Analytics

WMImplant Hack Tool

8028c2c3-e25a-46e3-827f-bbb5abf181d7

WMI Persistence – Script Event Consumer

ec1d5e28-8f3b-4188-a6f8-6e8df81dc28e

Suspicious WMI Execution Using Rundll32

3c89a1e8-0fba-449e-8f1b-8409d6267ec8

Login with WMI

5af54681-df95-4c26-854f-2565e13cfab0

T1047 Wmiprvse Wbemcomn DLL Hijack

f6c68d5f-e101-4b86-8c84-7d96851fd65c

UNC2452 PowerShell Pattern

b7155193-8a81-4d8f-805d-88de864ca50c

Detect SNICat SNI Exfiltration

82d06410-134c-11eb-adc1-0242ac120002

DNSCat2 Powershell Implementation Detection Via Process Creation

b11d75d6-d7c1-11ea-87d0-0242ac130003

Exfiltration and Tunneling Tools Execution

c75309a3-59f8-4a8d-9c2c-4c927ad50555

Attacker Tools On Endpoint

a51bfe1a-94f0-48cc-b4e4-16a110145893

Windows Processes Suspicious Parent Directory

96036718-71cc-4027-a538-d1587e0006a7

Common Windows Process Masquerading

CAR-2021-04-001

File Created with System Process Name

d5866ddf-ce8f-4aea-b28e-d96485a20d3d

Flash Player Update from Suspicious Location

4922a5dd-6743-4fc2-8e81-144374280997

Exploit for CVE-2015-1641

7993792c-5ce2-4475-a3db-a3a5539827ef

Lazarus Session Highjacker

3f7f5b0b-5b16-476c-a85f-ab477f6dd24b

Suspicious Svchost Process

01d2e2a1-5f09-44f7-9fc1-24faa7479b6d

Suspicious MsiExec Directory

e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144

Findstr Launching .lnk File

33339be3-148b-4e16-af56-ad16ec6c7e7b

Certutil Encode

e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a

Application Whitelisting Bypass via Dnx.exe

81ebd28b-9607-4478-bf06-974ed9d53ed7

Executable in ADS

b69888d4-380c-45ce-9cf9-d9ce46e67821

Suspicious XOR Encoded PowerShell Command Line

bb780e0c-16cf-4383-8383-1e5471db6cf9

Visual Basic Command Line Compiler Usage

7b10f171-7f04-47c7-9fa2-5be43c76e535

Ping Hex IP

1a0d4aba-7668-4365-9ce4-6d79ab088dfd

Python Py2Exe Image Load

cbb56d62-4060-40f7-9466-d8aaf3123f83

PowerShell Base64 Encoded Shellcode

2d117e49-e626-4c7c-bd1f-c3c0147774c8

RedMimicry Winnti Playbook Dropped File

130c9e58-28ac-4f83-8574-0a4cc913b97e

Failed Code Integrity Checks

470ec5fa-7b4e-4071-b200-4c753100f49b

CrackMapExec PowerShell Obfuscation

6f8b3439-a203-45dc-a88b-abf57ea15ccf

Binary Padding

95361ce5-c891-4b0a-87ca-e24607884a96

Binary Padding

c52a914f-3d8b-4b2a-bb75-b3991e75f8ba

Operation Wocao Activity

74ad4314-482e-4c3e-b237-3f7ed3b9ca8d

Decode Base64 Encoded Text

e2072cab-8c9a-459b-b63c-40ae79e27031

Decode Base64 Encoded Text

719c22d7-c11a-4f2c-93a6-2cfdd5412f68

Host Discovery Commands

CAR-2016-03-001

Exports Critical Registry Keys To a File

82880171-b475-4201-b811-e9c826cd5eaa

Exports Registry Key To a File

f0e53e89-8d22-46ea-9db5-9d4796ee2f8a

SysKey Registry Keys Access

9a4ff3b8-6187-4fd2-8e8b-e0eae1129495

SAM Registry Hive Handle Request

f8748f2c-89dc-4d95-afb0-5a2dfdbad332

Quick execution of a series of suspicious commands

CAR-2013-04-002

Query Registry

970007b7-ce32-49d0-a4a4-fbef016950bd

Defense evasion disable windows firewall rules with netsh

4b438734-3793-4fda-bd42-ceeada0be8f9

Simultaneous Logins on a Host

CAR-2013-02-008

Defense evasion cloudwatch alarm deletion

f772ec8a-e182-483c-91d2-72058f76a44c

Scheduled Task – FileAccess

CAR-2020-09-001

Remotely Scheduled Tasks via Schtasks

CAR-2015-04-002

Disable UAC

CAR-2021-01-008

UAC Bypass

CAR-2019-04-001

DLL Injection via Load Library

CAR-2013-10-002

Rare LolBAS Command Lines

CAR-2020-05-003

Reg.exe called from Command Shell

