Aether reports the following indicators of suspicion (IoS), each with a fixed severity.

Modified-code pipeline (L1–L5)

| Label | Severity | Meaning |
|---|---|---|
| MODIFIED_CODE_HIGH | HIGH | Executable IMAGE pages with a hook prologue, an on-disk diff, OR a private-page ratio ≥ 25 % |
| MODIFIED_CODE_MED | MEDIUM | Private executable IMAGE pages corroborated by another signal, OR a private-page ratio ≥ 5 %, OR ≥ 8 private pages |
| HOOK_PROLOGUE | MEDIUM | Trampoline byte pattern found at the start of a private code page |
| DISK_MEM_DIFF | HIGH | First bytes of an executable private page differ from the same offset in the on-disk image |
| MISSING_PEB | HIGH | MEM_IMAGE allocation with no entry in the PEB loader (Ldr) module list (DLL hollowing) |
| PRIVATE_RWX | HIGH | MEM_PRIVATE memory with an executable protection (PAGE_EXECUTE_*) |
| CLR_INIT | INFO | Target process hosts the .NET CLR (filtering hint, not a finding; JIT-emitted code legitimately lives in private executable memory) |
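The following is an added example, not Aether's own code, showing how the per-page indicators above roll up into the MODIFIED_CODE_* tiers. It runs over constructed page records (first 16 bytes in memory vs. on disk, private/executable flags). The four trampoline shapes in `hook_prologue` are common x64 inline-hook stubs chosen for the illustration; the page does not list Aether's patterns. The `other_signal` flag is an assumption standing in for the table's "corroborated by another signal" clause.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


# Assumed x64 trampoline shapes commonly planted by inline hooks (illustrative, not Aether's list).
def hook_prologue(code: bytes) -> Optional[str]:
    """Return a trampoline name if the first bytes look like a hook stub, else None."""
    if code[:1] == b"\xE9":                                         # jmp rel32
        return "jmp rel32"
    if code[:2] == b"\xFF\x25":                                     # jmp [rip+disp32]
        return "jmp [rip+disp32]"
    if code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":      # mov rax, imm64 ; jmp rax
        return "mov rax, imm64; jmp rax"
    if code[:2] == b"\x49\xBB" and code[10:13] == b"\x41\xFF\xE3":  # mov r11, imm64 ; jmp r11
        return "mov r11, imm64; jmp r11"
    return None


@dataclass
class Page:
    """One page of an image section as a scanner would record it (constructed)."""
    rva: int
    private: bool        # copied on write, so it no longer shares the image mapping
    executable: bool
    mem_head: bytes      # first 16 bytes read from the process
    disk_head: bytes     # first 16 bytes at the same RVA in the on-disk file


def page_findings(p: Page) -> List[Tuple[str, str]]:
    """Per-page indicators; only private executable pages are inspected."""
    found: List[Tuple[str, str]] = []
    if not (p.private and p.executable):
        return found
    if hook_prologue(p.mem_head) is not None:
        found.append(("HOOK_PROLOGUE", "MEDIUM"))
    if p.mem_head != p.disk_head:
        found.append(("DISK_MEM_DIFF", "HIGH"))
    return found


def score_image(pages: List[Page], other_signal: bool = False) -> Dict[str, str]:
    """Roll per-page findings up to the allocation-level MODIFIED_CODE_* label.

    other_signal (assumption) is whether any unrelated indicator also hit this
    allocation; it unlocks the MEDIUM tier when the ratio alone would not.
    """
    findings: Dict[str, str] = {}
    for p in pages:
        for label, sev in page_findings(p):
            findings[label] = sev
    private_exec = sum(1 for p in pages if p.private and p.executable)
    ratio = private_exec / len(pages) if pages else 0.0
    if "HOOK_PROLOGUE" in findings or "DISK_MEM_DIFF" in findings or ratio >= 0.25:
        findings["MODIFIED_CODE_HIGH"] = "HIGH"
    elif (private_exec and other_signal) or ratio >= 0.05 or private_exec >= 8:
        findings["MODIFIED_CODE_MED"] = "MEDIUM"
    return findings


# Constructed sample: a 40-page .text section whose functions open with a stock prologue
# (mov [rsp+8],rbx ; push rdi ; sub rsp,20h ; mov rbx,rdx ; mov rdi,rcx).
DISK_HEAD = bytes.fromhex("48895C2408574883EC20488BDA488BF9")
HOOKED_HEAD = b"\xE9\x00\x10\x00\x00" + DISK_HEAD[5:]   # jmp rel32 patched over the prologue


def make_section(n_pages: int, private_rvas: List[int], hooked_rvas: List[int]) -> List[Page]:
    """Build n executable pages; those in private_rvas were written to (relocation-style
    copy-on-write, bytes unchanged), those in hooked_rvas carry a trampoline."""
    pages = []
    for i in range(n_pages):
        rva = 0x1000 + i * 0x1000
        hooked = rva in hooked_rvas
        pages.append(Page(rva, rva in private_rvas or hooked, True,
                          HOOKED_HEAD if hooked else DISK_HEAD, DISK_HEAD))
    return pages


if __name__ == "__main__":
    print(score_image(make_section(40, [], [0x1000])))                 # hook + diff -> HIGH
    print(score_image(make_section(40, [0x2000, 0x3000, 0x4000], [])))  # 7.5 % ratio -> MEDIUM
    print(score_image(make_section(40, [0x2000], [])))                 # 2.5 %, nothing else -> {}
```

Note the second case: three copy-on-write pages whose bytes still match disk trip the MEDIUM tier on ratio alone, which is why the table keeps a separate DISK_MEM_DIFF for the HIGH tier; relocation fix-ups on a non-ASLR-friendly module look exactly like this.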
Thread Start-Address Validation (L8)

| Label | Severity | Meaning |
|---|---|---|
| TSAV_SHELLCODE_PRIVATE | CRITICAL | Thread starts in MEM_PRIVATE memory with PAGE_EXECUTE_* protection (classic shellcode thread) |
| TSAV_SUSPENDED_RIP | CRITICAL | Suspended thread whose Rip / Eip resolves to a suspicious region that disagrees with its Win32StartAddress |
| TSAV_HOLLOWED_HOST | HIGH | Thread starts inside a MEM_IMAGE allocation that has no PEB module entry |
| TSAV_MODIFIED_HOST | HIGH | Thread starts inside an allocation already flagged by the modified-code pipeline (L1–L5) |
| TSAV_STAGED_PRIVATE_RW | HIGH | Thread starts in MEM_PRIVATE memory with PAGE_READWRITE protection (staged before a VirtualProtect to executable) |
| TSAV_MAPPED_NONPE | MEDIUM | Thread starts in a MEM_MAPPED section that is not a PE image (data-file or pagefile-backed section) |
| TSAV_SPOOF_TRAMPOLINE | MEDIUM | Thread Win32StartAddress equals a denylisted trampoline export (LoadLibraryW, RtlExitUserThread, etc.) |
| THREAD_START_ANOMALY | HIGH | Aggregate count of suspicious threads in the process (emitted once per scan) |
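An added example, not Aether's code, of the start-address validation above run over a constructed memory map and thread list. Regions and threads are modelled as the fields a scanner gets back from VirtualQueryEx, the PEB loader list and a thread context; the checks are evaluated in severity order so each thread yields its single worst label. The export addresses in the denylist are constructed, not real ntdll/kernel32 addresses, and the "suspicious region" test for TSAV_SUSPENDED_RIP reuses the same per-region rules, which is an assumption about how Aether defines it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Memory-type and page-protection constants, values as in winnt.h.
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x20, 0x40
PAGE_EXECUTE_ANY = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY


@dataclass
class Region:
    base: int
    size: int
    mem_type: int
    protect: int
    in_peb: bool = True          # MEM_IMAGE only: backed by a PEB Ldr module entry
    is_pe: bool = True           # MEM_MAPPED only: section maps a PE image, not a data file
    flagged_l1_l5: bool = False  # already reported by the modified-code pipeline

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass
class Thread:
    tid: int
    start: int                   # Win32StartAddress
    suspended: bool = False
    rip: Optional[int] = None    # Rip/Eip from GetThreadContext, meaningful when suspended


def region_of(addr: int, regions: List[Region]) -> Optional[Region]:
    return next((r for r in regions if r.contains(addr)), None)


def classify_region(r: Optional[Region]) -> Optional[Tuple[str, str]]:
    """Why a region is a bad place for a thread to start, worst first."""
    if r is None:
        return None
    if r.mem_type == MEM_PRIVATE and r.protect & PAGE_EXECUTE_ANY:
        return ("TSAV_SHELLCODE_PRIVATE", "CRITICAL")
    if r.mem_type == MEM_IMAGE and not r.in_peb:
        return ("TSAV_HOLLOWED_HOST", "HIGH")
    if r.flagged_l1_l5:
        return ("TSAV_MODIFIED_HOST", "HIGH")
    if r.mem_type == MEM_PRIVATE and r.protect == PAGE_READWRITE:
        return ("TSAV_STAGED_PRIVATE_RW", "HIGH")
    if r.mem_type == MEM_MAPPED and not r.is_pe:
        return ("TSAV_MAPPED_NONPE", "MEDIUM")
    return None


def classify_thread(t: Thread, regions: List[Region],
                    denylist: Dict[int, str]) -> Optional[Tuple[str, str]]:
    start_region = region_of(t.start, regions)
    # A suspended thread parked in a suspicious region other than the one its start
    # address names outranks anything the start address itself says.
    if t.suspended and t.rip is not None:
        rip_region = region_of(t.rip, regions)
        if rip_region is not start_region and classify_region(rip_region) is not None:
            return ("TSAV_SUSPENDED_RIP", "CRITICAL")
    verdict = classify_region(start_region)
    if verdict is not None:
        return verdict
    if t.start in denylist:      # clean image, but the entry point is a known trampoline
        return ("TSAV_SPOOF_TRAMPOLINE", "MEDIUM")
    return None


def scan_threads(threads: List[Thread], regions: List[Region],
                 denylist: Dict[int, str]) -> Tuple[Dict[int, Tuple[str, str]], Dict[str, int]]:
    """Per-thread verdicts plus the once-per-scan THREAD_START_ANOMALY count."""
    hits = {t.tid: v for t in threads if (v := classify_thread(t, regions, denylist)) is not None}
    return hits, {"THREAD_START_ANOMALY": len(hits)}


# Constructed sample map. NTDLL is a placeholder base, not a real load address.
NTDLL = 0x7FF800000000
SAMPLE_REGIONS = [
    Region(NTDLL, 0x200000, MEM_IMAGE, PAGE_EXECUTE_READ),                 # legit, in PEB
    Region(0x20000000, 0x10000, MEM_PRIVATE, PAGE_EXECUTE_READWRITE),      # private RWX blob
    Region(0x30000000, 0x10000, MEM_PRIVATE, PAGE_READWRITE),              # staged, not yet executable
    Region(0x40000000, 0x80000, MEM_IMAGE, PAGE_EXECUTE_READ, in_peb=False),  # hollowed host
    Region(0x50000000, 0x10000, MEM_MAPPED, PAGE_READWRITE, is_pe=False),  # mapped data file
]
SAMPLE_DENYLIST = {NTDLL + 0x1000: "LoadLibraryW", NTDLL + 0x2000: "RtlExitUserThread"}
SAMPLE_THREADS = [
    Thread(100, NTDLL + 0x5000),
    Thread(101, 0x20001000),
    Thread(102, NTDLL + 0x5000, suspended=True, rip=0x30000500),
    Thread(103, 0x40001000),
    Thread(104, 0x50000000),
    Thread(105, NTDLL + 0x1000),
]

if __name__ == "__main__":
    for tid, verdict in scan_threads(SAMPLE_THREADS, SAMPLE_REGIONS, SAMPLE_DENYLIST)[0].items():
        print(tid, *verdict)
```

Thread 102 is the case the TSAV_SUSPENDED_RIP row is about: its start address sits in a clean image, so a start-address-only check passes it, but the context register points into the RW staging buffer that has not been made executable yet.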
Encrypted Payload Detection

| Label | Severity | Meaning |
|---|---|---|
| XOR_PE_HEADER | CRITICAL | PE header recovered from under a single- or multi-byte XOR key: the key is derived from the DOS-stub anchor text, and the decoded bytes must pass the MZ signature, e_lfanew and PE\0\0 consistency checks together (catches Donut, Cobalt Strike sleep_mask, Sliver and sRDI payloads at rest) |
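An added example, not Aether's code, of the XOR_PE_HEADER logic above: for each candidate offset and key length, the key is solved from the known plaintext of the stock DOS-stub message (which sits at image offset 0x4E), the anchor bytes are required to agree with each other about the key, and the decoded MZ, e_lfanew and PE\0\0 fields are then checked. Assumptions made here: key lengths up to 32 bytes are tried, the key is phase-aligned to the payload's MZ, e_lfanew is accepted only in 0x40..0x400, and an all-zero key (a plaintext PE) is deliberately skipped so this detector does not double-report unencrypted images. The sample header and buffer are constructed.

```python
from typing import List, Optional, Tuple

# Known plaintext: the message in the stock MS-DOS stub, at image offset 0x4E
# (0x40 + 14 bytes of stub code). Images built without the stub lack this anchor.
ANCHOR = b"This program cannot be run in DOS mode."
ANCHOR_OFF = 0x4E
MAX_KEY_LEN = 32          # assumption: key lengths 1..32 are tried


def recover_key(buf: bytes, off: int, klen: int) -> Optional[bytes]:
    """Solve a klen-byte key from the anchor, assuming index (pos - off) % klen,
    i.e. the key is phase-aligned to the candidate MZ at off. Returns None when
    two anchor bytes mapped to the same key slot disagree."""
    key: List[Optional[int]] = [None] * klen
    for i, plain in enumerate(ANCHOR):
        pos = off + ANCHOR_OFF + i
        if pos >= len(buf):
            return None
        kb = buf[pos] ^ plain
        idx = (ANCHOR_OFF + i) % klen
        if key[idx] is None:
            key[idx] = kb
        elif key[idx] != kb:
            return None          # inconsistent: not this key length at this offset
    if any(k is None for k in key):
        return None              # cannot happen for klen <= len(ANCHOR), kept for safety
    return bytes(key)


def verify_header(buf: bytes, off: int, key: bytes) -> bool:
    """MZ at +0, a sane e_lfanew at +0x3C, and PE\\0\\0 where it points, all decoded
    with the recovered key."""
    def dec(rel: int) -> int:
        return buf[off + rel] ^ key[rel % len(key)]
    if off + 0x40 > len(buf) or dec(0) != 0x4D or dec(1) != 0x5A:
        return False
    e_lfanew = dec(0x3C) | dec(0x3D) << 8 | dec(0x3E) << 16 | dec(0x3F) << 24
    if not 0x40 <= e_lfanew <= 0x400 or off + e_lfanew + 4 > len(buf):
        return False
    return all(dec(e_lfanew + i) == b for i, b in enumerate(b"PE\0\0"))


def scan_xor_pe(buf: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, key) for every XOR-encoded PE header found in buf."""
    hits: List[Tuple[int, bytes]] = []
    for off in range(len(buf) - ANCHOR_OFF - len(ANCHOR) + 1):
        for klen in range(1, MAX_KEY_LEN + 1):
            key = recover_key(buf, off, klen)
            if key is None or not any(key):
                continue         # all-zero key is a plaintext PE: another indicator's job
            if verify_header(buf, off, key):
                hits.append((off, key))
                break            # shortest consistent key wins; longer multiples are redundant
    return hits


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_plain_header() -> bytes:
    """Constructed minimal image: MZ, stock DOS stub, e_lfanew = 0x80, PE signature."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")
    hdr[0x40:0x4E] = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")   # stub code
    hdr[ANCHOR_OFF:ANCHOR_OFF + len(ANCHOR)] = ANCHOR
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    blob = b"\x90" * 0x23 + xor(build_plain_header(), b"aether!!") + b"\x00" * 0x40
    print(scan_xor_pe(blob))     # the encoded header at 0x23 and its 8-byte key
```

Two practical caveats follow from the construction. A loader that strips the DOS stub (or rewrites the message) defeats the anchor, so the check is strongest against tooling that leaves the stock stub in place, which the listed frameworks do; and a key that is a rotation of the true key still decodes correctly, so reporting the key is only meaningful relative to the reported offset.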