Defense Evasion

Threat actors are actively abusing Microsoft's ClickOnce technology, specifically targeting the `.application` and `.appref-ms` file types, to achieve stealthy initial access, execute malicious payloads within legitimate Microsoft processes like rundll32.exe and dfsvc.exe, and establish persistence through its built-in update mechanism, effectively bypassing traditional endpoint security controls.

Adversaries can abuse the Azure VM Managed Run Command feature (MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMANDS/WRITE) to achieve code execution as System or root and establish persistence on Azure Virtual Machines or Virtual Machine Scale Sets by an unusual identity, potentially evading detections focused solely on action-based Run Commands.

A remote, unauthenticated attacker can exploit a vulnerability in Gitea to bypass existing security measures, potentially leading to unauthorized access, privilege escalation, or data manipulation within the application.

Adversaries with privileged Azure RBAC roles are exploiting the Azure VM Serial Console to gain SYSTEM/root access on virtual machines, bypassing network controls like NSGs and JIT policies, with detections focusing on unusual user and source network combinations.

Adversaries with elevated privileges within Google Workspace may delete custom administrative roles to impede security operations, remove delegated administrator access, or obfuscate their activities during an active incident, leading to disrupted delegated administration, loss of security team access, or hindrance of incident response efforts.

Unspecified adversaries are using a Traffic Direction System (TDS) redirect for initial access, followed by encoded PowerShell execution to download payloads like `script.ps1` into the `ApplicationData` directory, and establishing command-and-control (C2) communication via `curl.exe` to suspicious IP addresses such as `144.31.221.82` with defense evasion techniques like post-execution cleanup, designed to operate below traditional detection thresholds.

The rule detects attempts to clear the kernel ring buffer on Linux systems using the `dmesg` command with options like `-c`, `-C`, `--clear`, or `--read-clear` to evade detection.

This rule detects when a Microsoft Exchange inbox rule is created or modified with a name composed only of special characters, which adversaries may use to evade detection and hide malicious forwarding or deletion rules.

Detection of the Microsoft Software Licensing User Interface Tool (`slui.exe`) being executed with elevated privileges using the `-verb runas` parameter, indicating a potential privilege escalation attempt.

This analytic identifies instances where three or more distinct registry modification events associated with MITRE ATT&CK Technique T1112 are detected, leveraging Splunk's Risk data model to detect persistence, hiding malicious configurations, or erasing forensic evidence.

Pimcore's CustomReports feature has a share bypass vulnerability due to inconsistent authorization checks between the report listing endpoint and the report detail endpoint, allowing low-privileged users to access report configurations without explicit sharing permissions.

A cryptojacking campaign targets systems with high-performance GPUs using SEO poisoning and manipulated AI chatbot recommendations, distributing malware disguised as legitimate software utilities to establish persistence and evade detection before deploying GPU mining programs.

A remote, anonymous attacker can exploit multiple vulnerabilities in Apple macOS to gain root privileges, execute arbitrary code, cause a denial-of-service condition, disclose confidential information, modify data, or bypass security measures.

Adversaries may attempt to bypass macOS privacy controls by directly modifying the Transparency, Consent, and Control (TCC) SQLite database using sqlite3, potentially gaining unauthorized access to sensitive resources.

This rule identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource, where attackers may inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication using rundll32.exe.

A remote, authenticated attacker can exploit a vulnerability in Sparx Systems Enterprise Architect to bypass security precautions.

Multiple vulnerabilities in Budibase could be exploited by an attacker to gain administrative privileges, bypass security measures, perform cross-site scripting attacks, manipulate data, or disclose confidential information.

A remote, anonymous attacker can exploit a vulnerability in Squid to bypass security precautions and disclose information, potentially leading to unauthorized access or data leakage.

Multiple vulnerabilities in Rsync could be exploited by an attacker to elevate privileges, disclose information, bypass security precautions, and perform a denial of service attack.

Microsoft disrupted Fox Tempest, a threat actor running a malware-signing-as-a-service (MSaaS) that abuses Microsoft Artifact Signing to generate short-lived code-signing certificates used to sign malware disguised as legitimate software, delivering ransomware and various information stealers to victims across multiple sectors.

A vulnerability in Unbound allows an attacker from an adjacent network to manipulate the cache, potentially leading to domain hijacking.

A race condition in Docker's `docker cp` command allows a malicious container to redirect a bind mount target to an arbitrary host path by manipulating symlinks during the setup of temporary filesystem views, potentially overwriting host files or causing denial of service.

Threat actors are actively disabling antivirus and EDR solutions through abusing Windows Firewall rules, uninstalling agents, and exploiting vulnerable drivers (BYOVD) to establish persistence, move laterally, and deploy ransomware undetected.

Detects Kubernetes API requests where a user is impersonating a privileged cluster identity such as system:kube-controller-manager, system:admin, system:anonymous, or a member of the system:masters group, potentially leading to privilege escalation and unauthorized access.

A machine learning job combination has identified a user with one or more suspicious Windows processes exhibiting unusually high malicious probability scores, potentially involving LOLbins for defense evasion.

A machine learning job has identified a parent process spawning one or more suspicious Windows processes exhibiting unusually high malicious probability scores, indicating potential defense evasion tactics like masquerading and LOLBins usage.

A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, indicating potential masquerading tactics for defense evasion.

A machine learning job has detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be suspicious given its user context by an unsupervised ML model, indicating potential defense evasion activity involving LOLbins.

This rule detects unusual process spawned by a parent process, potentially indicating malicious activity involving LOLbins by leveraging machine learning to identify anomalous process creation patterns that evade conventional search rules.

A machine learning job detects unusual Windows processes, potentially Living off the Land binaries, on hosts not commonly associated with malicious activity, indicating possible defense evasion attempts.

