EXPLORE DETECTIONS
Process Memory Dump Via Comsvcs.DLL
Detects a process memory dump via "comsvcs.dll" using rundll32, covering multiple different techniques (ordinal, minidump function, etc.)
Process Memory Dump Via Dotnet-Dump
Detects the execution of "dotnet-dump" with the "collect" flag. The execution could indicate potential process dumping of critical processes such as LSASS.
Process Memory Dump via RdrLeakDiag.EXE
Detects the use of the Microsoft Windows Resource Leak Diagnostic tool "rdrleakdiag.exe" to dump process memory
Process Monitor Driver Creation By Non-Sysinternals Binary
Detects creation of the Process Monitor driver by processes other than Process Monitor (procmon) itself.
Process Proxy Execution Via Squirrel.EXE
Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.)
Process Reconnaissance Via Wmic.EXE
Detects the execution of "wmic" with the "process" flag, which an adversary might use to list processes running on the compromised host or to list installed software hotfixes and patches.
Process Terminated Via Taskkill
Detects execution of "taskkill.exe" in order to stop a service or a process. Look for suspicious parents executing this command in order to hunt for potential malicious activity. Attackers might leverage this to carry out data destruction or data encryption for impact against the data stores of services like Exchange and SQL Server.
Processes Accessing the Microphone and Webcam
Detects potential adversaries accessing the microphone and webcam on an endpoint.
ProcessHacker Privilege Elevation
Detects the ProcessHacker tool elevating its privileges to a very high level
Program Executed Using Proxy/Local Command Via SSH.EXE
Detects usage of the "ssh.exe" binary as a proxy to launch other programs.
Program Executions in Suspicious Folders
Detects program executions in suspicious non-program folders related to malware or hacking activity
Protected Storage Service Access
Detects access to a protected_storage service over the network. Potential abuse of DPAPI to extract domain backup keys from Domain Controllers
Proxy Execution via Vshadow
Detects the invocation of vshadow.exe with the -exec parameter that executes a specified script or command after the shadow copies are created but before the VShadow tool exits. VShadow is a command-line tool that you can use to create and manage volume shadow copies. While legitimate backup or administrative scripts may use this flag, attackers can leverage this parameter to proxy the execution of malware.
Proxy Execution Via Wuauclt.EXE
Detects the use of the Windows Update Client binary (wuauclt.exe) for proxy execution.
ProxyLogon MSExchange OabVirtualDirectory
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
PSAsyncShell - Asynchronous TCP Reverse Shell
Detects the use of PSAsyncShell, an asynchronous TCP reverse shell written in PowerShell
PSExec and WMI Process Creations Block
Detects blocking of process creations originating from PSExec and WMI commands
PsExec Default Named Pipe
Detects PsExec service default pipe creation
Psexec Execution
Detects acceptance of the user agreement in the psexec command line
PSEXEC Remote Execution File Artefact
Detects creation of the PSEXEC key file, which is created any time a PsExec command is executed. It gets written to the file system and is recorded in the USN Journal on the target system
PsExec Service Child Process Execution as LOCAL SYSTEM
Detects a suspicious launch of the PSEXESVC service on this system together with a subprocess run as LOCAL_SYSTEM (-s), which means that someone remotely started a command on this system with the highest privileges rather than only the privileges of the logged-in user account (e.g. the administrator account)
PsExec Service Execution
Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
PsExec Service File Creation
Detects default PsExec service filename which indicates PsExec service installation and execution
PsExec Service Installation
Detects PsExec service installation and execution events