Tool
Splunk ESCU
2,101 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
◈
Detections
50 shown of 2,101GitHub Enterprise Register Self Hosted Runner
The following analytic identifies when a self-hosted runner is created in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for actions related to creating new self-hosted runners at the organization or enterprise level. his behavior warrants monitoring because self-hosted runners execute workflow jobs on customer-controlled infrastructure, which could be exploited by attackers to execute malicious code, access sensitive data, or pivot to other systems. While self-hosted runners are a legitimate feature, their creation should be carefully controlled as compromised runners pose significant security risks. The impact includes potential remote code execution, data exfiltration, and lateral movement within the environment if a runner is compromised. SOC teams should investigate unexpected runner creation events to verify they are authorized and properly secured, especially if created by unfamiliar users or in unusual contexts.
Show query
`github_enterprise` action=enterprise.register_self_hosted_runner
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_is_bot,
actor_location.country_code, business, business_id,
user_agent, action
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_enterprise_register_self_hosted_runner_filter`GitHub Enterprise Remove Organization
The following analytic detects when a user removes an organization from GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for organization deletion events, which could indicate unauthorized removal of critical business resources. For a SOC, identifying organization removals is crucial as it may signal account compromise, insider threats, or malicious attempts to disrupt business operations by deleting entire organizational structures. The impact could be severe, potentially resulting in loss of source code, repositories, team structures, access controls, and other critical organizational assets. This disruption could halt development workflows, cause data loss, and require significant effort to restore from backups if available. Additionally, unauthorized organization removal could be part of a larger attack campaign aimed at destroying or compromising enterprise assets.
Show query
`github_enterprise` action=business.remove_organization
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_is_bot,
actor_location.country_code, business, business_id,
org, org_id, user_agent,
action
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_enterprise_remove_organization_filter`GitHub Enterprise Repository Archived
The following analytic detects when a repository is archived in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for repository archival events by tracking actor details, repository information, and associated metadata. For a SOC, identifying repository archival is important as it could indicate attempts to make critical code inaccessible or preparation for repository deletion. While archiving is a legitimate feature, unauthorized archival of active repositories could signal account compromise, insider threats, or attempts to disrupt development operations. The impact of unauthorized repository archival includes loss of active development access, disruption to workflows and CI/CD pipelines, and potential business delays if critical repositories are affected. Additionally, archived repositories may be targeted for subsequent deletion, potentially resulting in permanent loss of intellectual property if proper backups are not maintained.
Show query
`github_enterprise` action=repo.archived
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_is_bot,
actor_location.country_code, business, business_id,
org, org_id, repo,
repo_id, user_agent, visibility,
action
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_enterprise_repository_archived_filter`GitHub Enterprise Repository Deleted
The following analytic detects when a user deletes a repository in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for repository deletion events, which could indicate unauthorized removal of critical source code and project resources. For a SOC, identifying repository deletions is crucial as it may signal account compromise, insider threats, or malicious attempts to destroy intellectual property and disrupt development operations. The impact could be severe, potentially resulting in permanent loss of source code, documentation, project history, and other critical assets if proper backups are not maintained. Repository deletion could halt development workflows, cause significant business disruption, and require substantial effort to restore from backups if available. Additionally, unauthorized repository removal could be part of a larger attack campaign aimed at destroying or compromising enterprise assets.
Show query
`github_enterprise` action=repo.destroy
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_is_bot,
actor_location.country_code, business, business_id,
org, org_id, repo,
repo_id, user_agent, visibility,
action
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_enterprise_repository_deleted_filter`GitHub Organizations Delete Branch Ruleset
The following analytic detects when branch rulesets are deleted in GitHub Organizations. The detection monitors GitHub Organizations audit logs for branch ruleset deletion events by tracking actor details, repository information, and associated metadata. For a SOC, identifying deleted branch rulesets is critical as it could indicate attempts to bypass code review requirements and security controls. Branch rulesets are essential security controls that enforce code review, prevent force pushes, and maintain code quality. Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting to inject malicious code.