This rule detects the creation of files in world-writable directories on Linux systems by an unusual process, which is a common defense evasion tactic for potential lateral movement or malicious payload staging.

Multiple vulnerabilities in F5 BIG-IP products could allow an attacker to execute arbitrary code, gain elevated privileges, bypass security measures, manipulate or disclose data, or cause a denial-of-service condition.

Multiple vulnerabilities in AMD EPYC, Athlon, and Ryzen processors can be exploited by an attacker to execute arbitrary code, escalate privileges, bypass security measures, cause a denial-of-service condition, disclose sensitive information, or manipulate data.

Multiple vulnerabilities in Apache Solr could be exploited by an attacker to bypass security measures, manipulate data, and disclose sensitive information.

Multiple vulnerabilities exist in Microsoft Windows products, enabling attackers to execute arbitrary code, escalate privileges, perform denial-of-service attacks, disclose information, or bypass security measures.

An anonymous remote attacker can exploit multiple vulnerabilities in Kiali for Red Hat OpenShift Service Mesh to gain extended privileges, bypass security measures, manipulate or disclose data, or cause a denial-of-service condition.

Multiple vulnerabilities in Microsoft Azure and Windows Admin Center allow an attacker to escalate privileges, spoof information, and bypass security measures.

A remote memory corruption vulnerability exists in Linux ksmbd that allows remote clients with directory creation permissions to trigger a heap out-of-bounds read and subsequent heap corruption by setting a crafted DACL with a malformed SID, potentially leading to kernel instability, denial of service, or privilege escalation.

Multiple vulnerabilities exist in Apple macOS Sonoma, macOS Sequoia, and macOS Tahoe that could allow an attacker to elevate privileges, conduct a denial-of-service attack, disclose information, execute arbitrary code, and bypass security measures.

Threat actors are leveraging AI to enhance vulnerability discovery, exploit development, defense evasion, and autonomous operations, with state-sponsored groups showing particular interest in AI-driven vulnerability research and exploit generation.

Cisco researchers discovered that attackers can manipulate vision-language models (VLMs) by using pixel-level perturbations in images to embed malicious instructions, which are unreadable by humans but interpreted by AI, leading to potential data exfiltration or other unauthorized actions.

A macOS vulnerability enables bypassing System Integrity Protection (SIP) by abusing sandboxing mechanisms to load an untrusted library into a SIP-entitled process.

A vulnerability in the dssrf npm package allows attackers to bypass SSRF protections by using specially crafted IPv6 addresses, despite documentation claiming IPv6 is disabled, which can lead to internal resource access or other malicious activities.

Multiple vulnerabilities in Red Hat Hardened Images RPMs can be exploited by an attacker to bypass security measures, escalate privileges, disclose sensitive information, manipulate data, or cause a denial-of-service condition.

A remote, authenticated attacker can exploit a vulnerability in Red Hat OpenShift Container Platform to bypass security measures.

Multiple vulnerabilities in Apache HTTP Server can be exploited by an attacker to gain elevated privileges, execute arbitrary code, bypass security measures, disclose sensitive information, or cause a denial-of-service condition.

Argo Workflows has an incomplete fix for CVE-2026-31892, allowing bypass of templateReferencing restrictions to modify pod specifications, leading to potential privilege escalation and security context overrides.

This detection identifies potentially obfuscated PowerShell scripts based on high entropy and non-uniform character distributions, often used by attackers to evade signature-based detections and hinder analysis.

An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.

A suspicious Zoom child process was detected, indicating a potential attempt to run unnoticed by masquerading as Zoom.exe or exploiting a vulnerability, resulting in the execution of cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.

Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.

This rule detects modifications to the registered Subject Interface Package (SIP) providers, which are used by the Windows cryptographic system to validate file signatures, potentially indicating an attempt to bypass signature validation or inject code for defense evasion.

Detection of service DACL modifications via `sc.exe` using the `sdset` command, potentially leading to defense evasion by denying service access to legitimate users or system accounts.

This rule detects file name patterns generated by the use of Sysinternals SDelete utility, potentially used by attackers to delete forensic indicators and hinder data recovery efforts.

The rule detects the execution of the built-in Windows Installer, msiexec.exe, to install a remote package potentially abused by adversaries for initial access and defense evasion.

This brief details a registry modification attack that downgrades the system to NTLMv1 authentication, enabling NetNTLMv1 downgrade attacks, typically performed with local administrator privileges on Windows systems.

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.

This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.

Adversaries may modify the LocalAccountTokenFilterPolicy registry key to bypass User Account Control (UAC) and gain elevated privileges remotely by granting high-integrity tokens to remote connections from local administrators, facilitating lateral movement and defense evasion.

Attackers may attempt to disable or modify code signing policies on Windows systems by using built-in tools like bcdedit.exe in order to execute unsigned or self-signed malicious code.

CVE-2026-0967 is a denial-of-service vulnerability in libssh, stemming from inefficient regular expression processing that could lead to defense evasion and impact availability on affected systems.

OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows attackers to bypass intended execution restrictions by exploiting trust relationships with wrapper carrier executables, leading to privilege escalation and defense evasion.

Multiple vulnerabilities in Dell PowerProtect Data Domain OS allow an attacker to execute arbitrary code with root privileges, escalate privileges to administrator, bypass security measures, manipulate data, disclose sensitive information, or conduct unspecified attacks.

The Payouts King ransomware is leveraging QEMU VMs as a reverse SSH backdoor to execute payloads, store malicious files, and establish covert remote access tunnels, bypassing endpoint security measures.

An authorization bypass vulnerability exists in Better Auth's OAuth provider, allowing low-privilege users to create OAuth clients despite configured clientPrivileges, potentially leading to unauthorized client registration and increased phishing risks.