CAR-2013-03-001

Autorun Differences

CAR-2013-01-002

Services launching Cmd

CAR-2014-05-002

Remotely Launched Executables via Services

CAR-2014-03-005

Service Binary Modifications

CAR-2014-02-001

Service Outlier Executables

CAR-2013-09-005

Quick execution of a series of suspicious commands

CAR-2013-04-002

Autorun Differences

CAR-2013-01-002

Quick execution of a series of suspicious commands

CAR-2013-04-002

BCDEdit Failure Recovery Modification

CAR-2021-05-003

Detecting Shadow Copy Deletion via Vssadmin.exe

CAR-2021-01-009

Shadow Copy Deletion

CAR-2020-04-001

Access Permission Modification

CAR-2019-07-001

RunDLL32.exe monitoring

CAR-2014-03-006

Squiblydoo

CAR-2019-04-003

Generic Regsvr32

CAR-2019-04-002

Compiled HTML Access

CAR-2020-11-009

Batch File Write to System32

CAR-2021-05-002

CertUtil With Decode Argument

CAR-2021-05-009

Addition of SID History to Active Directory Object

2632954e-db1c-49cb-9936-67d1ef1d17d2

Detection of Possible Rotten Potato

6c5808ee-85a2-4e56-8137-72e5876a5096

Meterpreter or Cobalt Strike Get System Service Start

15619216-e993-4721-b590-4c520615a67d

Meterpreter or Cobalt Strike Get System Service Installation

843544a7-56e0-4dcc-a44f-5cc266dd97d6

Failed Logon From Public IP

f88e112a-21aa-44bd-9b01-6ee2a2bbbed1

Illegal Access To User Content via PowerSploit modules

01fc7d91-eb0c-478e-8633-e4fa4904463a

Suspicious System.Drawing Load

666ecfc7-229d-42b8-821e-1a8f8cb7057c

Screen Capture – macOS

0877ed01-da46-4c49-8476-d49cdd80dfa7

FodHelper UAC Bypass

909f8fd8-7ac8-11eb-a1f3-acde48001122

Revil Registry Entry

e3d3f57a-c381-11eb-9e35-acde48001122

Suspicious Reg exe Process

a6b3ab4e-dd77-4213-95fa-fc94701995e0

Uncommon Registry Persistence Change

54902e45-3467-49a4-8abc-529f2c8cfb80

OceanLotus Registry Activity

4ac5fc44-a601-4c06-955b-309df8c4e9d4

Suspicious VBoxDrvInst.exe Parameters

b7b19cb6-9b32-4fc4-a108-73f19acfe262

Non-privileged Usage of Reg or Powershell

8f02c935-effe-45b3-8fc9-ef8696a9e41d

DNS ServerLevelPluginDll Install

e61e8a88-59a9-451c-874e-70fcc9740d67

NetNTLM Downgrade Attack

d67572a0-e2ec-45d6-b8db-c100d14b8ef2

Disable Security Events Logging Adding Reg Key MiniNt

919f2ef0-be2d-4a7a-b635-eb2b41fde044

Sysmon Channel Reference Deletion

18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc

Removal of Potential COM Hijacking Registry Keys

96f697b0-b499-4e5d-9908-a67bec11cdb6

DHCP Callout DLL Installation

9d3436ef-9476-4c43-acca-90ce06bdf33a

Modifies the Registry From a File

5f60740a-f57b-4e76-82a1-15b6ff2cb134

Imports Registry Key From a File

73bba97f-a82d-42ce-b315-9182e76c57b1

Blue Mockingbird

c3198a27-23a0-4c2c-af19-e5328d49680e

Modifies the Registry From a ADS

77946e79-97f1-45a2-84b4-f37b5c0d8682

RDP Registry Modification

41904ebe-d56c-4904-b9ad-7a77bdf154b3

Persistent Outlook Landing Pages

ddd171b5-2cc6-4975-9e78-f0eccd08cc76

Imports Registry Key From an ADS

0b80ade5-6997-4b1d-99a1-71701778ea61

Remote Registry Management Using Reg Utility

68fcba0d-73a5-475e-a915-e8b4c576827e

ShimCache Flush

b0524451-19af-4efa-a46f-562a977f792e

Wdigest CredGuard Registry Modification

1a2d6c47-75b0-45bd-b133-2c0be75349fd

Run Once Task Execution as Configured in Registry

198effb6-6c98-4d0c-9ea3-451fa143c45c

FlowCloud Malware

5118765f-6657-4ddb-a487-d7bd673abbf1

Run Once Task Configuration in Registry

c74d7efc-8826-45d9-b8bb-f04fac9e4eff

Suspicious New Printer Ports in Registry (CVE-2020-1048)

