EXPLORE DETECTIONS
Potentially Suspicious Child Processes Spawned by ConHost
Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
Potentially Suspicious CMD Shell Output Redirect
Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location. This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Potentially Suspicious Command Targeting Teams Sensitive Files
Detects a commandline containing references to the Microsoft Teams database or cookies files from a process other than Teams. The database might contain authentication tokens and other sensitive information about the logged in accounts.
Potentially Suspicious Compression Tool Parameters
Detects potentially suspicious command line arguments of common data compression tools
Potentially Suspicious Desktop Background Change Using Reg.EXE
Detects the execution of "reg.exe" to alter registry keys that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Potentially Suspicious Desktop Background Change Via Registry
Detects registry value settings that would replace the user's desktop background. This is a common technique used by malware to change the desktop background to a ransom note or other image.
Potentially Suspicious DLL Registered Via Odbcconf.EXE
Detects execution of "odbcconf" with the "REGSVR" action where the DLL in question doesn't contain a ".dll" extension. Which is often used as a method to evade defenses.
Potentially Suspicious DMP/HDMP File Creation
Detects the creation of a file with the ".dmp"/".hdmp" extension by a shell or scripting application such as "cmd", "powershell", etc. Often created by software during a crash. Memory dumps can sometimes contain sensitive information such as credentials. It's best to determine the source of the crash.
Potentially Suspicious Electron Application CommandLine
Detects potentially suspicious CommandLine of electron apps (teams, discord, slack, etc.). This could be a sign of abuse to proxy execution through a signed binary.
Potentially Suspicious Event Viewer Child Process
Detects uncommon or suspicious child processes of "eventvwr.exe" which might indicate a UAC bypass attempt
Potentially Suspicious EventLog Recon Activity Using Log Query Utilities
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs. This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
Potentially Suspicious Execution From Parent Process In Public Folder
Detects a potentially suspicious execution of a parent process located in the "\Users\Public" folder executing a child process containing references to shell or scripting binaries and commandlines.
Potentially Suspicious Execution From Tmp Folder
Detects a potentially suspicious execution of a process located in the '/tmp/' folder
Potentially Suspicious Execution Of PDQDeployRunner
Detects suspicious execution of "PDQDeployRunner" which is part of the PDQDeploy service stack that is responsible for executing commands and packages on a remote machines
Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Detects potentially suspicious execution of the Regasm/Regsvcs utilities from a potentially suspicious location
Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension
Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.
Potentially Suspicious File Creation by OpenEDR's ITSMService
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
Potentially Suspicious File Download From ZIP TLD
Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
Potentially Suspicious GoogleUpdate Child Process
Detects potentially suspicious child processes of "GoogleUpdate.exe"
Potentially Suspicious GrantedAccess Flags On LSASS
Detects process access requests to LSASS process with potentially suspicious access flags
Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
Detects potentially suspicious inline JavaScript execution using Node.js with specific keywords in the command line.
Potentially Suspicious JWT Token Search Via CLI
Detects potentially suspicious search for JWT tokens via CLI by looking for the string "eyJ0eX" or "eyJhbG". JWT tokens are often used for access-tokens across various applications and services like Microsoft 365, Azure, AWS, Google Cloud, and others. Threat actors may search for these tokens to steal them for lateral movement or privilege escalation.