EXPLORE DETECTIONS
Potential Mfdetours.DLL Sideloading
Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
Potential Mftrace.EXE Abuse
Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
Potential Mpclient.DLL Sideloading
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
Potential Mpclient.DLL Sideloading Via Defender Binaries
Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
Potential Mpclient.DLL Sideloading Via OfflineScannerShell.EXE Execution
Detects execution of Windows Defender "OfflineScannerShell.exe" from its non standard directory. The "OfflineScannerShell.exe" binary is vulnerable to DLL side loading and will load any DLL named "mpclient.dll" from the current working directory.
Potential MsiExec Masquerading
Detects the execution of msiexec.exe from an uncommon directory
Potential MSTSC Shadowing Activity
Detects RDP session hijacking by using MSTSC shadowing
Potential Netcat Reverse Shell Execution
Detects execution of netcat with the "-e" flag followed by common shells. This could be a sign of a potential reverse shell setup.
Potential Network Sniffing Activity Using Network Tools
Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
Potential NTLM Coercion Via Certutil.EXE
Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
Potential Obfuscated Ordinal Call Via Rundll32
Detects execution of "rundll32" with potential obfuscated ordinal calls
Potential OGNL Injection Exploitation In JVM Based Application
Detects potential OGNL Injection exploitation, which may lead to RCE. OGNL is an expression language that is supported in many JVM based systems. OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
Potential Okta Password in AlternateID Field
Detects when a user has potentially entered their password into the username field, which will cause the password to be retained in log files.
Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.
Potential Password Reconnaissance Via Findstr.EXE
Detects command line usage of "findstr" to search for the "passwords" keyword in a variety of different languages
Potential Password Spraying Attempt Using Dsacls.EXE
Detects possible password spraying attempts using Dsacls
Potential PendingFileRenameOperations Tampering
Detect changes to the "PendingFileRenameOperations" registry key from uncommon or suspicious images locations to stage currently used files for rename or deletion after reboot.
Potential Perl Reverse Shell Execution
Detects execution of the perl binary with the "-e" flag and common strings related to potential reverse shell activity
Potential Persistence Attempt Via ErrorHandler.Cmd
Detects creation of a file named "ErrorHandler.cmd" in the "C:\WINDOWS\Setup\Scripts\" directory which could be used as a method of persistence The content of C:\WINDOWS\Setup\Scripts\ErrorHandler.cmd is read whenever some tools under C:\WINDOWS\System32\oobe\ (e.g. Setup.exe) fail to run for any reason.
Potential Persistence Attempt Via Existing Service Tampering
Detects the modification of an existing service in order to execute an arbitrary payload when the service is started or killed as a potential method for persistence.
Potential Persistence Attempt Via Run Keys Using Reg.EXE
Detects suspicious command line reg.exe tool adding key to RUN key in Registry
Potential Persistence Using DebugPath
Detects potential persistence using Appx DebugPath
Potential Persistence Via App Paths Default Property
Detects changes to the "Default" property for keys located in the \Software\Microsoft\Windows\CurrentVersion\App Paths\ registry. Which might be used as a method of persistence The entries found under App Paths are used primarily for the following purposes. First, to map an application's executable file name to that file's fully qualified path. Second, to prepend information to the PATH environment variable on a per-application, per-process basis.
Potential Persistence Via AppCompat RegisterAppRestart Layer
Detects the setting of the REGISTERAPPRESTART compatibility layer on an application. This compatibility layer allows an application to register for restart using the "RegisterApplicationRestart" API. This can be potentially abused as a persistence mechanism.