7ec912f2-5175-4868-b811-ec13ad0f8567

Wdigest Enable Use Logon

d6a9b252-c666-4de6-8806-5561bbbd3bdc

Persistent Outlook Landing Pages

487bb375-12ef-41f6-baae-c6a1572b4dd1

RDP Sensitive Settings Changed

171b67e1-74b4-460e-8d55-b331f3e32d67

Registry Entries For Azorult Malware

f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7

Ursnif

21f17060-b282-4249-ade0-589ea3591558

Office Security Settings Changed

a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd

RedMimicry Winnti Playbook Registry Manipulation

5b175490-b652-4b02-b1de-5b5b4083c5f8

Remote Registry

CAR-2014-11-005

Quick execution of a series of suspicious commands

CAR-2013-04-002

Autorun Differences

CAR-2013-01-002

High Number of Login Failures from a single source

7f398cfb-918d-41f4-8db8-2e2474e02222

Secure Deletion with SDelete

39a80702-d7ca-4a83-b776-525b1f86a36d

Cisco File Deletion

71d65515-c436-43c0-841b-236b1f32c21e

Backup Catalog Deleted

9703792d-fd9a-456d-a672-ff92efe4806a

Illegal Service and Process Control via PowerSploit modules

0e910e5b-309d-4bc3-8af2-0030c02aa353

Illegal Service and Process Control via Mimikatz modules

aaf3adf1-73e1-4477-b4ee-3771898964f1

Suspicious SolarWinds Child Process

93b22c0a-06a0-4131-b830-b10d5e166ff4

Accessing WinAPI in PowerShell

03d83090-8cba-44a0-b02f-0b756a050306

Possible App Whitelisting Bypass via WinDbg/CDB as a Shellcode Runner

b5c7395f-e501-4a08-94d4-57fe7a9da9d2

RedMimicry Winnti Playbook Execute

95022b85-ff2a-49fa-939a-d7b8f56eeb9b

Download Files Using Telegram

58194e28-ae5e-11eb-8912-acde48001122

Suspicious Curl Network Connection

3f613dc0-21f2-4063-93b1-5d3c15eef22f

Office Product Spawning CertUtil

6925fe72-a6d5-11eb-9e17-acde48001122

BITSAdmin Download File

80630ff4-8e4c-11eb-aab5-acde48001122

CertUtil Download With VerifyCtl and Split Arguments

801ad9e4-8bfb-11eb-8b31-acde48001122

CertUtil Download With URLCache and Split Arguments

415b4306-8bfb-11eb-85c4-acde48001122

Command And Control Download RAR Powershell from Internet

ff013cb4-274d-434a-96bb-fe15ddd3ae92

Apple Script Execution followed by Network Connection

47f76567-d58a-4fed-b32b-21f571e28910

Execution command prompt connecting to the internet

89f9a4b0-9f8f-4ee0-8823-c4751a6d6696

Remote File Download via PowerShell

33f306e8-417c-411b-965c-c2812d6d3f4d

Remote File Download via MpCmdRun

c6453e73-90eb-4fe7-a98c-cde7bbfc504a

Detect Excessive User Account Lockouts

95a7f9a5-6096-437e-a19e-86f42ac609bd

External Disk Drive or USB Storage Device

f69a87ea-955e-4fb4-adb2-bb9fd6685632

Suspicious C2 Activities

f7158a64-6204-4d6d-868a-6e6378b467e0

Detect Large Outbound ICMP Packets

e9c102de-4d43-42a7-b1c8-8062ea297419

Suspicious Arguments

CAR-2013-07-001

BITSAdmin Download File

CAR-2021-05-005

CertUtil Download With URLCache and Split Arguments

CAR-2021-05-006

CertUtil Download With VerifyCtl and Split Arguments

CAR-2021-05-007

Remote File Copy

7a14080d-a048-4de8-ae58-604ce58a795b

Windows Update Client LOLBIN

d7825193-b70a-48a4-b992-8b5b3015cc11

Microsoft Binary Suspicious Communication Endpoint

e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97

MsiExec Web Install

f7b5f842-a6af-4da5-9e95-e32478f3cd2f

Cisco Stage Data

5e51acb2-bcbe-435b-99c6-0e3cd5e2aa59

Pandemic Registry Key

47e0852a-cf81-4494-a8e6-31864f8c86ed

Curl Start Combination

21dd6d38-2b18-4453-9404-a0fe4a0cc288

Finger.exe Suspicious Invocation

af491bca-e752-4b44-9c86-df5680533dbc

Malicious Payload Download via Office Binaries

0c79148b-118e-472b-bdb7-9b57b444cc19

Windows Defender Download Activity

