EXPLORE DETECTIONS
Indirect Command Execution By Program Compatibility Wizard
Detect indirect command execution via Program Compatibility Assistant pcwrun.exe
Indirect Command Execution From Script File Via Bash.EXE
Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
Indirect Command Execution via SFTP ProxyCommand
Detects the use of SFTP.exe to execute commands indirectly via ProxyCommand parameter. Threat actors were seen leveraging this legitimate Windows binary to bypass security controls and execute arbitrary commands while evading detection.
Indirect Inline Command Execution Via Bash.EXE
Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash.
InfDefaultInstall.exe .inf Execution
Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
Ingress/Egress Security Group Modification
Detects when an account makes changes to the ingress or egress rules of a security group. This can indicate that an attacker is attempting to open up new attack vectors in the account, that they are trying to exfiltrate data over the network, or that they are trying to allow machines in that VPC/Subnet to contact a C&C server.
Inline Python Execution - Spawn Shell Via OS System Library
Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
Insecure Proxy/DOH Transfer Via Curl.EXE
Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
Insecure Transfer Via Curl.EXE
Detects execution of "curl.exe" with the "--insecure" flag.
Insensitive Subfolder Search Via Findstr.EXE
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
Install New Package Via Winget Local Manifest
Detects usage of winget to install applications via manifest file. Adversaries can abuse winget to download payloads remotely and execute them. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe, msi or msix files later.
Install Root Certificate
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
Installation of TeamViewer Desktop
TeamViewer_Desktop.exe is create during install
Installation of WSL Kali-Linux
Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL). Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
Interactive AT Job
Detects an interactive AT job, which may be used as a form of privilege escalation.
Interactive Bash Suspicious Children
Detects suspicious interactive bash as a parent to rather uncommon child processes
Interesting Service Enumeration Via Sc.EXE
Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
Internet Explorer Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internet Explorer DisableFirstRunCustomize Enabled
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
Invalid PIM License
Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.
Invoke-Obfuscation CLIP+ Launcher
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation CLIP+ Launcher - PowerShell
Detects Obfuscated use of Clip.exe to execute PowerShell