Product

Windows Defender Advanced Threat Protection

5 briefs RSS

Potential PowerShell Obfuscated Script via High Entropy

This detection identifies potentially obfuscated PowerShell scripts based on high entropy and non-uniform character distributions, often used by attackers to evade signature-based detections and hinder analysis.

Microsoft Intune Management Extension +2 defense-evasion powershell obfuscation

2r 3t 6h ago

high advisory

Suspicious Registry Hive Access via RegBack

2 rules 1 TTP

This rule detects attempts to access registry backup hives (SAM, SECURITY, SYSTEM) via RegBack on Windows systems, which can contain or enable access to credential material.

Endpoint Defense +6 credential-access regback windows

2r 1t Jul 2, 2024

high advisory

Potential Process Injection via PowerShell

2 rules 2 TTPs

This detection identifies PowerShell scripts leveraging Win32 APIs for memory allocation, process access, and thread creation, indicative of potential process injection or in-memory payload execution on Windows systems.

Windows Defender Advanced Threat Protection process injection powershell defense evasion

2r 2t Jan 24, 2024

low advisory

Account Discovery Command via SYSTEM Account

3 rules 3 TTPs

The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.

Elastic Defend +5 discovery privilege-escalation windows

3r 3t Jan 9, 2024

high advisory

PowerShell Suspicious Payload Encoded and Compressed

2 rules 1 TTP

Detects PowerShell scripts employing Base64 decoding combined with .NET decompression (Deflate/GZip) to deobfuscate and reconstruct malicious payloads in memory, evading traditional defenses.

Windows Defender Advanced Threat Protection defense-evasion powershell windows

2r 1t Jan 3, 2024