46123129-1024-423e-9fae-43af4a0fa9a5

Suspicious Curl Usage on Windows

e218595b-bbe7-4ee5-8a96-f32a24ad3468

PowerShell Download File

8f70ac5f-1f6f-4f8e-b454-db19561216c5

Executable from Webdav

aac2fd97-bcba-491b-ad66-a6edf89c71bf

GfxDownloadWrapper.exe Downloads File from Suspicious URL

eee00933-a761-4cd0-be70-c42fe91731e7

Microsoft Binary Github Communication

635dbb88-67b3-4b41-9ea5-a3af2dd88153

Suspicious Desktop Image Downloader Target File

fc4f4817-0c53-4683-a4ee-b17a64bc1039

Command Line Execution with Suspicious URL and AppData Strings

1ac8666b-046f-4201-8aba-1951aaec03a3

Copy from Admin Share

855bc8b5-2ae8-402e-a9ed-b889e6df1900

Suspicious Certutil Command

e011a729-98a6-4139-b5c4-bf6f6dd8239a

Greenbug Campaign Indicators

3711eee4-a808-4849-8a14-faf733da3612

Download from Suspicious Dyndns Hosts

195c1119-ef07-4909-bb12-e66f5e07bf3c

Remote File Copy via TeamViewer

b25a7df2-120a-4db2-bd3f-3e4b86b24bee

Remote File Download via Script Interpreter

1d276579-3380-4095-ad38-e596a01bc64f

Remote File Download via Desktop Image Downloader Utility

15c0b7a7-9c34-4869-b25b-fa6518414899

Network Connection via Certutil

3838e0e3-1850-4850-a411-2e8c5ba40ba8

Suspicious Desktop Image Downloader Command

bb58aa4a-b80b-415a-a2c0-2f65a4c81009

Privilege escalation local user added to admin

565c2b44-7a21-4818-955f-8d4737967d2e

Persistence account creation hide at logon

41b638a1-8ab6-4f8e-86d9-466317ef2db5

Persistence enable root account

cc2fd2d0-ba3a-4939-b87f-2901764ed036

Admin User Remote Logon

0f63e1ef-1eb9-4226-9d54-8927ca08520a

User Login Activity Monitoring

CAR-2013-10-001

SMB Copy and Execution

CAR-2013-05-005

SMB Write Request

CAR-2013-05-003

User Logged in to Multiple Hosts

CAR-2013-02-012

Suspicious Scheduled Task from Public Directory

7feb7972-7ac3-11eb-bac8-acde48001122

Invoke-Obfuscation STDIN+ Launcher

6c96fc76-0eb1-11eb-adc1-0242ac120002

Execution with schtasks

CAR-2013-08-001

Invoke-Obfuscation Via Use Clip

e1561947-b4e3-4a74-9bdd-83baed21bdb5

Impact cloud watch log stream deletion

d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17

Defense evasion waf acl deletion

91d04cd4-47a9-4334-ab14-084abe274d49

Defense evasion event hub deletion

e0f36de1-0342-453d-95a9-a068b257b053

Impact cloud watch log group deletion

68a7a5a5-a2fc-4a76-ba9f-26849de881b4

Defense evasion SolarWinds backdoor service disabled via registry

b9960fef-82c6-4816-befa-44745030e917

Defense evasion network watcher deletion

323cb487-279d-4218-bcbd-a568efe930c6

Defense evasion guard duty detector deletion

523116c0-d89d-4d7c-82c2-39e6845a78ef

Defense evasion cloudtrail logging suspended

1aa8fa52-44a7-4dae-b058-f3333b91c8d7

Defense evasion firewall policy deletion

e02bd3ea-72c6-4181-ac2b-0f83d17ad969

Defense evasion ec2 flow log deletion

9395fd2c-9947-4472-86ef-4aceb2f7e872

Defense evasion apple software updates modification

f683dcdf-a018-4801-b066-193d4ae6c8e5

Defense evasion attempt to disable syslog service

2f8a1226-5720-437d-9c20-e0029deb6194

Defense evasion scheduled jobs at protocol enabled

9aa0e1f6-52ce-42e1-abb3-09657cee2698

Defense evasion waf rule or rule group deletion

5beaebc1-cc13-4bfc-9949-776f9e0dc318

Defense evasion cloudtrail logging deleted

7024e2a0-315d-4334-bb1a-441c593e16ab

Defense evasion azure diagnostic settings deletion

5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de

Defense evasion attempt del quarantine attrib

f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7

Defense evasion configuration recorder stopped

