CCM.exe (SCCM)
Contributed By: mttaggart
Windows Configuration Manager's CCM.exe runs base64-encoded PowerShell.
PanGpHip.exe
Contributed By: mttaggart
The Palo Alto GlobalProtect HIP check (PanGpHip.exe) runs whoami.exe as SYSTEM.
Skype.exe
Contributed By: g1ng3rr00t
It runs whoami because it's lost.
Nim Lang install binaries
Contributed By: HuskyHacks
The Nim language install binaries in certain versions are flagged by Windows Defender.
Windows TCP Connections on High Ports
Contributed By: Ductape and Dreams
Windows services listen on randomly assigned high ports for a variety of functions.
Edge/Chromium Browsers
Contributed By: mttaggart
Browsers based on Chromium will launch several sub-processes that look extremely suspicious.
Windows Terminal
Contributed By: mttaggart
Windows Terminal runs `wsl --list` to discover installed WSL distributions to add as profiles.
Network Detective Data Collector (nddc.exe)
Contributed By: Dray Agha (@purp1ew0lf)
The Network Detective Data Collector executable produces activity resembling Impacket's wmiexec/smbexec, a common false positive.
Adobe Reader (reader_sl.exe)
Contributed By: 59e5aaf4
Adobe Reader starts a subprocess with the command line "I run", for no apparent reason.
Sophos Web Protection (sophosxl.net)
Contributed By: mttaggart
Sophos Web Protection performs odd DNS lookups to sophosxl.net.
LogMeIn.exe
Contributed By: t3chn1qu3_/WSP (@t3chn1qu3_WSP)
LogMeIn runs `avfilter.js` via cscript to check what AV is running on your system.
RingCentral.exe
Contributed By: t3chn1qu3_/WSP (@t3chn1qu3_WSP)
The binary installs deep in AppData and drops a `setDefaultAppByProtcol.vbs` script.
Bloodhound.exe
Contributed By: Dray Agha (@purp1ew0lf)
Silver Bullet Technology's Ranger runs an executable called `Bloodhound.exe`.
Noregon Fake Windows Components
Contributed By: Matt Anderson
Noregon installs binaries named after legitimate Windows components, but in the wrong locations.
Adobe Genuine Monitor Service
Contributed By: g1ng3rr00t
`AGMService.exe` opens and reads from the LSASS process.
Ivanti Endpoint Manager
Contributed By: Micah Babinski (mbabinski)
Ivanti Endpoint Manager produces fragmented, seemingly random strings containing special Unicode characters.
SentinelOne
Contributed By: Dray Agha (@purp1ew0lf)
A SentinelOne PowerShell script contains indicators that look malicious.
Snow Inventory Agent for Windows
Contributed By: Luke Humberdross (@ukejjh)
Snow Inventory Agent for Windows runs some incredibly sketchy PowerShell.
Samsung MobileWips
Contributed By: Micah Babinski (@mbabinski)
An Android wireless security app queries Tor sites, triggering network alerts.
ArcGISPortal.exe
Contributed By: Dray Agha (@purp1ew0lf)
ArcGIS joins the ranks of apps asking the age-old question: whoami?
McAfee Antivirus
Contributed By: Petr Špaček (@pspacek)
McAfee Antivirus performs bizarre DNS lookups.
ESET Protection Suite
Contributed By: Petr Špaček (@pspacek)
ESET Protection Suite performs bizarre DNS lookups.
spaceman.exe
Contributed By: Michael Weber "mthrfcknruckus" (@mjweber915)
EaseUS Partition Manager installs odd files (including spaceman.exe) into System32.
AvastSvc.exe
Contributed By: mttaggart
Avast Antivirus attempts SSH connections to neighboring hosts.
SenseNdr.exe
Contributed By: Bumbucha
SenseNdr.exe is not shy about base64.
HostedAgent.exe
Contributed By: Biffalo
The Trend Micro agent (HostedAgent.exe) runs `whoami.exe`.
iManage Document Protection
Contributed By: Chris Beckett (@cbecks_2)
iManage Document Protection creates random suspicious-looking files.
gc_worker.exe
Contributed By: rcegan
The Azure Connected Machine Agent (gc_worker.exe) runs base64-encoded PowerShell.
explorer.exe
Contributed By: ygil1234
Sharing a folder to "Everyone" causes a Guest login attempt.
SenseIR.exe
Contributed By: Adam Ponce (@adamcysec)
SenseIR.exe, a Windows Defender component, executes base64-encoded scripts.
Nutanix Guest Tools
Contributed By: Micah Babinski (@mbabinski)
Nutanix Guest Tools runs base64-encoded PowerShell.
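Several entries on this page are the same triage problem seen twice: whoami.exe spawned by a legitimate parent (PanGpHip.exe, Skype.exe, ArcGISPortal.exe, HostedAgent.exe) and base64-encoded PowerShell spawned by a legitimate parent (CCM.exe, gc_worker.exe, SenseIR.exe, Nutanix Guest Tools). The script below is an added example, not code from this page or from any of the vendors listed. It takes Sysmon-style process-creation events, allow-lists the parents this page names, and decodes any -EncodedCommand payload so the analyst reviews the actual command rather than the blob. Assumptions: field names follow Sysmon Event ID 1, the sample events and their paths are constructed here, and the allowlists key on the parent's file name only (a production rule should pin the full signed path and publisher; Nutanix is omitted because the page does not name its binary).

```python
"""Triage for two false-positive patterns: whoami.exe from a known parent,
and base64-encoded PowerShell from a known parent.
Added example; allowlists are taken from this page and are an assumption to tune."""
import base64
import binascii
import ntpath
import re

# Parents this page reports as legitimately running whoami.exe (name-only match; assumption).
WHOAMI_BENIGN_PARENTS = {"pangphip.exe", "skype.exe", "arcgisportal.exe", "hostedagent.exe"}
# Parents this page reports as legitimately running base64-encoded PowerShell (assumption).
ENCODED_PS_BENIGN_PARENTS = {"ccm.exe", "gc_worker.exe", "senseir.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts -EncodedCommand, -e, -ec, and any prefix of the full name.
_ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}
# A switch token followed by a base64-looking argument.
_ENC_RE = re.compile(r"(?:^|\s)[-/](\w+)\s+([A-Za-z0-9+/=]+)")


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def find_encoded_blob(cmdline):
    """Return the base64 argument of an -EncodedCommand style switch, or None if absent."""
    for m in _ENC_RE.finditer(cmdline):
        if m.group(1).lower() in _ENC_FLAGS:
            return m.group(2)
    return None


def decode_blob(blob):
    """Decode an -EncodedCommand blob (base64 over UTF-16LE); None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(event):
    """Classify one process-creation event. Returns a verdict dict, or None if no rule applies."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    if image == "whoami.exe":
        verdict = "allow" if parent in WHOAMI_BENIGN_PARENTS else "alert"
        return {"rule": "whoami", "parent": parent, "verdict": verdict}
    if image in POWERSHELL_IMAGES:
        blob = find_encoded_blob(event["CommandLine"])
        if blob is None:
            return None  # not encoded; out of scope for this rule
        decoded = decode_blob(blob)
        # An undecodable payload from any parent is worth a look, so it alerts too.
        ok = parent in ENCODED_PS_BENIGN_PARENTS and decoded is not None
        return {"rule": "encoded_powershell", "parent": parent,
                "decoded": decoded, "verdict": "allow" if ok else "alert"}
    return None


def triage_all(events):
    """Run triage over a list of events, dropping events no rule matched."""
    return [r for r in (triage(e) for e in events) if r is not None]


def encode_ps(script):
    """Build an -EncodedCommand argument the way powershell.exe expects (used for samples only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events, not real telemetry; paths are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Program Files\Palo Alto Networks\GlobalProtect\PanGpHip.exe",
     "CommandLine": "whoami.exe"},
    {"Image": r"C:\Windows\System32\whoami.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "whoami /all"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\CCM\CCM.exe",
     "CommandLine": "powershell.exe -NoProfile -enc " + encode_ps("Get-Date")},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell -EncodedCommand " + encode_ps("Start-Process notepad.exe")},
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_EVENTS):
        print(result)
```

Running it prints an allow for whoami under PanGpHip.exe and for the decoded `Get-Date` under CCM.exe, and alerts for whoami under cmd.exe and for the encoded command under WINWORD.EXE, with the decoded text attached to each PowerShell verdict.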
Cisco Jabber
Contributed By: Alex Walston (@4ayymm)
Cisco Jabber writes system information to files.
Windows (Startupscan.dll)
Contributed By: Matthew W (@0xDeadcell)
Windows runs a function in Startupscan.dll called SusRunTask.
IBM Storage Insights Data Collector
Contributed By: Micah Babinski (@mbabinski), William Rotchford
IBM Storage Insights Data Collector runs WMIC.
JetBrains binaries invoke WMI
Contributed By: Thurein Oo
JetBrains IDEs use WMI to query the installed antivirus product.