Lateral Movement via Remote Startup Folder Modification
Severity: high | Type: advisory | 2 rules, 3 TTPs
Adversaries may achieve lateral movement by creating malicious files in remote Windows startup folders via RDP or SMB, leading to code execution upon system reboot or user logon.
Products: m365_defender +4
Tags: lateral-movement, persistence, windows
Suspicious Windows Command Shell Arguments Detection
Severity: high | Type: advisory | 3 rules, 2 TTPs
This rule identifies execution of the Windows Command Shell process (cmd.exe) with suspicious argument values, a pattern often observed during malware installation.
Products: m365_defender +3
Tags: malware, execution, cmd
Unusual Service Host Child Process - Childless Service
Severity: medium | Type: advisory | 2 rules, 2 TTPs
This detection identifies unusual child processes spawned by Service Host (svchost.exe) instances that traditionally do not spawn child processes, potentially indicating code injection or exploitation.
Products: m365_defender +3
Tags: process_injection, privilege_escalation, defense_evasion, windows