fbd44836-0d69-4004-a0b4-03c20370c435

Defense evasion defender disabled via registry

2ffa1f1e-b6db-47fa-994b-1512743847eb

Defense evasion safari config change

6482255d-f468-45ea-a5b3-d3a7de1331ae

Defense evasion privacy controls tcc database modification

eea82229-b002-470e-a9e1-00be38b14d32

Defense evasion amenable key mod

f874315d-5188-4b4a-8521-d1c73093a7e4

Defense evasion port forwarding added registry

3535c8bb-3bd5-40f4-ae32-b7cd589d5372

Defense evasion disable selinux attempt

eb9eb8ba-a983-41d9-9c93-a1c05112ca5e

Defense evasion unload endpointsecurity text

70fa1af4-27fd-4f26-bd03-50b6af6b9e24

Detecting Tampering of Windows Defender Command Prompt

CAR-2021-01-007

User Activity from Stopping Windows Defensive Services

CAR-2016-04-003

Quick execution of a series of suspicious commands

CAR-2013-04-002

Defense evasion cve

56557cde-d923-4b88-adee-c61b3f3b5dc3

Schtasks used for forcing a reboot

1297fb80-f42a-4b4a-9c8a-88c066437cf6

Scheduled Task Deleted Or Created via CMD

d5af132c-7c17-439c-9d31-13d55340f36c

Schtasks scheduling job on remote system

1297fb80-f42a-4b4a-9c8a-88c066237cf6

WinEvent Scheduled Task Created to Spawn Shell

203ef0ea-9bd8-11eb-8201-acde48001122

WinEvent Scheduled Task Created Within Public Path

5d9c6eee-988c-11eb-8253-acde48001122

Schedule Task with HTTP Command Arguments

523c2684-a101-11eb-916b-acde48001122

Powershell Execution

CAR-2014-04-003

Remote PowerShell Sessions

CAR-2014-11-004

T1086 PowerShell Execution

ac7102b4-9e1e-4802-9b4f-17c5524c015c

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

e9f55347-2928-4c06-88e5-1a7f8169942e

Encoded FromBase64String

fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c

FromBase64String Command Line

e32d4572-9826-4738-b651-95fa63747e8a

PowerShell Encoded Character Syntax

e312efd0-35a1-407f-8439-b8d434b438a6

Encoded IEX

88f680b8-070e-402c-ae11-d2914f2257f1

Dnscat Execution

a6d67db4-6220-436d-8afc-f3842fe05d43

Invoke-Obfuscation Via Stdin

9c14c9fa-1a63-4a64-8e57-d19280559490

Invoke-Obfuscation VAR+ Launcher

27aec9c9-dbb0-4939-8422-1742242471d0

Suspicious PowerShell Invocations – Generic

3d304fda-78aa-43ed-975c-d740798a49c1

Invoke-Obfuscation CLIP+ Launcher

b222df08-0e07-11eb-adc1-0242ac120002

Invoke-Obfuscation Via Use MSHTA

ac20ae82-8758-4f38-958e-b44a3140ca88

Defense evasion attempt to disable iptables or firewall

125417b8-d3df-479f-8418-12d7e034fee3

Defense evasion enable inbound rdp with netsh

074464f9-f30d-4029-8c03-0ed237fffec7

Invoke-Obfuscation RUNDLL LAUNCHER

056a7ee1-4853-4e67-86a0-3fd9ceed7555

Defense evasion stop process service threshold

035889c4-2686-4583-a7df-67f89c292f2c

Invoke-Obfuscation Via Use Rundll32

36c5146c-d127-4f85-8e21-01bf62355d5a

Credentials in Files & Registry

CAR-2020-09-004

Credential access collection sensitive files

6b84d470-9036-4cc0-a27c-6d90bbfe81ab

Credential access key vault modified

792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec

Suspicious XOR Encoded PowerShell Command Line

812837bb-b17f-45e9-8bd0-0ec35d2e3bd6

Too Long PowerShell Commandlines

d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6

Suspicious CLR Logs Creation

e4b63079-6198-405c-abd7-3fe8b0ce3263

PowerShell Called from an Executable Version Mismatch

c70e019b-1479-4b65-b0cc-cd0c6093a599

Suspicious PowerShell Download

65531a81-a694-4e31-ae04-f8ba5bc33759

Invoke-Obfuscation COMPRESS OBFUSCATION

7eedcc9d-9fdb-4d94-9c54-474e8affc0c7

PowerShell Execution

867613fb-fa60-4497-a017-a82df74a172c

Accessing WinAPI in PowerShell. Code Injection.

eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50

Invoke-Obfuscation Via Stdin

86b896ba-ffa1-4fea-83e3-ee28a4c915c7

Invoke-Obfuscation Via Use Clip

db92dd33-a3ad-49cf-8c2c-608c3e30ace0

PowerShell Download from URL

3b6ab547-8ec2-4991-b9d2-2b06702a48d7

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION

e54f5149-6ba3-49cf-b153-070d24679126

Alternate PowerShell Hosts

fe6e002f-f244-4278-9263-20e4b593827f

PowerShell Create Local User

243de76f-4725-4f2e-8225-a8a69b15ad61

Any Powershell DownloadFile

1a93b7ea-7af7-11eb-adb5-acde48001122

Any Powershell DownloadString

4d015ef2-7adf-11eb-95da-acde48001122

Detect SharpHound Command-Line Arguments

a0bdd2f6-c2ff-11eb-b918-acde48001122

Detect SharpHound Usage

dd04b29a-beed-11eb-87bc-acde48001122

Detect SharpHound File Modifications

42b4b438-beed-11eb-ba1d-acde48001122

Malicious PowerShell Process With Obfuscation Techniques

cde75cf6-3c7a-4dd6-af01-27cdb4511fd4

Set Default PowerShell Execution Policy To Unrestricted or Bypass

c2590137-0b08-4985-9ec5-6ae23d92f63d

Malicious PowerShell Process – Execution Policy Bypass

9be56c82-b1cc-4318-87eb-d138afaaca39

Malicious PowerShell Process – Connect To Internet With Hidden Window

ee18ed37-0802-4268-9435-b3b91aaa18db

Nishang PowershellTCPOneLine

1a382c6c-7c2e-11eb-ac69-acde48001122

Powershell Processing Stream Of Data

0d718b52-c9f1-11eb-bc61-acde48001122

Detect AzureHound Command-Line Arguments

26f02e96-c300-11eb-b611-acde48001122

Detect AzureHound File Modifications

1c34549e-c31b-11eb-996b-acde48001122

Detect Mimikatz Using Loaded Images

29e307ba-40af-4ab2-91b2-3c6b392bbba0

Processes Spawning cmd.exe

CAR-2013-02-003

Outlier Parents of Cmd

CAR-2014-11-002

Cmd.exe CommandLine Path Traversal

087790e3-3287-436c-bccf-cbd0184a7db1

ZxShell Malware

f0b70adb-0075-43b0-9745-e82a1c608fcc

Elise Backdoor

e507feb7-5f73-4ef6-a970-91bb6f6d744f

Sofacy Trojan Loader Activity

ba778144-5e3d-40cf-8af9-e28fb1df1e20

Baby Shark Activity

2b30fa36-3a18-402f-a22d-bf4ce2189f35

Koadic Execution

5cddf373-ef00-4112-ad72-960ac29bac34

Command Line Execution with Suspicious URL and AppData Strings

1ac8666b-046f-4201-8aba-1951aaec03a3

AWS EC2 Startup Shell Script Change

1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df

