EXPLORE DETECTIONS
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 3
Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity.
Potential Defense Evasion Activity Via Emoji Usage In CommandLine - 4
Detects the usage of emojis in the command line, which could be a sign of potential defense evasion activity.
Potential Defense Evasion Via Binary Rename
Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point.
Potential Defense Evasion Via Raw Disk Access By Uncommon Tools
Detects raw disk access using uncommon tools or tools that are located in suspicious locations (heavy filtering is required), which could indicate possible defense evasion attempts.
Potential Defense Evasion Via Rename Of Highly Relevant Binaries
Detects the execution of a renamed binary often used by attackers or malware, leveraging the Sysmon OriginalFileName data point.
Potential Defense Evasion Via Right-to-Left Override
Detects the presence of the "U+202E" (Right-to-Left Override) character, which causes a terminal, browser, or operating system to render text in a right-to-left sequence. This character is used as an obfuscation and masquerading technique by adversaries to trick users into opening malicious files.
Potential Direct Syscall of NtOpenProcess
Detects potential calls to NtOpenProcess directly from NTDLL.
Potential Discovery Activity Using Find - Linux
Detects usage of the "find" binary in a suspicious manner to perform discovery.
Potential Discovery Activity Using Find - MacOS
Detects usage of the "find" binary in a suspicious manner to perform discovery.
Potential Discovery Activity Via Dnscmd.EXE
Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
Potential DLL File Download Via PowerShell Invoke-WebRequest
Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
Potential DLL Injection Or Execution Using Tracker.exe
Detects potential DLL injection and execution using "Tracker.exe".
Potential DLL Injection Via AccCheckConsole
Detects the execution of "AccCheckConsole", a command-line tool for verifying the accessibility implementation of an application's UI. One of the tests that this checker can run is called a "verification routine", which tests for things like Consistency, Navigation, etc. The tool allows a user to provide a DLL that can contain a custom "verification routine". An attacker can build such DLLs and pass them via the CLI, which would then be loaded in the context of the "AccCheckConsole" utility.
Potential DLL Sideloading Activity Via ExtExport.EXE
Detects the execution of "Extexport.exe", a utility that is part of the Internet Explorer browser and is used to export and import various settings and data, particularly when switching between Internet Explorer and other web browsers like Firefox. It allows users to transfer bookmarks, browsing history, and other preferences from Internet Explorer to Firefox or vice versa. It can be abused as a tool to sideload any DLL. If a folder is provided in the command line, it will load any DLL with one of the following names: "mozcrt19.dll", "mozsqlite3.dll", or "sqlite.dll". Arbitrary DLLs can also be loaded if a specific number of flags is provided.
Potential DLL Sideloading Of DBGCORE.DLL
Detects DLL sideloading of "dbgcore.dll".
Potential DLL Sideloading Of DBGHELP.DLL
Detects potential DLL sideloading of "dbghelp.dll".
Potential DLL Sideloading Of DbgModel.DLL
Detects potential DLL sideloading of "DbgModel.dll".
Potential DLL Sideloading Of KeyScramblerIE.DLL Via KeyScrambler.EXE
Detects potential DLL sideloading of "KeyScramblerIE.dll" by "KeyScrambler.exe". Various threat actors and malware have been found sideloading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".
Potential DLL Sideloading Of Libcurl.DLL Via GUP.EXE
Detects potential DLL sideloading of "libcurl.dll" by the "gup.exe" process from an uncommon location.
Potential DLL Sideloading Of MpSvc.DLL
Detects potential DLL sideloading of "MpSvc.dll".
Potential DLL Sideloading Of MsCorSvc.DLL
Detects potential DLL sideloading of "mscorsvc.dll".
Potential DLL Sideloading Of Non-Existent DLLs From System Folders
Detects loading of specific system DLL files that are usually not present on the system (or at least not in system directories) but may be loaded by legitimate processes, potentially indicating phantom DLL hijacking attempts. Phantom DLL hijacking involves placing malicious DLLs with names of non-existent system binaries in locations where legitimate applications may search for them, leading to execution of the malicious DLLs.
Potential DLL Sideloading Using Coregen.exe
Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
Potential DLL Sideloading Via ClassicExplorer32.dll
Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software.