Execution

A suspicious Zoom child process was detected, indicating a potential attempt to run unnoticed by masquerading as Zoom.exe or exploiting a vulnerability, resulting in the execution of cmd.exe, powershell.exe, pwsh.exe, or powershell_ise.exe.

This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.

This rule detects potential DLL side-loading attempts by identifying instances of Windows trusted programs (WinWord.exe, EXPLORER.EXE, w3wp.exe, DISM.EXE) being started after being renamed or from a non-standard path, which is a common technique to evade defenses by side-loading a malicious DLL into the memory space of a trusted process.

This rule detects command shell activity, such as cmd.exe or powershell.exe, initiated by RunDLL32, a technique commonly abused by attackers to execute malicious code and bypass security controls.

Adversaries abuse AWS Systems Manager (SSM) Session Manager to gain remote execution and lateral movement within AWS environments by spawning malicious child processes from the SSM session worker, leveraging legitimate AWS credentials and IAM permissions.

Multiple vulnerabilities in CUPS allow an attacker to bypass security measures, execute arbitrary code, escalate privileges, manipulate data, or cause a denial-of-service condition.

Multiple vulnerabilities in the Red Hat Linux kernel allow for arbitrary code execution, privilege escalation, and remote denial of service.

OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that allows attackers to bypass strictInlineEval explicit-approval requirements on gateway and node exec hosts, leading to arbitrary command execution.

Adversaries are increasingly targeting macOS environments, leveraging native tools like Remote Application Scripting (RAS) and Spotlight metadata to bypass security controls for remote code execution and lateral movement.

CVE-2026-32157 is a use-after-free vulnerability in the Remote Desktop Client that allows an unauthorized attacker to execute code over a network.

An AWS Systems Manager (SSM) command document creation by a user or role who does not typically perform this action, which can lead to unauthorized access, command and control, or data exfiltration.

Detection of Living Off the Land Binaries (LOLBins) or GTFOBins execution on EC2 instances via AWS Systems Manager (SSM) SendCommand API, potentially indicating malicious activity.

Malicious actors are exploiting OpenClaw, Moltbot, and Clawdbot AI coding agents via Node.js to execute arbitrary shell commands and download-and-execute commands, potentially targeting cryptocurrency wallets and credentials.

JetAudio jetCast Server 2.0 is vulnerable to a stack-based buffer overflow in the Log Directory configuration, enabling local attackers to overwrite structured exception handling pointers and execute arbitrary code.

Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.

The 'env' command is used to invoke a shell on Linux systems, potentially bypassing restricted environments or escalating privileges to execute arbitrary commands.

The rule identifies the loading of unusual or unsigned DLLs by the DNS Server process, which can indicate exploitation of the ServerLevelPluginDll functionality, potentially leading to privilege escalation and remote code execution with SYSTEM privileges.

Adversaries may use Microsoft Management Console (MMC) files from untrusted paths to bypass security controls for initial access and execution on Windows systems.

This rule identifies suspicious child processes spawned by ScreenConnect client processes, potentially indicating unauthorized access and command execution abusing ScreenConnect remote access software to perform malicious activities such as data exfiltration or establishing persistence.

The use of scripting engines like WScript and CScript to modify the Windows registry can indicate an attempt to bypass standard tools and evade defenses, potentially for persistence or other malicious activities.

Attackers are using Windows script interpreters (cscript.exe or wscript.exe) to download executable files from remote locations to deliver second-stage payloads or download tools.

Attackers may configure existing services or create new ones to execute system shells to elevate their privileges from administrator to SYSTEM, using services.exe as the parent process of the shell.

The rule identifies unexpected executable file creation or modification by critical Windows processes, potentially indicating remote code execution or exploitation attempts.

This rule identifies attempts to execute Jscript/Vbscript files from an archive file, a common delivery method for malicious scripts on Windows systems.

Detection of executable files created with multiple extensions, a masquerading technique to evade defenses.

This rule detects the execution of curl or wget from within runc-backed containers on Linux systems monitored by Auditd Manager, indicating potential ingress tool transfer or data exfiltration by attackers who have compromised the container.

This rule detects suspicious execution of scripts via WMIC, potentially used for allowlist bypass, by identifying WMIC executions with atypical arguments and the loading of specific libraries like jscript.dll or vbscript.dll for defense evasion and execution.

Adversaries may load unsigned DLLs into svchost.exe to establish persistence or escalate privileges, leveraging a shared Windows service to execute malicious code with elevated permissions.

The rule identifies unusual outbound network connections on non-standard ports originating from web server processes on Linux systems, indicative of potential web shell activity or unauthorized communication.

The Microsoft Build Engine (MSBuild) being started by an Office application is unusual behavior and could indicate a malicious document executing a script payload for defense evasion.

