++ GUP Utility
Detects execution of the Notepad++ updater (gup) from a process other than Notepad++ to download files.
File Download Using ProtocolHandler.exe
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
File Download Via Bitsadmin
Detects usage of bitsadmin to download a file
File Download Via Bitsadmin To A Suspicious Target Folder
Detects usage of bitsadmin to download a file to a suspicious target folder
File Download via CertOC.EXE
Detects when a user downloads a file by using CertOC.exe
File Download Via Curl.EXE
Detects file download using curl.exe
File Download Via InstallUtil.EXE
Detects use of .NET InstallUtil.exe in order to download arbitrary files. The files will be written to "%LOCALAPPDATA%\Microsoft\Windows\INetCache\IE\"
File Download Via Nscurl - MacOS
Detects the execution of the nscurl utility in order to download files.
File Download Via Windows Defender MpCmdRun.EXE
Detects the use of Windows Defender MpCmdRun.EXE to download files
File Download with Headless Browser
Detects execution of a Chromium-based browser in headless mode using the "dump-dom" command line to download files
File Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64. This can be abused by threat actors and attackers for data exfiltration
File Encryption Using Gpg4win
Detects usage of Gpg4win to encrypt files
File Encryption/Decryption Via Gpg4win From Suspicious Locations
Detects usage of Gpg4win to encrypt/decrypt files located in potentially suspicious locations.
File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
File In Suspicious Location Encoded To Base64 Via Certutil.EXE
Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
File or Folder Permissions Change
Detects file and folder permission changes.
File or Folder Permissions Modifications
Detects a file or folder's permissions being modified or tampered with.
File Recovery From Backup Via Wbadmin.EXE
Detects the recovery of files from backups via "wbadmin.exe". Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
File Time Attribute Change
Detects file time attribute changes used to hide new files or changes to existing files
File Time Attribute Change - Linux
Detects file time attribute changes used to hide new files or changes to existing files.
File With Suspicious Extension Downloaded Via Bitsadmin
Detects usage of bitsadmin to download a file with a suspicious extension
File With Uncommon Extension Created By An Office Application
Detects the creation of files with an executable or script extension by an Office application.
FileFix - Command Evidence in TypedPaths
Detects commonly-used chained commands and strings in the most recent 'url' value of the 'TypedPaths' key, which could be indicative of a user being targeted by the FileFix technique.