EXPLORE DETECTIONS
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an application's AppID URI.
Application Removed Via Wmic.EXE
Detects the removal or uninstallation of an application via "Wmic.EXE".
Application Terminated Via Wmic.EXE
Detects calls to the "terminate" function via wmic in order to kill an application.
Application Uninstalled
An application has been removed. Check if it is critical.
Application URI Configuration Changes
Detects when a configuration change is made to an application's URI. URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, or URIs that point to domains you do not control should be investigated.
Application Using Device Code Authentication Flow
Device code flow is an OAuth 2.0 protocol flow specifically for input-constrained devices and is not used in all environments. If this type of flow is seen in the environment and is not being used in an input-constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.
Applications That Are Using ROPC Authentication Flow
Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.
AppLocker Prevented Application or Script from Running
Detects when AppLocker prevents an Application, DLL, Script, MSI, or Packaged-App from running.
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package added to the pipeline of "to be processed" packages that is located in a known folder often used as a staging directory.
AppX Located in Uncommon Directory Added to Deployment Pipeline
Detects an appx package added to the pipeline of "to be processed" packages that is located in an uncommon location.
AppX Package Deployment Failed Due to Signing Requirements
Detects an appx package deployment / installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements.
AppX Package Installation Attempts Via AppInstaller.EXE
Detects DNS queries made by "AppInstaller.EXE". The AppInstaller is the default handler for the "ms-appinstaller" URI. It attempts to load/install a package from the referenced URL.
APT User Agent
Detects suspicious user agent strings used in APT malware in proxy logs.
Arbitrary Binary Execution Using GUP Utility
Detects execution of the Notepad++ updater (gup) to launch other commands or executables.
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
Detects execution of arbitrary DLLs or unsigned code via ".csproj" files using Dotnet.EXE.
Arbitrary File Download Via ConfigSecurityPolicy.EXE
Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.
Arbitrary File Download Via GfxDownloadWrapper.EXE
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download a file.
Arbitrary File Download Via IMEWDBLD.EXE
Detects usage of "IMEWDBLD.exe" to download arbitrary files.
Arbitrary File Download Via MSEDGE_PROXY.EXE
Detects usage of "msedge_proxy.exe" to download arbitrary files.
Arbitrary File Download Via MSOHTMED.EXE
Detects usage of "MSOHTMED" to download arbitrary files.
Arbitrary File Download Via MSPUB.EXE
Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files.
Arbitrary File Download Via PresentationHost.EXE
Detects usage of "PresentationHost", a utility that runs ".xbap" (Browser Application) files, to download arbitrary files.
Arbitrary File Download Via Squirrel.EXE
Detects the usage of "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.).
Arbitrary MSI Download Via Devinit.EXE
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system.