Adversaries may exploit Windows Management Instrumentation (WMI) to execute code stealthily, bypassing traditional security measures by loading `wmiutils.dll` from Microsoft Office applications, potentially indicating malicious execution.

Adversaries may exploit PDF reader applications to execute arbitrary commands and establish a foothold within a system, often launching built-in utilities for reconnaissance and privilege escalation.

This detection rule identifies downloaded .url shortcut files on Windows systems, often used in phishing campaigns, by monitoring their creation events and flagging those from non-local sources, enabling early threat detection.

The Windows Update Auto Update Client (wuauclt.exe) is being abused to load arbitrary DLLs, a defense evasion technique where malicious activity blends with legitimate Windows software by using specific process arguments and placing DLLs in writable paths.

Adversaries may conceal malicious code in compiled HTML files (.chm) and deliver them to a victim for execution, using the HTML Help executable (hh.exe) to proxy the execution of scripting interpreters and bypass security controls.

This rule detects potentially malicious .lnk shortcut files downloaded from outside the local network on Windows systems, which are commonly used in phishing campaigns.

This rule identifies execution of suspicious programs via scheduled tasks by looking at process lineage and command line usage, detecting processes such as cscript.exe, powershell.exe, and cmd.exe when executed from suspicious paths like C:\Users\ and C:\ProgramData\.

This rule detects network connections initiated by hh.exe, the HTML Help executable, which may indicate the execution of malicious code embedded in compiled HTML files (.chm) to deliver malicious payloads, bypass security controls, and gain initial access via social engineering.

Detection of oversized command lines used by Python, PowerShell, Node.js, or Deno interpreters containing base64 decoding or encoded-command patterns, indicating potential evasion and malicious execution.

Adversaries may exploit MSBuild to execute malicious scripts or compile code, bypassing security controls; this rule detects unusual processes initiated by MSBuild, such as PowerShell or C# compiler, signaling potential misuse for executing unauthorized or harmful actions.

Detects suspicious process access events where the call trace does not originate from known Windows system DLLs, indicating potential defense evasion by bypassing hooked APIs via direct syscalls.

This rule detects suspicious execution of system enumeration commands by the Windows Management Instrumentation Provider Service (WMIPrvSE), indicating potential reconnaissance or malicious activity on Windows systems.

Malware may execute scripts from suspicious directories accessible via environment variables using script interpreters like cscript, wscript, mshta, and powershell to evade detection.

Detection of PowerShell processes launched by cscript.exe or wscript.exe, indicative of potential malicious initial access or execution attempts.

The use of `clip.exe` in conjunction with PowerShell and command-line obfuscation is used to evade detection.

This rule identifies instances where the PowerShell engine is loaded by processes other than powershell.exe, potentially indicating attackers attempting to use PowerShell functionality stealthily by using the underlying System.Management.Automation namespace and bypassing PowerShell security features.

Adversaries may use MSBuild, a legitimate Microsoft tool, to execute malicious code through script interpreters for defense evasion and execution on Windows systems.

Attackers may use mounted devices as a non-standard working directory to execute signed binaries or script interpreters, evading traditional defense mechanisms, particularly when launched via explorer.exe.

This rule identifies process execution from suspicious default Windows directories, which adversaries may abuse to hide malware in trusted paths to evade defenses.

The rule identifies the use of Windows script interpreters (cscript.exe or wscript.exe) executing a process via Windows Management Instrumentation (WMI), which may indicate malicious activity, especially when initiated by non-system accounts.

The detection rule identifies cmd.exe instances spawned by uncommon parent processes, such as lsass.exe, csrss.exe, or regsvr32.exe, which may indicate unauthorized or suspicious activity, thus aiding in early threat detection.

Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.

Detection of scrobj.dll loaded into unusual Microsoft processes indicates potential malicious scriptlet execution for defense evasion and execution by abusing legitimate system binaries.

The native Windows tools regsvr32.exe, regsvr64.exe, RegSvcs.exe, or RegAsm.exe making a network connection may indicate an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.

Detects suspicious child processes of Microsoft Office applications, indicating potential exploitation or malicious macros for initial access, defense evasion, and execution.

This rule detects suspicious mofcomp.exe activity, which attackers may leverage MOF files to manipulate the Windows Management Instrumentation (WMI) repository for execution and persistence by filtering out legitimate processes and focusing on unusual executions, excluding known safe parent processes and system accounts.

Detects suspicious execution of the Microsoft Antimalware Service Executable (MsMpEng.exe) from non-standard paths or renamed instances, which may indicate an attempt to evade defenses through DLL side-loading or masquerading.

Detection of taskschd.dll image loads from Microsoft Office applications indicates potential COM-based scheduled task creation for persistence, bypassing traditional schtasks.exe usage.

Adversaries may leverage the Windows Subsystem for Linux (WSL) to execute malicious Linux commands, bypassing traditional Windows security measures, detected by monitoring process execution and command-line arguments.

