EXPLORE DETECTIONS
Install Root Certificate
Detects installation of new certificate on the system which attackers may use to avoid warnings when connecting to controlled web servers or C2s
Installation of TeamViewer Desktop
TeamViewer_Desktop.exe is create during install
Installation of WSL Kali-Linux
Detects installation of Kali Linux distribution through Windows Subsystem for Linux (WSL). Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
Interactive AT Job
Detects an interactive AT job, which may be used as a form of privilege escalation.
Interactive Bash Suspicious Children
Detects suspicious interactive bash as a parent to rather uncommon child processes
Interesting Service Enumeration Via Sc.EXE
Detects the enumeration and query of interesting and in some cases sensitive services on the system via "sc.exe". Attackers often try to enumerate the services currently running on a system in order to find different attack vectors.
Internet Explorer Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Internet Explorer DisableFirstRunCustomize Enabled
Detects changes to the Internet Explorer "DisableFirstRunCustomize" value, which prevents Internet Explorer from running the first run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
Invalid PIM License
Identifies when an organization doesn't have the proper license for PIM and is out of compliance.
Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace. The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption. These can be used for example in decrypting malicious payload for defense evasion.
Invoke-Obfuscation CLIP+ Launcher
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation CLIP+ Launcher - PowerShell
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation CLIP+ Launcher - Security
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation CLIP+ Launcher - System
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation COMPRESS OBFUSCATION - Security
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation COMPRESS OBFUSCATION - System
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation Obfuscated IEX Invocation
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below