| threat-filesystem-read |
threat.filesystem.read |
Detects access to sensitive files (credentials, configs, keys) |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-runtime-obfuscation-chr |
threat.runtime.obfuscation |
Detects chr-based code obfuscation: exec/eval of chr() sequences |
high |
✅ |
|
|
|
|
|
| threat-runtime-obfuscation-dynamic-eval |
threat.runtime.obfuscation.dynamic-eval |
Detects JavaScript payloads executed through eval/Function over a self-decoding wrapper or character-code/base64 decoded data |
high |
|
✅ |
|
✅ |
✅ |
|
| threat-npm-preinstall-script |
threat.process.hooks |
Detects npm preinstall scripts, which are almost exclusively used for malware delivery |
high |
|
✅ |
|
✅ |
✅ |
|
| threat-runtime-obfuscation-steganography |
threat.runtime.obfuscation.steganography |
Detects steganography decode followed by code execution |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-runtime-keylogging |
threat.runtime.keylogging |
Detects keylogging and input capture patterns |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-runtime-dynamic-loader |
threat.runtime.obfuscation |
Detects dynamic code loading: downloading and importing/executing code at runtime |
high |
✅ |
|
|
|
|
|
| threat-process-cryptomining |
threat.process.cryptomining |
Detects cryptocurrency mining activity |
high |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
| threat-runtime-self-propagation |
threat.runtime.self-propagation |
Detects worm/self-propagating behavior: package code that rewrites its own manifest and programmatically publishes copies to a package registry to spread |
high |
|
✅ |
|
✅ |
✅ |
|
| threat-process-powershell-encoded |
threat.process.spawn |
Detects PowerShell encoded commands, hidden windows, and download cradles |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-network-reverse-shell |
threat.network.outbound |
Detects reverse shell patterns and remote access tools |
high |
✅ |
✅ |
|
✅ |
✅ |
✅ |
| threat-runtime-obfuscation-general |
threat.runtime.obfuscation.general |
Detects heavy code obfuscation techniques |
medium |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-runtime-obfuscation-hidden-code |
threat.runtime.obfuscation |
Detects a payload hidden by excessive whitespace or require aliased through a global to evade static analysis |
high |
|
✅ |
|
✅ |
✅ |
|
| threat-filesystem-destruction |
threat.filesystem.destruction |
Detects destructive operations (recursive deletion, wiping) |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-setup-suspicious-imports |
threat.setup.import.aliasing |
Detects suspicious imports in setup.py: network, system, or crypto libraries that have no place in a build script |
high |
✅ |
|
|
|
|
|
| threat-runtime-obfuscation-pyarmor |
threat.runtime.obfuscation.pyarmor |
Detects PyArmor obfuscation, a commercial tool commonly used to hide malicious code in Python packages |
medium |
✅ |
|
|
|
|
|
| threat-network-exfiltration |
threat.network.outbound |
Detects URLs to suspicious domains often used for exfiltration or C2 |
high |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
| threat-runtime-enumeration |
threat.runtime.enumeration |
Detects extensive system/network enumeration activities |
medium |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-runtime-environment-read |
threat.runtime.environment.read |
Detects reading of environment variables (credential access, often contains secrets) |
low |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
| threat-process-memory |
threat.process.memory |
Detects memory scraping and credential dumping from process memory |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-process-hooks |
threat.process.hooks |
Detects LOLBAS usage in install hooks (execution and network tools) |
medium |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-runtime-obfuscation |
threat.runtime.obfuscation |
Detects heavy obfuscation techniques commonly used by malware |
low |
✅ |
✅ |
✅ |
✅ |
✅ |
|
| threat-npm-http-dependency |
threat.npm.http.dependency |
Detects HTTP/HTTPS URL dependencies in package.json (dependency confusion, untrusted sources) |
high |
|
✅ |
|
✅ |
✅ |
|
| threat-network-outbound-shady-links |
threat.network.outbound.shady_links |
Detects URLs to URL shorteners, file sharing, and suspicious services |
medium |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-runtime-obfuscation-unicode |
threat.runtime.obfuscation.unicode |
Detects unicode homoglyphs and uncommon characters used for obfuscation |
medium |
✅ |
✅ |
✅ |
✅ |
✅ |
|
| threat-process-sysinfo |
threat.process.spawn.sysinfo |
Detects LOLBAS usage in process spawning |
medium |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-runtime-obfuscation-log-suppress |
threat.runtime.obfuscation |
Detects log/console suppression combined with obfuscated code, a common malware evasion pattern |
medium |
|
✅ |
|
✅ |
✅ |
|
| threat-network-exfil-messenger |
threat.network.outbound |
Detects hardcoded messaging platform tokens/webhooks used for data exfiltration |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-network-dns-exfil |
threat.network.outbound |
Detects DNS-based data exfiltration: encoding data in DNS queries |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-setup-import-aliasing |
threat.setup.import.aliasing |
Detects suspicious import aliasing of dangerous functions in setup.py |
high |
✅ |
|
|
|
|
|
| threat-runtime-obfuscation-import-exec |
threat.runtime.obfuscation |
Detects dynamic import chains used to obfuscate code execution |
high |
✅ |
|
|
|
|
|
| threat-setup-network-in-install |
threat.network.outbound |
Detects network operations or hostname/system info collection in setup.py, which is suspicious at install time |
high |
✅ |
|
|
|
|
|
| threat-runtime-obfuscation-api |
threat.runtime.obfuscation.api |
Detects advanced API call obfuscation using introspection and reflection techniques |
medium |
✅ |
✅ |
✅ |
✅ |
✅ |
|
| threat-filesystem-autostart |
threat.filesystem.autostart |
Detects suspicious autostart persistence mechanisms |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-npm-dependency-confusion |
threat.npm.http.dependency |
Detects dependency confusion indicators: self-referencing dependencies or DNS exfil in scripts |
high |
|
✅ |
|
✅ |
✅ |
|
| threat-process-download-exec |
threat.process.spawn |
Detects download-and-execute patterns: fetching a remote file then executing it |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-runtime-obfuscation-base64exec |
threat.runtime.obfuscation.base64exec |
Detects base64 decoding followed by code execution |
high |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
| threat-network-exfil-sysinfo |
threat.network.outbound |
Detects system info collection combined with network exfiltration (hostname/user in HTTP requests) |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-runtime-obfuscation-js-mangling |
threat.runtime.obfuscation.js.mangling |
Detects JavaScript variable name mangling (_0x pattern) used by obfuscation tools |
medium |
|
✅ |
|
✅ |
✅ |
|
| threat-process-spawn-silent |
threat.process.spawn.silent |
Detects fully silent process execution (suppressing all output channels) |
low |
✅ |
✅ |
✅ |
✅ |
✅ |
|
| threat-runtime-system-info |
threat.runtime.system.info |
Detects active collection of system information (hostname, platform, architecture, user) |
low |
✅ |
✅ |
✅ |
✅ |
✅ |
✅ |
| threat-process-injection-dll |
threat.process.injection.dll |
Detects DLL injection and process injection techniques |
high |
✅ |
✅ |
|
✅ |
✅ |
|
| threat-runtime-screencapture |
threat.runtime.screencapture |
|
medium |
✅ |
|
|
|
|
|