EXPLORE DETECTIONS
Rundll32 UNC Path Execution
Detects rundll32 execution where the DLL is located on a remote location (share)
Rundll32.EXE Calling DllRegisterServer Export Function Explicitly
Detects when the DLL export function 'DllRegisterServer' is called in the commandline by Rundll32 explicitly where the DLL is located in a non-standard path.
RunMRU Registry Key Deletion
Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
RunMRU Registry Key Deletion - Registry
Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the run dialog. In the clickfix techniques, the phishing lures instruct users to open a run dialog through (Win + R) and execute malicious commands. Adversaries may delete this key to cover their tracks after executing commands.
Running Chrome VPN Extensions via the Registry 2 VPN Extension
Running Chrome VPN Extensions via the Registry install 2 vpn extension
SafeBoot Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
SAM Registry Hive Handle Request
Detects handles requested to SAM registry hive
SAML Token Issuer Anomaly
Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
SC.EXE Query Execution
Detects execution of "sc.exe" to query information about registered services on the system
Schedule Task Creation From Env Variable Or Potentially Suspicious Path Via Schtasks.EXE
Detects Schtask creations that point to a suspicious folder or an environment variable often used by malware
Scheduled Cron Task/Job - Linux
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Scheduled Cron Task/Job - MacOs
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Scheduled Task Created - FileCreation
Detects the creation of a scheduled task via file creation.
Scheduled Task Created - Registry
Detects the creation of a scheduled task via Registry keys.
Scheduled Task Creation From Potential Suspicious Parent Location
Detects the execution of "schtasks.exe" from a parent that is located in a potentially suspicious location. Multiple malware strains were seen exhibiting a similar behavior in order to achieve persistence.
Scheduled Task Creation Masquerading as System Processes
Detects the creation of scheduled tasks that involve system processes, which may indicate malicious actors masquerading as or abusing these processes to execute payloads or maintain persistence.
Scheduled Task Creation Via Schtasks.EXE
Detects the creation of scheduled tasks by user accounts via the "schtasks" utility.
Scheduled Task Creation with Curl and PowerShell Execution Combo
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. This facilitates executing malicious payloads or connecting with C&C server persistently without dropping the malware sample on the host.
Scheduled Task Deletion
Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
Scheduled Task Executed From A Suspicious Location
Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
Scheduled Task Executed Uncommon LOLBIN
Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
Scheduled Task Executing Encoded Payload from Registry
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
Scheduled Task Executing Payload from Registry
Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
Scheduled Task/Job At
Detects the use of at/atd which are utilities that are used to schedule tasks. They are often abused by adversaries to maintain persistence or to perform task scheduling for initial or recurring execution of malicious code