Adaptive dynamic malware analysis environment
US-2020394299-A1 · Dec 17, 2020 · US
US12505201B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12505201-B2 |
| Application number | US-202318302394-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 18, 2023 |
| Priority date | Jan 30, 2020 |
| Publication date | Dec 23, 2025 |
| Grant date | Dec 23, 2025 |
Abstract
Computer-implemented systems and methods include receiving unknown content in a cloud-based sandbox; performing an analysis of the unknown content in the cloud-based sandbox; obtaining events based on the analysis; running one or more exploit detection rules on the events; and providing a score based on a result of the one or more rules. The systems and methods can include classifying the unknown content as malware or clean based on the score. The analysis can include a static analysis and a dynamic analysis, with the events generated based thereon.
Claims

1. A non-transitory computer-readable medium having instructions stored thereon for programming a processor to perform steps of: receiving unknown content comprising one of executable files, dynamic link libraries (DLLs), scripts, or macros in documents executable by one or more processors in a cloud-based sandbox having hardware infrastructure configured to isolate execution of the unknown content; performing an analysis of the unknown content in the cloud-based sandbox; obtaining events based on the analysis; running one or more exploit detection rules on the events, wherein the exploit detection rules comprise dynamically generated signatures created during execution of the unknown content based on observed runtime behaviors including at least one of memory injection, remote process injection, or process hollowing indicative of exploits; and providing a score based on a result of the one or more rules.
2. The non-transitory computer-readable medium of claim 1, wherein the steps further include classifying the unknown content as malware or clean based on the score.
3. The non-transitory computer-readable medium of claim 1, wherein the events include data containing lists of all queried windows and paths of all opened files.
4. The non-transitory computer-readable medium of claim 3, wherein the events include an Application Programming Interface (API) count threshold flag to specify a maximum number of API calls to be listed.
5. The non-transitory computer-readable medium of claim 1, wherein the steps include specifying an event name or Application Programming Interface (API) name along with one or more event fields to obtain specified data.
6. The non-transitory computer-readable medium of claim 1, wherein the exploit detection rules include checking for a file type, and if any processes have called an Application Programming Interface (API) with a parameter containing a specified string.
7. The non-transitory computer-readable medium of claim 1, wherein the events include data which provides information about files opened by a target process.
8. An apparatus comprising: a network interface; a data store; a processor communicatively coupled to the network interface and the data store; and memory storing instructions that, when executed, cause the processor to: receive unknown content comprising one of executable files, dynamic link libraries (DLLs), scripts, or macros in documents executable by one or more processors in a cloud-based sandbox having hardware infrastructure configured to isolate execution of the unknown content; perform an analysis of the unknown content in the cloud-based sandbox; obtain events based on the analysis; run one or more exploit detection rules on the events, wherein the exploit detection rules comprise dynamically generated signatures created during execution of the unknown content based on observed runtime behaviors including at least one of memory injection, remote process injection, or process hollowing indicative of exploits; and provide a score based on a result of the one or more rules.
9. The apparatus of claim 8, wherein the steps further include classifying the unknown content as malware or clean based on the score.
10. The apparatus of claim 8, wherein the events include data containing lists of all queried windows and paths of all opened files.
11. The apparatus of claim 10, wherein the events include an Application Programming Interface (API) count threshold flag to specify a maximum number of API calls to be listed.
12. The apparatus of claim 8, wherein the steps include specifying an event name or Application Programming Interface (API) name along with one or more event fields to obtain specified data.
13. The apparatus of claim 8, wherein the exploit detection rules include checking for a file type, and if any processes have called an Application Programming Interface (API) with a parameter containing a specified string.
14. The apparatus of claim 8, wherein the events include data which provides information about files opened by a target process.
15. A computer-implemented method comprising: receiving unknown content comprising one of executable files, dynamic link libraries (DLLs), scripts, or macros in documents executable by one or more processors in a cloud-based sandbox having hardware infrastructure configured to isolate execution of the unknown content; performing an analysis of the unknown content in the cloud-based sandbox; obtaining events based on the analysis; running one or more exploit detection rules on the events, wherein the exploit detection rules comprise dynamically generated signatures created during execution of the unknown content based on observed runtime behaviors including at least one of memory injection, remote process injection, or process hollowing indicative of exploits; and providing a score based on a result of the one or more rules.
16. The computer-implemented method of claim 15, wherein the steps further include classifying the unknown content as malware or clean based on the score.
17. The computer-implemented method of claim 15, wherein the events include data containing lists of all queried windows and paths of all opened files.
18. The computer-implemented method of claim 17, wherein the events include an Application Programming Interface (API) count threshold flag to specify a maximum number of API calls to be listed.
19. The computer-implemented method of claim 15, wherein the exploit detection rules include checking for a file type, and if any processes have called an Application Programming Interface (API) with a parameter containing a specified string.
20. The computer-implemented method of claim 15, wherein the events include data which provides information about files opened by a target process.
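The abstract and independent claims describe a pipeline (sandbox events, exploit detection rules, score, malware/clean verdict) and the dependent claims name concrete event data and rule shapes: lists of queried windows and opened file paths, an API count threshold flag capping the listed API calls, and a rule that checks the file type and whether any process called an API with a parameter containing a given string. The sketch below is an added illustration of that pipeline written for this page; it is not code from the patent or its assignee. The event record layout, the API names, the behaviour sequences used to recognize remote process injection and process hollowing, the rule weights and the malware cut-off are all assumptions chosen for the demo, and the event stream is constructed rather than captured from a real sandbox.

```python
"""Toy exploit-detection rule engine over sandbox API events (added example)."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004   # CreateProcess flag typical of hollowing loaders (assumed hook field)
PAGE_EXECUTE_READWRITE = 0x40   # flProtect value typical of injected code

# Constructed event stream: what a sandbox's API hooks might record for one
# sample. "pid" is the caller; "target_pid" is the process acted upon.
SAMPLE_EVENTS = [
    {"pid": 100, "api": "FindWindowA", "params": {"lpClassName": "OLLYDBG"}},
    {"pid": 100, "api": "CreateProcessW",
     "params": {"lpApplicationName": r"C:\Windows\System32\svchost.exe",
                "dwCreationFlags": CREATE_SUSPENDED, "child_pid": 200}},
    {"pid": 100, "api": "NtUnmapViewOfSection", "params": {"target_pid": 200}},
    {"pid": 100, "api": "VirtualAllocEx",
     "params": {"target_pid": 200, "flProtect": PAGE_EXECUTE_READWRITE}},
    {"pid": 100, "api": "WriteProcessMemory", "params": {"target_pid": 200}},
    {"pid": 100, "api": "SetThreadContext", "params": {"target_pid": 200}},
    {"pid": 100, "api": "ResumeThread", "params": {"target_pid": 200}},
    {"pid": 100, "api": "NtCreateFile",
     "params": {"FileName": r"C:\Users\victim\AppData\Roaming\updater.exe"}},
]


def summarize(events, api_count_threshold=1000):
    """Event data in the shape claims 3 and 4 describe: queried windows, opened
    file paths, and the API call list cut off at the api_count_threshold flag."""
    listed = events[:api_count_threshold]
    return {
        "api_calls": [e["api"] for e in listed],
        "queried_windows": sorted({e["params"].get("lpClassName", "")
                                   for e in listed if e["api"].startswith("FindWindow")}),
        "opened_files": sorted({e["params"]["FileName"]
                                for e in listed if e["api"] == "NtCreateFile"}),
    }


def rule_api_param_contains(file_type, events, want_type, api, needle):
    """Claim-6 style rule: the file type matches and some process called `api`
    with a parameter whose value contains `needle`."""
    if file_type != want_type:
        return False
    return any(e["api"] == api and any(needle in str(v) for v in e["params"].values())
               for e in events)


def _apis_by_target(events):
    """Group the APIs each caller used against each target process."""
    seen = defaultdict(set)
    for e in events:
        target = e["params"].get("target_pid")
        if target is not None:
            seen[(e["pid"], target)].add(e["api"])
    return seen


def rule_remote_injection(events):
    """Remote process injection: allocate, write, then start a thread in another process."""
    return [(src, dst) for (src, dst), apis in _apis_by_target(events).items()
            if {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"} <= apis]


def rule_process_hollowing(events):
    """Process hollowing: child created suspended, its memory overwritten, the
    thread context redirected, then resumed."""
    suspended = {e["params"]["child_pid"]: e["params"]["lpApplicationName"]
                 for e in events if e["api"] == "CreateProcessW"
                 and e["params"]["dwCreationFlags"] & CREATE_SUSPENDED}
    return [(src, dst, suspended[dst]) for (src, dst), apis in _apis_by_target(events).items()
            if dst in suspended and {"WriteProcessMemory", "SetThreadContext", "ResumeThread"} <= apis]


def dynamic_signatures(events):
    """Signatures derived from the behaviour actually observed during the run,
    rather than a pre-shipped list (one reading of the claim language; an assumption)."""
    sigs = [{"technique": "process_hollowing", "hollowed_image": image}
            for _, _, image in rule_process_hollowing(events)]
    sigs += [{"technique": "remote_process_injection", "target_pid": dst}
             for _, dst in rule_remote_injection(events)]
    return sigs


# Assumed weights and cut-off; a real system would tune these on labelled samples.
WEIGHTS = {"debugger_window_check": 20, "remote_process_injection": 50, "process_hollowing": 70}
MALWARE_THRESHOLD = 60


def score(file_type, events):
    total = 0
    if rule_api_param_contains(file_type, events, "exe", "FindWindowA", "OLLYDBG"):
        total += WEIGHTS["debugger_window_check"]
    for sig in dynamic_signatures(events):
        total += WEIGHTS[sig["technique"]]
    return total


def classify(file_type, events):
    """Claim-2 style verdict: malware or clean, decided by the score."""
    s = score(file_type, events)
    return s, ("malware" if s >= MALWARE_THRESHOLD else "clean")


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS, api_count_threshold=5))
    print(dynamic_signatures(SAMPLE_EVENTS))
    print(classify("exe", SAMPLE_EVENTS))
```

Running the sample stream flags process hollowing of svchost.exe (the injector never calls CreateRemoteThread, so the remote-injection rule stays quiet), the anti-debug FindWindowA check fires only when the file type is the one the rule asks for, and the api_count_threshold flag visibly drops the later NtCreateFile event from the opened-files list when set low. The point a practitioner should take from it is that the rules match on parameters and cross-process relationships, not on API names alone.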
CPC classification titles:
- involving long-term monitoring or reporting
- Test or assess software
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- by executing in a restricted environment, e.g. sandbox or secure virtual machine