Malicious VS Code extensions can execute arbitrary commands, leading to initial access and subsequent payload deployment on Windows systems.

Detection of on-demand execution of Windows Scheduled Tasks via the schtasks.exe command-line utility, a common technique for persistence and lateral movement.

The creation of scheduled tasks from a remote source via RPC, where the RpcCallClientLocality and ClientProcessId are 0, indicates potential adversary lateral movement within a Windows environment.

Adversaries can leverage Windows Management Instrumentation (WMI) to establish persistence by creating event subscriptions that trigger malicious code execution when specific events occur, using tools like wmic.exe to create event consumers.

Adversaries are leveraging MSBuild, a Microsoft Build Engine, to execute malicious code by initiating it from system processes such as Explorer or WMI to evade defenses and execute unauthorized actions.

Attackers may rename the Microsoft Build Engine (MSBuild) executable to evade detection and proxy execution of malicious code.

Attackers use Invoke-Obfuscation, a PowerShell obfuscation framework, to generate obfuscated IEX (Invoke-Expression) commands, evading detection and executing malicious code.

This detection identifies attempts to execute programs from the Windows Subsystem for Linux (WSL) to evade detection by flagging suspicious executions initiated by WSL processes and excluding known safe executables.

This rule detects the creation, modification, or deletion of DLL files within Windows SxS local folders, which could indicate an attempt to execute malicious payloads by abusing shared module loading.

This rule identifies the creation and subsequent execution of a Windows script downloaded from the internet, a technique used by adversaries for initial access and execution on Windows systems.

Adversaries may create executables or scripts in temporary directories to evade detection, maintain persistence, and execute unauthorized code on Windows systems.

Adversaries may use the New-MailboxExportRequest PowerShell cmdlet to export mailboxes in Exchange, potentially leading to sensitive information theft.

This brief focuses on detecting the execution of Python one-liners utilizing base64 decoding functions on Linux systems, a technique employed by malicious actors to obfuscate and execute payloads, thereby evading traditional security measures.

Detection of a sequence of AWS EC2 management API calls indicative of malicious modification of instance user data to execute arbitrary code upon instance restart, potentially leading to privilege escalation and persistence.

Detects the execution of .NET utilities by script processes from unusual locations, indicative of signed binary proxy execution for defense evasion and code execution.

Detects suspicious PsExec activity where the PsExec service component is executed using a custom name, indicating an attempt to evade detections that look for the default PsExec service component name.

This rule detects PowerShell loading the Task Scheduler COM DLL followed by an outbound RPC network connection, potentially indicating lateral movement or remote discovery via scheduled tasks.

Adversaries use PowerShell to execute malicious code stored in environment variables, leveraging Invoke-Expression or its aliases to bypass static analysis and execute payloads dynamically, as seen in malware loaders and stagers like the VIP Keylogger.

This analytic identifies the creation of executables or scripts in suspicious file paths on Windows systems, where adversaries often use these paths to evade detection and maintain persistence, potentially leading to unauthorized code execution, privilege escalation, or persistence within the environment.

This rule identifies remote scheduled task creations on a target Windows host, potentially indicating lateral movement by adversaries, by monitoring network connections and registry modifications related to task scheduling.

This brief covers a detection for suspicious script execution, such as PowerShell, WScript, or MSHTA, originating from common temporary directories, potentially indicating malware activity.

Adversaries may use ping to delay execution of malicious commands, scripts, or binaries to evade detection, often observed during malware installation.

Detection of rapid creation and deletion of scheduled tasks on Windows, indicating potential malicious activity abusing the task scheduler for execution and cleanup.

Detection of cmd.exe being spawned by svchost.exe, which is an unusual behavior indicative of potential masquerading or privilege escalation attempts on Windows systems.

Adversaries abuse the trusted status of explorer.exe to launch malicious scripts or executables, often using DCOM to start processes like PowerShell or cmd.exe, achieving initial access, defense evasion, and execution.

This alert identifies suspicious network connections initiated by the command prompt (cmd.exe) when executed with arguments indicative of script execution, remote resource access, or originating from Microsoft Office applications, which is a common tactic for downloading payloads or establishing command and control.

Detection of Service Control (sc.exe) being spawned from script interpreter processes, such as PowerShell or cmd.exe, to create, modify, or start services, which may indicate privilege escalation or persistence attempts by an attacker.

Adversaries may abuse Xwizard, a Windows system binary, to execute Component Object Model (COM) objects created in the registry to evade defensive countermeasures by proxying execution through a legitimate system tool.

Detection of remote execution of Windows services over RPC by correlating `services.exe` network connections and spawned child processes, potentially indicating lateral movement.

Adversaries compromising GitHub Actions workflows can execute arbitrary commands on runner hosts, leading to code execution, reconnaissance, credential harvesting, or network exfiltration.