HTML Help Shell Spawn

52cad028-0ff0-4854-8f67-d25dfcbc78b4

Suspicious HWP Sub Processes

023394c4-29d5-46ab-92b8-6a534c6f447b

Exploiting SetupComplete.cmd CVE-2019-1378

1c373b6d-76ce-4553-997d-8c1da9a6b5f5

Exploited CVE-2020-10189 Zoho ManageEngine

846b866e-2a57-46ee-8e16-85fa92759be7

Detect Excessive User Account Lockouts

95a7f9a5-6096-437e-a19e-86f42ac609bd

CrackMapExec Command Execution

058f4380-962d-40a5-afce-50207d36d7e2

Detect Prohibited Applications Spawning cmd exe

dcfd6b40-42f9-469d-a433-2e53f7486664

Detect Use of cmd exe to Launch Script Interpreters

b89919ed-fe5f-492c-b139-95dbb162039e

Ryuk Wake on LAN Command

538d0152-7aaa-11eb-beaa-acde48001122

CMD Echo Pipe – Escalation

eb277ba0-b96b-11eb-b00e-acde48001122

Quick execution of a series of suspicious commands

CAR-2013-04-002

WSF/JSE/JS/VBA/VBE File Execution

1e33157c-53b1-41ad-bbcc-780b80b58288

WMIExec VBS Script

966e4016-627f-44f7-8341-f394905c361f

Application Whitelisting Bypass via Bginfo

aaf46cdc-934e-4284-b329-34aa701e3771

Suspicious Parent of Csc.exe

b730a276-6b63-41b8-bcf8-55930c8fc6ee

SquiblyTwo

8d63dadf-b91b-4187-87b6-34a1114577ea

Powershell Reverse Shell Connection

edc2f8ae-2412-4dfd-b9d5-0c57727e70be

CACTUSTORCH Remote Thread Creation

2e4e488a-6164-4811-9ea1-f960c7359c40

Autorun Differences

CAR-2013-01-002

Quick execution of a series of suspicious commands

CAR-2013-04-002

QBot Process Creation

4fcac6eb-0287-4090-8eea-2602e4c20040

WScript or CScript Dropper

cea72823-df4d-4567-950c-0b579eaf0846

Exchange PowerShell Snap-Ins Used by HAFNIUM

25676e10-2121-446e-80a4-71ff8506af47

Suspicious Scripting in a WMI Consumer

fe21810c-2a8c-478f-8dd3-5a287fb2a0e0

Koadic Execution

5cddf373-ef00-4112-ad72-960ac29bac34

HTML Help Shell Spawn

52cad028-0ff0-4854-8f67-d25dfcbc78b4

Windows Shell Spawning Suspicious Program

3a6586ad-127a-4d3b-a677-1e6eacdf8fde

Adwind RAT / JRAT

1fac1481-2dbc-48b2-9096-753c49b4ec71

Suspicious File Characteristics Due to Missing Fields

9637e8a5-7131-4f7f-bdc7-2b05d8670c43

User Login Activity Monitoring

CAR-2013-10-001

Detect Excessive Account Lockouts From Endpoint

c026e3dd-7e18-4abb-8f41-929e836efe74

File Was Not Allowed To Run

401e5d00-b944-11ea-8f9a-00163ecd60ae

SMB Write Request

CAR-2013-05-003