EXPLORE DETECTIONS
Potential WinAPI Calls Via CommandLine
Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
Potential WinAPI Calls Via PowerShell Scripts
Detects use of WinAPI functions in PowerShell scripts
Potential Windows Defender AV Bypass Via Dump64.EXE Rename
Detects when a user is potentially trying to bypass the Windows Defender AV by renaming a tool to dump64.exe and placing it in the Visual Studio folder. Currently the rule is covering only usage of procdump but other utilities can be added in order to increase coverage.
Potential Windows Defender Tampering Via Wmic.EXE
Detects potential tampering with Windows Defender settings such as adding exclusion using wmic
Potential Winnti Dropper Activity
Detects files dropped by Winnti as described in RedMimicry Winnti playbook
Potential WizardUpdate Malware Infection
Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
Potential WWlib.DLL Sideloading
Detects potential DLL sideloading of "wwlib.dll"
Potential XCSSET Malware Infection
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
Potential Xterm Reverse Shell
Detects usage of "xterm" as a potential reverse shell tunnel
Potential XXE Exploitation Attempt In JVM Based Application
Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
Potentially Over Permissive Permissions Granted Using Dsacls.EXE
Detects usage of Dsacls to grant over permissive permissions
Potentially Suspicious AccessMask Requested From LSASS
Detects process handle on LSASS process with certain access mask
Potentially Suspicious ASP.NET Compilation Via AspNetCompiler
Detects execution of "aspnet_compiler.exe" with potentially suspicious paths for compilation.
Potentially Suspicious Azure Front Door Connection
Detects connections with Azure Front Door (known legitimate service that can be leveraged for C2) that fall outside of known benign behavioral baseline (not using common apps or common azurefd.net endpoints)
Potentially Suspicious Cabinet File Expansion
Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks
Potentially Suspicious Call To Win32_NTEventlogFile Class
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
Potentially Suspicious Child Process Of ClickOnce Application
Detects potentially suspicious child processes of a ClickOnce deployment application
Potentially Suspicious Child Process Of DiskShadow.EXE
Detects potentially suspicious child processes of "Diskshadow.exe". This could be an attempt to bypass parent/child relationship detection or application whitelisting rules.
Potentially Suspicious Child Process of KeyScrambler.exe
Detects potentially suspicious child processes of KeyScrambler.exe
Potentially Suspicious Child Process Of Regsvr32
Detects potentially suspicious child processes of "regsvr32.exe".
Potentially Suspicious Child Process Of VsCode
Detects uncommon or suspicious child processes spawning from a VsCode "code.exe" process. This could indicate an attempt of persistence via VsCode tasks or terminal profiles.
Potentially Suspicious Child Process Of WinRAR.EXE
Detects potentially suspicious child processes of WinRAR.exe.