A middleware bypass vulnerability (CVE-2026-33804) exists in @fastify/middie versions 9.3.1 and earlier when the deprecated Fastify ignoreDuplicateSlashes option is enabled, potentially allowing unauthorized access.

Scripting engines such as WScript, CScript, and MSHTA are being used to make registry modifications, potentially for persistence or defense evasion.

An anonymous, remote attacker can exploit a vulnerability in VMware Tanzu Spring Cloud Gateway to bypass security measures, potentially gaining unauthorized access or control.

A context isolation bypass vulnerability exists in Electron applications that bridge VideoFrame objects via contextBridge, potentially allowing an attacker with JavaScript execution in the main world to access the isolated world and Node.js APIs.

A machine learning job detected a spike in successful authentication events from a source IP address, which can indicate password spraying, user enumeration, or brute force activity, potentially leading to credential access.

Qilin ransomware employs a malicious msimg32.dll in a multi-stage infection chain to disable endpoint detection and response (EDR) solutions by evading detection and terminating EDR processes.

Detection of web server access log deletion across Windows, Linux, and macOS systems indicates potential defense evasion and destruction of forensic evidence by threat actors.

Adversaries are using the Right-to-Left Override (RTLO) character (U+202E) in command-line arguments to obfuscate malicious file names and trick users into executing them, achieving defense evasion.

Detection of PowerShell scripts modifying the msDS-ManagedAccountPrecededByLink attribute, potentially indicating exploitation of the BadSuccessor privilege escalation vulnerability in Windows Server 2025.

An out-of-bounds read and write vulnerability in LIBPNG's ARM/AArch64 Neon-optimized palette expansion path (CVE-2026-33636) allows attackers to potentially achieve denial-of-service or arbitrary code execution by crafting malicious PNG images.

A remote, authenticated attacker can exploit multiple vulnerabilities in IBM WebSphere Application Server Liberty to escalate privileges, bypass security measures, and disclose information.

A shellcode loader dubbed 'Lucky Pasta' employs JIT decryption, string obfuscation, dynamic library loading, fiber-based execution, and AES instruction patching to evade AV detection, retrieving shellcode via HTTP/HTTPS and executing it on Windows systems.

A newly discovered Mark of the Web (MOTW) bypass technique utilizes a chain of CAB, TAR, and 7-Zip archives to circumvent SmartScreen and execute files without security warnings.

Adversaries may use a specially crafted Windows Defender Application Control (WDAC) policy to restrict the execution of security products, detected by unusual process creation of WDAC policy files.

Attackers may leverage misconfigured SUID/SGID permissions on Linux systems to escalate privileges to root or establish persistence by executing processes with root privileges initiated by non-root users.

An administrator or privileged user disables critical security features within a GitHub organization or repository, potentially leading to increased risk of unauthorized access, data breaches, and persistent compromise.

Detection of MsiExec spawning child processes that initiate network connections, potentially indicating abuse of Windows Installers for malware delivery and defense evasion.

Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.

Detection of Alternate Data Stream (ADS) creation at a volume root directory, a technique used to hide malware and tools by exploiting how ADSs in root directories are not readily visible to standard system utilities, indicating a defense evasion attempt.

Adversaries may exploit Microsoft's System Center Configuration Manager by loading malicious DLLs into SCNotification.exe, a process associated with user notifications, potentially leading to Windows session hijacking.

Adversaries may use Microsoft Management Console (MMC) files from untrusted paths to bypass security controls for initial access and execution on Windows systems.

Attackers with DNSAdmin privileges can modify or disable the DNS Global Query Block List (GQBL) in Windows, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.

CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.

This rule identifies suspicious child processes spawned by ScreenConnect client processes, potentially indicating unauthorized access and command execution abusing ScreenConnect remote access software to perform malicious activities such as data exfiltration or establishing persistence.

Adversaries use parent process PID spoofing to evade detection by creating processes with mismatched parent-child relationships, hindering process monitoring and potentially elevating privileges on Windows systems.

An adversary may delete Kubernetes events to evade detection and hide malicious activity within a Kubernetes environment by removing audit logs.

This brief details detection of anomalous activity within the Okta Admin Console, potentially indicating privilege escalation, persistence, defense evasion, or initial access attempts by malicious actors.

The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.

Adversaries may disable Network-Level Authentication (NLA) by modifying specific registry keys to bypass authentication requirements for Remote Desktop Protocol (RDP) and enable persistence mechanisms.

Adversaries may clear the command history of a compromised account to conceal the actions undertaken during an intrusion on a Windows system.

Adversaries may modify file or directory ownership to evade access control lists (ACLs) and access protected files, often using icacls.exe or takeown.exe to reset permissions on system files.

A machine learning model detected a parent process spawning a cluster of suspicious Windows processes with high malicious probability scores, potentially indicating LOLBins usage and defense evasion.

An expired or revoked driver being loaded on a Windows system may indicate an attempt to gain code execution in kernel mode or abuse revoked certificates for malicious purposes, potentially leading to privilege escalation or defense evasion.

Msxsl.exe, a legitimate Windows utility, is being abused by adversaries to make network connections to non-local IPs for command and control or data exfiltration, potentially bypassing security measures.

The use of scripting engines like WScript and CScript to modify the Windows registry can indicate an attempt to bypass standard tools and evade defenses, potentially for persistence or other malicious activities.

This rule detects suspicious managed code hosting processes on Windows systems, potentially indicating code injection or defense evasion tactics by monitoring file events associated with processes commonly used to host managed code, such as wscript.exe, cscript.exe, and mshta.exe.

Adversaries may masquerade malicious executables within directories mimicking the legitimate Windows Program Files directory to evade defenses and execute untrusted code.

