Newest rules

Suspicious PowerShell Download and Execute Pattern
level
status experimental

Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend matches the strings case-insensitively).

Enable Microsoft Dynamic Data Exchange
level
status experimental

Enable Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word or Excel.

Suspicious Windows Update Agent Empty Cmdline
level
status experimental

Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags.

Suspicious MSExchangeMailboxReplication ASPX Write
level
status experimental

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation.

Parent in Public Folder Suspicious Process
level
status experimental

This rule detects suspicious processes whose parent images are located in the C:\Users\Public folder.
