EXPLORE DETECTIONS
Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
Detects execution of arbitrary DLLs or unsigned code via a ".csproj" files via Dotnet.EXE.
Arbitrary File Download Via ConfigSecurityPolicy.EXE
Detects the execution of "ConfigSecurityPolicy.EXE", a binary part of Windows Defender used to manage settings in Windows Defender. Users can configure different pilot collections for each of the co-management workloads. It can be abused by attackers in order to upload or download files.
Arbitrary File Download Via GfxDownloadWrapper.EXE
Detects execution of GfxDownloadWrapper.exe with a URL as an argument to download file.
Arbitrary File Download Via IMEWDBLD.EXE
Detects usage of "IMEWDBLD.exe" to download arbitrary files
Arbitrary File Download Via MSEDGE_PROXY.EXE
Detects usage of "msedge_proxy.exe" to download arbitrary files
Arbitrary File Download Via MSOHTMED.EXE
Detects usage of "MSOHTMED" to download arbitrary files
Arbitrary File Download Via MSPUB.EXE
Detects usage of "MSPUB" (Microsoft Publisher) to download arbitrary files
Arbitrary File Download Via PresentationHost.EXE
Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
Arbitrary File Download Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" to download arbitrary files. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
Arbitrary MSI Download Via Devinit.EXE
Detects a certain command line flag combination used by "devinit.exe", which can be abused as a LOLBIN to download arbitrary MSI packages on a Windows system
Arbitrary Shell Command Execution Via Settingcontent-Ms
The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
ASLR Disabled Via Sysctl or Direct Syscall - Linux
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including: - Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000) - Modification of the /proc/sys/kernel/randomize_va_space file - Execution of the `sysctl` command to set `kernel.randomize_va_space=0` Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms. A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
AspNetCompiler Execution
Detects execution of "aspnet_compiler.exe" which can be abused to compile and execute C# code.
Assembly DLL Creation Via AspNetCompiler
Detects the creation of new DLL assembly files by "aspnet_compiler.exe", which could be a sign of "aspnet_compiler" abuse to proxy execution through a build provider.
Assembly Loading Via CL_LoadAssembly.ps1
Detects calls to "LoadAssemblyFromPath" or "LoadAssemblyFromNS" that are part of the "CL_LoadAssembly.ps1" script. This can be abused to load different assemblies and bypass App locker controls.
Atbroker Registry Change
Detects creation/modification of Assistive Technology applications and persistence with usage of 'at'
Atera Agent Installation
Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or checking for the presence of such records through the `nslookup` command.
Atypical Travel
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Audio Capture
Detects attempts to record audio using the arecord and ecasound utilities.
Audio Capture via PowerShell
Detects audio capture via PowerShell Cmdlet.
Audio Capture via SoundRecorder
Detect attacker collecting audio via SoundRecorder application.
Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.