This rule detects attempts to install a file from a remote server using MsiExec, which adversaries may abuse to deliver malware, by identifying msiexec.exe processes running with arguments indicative of remote installations and executed from suspicious parent processes.

Adversaries modify the AmsiEnable registry key to 0 to disable Windows Script AMSI scanning, bypassing AMSI protections for Windows Script Host or JScript execution.

Detects suspicious creation of Alternate Data Streams (ADS) on targeted files using script or command interpreters, indicative of malware hiding in ADS for defense evasion.

The rule detects unusual outbound network connections made by rundll32.exe, specifically when executed with minimal arguments, which may indicate command and control activity or defense evasion tactics on Windows systems.

Detect Google Workspace login activity that Google has classified as suspicious, potentially indicating initial access, privilege escalation, defense evasion, or persistence attempts.

This rule detects potential abuse of the Microsoft Diagnostics Troubleshooting Wizard (MSDT) to proxy malicious command or binary execution via malicious process arguments on Windows systems.

The rule identifies unexpected executable file creation or modification by critical Windows processes, potentially indicating remote code execution or exploitation attempts.

macOS is vulnerable to synthetic mouse event attacks, allowing threat actors to bypass security mechanisms and interact with protected UI components to perform unauthorized actions like dumping keychains and loading kernel extensions.

Detection of executable files created with multiple extensions, a masquerading technique to evade defenses.

This detection identifies PowerShell scripts leveraging Win32 APIs for memory allocation, process access, and thread creation, indicative of potential process injection or in-memory payload execution on Windows systems.

Attackers modify the Windows Defender registry settings to disable the service or set the service to be started manually, evading defenses.

A machine learning job detected a suspicious Windows process, predicted malicious by the ProblemChild model and flagged as an unusual child process name for its parent, potentially indicating LOLbins usage and evading traditional detection.

Detection of svchost.exe executing with uncommon command-line parameters, excluding known legitimate patterns, which may indicate file masquerading, process injection, or process hollowing.

Detects the renaming of automation script interpreter processes like AutoIt, AutoHotkey, and KIX32, a tactic used by malware operators to evade detection by obscuring the true nature of the executable.

Detection of successful PutKeyPolicy calls on AWS KMS keys to identify potential privilege escalation or unauthorized access by adversaries modifying key policies to decrypt or exfiltrate data.

This rule detects suspicious execution of scripts via WMIC, potentially used for allowlist bypass, by identifying WMIC executions with atypical arguments and the loading of specific libraries like jscript.dll or vbscript.dll for defense evasion and execution.

The ProblemChild machine learning model has detected a user with suspicious Windows processes exhibiting unusually high malicious probability scores, potentially indicating defense evasion via masquerading or LOLbins.

This rule detects the abuse of Windows Sandbox with sensitive configurations to evade detection, where malware may abuse the sandbox feature to gain write access to the host file system, enable network connections, and automatically execute commands via logon, identifying the start of a new container with these sensitive configurations.

Adversaries may load unsigned DLLs into svchost.exe to establish persistence or escalate privileges, leveraging a shared Windows service to execute malicious code with elevated permissions.

Adversaries may delete events in Azure Kubernetes to evade detection, which this rule detects via the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE operation.

The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.

This rule detects PowerShell scripts that attempt to bypass the Antimalware Scan Interface (AMSI) in order to disable scanning and execute malicious PowerShell code undetected.

An untrusted driver loaded by the Windows kernel may indicate an attempt to bypass code signing policies and execute unsigned or self-signed kernel code, potentially leading to defense evasion.

MsBuild.exe making outbound network connections may indicate adversarial activity as attackers leverage MsBuild to execute code and evade detection.

Adversaries attempt to clear Linux system logs using utilities like rm, rmdir, shred, and unlink to conceal malicious activity and evade detection.

Aegra versions 0.9.0 through 0.9.6 are vulnerable to a cross-tenant IDOR, enabling authenticated users to execute graph runs against other users' threads, read checkpoint states, inject messages, and conceal their actions due to missing user ID validation on run creation endpoints; patched in version 0.9.7.

This rule detects suspicious child processes of WerFault.exe, a Windows error reporting tool, indicating potential abuse of the SilentProcessExit registry key to execute malicious processes stealthily for defense evasion, persistence, and privilege escalation.

Attackers may disable PowerShell Script Block Logging by modifying the registry to conceal their activities on the host and evade detection by setting the `EnableScriptBlockLogging` registry value to 0, impacting security monitoring and incident response capabilities.

This rule identifies potential timestomping behavior on Windows systems where the creation time of executable files in sensitive system directories is modified, potentially to blend malicious executables with legitimate system files and evade detection.

Detection of MsBuild.exe making outbound network connections which may indicate adversarial activity used to execute code and evade detection.

Attackers use PowerShell commands, including base64-encoded variants, to disable or weaken Windows Defender settings, impairing defenses on compromised systems.

Adversaries may use rundll32.exe to execute DLLs stored within alternate data streams (ADS) to bypass security controls and conceal malicious code.

This analytic detects instances where a process loads a file from a remote share path, potentially indicating execution, defense evasion, or lateral movement by attackers loading code from attacker-controlled infrastructure.

Adversaries may exploit PDF reader applications to execute arbitrary commands and establish a foothold within a system, often launching built-in utilities for reconnaissance and privilege escalation.

Adversaries may execute processes from unusual default Windows directories to masquerade malware and evade defenses by blending in with trusted paths, making malicious activity harder to detect.

Detection of a user pausing audit log event streaming in GitHub Enterprise, potentially indicating an attempt to evade detection by disabling the audit trail.

The Windows Update Auto Update Client (wuauclt.exe) is being abused to load arbitrary DLLs, a defense evasion technique where malicious activity blends with legitimate Windows software by using specific process arguments and placing DLLs in writable paths.

