- Adobe Reader (reader_sl.exe): Adobe Reader, for no apparent reason, starts a subprocess using the command line "I run".
- Network Detective Data Collector (nddc.exe): WMIExec-ish NDDC.
- Windows Terminal
- Edge/Chromium Browsers: Bizarre sub-processes.
- Windows TCP Connections on High Ports: Windows uses random high service ports for a variety of functions.
- Nim Lang install binaries: The Nim language installer binaries in certain versions trigger Windows Defender.
- Nutanix Guest Tools: Yet another base64-loving process.
- SenseIR.exe: How much can an EDR look like malware?
- Skype.exe: It runs whoami because it's lost.
- explorer.exe: Guests are not invited to Everyone shares.
- gc_worker.exe: Base64-encoded PowerShell from Azure's own agent!
- iManage Document Protection: Random file extensions from iManage.
- HostedAgent.exe: Whoami? HostedAgent, of course!
- SenseNdr.exe: SenseNDR base64 encoding.
- AvastSvc.exe: Avast scans your network on the sly.
- EaseUS spaceman.exe: EaseUS and bizarre Scheduled Tasks.
- ESET Protection Suite: Everybody loves a big DNS query!
- McAfee Antivirus: McAfee also loves big DNS queries!
- ArcGISPortal.exe: Not just bad guys run whoami.
- PanGpHip.exe: Palo Alto GP Firewall HIP check runs whoami.exe as SYSTEM.
- Samsung MobileWips: Bizarre DNS requests on Samsung phones.
- Snow Inventory Agent for Windows: Yet another PowerShell weirdo.
- SentinelOne: EDRs 🤝 Malware Encoded PowerShell.
- Ivanti Endpoint Manager: Ivanti does some weird stuff.
- Adobe Genuine Monitor Service: A little LSASS, as a treat.
- Noregon Fake Windows Components: Named after legitimate Windows binaries, in the wrong location.
- Bloodhound.exe: Not the Bloodhound you're thinking of.
- RingCentral.exe: How to look like malware, by RingCentral.
- LogMeIn and CScript: Who doesn't love CScript?
- Sophos Web Protection (sophosxl.net): Do you like giant DNS queries? Sophos does.
- CCM.exe (SCCM): Windows Config Manager CCM.exe runs base64-encoded PowerShell.
- Startupscan.dll: Windows being sus? Inconceivable!
- Cisco Jabber: Cisco enumerates your system.
- IBM Storage Insights Data Collector: IBM creates WMI false positives.
- JetBrains binaries invoke WMI: JetBrains queries security tools.
- draw.io.exe: Nothing to see here.
- SecurityHealthService.exe unprotects LSA: Who needs protection? Not LSA!
- OpenVAS runs WMIExec: TFW the vuln scanner runs offensive tools.
- IBM's pcsnp.exe triggers SYSTEM cmd.exe: IBM's pcsnp.exe just... what?
- Teramind's dwm.exe: Nacho dwm.
- EndpointBasecamp.exe, RiskIndexCollector.exe: A little wmic enumeration.
- ESET AV Module (ekrn.exe): What is it with antivirus and weird DNS?
- Adobe CC Setup: Adobe performs... process injection??
- Veritas Backup Agent (Symantec): Another bin with an identity crisis.
- Microsoft Managed Desktop Agent: Microsoft loves to look like malware, huh?
- Podman Desktop: Podman Desktop writes .vbs to the Startup folder.
- DTS Sound Unbound Ransomware File Extension: Services created as part of this application's installation and usage will create or rename files with a .crypt extension.
- Block64 Uses Impacket
- pia-daemon ICMP Flood: pia-daemon emits 'ICMP Flood' behavior every minute. This is a 'latency check' used for server selection.
- Jamf Nation: IP Geo-Location Extension Attribute closely resembles keylogger behavior.