EXPLORE DETECTIONS
Windows Chrome Extension Allowed Registry Modification
The following analytic detects modifications to the Windows registry keys that control the Chrome Extension Install Allowlist. Unauthorized changes to these keys may indicate attempts to bypass Chrome extension restrictions or install unapproved extensions. This detection helps identify potential security policy violations or malicious activity targeting Chrome extension settings.
Windows Chromium Browser Launched with Small Window Size
The following analytic detects instances where a Chromium-based browser process, including Chrome, Edge, Brave, Opera, or Vivaldi, is launched with an unusually small window size, typically less than 100 pixels in width or height. Such configurations render the browser effectively invisible to the user and are uncommon in normal user activity. When observed on endpoints, especially in combination with automation, off-screen positioning, or suppression flags, this behavior may indicate attempts to execute web content or automated actions stealthily, bypassing user interaction and security controls. This analytic highlights potential malicious automation or covert browser-based activity.
Windows Chromium Browser No Security Sandbox Process
The following analytic detects instances where a Chrome or Chromium-based browser is launched with the --no-sandbox flag, a known indicator of potentially malicious or suspicious behavior. While this flag is occasionally used during software development or testing, it is rarely seen in normal user activity. Threat actors often abuse this setting to disable Chrome's built-in security sandbox, making it easier to execute malicious code or escape browser isolation. This behavior is commonly observed in malware droppers or loaders that embed Chromium components for command and control, credential theft, or UI spoofing. Analysts should investigate such events, especially if they originate from unusual parent processes (e.g., powershell.exe, cmd.exe, or unknown binaries), or if accompanied by other indicators such as file drops, process injection, or outbound network activity. Filtering by command-line arguments and process ancestry can help reduce false positives and surface high-fidelity detections.
Windows Chromium Browser with Custom User Data Directory
The following analytic detects instances where the Chromium-based browser (e.g., Google Chrome, Microsoft Edge) is launched with the --user-data-dir command-line argument. While this flag is legitimate and used for multi-profile support or automation, it is frequently leveraged by malware and adversaries to run Chrome in an isolated environment for stealth operations, credential harvesting, phishing delivery, or evasion of user session artifacts.
Windows Chromium process Launched with Disable Popup Blocking
The following analytic detects instances where a Windows Chromium-based browser process is launched with the `--disable-popup-blocking` flag. This flag is typically used to bypass the browser’s built-in pop-up protections, allowing automatic execution of pop-ups or redirects without user interaction. While legitimate in some testing or automation scenarios, its presence on endpoints, particularly when combined with other automation or concealment flags, may indicate attempts by malicious actors to execute web-based content stealthily or evade user interaction controls, representing a potential security risk that warrants investigation.
Windows Chromium Process Launched with Logging Disabled
The following analytic detects instances of Chromium-based browser processes on Windows launched with logging disabled via command-line arguments such as --disable-logging and --disable-logging-redirect. The --disable-logging flag forces browser logging to be disabled, while --disable-logging-redirect disables log redirection and is commonly used for testing or debugging scenarios. Logging is enabled by default in Chromium debug builds, making these flags more likely to appear in debug or development environments. While these options may be legitimately used by automation frameworks, debugging workflows, or isolated testing environments, they are also leveraged by malware and malicious scripts to evade security monitoring. Analysts should review the parent process, full command-line parameters, and execution context to determine whether the behavior is expected or potentially suspicious.
Windows Chromium Process Loaded Extension via Command-Line
The following analytic detects instances where Google Chrome is started with the --load-extension command-line flag, which allows loading unpacked or non-standard extensions. This behavior can indicate attempts to bypass enterprise extension policies, install malicious extensions, or load potentially harmful browser components. Monitoring such activity helps identify unauthorized extension usage, potential malware persistence mechanisms, or policy violations that could compromise browser security.
Windows Chromium Process with Disabled Extensions
The following analytic detects instances of Chromium-based browser processes on Windows launched with extensions explicitly disabled via command-line arguments. Disabling extensions can be used by automation frameworks, testing tools, or headless browser activity, but may also indicate defense evasion or abuse of browser functionality by malicious scripts or malware. This behavior reduces browser visibility and bypasses user-installed security extensions, making it relevant for detecting non-interactive execution, suspicious automation, or living-off-the-land techniques. Analysts should validate execution context, parent process, and command-line parameters to determine legitimacy.
Windows Cisco Secure Endpoint Related Service Stopped
The following analytic detects the suspicious termination of known services commonly targeted by ransomware before file encryption. It leverages Windows System Event Logs (EventCode 7036) to identify when critical services such as Volume Shadow Copy, backup, and antivirus services are stopped. This activity is significant because ransomware often disables these services to avoid errors and ensure successful file encryption. If confirmed malicious, this behavior could lead to widespread data encryption, rendering files inaccessible and potentially causing significant operational disruption and data loss.
Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
The following analytic detects the use of the `sfc.exe` utility, in order to stop the Immunet Protect service. The Sfc.exe utility is part of Cisco Secure Endpoint installation. This detection leverages telemetry from the endpoint, focusing on command-line executions involving the `-k` parameter. This activity is significant as it indicates potential tampering with defensive mechanisms. If confirmed malicious, attackers could partially blind the EDR, enabling further compromise and lateral movement within the network.
Windows Cisco Secure Endpoint Unblock File Via Sfc
The following analytic detects the use of the sfc.exe utility with the "-unblock" parameter, a feature within Cisco Secure Endpoint. The "-unblock" flag is used to remove system blocks imposed by the endpoint protection. This detection focuses on command-line activity that includes the "-unblock" parameter, as it may indicate an attempt to restore access to files or processes previously blocked by the security software. While this action could be legitimate in troubleshooting scenarios, malicious actors might use it to override protective measures, enabling execution of blocked malicious payloads or bypassing other security mechanisms.
Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
The following analytic detects the use of the sfc.exe utility with the "-u" parameter, which is part of the Cisco Secure Endpoint installation. The "-u" flag allows the uninstallation of Cisco Secure Endpoint components. This detection leverages endpoint telemetry to monitor command-line executions that include the "-u" parameter. The use of this flag is significant as it could indicate an attempt to disable or remove endpoint protection, potentially leaving the system vulnerable to further exploitation. If identified as malicious, this action may be part of a broader effort to disable security mechanisms and avoid detection.
Windows ClipBoard Data via Get-ClipBoard
The following analytic detects the execution of the PowerShell command 'Get-Clipboard' to retrieve clipboard data. It leverages PowerShell Script Block Logging (EventCode 4104) to identify instances where this command is used. This activity is significant because it can indicate an attempt to steal sensitive information such as usernames, passwords, or other confidential data copied to the clipboard. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, potentially compromising user accounts and other critical assets.
Windows Cmdline Tool Execution From Non-Shell Process
The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, or similar tools are executed by a non-standard shell parent process, excluding CMD, PowerShell, or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry to monitor process creation events. Such behavior is significant as it may indicate adversaries using injected processes to perform system discovery, a tactic observed in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers to gather critical host information, aiding in further exploitation or lateral movement within the network.
Windows COM Hijacking InprocServer32 Modification
The following analytic detects the modification of the InProcServer32 registry key by reg.exe, indicative of potential COM hijacking. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line execution logs. COM hijacking is significant as it allows adversaries to insert malicious code that executes in place of legitimate software, providing a means for persistence. If confirmed malicious, this activity could enable attackers to execute arbitrary code, disrupt legitimate system components, and maintain long-term access to the compromised environment.
Windows Command and Scripting Interpreter Hunting Path Traversal
The following analytic identifies path traversal command-line executions, leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns in command-line arguments indicative of path traversal techniques, such as multiple instances of "/..", "\..", or "\\..". This activity is significant as it often indicates attempts to evade defenses by executing malicious code, such as through msdt.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.
Windows Command and Scripting Interpreter Path Traversal Exec
The following analytic detects path traversal command-line execution, often used in malicious documents to execute code via msdt.exe for defense evasion. It leverages Endpoint Detection and Response (EDR) data, focusing on specific patterns in process paths. This activity is significant as it can indicate an attempt to bypass security controls and execute unauthorized code. If confirmed malicious, this behavior could lead to code execution, privilege escalation, or persistence within the environment, potentially allowing attackers to deploy malware or leverage other living-off-the-land binaries (LOLBins).
Windows Command Shell DCRat ForkBomb Payload
The following analytic detects the execution of a DCRat "forkbomb" payload, which spawns multiple cmd.exe processes that launch notepad.exe instances in quick succession. This detection leverages Endpoint Detection and Response (EDR) data, focusing on the rapid creation of cmd.exe and notepad.exe processes within a 30-second window. This activity is significant as it indicates a potential DCRat infection, a known Remote Access Trojan (RAT) with destructive capabilities. If confirmed malicious, this behavior could lead to system instability, resource exhaustion, and potential disruption of services.
Windows Common Abused Cmd Shell Risk Behavior
The following analytic identifies instances where four or more distinct detection analytics are associated with malicious command line behavior on a specific host. This detection leverages the Command Line Interface (CLI) data from various sources to identify suspicious activities. This behavior is significant as it often indicates attempts to execute malicious commands, access sensitive data, install backdoors, or perform other nefarious actions. If confirmed malicious, attackers could gain unauthorized control, exfiltrate information, escalate privileges, or launch further attacks within the network, leading to severe compromise.
Windows Compatibility Telemetry Suspicious Child Process
The following analytic detects the execution of CompatTelRunner.exe with parameters indicative of a process not part of the normal "Microsoft Compatibility Appraiser" telemetry collection. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.
Windows Compatibility Telemetry Tampering Through Registry
This detection identifies suspicious modifications to the Windows Compatibility Telemetry registry settings, specifically within the "TelemetryController" registry key and "Command" registry value. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant because CompatTelRunner.exe and the "Microsoft Compatibility Appraiser" task always run as System and can be used to elevate privileges or establish a highly privileged persistence mechanism. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.
Windows Computer Account Created by Computer Account
The following analytic identifies a computer account creating a new computer account with a specific Service Principal Name (SPN) "RestrictedKrbHost". This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify such activities. This behavior is significant as it may indicate an attempt to establish unauthorized Kerberos authentication channels, potentially leading to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to impersonate services, access sensitive information, or maintain persistence within the network.
Windows Computer Account Requesting Kerberos Ticket
The following analytic detects a computer account requesting a Kerberos ticket, which is unusual as typically user accounts request these tickets. This detection leverages Windows Security Event Logs, specifically EventCode 4768, to identify instances where the TargetUserName ends with a dollar sign ($), indicating a computer account. This activity is significant because it may indicate the use of tools like KrbUpRelay or other Kerberos-based attacks. If confirmed malicious, this could allow attackers to impersonate computer accounts, potentially leading to unauthorized access and lateral movement within the network.
Windows Computer Account With SPN
The following analytic detects the addition of Service Principal Names (SPNs) HOST and RestrictedKrbHost to a computer account, indicative of KrbRelayUp behavior. This detection leverages Windows Security Event Logs, specifically EventCode 4741, to identify changes in SPNs. This activity is significant as it is commonly associated with Kerberos-based attacks, which can be used to escalate privileges or perform lateral movement within a network. If confirmed malicious, this behavior could allow an attacker to impersonate services, potentially leading to unauthorized access to sensitive resources.