Attackers attempt to disable Windows Event and Security Logs using logman, PowerShell, or auditpol to evade detection and cover their tracks.

Adversaries may conceal malicious code in compiled HTML files (.chm) and deliver them to a victim for execution, using the HTML Help executable (hh.exe) to proxy the execution of scripting interpreters and bypass security controls.

An Azure firewall was created, modified, or deleted, potentially indicating malicious activity aimed at impairing network defenses.

Detection of adversaries disabling HTTP logging on IIS servers using AppCmd.exe, potentially evading detection by removing evidence of their actions.

The analytic identifies instances where wmiprvse.exe spawns msbuild.exe, an unusual process relationship indicative of potential COM object misuse and unauthorized code execution on Windows systems.

This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.

Detection of the 'wevtutil.exe' command-line utility being used to disable event logs, a common tactic employed by ransomware actors to evade detection and hinder forensic analysis on compromised Windows systems.

Detection of PowerShell commands to import AppLocker policy via Import-Module Applocker and Set-AppLockerPolicy, potentially used to enforce restrictive policies or disable security products like antivirus.

Detection of 'no logging message' command usage on Cisco ASA devices, potentially indicating an adversary suppressing security-critical log events to evade detection.

The rule detects creation, modification, or deletion of Kubernetes MutatingWebhookConfigurations or ValidatingWebhookConfigurations by non-system identities, allowing attackers to inject malicious sidecars, block security tooling, or exfiltrate pod specifications.

This brief covers the detection of adversaries disabling Windows Defender services by modifying specific registry keys to set the 'Start' value to '0x00000004', indicating an attempt to evade detection and maintain persistence.

This analytic detects modifications to the Windows registry that disable the display of hidden files, a technique commonly used by malware to evade detection and conceal malicious activities.

This analytic detects modifications to the Windows registry, specifically targeting the 'DisableRegistryTools' key, which is a common tactic used by malware for persistence and defense evasion by preventing the removal of malicious entries.

An attacker attempts to disable Windows Defender by deleting its context menu entry from the registry, a tactic often used by Remote Access Trojans (RATs) to impair defenses and facilitate further malicious activities.

Adversaries may create symbolic links to shadow copies to access sensitive files such as ntds.dit and browser credentials, enabling credential dumping using cmd.exe or powershell.exe.

Detection of O365 advanced audit being disabled for a specific user, potentially allowing attackers to operate with reduced risk of detection, leading to unauthorized data access, data exfiltration, or account compromise.

Detection of InstallUtil.exe making outbound network connections, which can indicate adversaries leveraging it to execute code and evade detection by proxying execution through a trusted system binary.

The Windows Downdate attack involves modifying specific registry keys to force a Windows downgrade, enabling exploitation of older, vulnerable versions, which this detection identifies through monitoring for the creation or modification of the pending.xml file in unusual locations.

A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, potentially indicating masquerading and defense evasion tactics.

Detects PowerShell scripts employing Base64 decoding combined with .NET decompression (Deflate/GZip) to deobfuscate and reconstruct malicious payloads in memory, evading traditional defenses.

This rule detects network connections initiated by hh.exe, the HTML Help executable, which may indicate the execution of malicious code embedded in compiled HTML files (.chm) to deliver malicious payloads, bypass security controls, and gain initial access via social engineering.

Detection of oversized command lines used by Python, PowerShell, Node.js, or Deno interpreters containing base64 decoding or encoded-command patterns, indicating potential evasion and malicious execution.

This rule detects registry modifications indicative of a new Windows Subsystem for Linux (WSL) distribution installation, a technique adversaries may leverage to evade detection by utilizing Linux environments within Windows.

Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls; this rule detects unusual processes initiated by MSBuild, such as PowerShell or C# compiler, signaling potential misuse for executing unauthorized or harmful actions.

This brief outlines detection strategies for adversaries leveraging Invoke-Obfuscation techniques within PowerShell scripts executed via standard input, a method commonly used to evade traditional detection mechanisms.

Detection of choice.exe used in batch files for time-based evasion, a technique observed in SnakeKeylogger malware, indicating potential stealthy code execution and persistence.

Adversaries may modify service security descriptors to deny access to specific groups, potentially escalating privileges and hindering security services, by using sc.exe to set new deny ACEs (Access Control Entries) on Windows services.

Attackers modify the Windows registry to disable the Folder Options feature, preventing users from showing hidden files and file extensions, commonly used by malware to conceal malicious files and deceive users with fake file extensions.

Detection of attempts to mount the EFI volume on Windows systems using mountvol.exe, potentially leading to system compromise.

Attackers modify Windows Registry keys associated with Windows Defender to disable real-time behavior monitoring, a common tactic used by malware to evade detection and persist on compromised systems.

Attackers may use auditpol.exe with the /restore argument to replace the existing audit policy with a malicious one, disabling auditing to evade detection, potentially leading to full machine compromise or lateral movement.

Detection of network connections initiated by unusual Windows system binaries, often leveraged by adversaries to proxy execution of malicious code and evade detection, indicating potential defense evasion and command and control activity.

Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.

Detects suspicious processes spawned by WScript or CScript, a common technique used by adversaries to execute LOLBINs, PowerShell, or inject code into suspended processes for defense evasion.

An adversary may attempt to bypass AMSI by creating a rogue AMSI DLL in an unusual location to evade detection.

Detects the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe to bypass defenses by proxying execution of malicious content with signed binaries.

This rule detects PowerShell scripts that build commands from concatenated string literals within dynamic invocation constructs, a technique used by attackers to obscure execution intent, bypass keyword-based detections, and evade AMSI.

