description: The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and ...
Detects attempts to modify the registry using VBScript's CreateObject("Wscript.shell") and RegWrite methods via common LOLBINs. It could be an attempt to modify the registry for persistence without ...
The domain and IP addresses involved do not appear in any previously documented incidents, and the malware does not share any code similarities with previously known malicious software. Since this ...