Adversaries abuse the Console Window Host (conhost.exe) with the `--headless` argument to proxy execution of malicious commands, evading detection by blending in with legitimate Windows software.

Detection of attrib.exe being used with the +h flag to hide files and directories on Windows systems, a technique used by attackers for defense evasion and persistence.

Detection of adversaries disabling Windows Firewall rules using the `netsh.exe` command-line tool to weaken defenses and facilitate unauthorized network activity.

Adversaries may clear Windows event logs using `wevtutil.exe` to remove evidence of their activity and hinder forensic investigations.

An attacker modifies the Windows registry to disable Windows Defender Controlled Folder Access, a defense evasion technique that weakens protections against unauthorized access and ransomware.

Detection of processes loading Mozilla NSS/Mozglue libraries (mozglue.dll, nss3.dll) outside of known Mozilla applications, potentially indicating malware or unauthorized activity.

The use of `clip.exe` in conjunction with PowerShell and command-line obfuscation is used to evade detection.

Attackers can impair defenses by modifying or deleting findings and insights within AWS SecurityHub using API calls such as BatchUpdateFindings, DeleteInsight, UpdateFindings, and UpdateInsight.

An adversary modifies the AWS Identity Center identity provider configuration, potentially leading to persistent access and privilege escalation through user impersonation.

A PowerShell command attempting to remove the Windows Defender directory is detected via PowerShell Script Block Logging, potentially indicating an attacker's attempt to disable endpoint protection for further malicious activities.

The analytic detects the use of `dism.exe` to remove Windows Defender, potentially allowing adversaries to evade detection and carry out further malicious actions.

Detection of command execution via proxy using the Windows OpenSSH client (ssh.exe or sftp.exe) to bypass application control using trusted Windows binaries.

Attackers may disable Event Tracing for Windows (ETW) for the .NET Framework by modifying the ETWEnabled registry value, allowing them to evade endpoint detection and response (EDR) tools and hide malicious activity.

The rule identifies unusual instances of dllhost.exe making outbound network connections to non-local IPs, which may indicate adversarial Command and Control activity and defense evasion.

This detection identifies a Windows trusted program running from locations often abused by adversaries to masquerade as a trusted program and loading a recently dropped unsigned DLL, which indicates an attempt to evade defenses via side-loading a malicious DLL within the memory space of a signed process.

Adversaries may use MSBuild, a legitimate Microsoft tool, to execute malicious code through script interpreters for defense evasion and execution on Windows systems.

Attackers may use mounted devices as a non-standard working directory to execute signed binaries or script interpreters, evading traditional defense mechanisms, particularly when launched via explorer.exe.

Attackers abuse certutil.exe, a native Windows utility, to download/deobfuscate malware for command and control or data exfiltration, evading defenses.

This rule detects potential RemoteMonologue attacks by identifying attempts to perform session hijacking via COM object registry modification, specifically when the RunAs value is set to Interactive User.

Adversaries may abuse the Filter Manager Control Program (fltMC.exe) to unload filter drivers, thereby evading security software defenses such as malware detection and file system monitoring.

The Microsoft Build Engine (MSBuild) is being abused to perform process injection by creating threads in other processes, a technique used to evade detection and potentially escalate privileges.

This rule identifies process execution from suspicious default Windows directories, which adversaries may abuse to hide malware in trusted paths to evade defenses.

Adversaries may delete the volume USN Journal on Windows systems using `fsutil.exe` to eliminate evidence of post-exploitation file activity.

Adversaries may enable and use Windows Subsystem for Linux (WSL) using the Microsoft Dism utility to evade detection on Windows systems by running Linux applications and tools.

Attackers disable Windows SmartScreen protection by modifying specific registry keys to evade detection and facilitate malware deployment.

Detection of a Windows service being disabled via Event ID 7040, a common tactic used by adversaries to evade defenses and maintain control over compromised systems.

Attackers may enable the deprecated Windows AT command via registry modification to achieve local persistence or lateral movement.

The modification of root certificates on Windows systems by unauthorized processes can allow attackers to masquerade malicious files as valid signed components and intercept/decrypt SSL traffic, leading to defense evasion and data collection.

Attackers modify the Windows registry to disable Task Manager, preventing users from terminating malicious processes and allowing persistence.

Attackers may delete a scheduled task's Security Descriptor (SD) from the registry to remove evidence of the task for defense evasion.

Adversaries may use PowerShell with specific commands to disable HTTP logging on Windows systems to evade detection and hinder forensic investigations.

Attackers can enable host network discovery via netsh.exe to weaken host firewall settings, facilitating lateral movement by identifying other systems on the network.

This analytic detects suspicious modifications to system firewall rules to allow execution of applications from notable and potentially malicious file paths, indicating an attempt to bypass firewall restrictions for malicious code execution.

Attackers may disable the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet to enable lateral movement and command and control activity.

Attackers modify the Windows Filtering Platform (WFP) policy to block the communication of endpoint detection and response (EDR) processes, impairing their functionality and hindering detection of malicious activities.

Detection of icacls.exe, cacls.exe, or xcacls.exe being used to modify file or directory permissions, often used by APTs and coinminers for defense evasion and persistence.

This analytic detects suspicious modifications to the EventLog security descriptor registry value, specifically the 'CustomSD' value, within the registry path 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD', which can be used for defense evasion by attackers.

An attacker modifies the Windows EventLog ChannelAccess registry value to evade defenses by blocking security products from accessing event logs.

Detection of the Windows Event Log service shutdown, indicated by Event ID 1100, which can signify attempts to evade detection by disabling logging.

An attacker modifies the Windows registry to disable Windows Defender web content evaluation, potentially allowing malicious web content to bypass security checks and compromise the system.

The following analytic detects modifications to the Windows registry specifically targeting the 'WppTracingLevel' setting within Windows Defender, potentially impairing its diagnostic capabilities and allowing attackers to evade detection.

An attacker modifies the Windows Defender ThrottleDetectionEventsRate registry setting to reduce the frequency of logged detection events, potentially evading detection.

An attacker modifies the Windows Defender ThreatSeverityDefaultAction registry setting to weaken defenses, potentially leading to unaddressed threats and system compromise.

Attackers modify the Windows registry to disable SmartScreen prompt overrides, potentially allowing users to bypass security warnings and execute harmful content, leading to system compromise.

Attackers modify the Windows Registry to disable Windows Defender SmartScreen App Install Control, potentially allowing the installation of malicious web-based applications without restrictions, leading to system compromise and sensitive information exposure.

An attacker disables Windows Defender's signature retirement feature by modifying a registry key, potentially reducing its effectiveness in detecting threats by allowing older, less relevant signatures to persist.

An attacker modifies the Windows registry to disable the Windows Defender Scan On Update feature, potentially evading detection and establishing persistence.

Attackers modify the Windows registry to disable Windows Defender generic reports, preventing error reports and potentially hiding malicious activity.

The following analytic detects modifications to the Windows registry that disable the Windows Defender real-time signature delivery feature, preventing timely malware definition updates and potentially leading to system compromise.

An attacker modifies the Windows Registry to disable Windows Defender protocol recognition, hindering its ability to detect and respond to malware, potentially leading to successful data exfiltration or system compromise.

Detection of Windows Defender profile registry key deletion, indicating potential defense evasion by malware or threat actors aiming to disable security controls.

The analytic detects modifications to the Windows registry that disable the Windows Defender phishing filter, potentially allowing attackers to deceive users into visiting malicious websites without browser warnings.

This analytic detects modifications to the Windows registry to disable Windows Defender Network Protection, potentially leaving the system vulnerable to network-based threats.

An attacker modifies the Windows Defender MpEngine registry value to disable key features, potentially allowing malware to evade detection.

Attackers may disable Windows Defender logging by modifying specific registry keys to evade detection and conceal malicious activities.

Attackers modify the Windows registry to disable Windows Defender's infection reporting, preventing detailed threat information from reaching Microsoft and potentially allowing malware to evade detection.

Attackers may disable Windows Defender's ability to compute file hashes by modifying the EnableFileHashComputation registry value, impairing its malware detection capabilities.

Adversaries may attempt to bypass Windows Defender's capabilities by using PowerShell to add exclusions for folders or processes, and this activity can be detected by monitoring PowerShell command lines that use `Add-MpPreference` or `Set-MpPreference` with exclusion parameters.

Adversaries modify Windows Defender exclusion registry entries to bypass antivirus and execute malicious code undetected, potentially leading to persistence and further malicious activities.

Adversaries use Add-MpPreference or Set-MpPreference commands to add exclusions in Windows Defender, allowing malicious code to execute undetected, and this activity can be detected via Endpoint Detection and Response (EDR) agents.

An attacker modifies the Windows Registry key 'DisableAntiSpyware' to disable Windows Defender, a technique commonly associated with Ryuk ransomware to evade defenses.

Adversaries tamper with Windows Defender's Attack Surface Reduction (ASR) rules or threat default actions using Add-MpPreference or Set-MpPreference commands, aiming to bypass the security tool for undetected malicious code execution.

Attackers modify the Windows Registry to disable auditing for Windows Defender Application Guard, hindering security monitoring and enabling malicious activity to go unnoticed.

Attackers modify Windows Defender registry settings to disable antivirus and antispyware protections, evading detection and maintaining persistence.

This analytic detects registry modifications that disable the Control Panel on Windows systems by monitoring changes to the registry path '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel' with a value of '0x00000001', which is commonly used by malware to prevent users from accessing the Control Panel and hindering remediation efforts.

An attacker disables Windows AutoLogger sessions by modifying specific registry values to evade defenses and blind EDR and log ingest tools.

Adversaries may clear the global object access auditing policy using `auditpol.exe` with the `/resourceSACL` flag and either `/clear` or `/remove` arguments to evade detection by removing audit configurations.

Adversaries may attempt to disable or modify security tools to evade detection; this analytic identifies the execution of `auditpol.exe` with the `/set` and `/exclude` command-line arguments to exclude specific users' events from audit logs, potentially evading detection and enabling further malicious activities.

Adversaries may disable Windows audit policies using the legacy auditpol.exe utility to evade detection by limiting the data available for security monitoring and incident response.

Detection of disabled important audit policies via Windows EventCode 4719, indicating potential attacker attempts to evade detection on a compromised domain controller, leading to data theft, privilege escalation, and network compromise.

The execution of `auditpol.exe` with the `/clear` or `/remove` command-line arguments indicates potential defense evasion by adversaries or Red Teams, aiming to limit data that can be leveraged for detections and audits, potentially leading to full machine compromise or lateral movement.

An attacker attempts to stop security services on a Windows endpoint using sc.exe, net.exe, or PowerShell Stop-Service cmdlet to weaken defenses for further malicious activity.

Attackers disable Windows application hotkeys by modifying specific registry entries to hinder incident response and evade detection.

Detection of disabled audit policies on a Windows domain controller by monitoring Windows Security Event Logs for EventCode 4719, indicative of an attacker attempting to evade detection and potentially leading to data theft, privilege escalation, and full network compromise.

Adversaries may leverage unusual system utilities such as Microsoft.Workflow.Compiler.exe, bginfo.exe, cdb.exe, cmstp.exe, csi.exe, dnx.exe, fsi.exe, ieexec.exe, iexpress.exe, odbcconf.exe, rcsi.exe and xwizard.exe to execute code and evade detection, as identified by network connections originating from these processes.

This analytic detects unexpected shutdowns of the Linux auditd daemon, potentially indicating attempts to disable security monitoring and evade detection by attackers.

This analytic identifies the use of the WMIC command-line tool to uninstall applications non-interactively, a technique used to evade detection by removing security software, as observed in IcedID campaigns.

Detection of scrobj.dll loaded into unusual Microsoft processes indicates potential malicious scriptlet execution for defense evasion and execution by abusing legitimate system binaries.

Attackers may execute malicious code from unusual file paths such as Windows fonts or debug directories to evade defenses and gain unauthorized access, as detected by endpoint detection and response (EDR) agents.

The native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection may indicate an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.

Detection of msbuild.exe execution from a non-standard path, indicating potential attempts to evade detection and execute malicious code.

Detects suspicious child processes of Microsoft Office applications, indicating potential exploitation or malicious macros for initial access, defense evasion, and execution.

Adversaries may modify the Windows Security Support Provider (SSP) configuration in the registry to establish persistence or evade defenses.

Detection of the renaming of microsoft.workflow.compiler.exe, a technique used by attackers to evade security controls and potentially execute arbitrary code for privilege escalation or persistence.

Detects suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances, which may indicate an attempt to evade defenses through DLL side-loading or masquerading.

Adversaries may leverage the Windows Subsystem for Linux (WSL) to execute malicious Linux commands, bypassing traditional Windows security measures, detected by monitoring process execution and command-line arguments.

This rule detects suspicious parent processes of endpoint security solutions such as Elastic Defend, Microsoft Defender, and SentinelOne, indicating potential process hollowing or code injection attempts to evade detection.

Attackers may use csc.exe to compile .NET code on the fly to evade detection, often placing the compiler and source code in suspicious locations, which can be detected by monitoring process creation events.

This threat involves the suspicious copying of files from or to Windows system directories (System32, SysWOW64, WinSxS) using command-line tools, often employed by attackers to relocate LOLBINs for defense evasion.

Detection of PowerShell commands used to import AppLocker XML policies, potentially indicating an attempt to bypass security controls, as observed with Azorult malware.

A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.

Attackers can abuse Windows Work Folders to execute a masqueraded control.exe file from untrusted locations, potentially bypassing application controls for defense evasion and privilege escalation.

This rule detects the execution of renamed utilities with a single-character process name, differing from the original filename, a common technique used by adversaries for staging, executing temporary utilities, or bypassing security detections.

Modification of the AppInit DLLs registry keys on Windows systems allows attackers to execute code in every process that loads user32.dll, establishing persistence and potentially escalating privileges.

An adversary may enable Remote Desktop Protocol (RDP) access by modifying the `fDenyTSConnections` registry key, potentially indicating lateral movement preparation or defense evasion.

Detection of adversaries deleting the Raccine Rules Updater scheduled task via `schtasks.exe` to disable the ransomware protection tool, potentially leading to data encryption and loss.

Attackers are using PowerShell commands with specific Set-MpPreference parameters to disable Windows Defender's real-time behavior monitoring, a common tactic for malware to evade detection and persist on compromised systems.

Adversaries employ token obfuscation techniques within PowerShell commands to evade detection by security tools, leveraging methods such as character insertion, string concatenation, and environment variable manipulation to mask their malicious intent.

PowerShell scripts employing .NET cryptography APIs are used to encrypt data for impact or decrypt payloads for defense evasion.

This rule detects PowerShell scripts employing string concatenation to evade static analysis and AMSI by fragmenting keywords or URLs at runtime.

Detects PowerShell scripts using character array reconstruction to hide commands, URLs, or payloads, evading static analysis and AMSI.

Adversaries may masquerade malicious processes as legitimate Windows Error Reporting processes (WerFault.exe or Wermgr.exe) to evade detection by establishing network connections without arguments, thus blending into normal system activity.

Detects potential DLL sideloading of vcruntime140.dll, a common C++ runtime library, often used by threat actors like APT29 (via WinELOADER) to load malicious payloads under the guise of legitimate applications, leading to defense evasion, persistence, and privilege escalation.

This rule detects PowerShell scripts heavily obfuscated with whitespace and special characters, often used to evade static analysis and AMSI, by identifying scripts with low symbol diversity and a high proportion of whitespace and special characters.

Attackers may attempt to evade defenses by masquerading malicious processes as legitimate communication applications such as Slack, WebEx, Teams, Discord, RocketChat, Mattermost, WhatsApp, Zoom, Outlook and Thunderbird.

This rule detects the execution of known Windows utilities often abused to dump LSASS memory or the Active Directory database (NTDS.dit) in preparation for credential access by identifying specific command-line arguments and process names associated with credential dumping activities.

Attackers modify the NullSessionPipe registry setting in Windows to enable anonymous access to named pipes, potentially facilitating lateral movement and unauthorized access to network resources.

Mshta.exe making outbound network connections may indicate adversarial activity, as it is often used to execute malicious scripts and evade detection by proxying execution of untrusted code.

Adversaries are leveraging MSBuild, a Microsoft Build Engine, to execute malicious code by initiating it from system processes such as Explorer or WMI to evade defenses and execute unauthorized actions.

Detects the suspicious spawning of MSBuild.exe by Windows Script Host processes (cscript.exe or wscript.exe), a behavior often associated with malware executing malicious MSBuild processes via scripts.

The execution of MpCmdRun.exe with the '-RemoveDefinitions' argument, used to remove definitions from the Windows Malware Protection Engine, can indicate potential malware activity or attempts to bypass security measures.

Adversaries may disable or tamper with Microsoft Defender features via registry modifications to evade detection and conceal malicious behavior on Windows systems.

Attackers may rename the Microsoft Build Engine (MSBuild) executable to evade detection and proxy execution of malicious code.