Show query
`github_organizations` vendor_action=repository_ruleset.destroy
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_ip,
actor_is_bot, actor_location.country_code, business,
business_id, org, org_id,
repo, repo_id, user_agent,
vendor_action, ruleset_name
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_organizations_delete_branch_ruleset_filter`GitHub Organizations Disable 2FA Requirement
The following analytic detects when two-factor authentication (2FA) requirements are disabled in GitHub Organizations. The detection monitors GitHub Organizations audit logs for 2FA requirement changes by tracking actor details, organization information, and associated metadata. For a SOC, identifying disabled 2FA requirements is critical as it could indicate attempts to weaken account security controls. Two-factor authentication is a fundamental security control that helps prevent unauthorized access even if passwords are compromised. Disabling 2FA requirements could allow attackers to more easily compromise accounts through password-based attacks. The impact of disabled 2FA includes increased risk of account takeover, potential access to sensitive code and intellectual property, and compromise of the software supply chain. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting broader account compromises.
Show query
`github_organizations` vendor_action=org.disable_two_factor_requirement
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_ip,
actor_is_bot, actor_location.country_code, business,
business_id, org, org_id,
user_agent, vendor_action
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_organizations_disable_2fa_requirement_filter`GitHub Organizations Disable Classic Branch Protection Rule
The following analytic detects when classic branch protection rules are disabled in GitHub Organizations. The detection monitors GitHub Organizations audit logs for branch protection removal events by tracking actor details, repository information, and associated metadata. For a SOC, identifying disabled branch protection is critical as it could indicate attempts to bypass code review requirements and security controls. Branch protection rules are essential security controls that enforce code review, prevent force pushes, and maintain code quality. Disabling these protections could allow malicious actors to directly push unauthorized code changes or backdoors to protected branches. The impact of disabled branch protection includes potential code tampering, bypass of security reviews, introduction of vulnerabilities or malicious code, and compromise of software supply chain integrity. This activity could be part of a larger attack chain where an adversary first disables security controls before attempting to inject malicious code.
Show query
`github_organizations` vendor_action=protected_branch.destroy
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_ip,
actor_is_bot, actor_location.country_code, business,
business_id, org, org_id,
repo, repo_id, user_agent,
vendor_action, name
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_organizations_disable_classic_branch_protection_rule_filter`GitHub Organizations Disable Dependabot
The following analytic detects when a user disables Dependabot security features within a GitHub repository. Dependabot helps automatically identify and fix security vulnerabilities in dependencies. The detection monitors GitHub Enterprise logs for configuration changes that disable Dependabot functionality. This behavior could indicate an attacker attempting to prevent the automatic detection of vulnerable dependencies, which would allow them to exploit known vulnerabilities that would otherwise be patched. For a SOC, identifying the disabling of security features like Dependabot is critical as it may be a precursor to supply chain attacks where attackers exploit vulnerable dependencies. The impact could be severe if vulnerabilities remain unpatched, potentially leading to code execution, data theft, or other compromises through the software supply chain.
Show query
`github_organizations` vendor_action=repository_vulnerability_alerts.disable
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_ip,
actor_is_bot, actor_location.country_code, business,
business_id, org, org_id,
repo, repo_id, user,
user_agent, user_id, vendor_action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_organizations_disable_dependabot_filter`GitHub Organizations Repository Archived
The following analytic detects when a repository is archived in GitHub Organizations. The detection monitors GitHub Organizations audit logs for repository archival events by tracking actor details, repository information, and associated metadata. For a SOC, identifying repository archival is important as it could indicate attempts to make critical code inaccessible or preparation for repository deletion. While archiving is a legitimate feature, unauthorized archival of active repositories could signal account compromise, insider threats, or attempts to disrupt development operations. The impact of unauthorized repository archival includes loss of active development access, disruption to workflows and CI/CD pipelines, and potential business delays if critical repositories are affected. Additionally, archived repositories may be targeted for subsequent deletion, potentially resulting in permanent loss of intellectual property if proper backups are not maintained.
Show query
`github_organizations` vendor_action=repo.archived
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_is_bot,
actor_location.country_code, business, business_id,
org, org_id, repo,
repo_id, user_agent, visibility,
vendor_action
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_organizations_repository_archived_filter`GitHub Organizations Repository Deleted
The following analytic identifies when a repository is deleted within a GitHub organization. The detection monitors GitHub Organizations audit logs for repository deletion events by tracking actor details, repository information, and associated metadata. This behavior is concerning for SOC teams as malicious actors may attempt to delete repositories to destroy source code, intellectual property, or evidence of compromise. Repository deletion can result in permanent loss of code, documentation, and project history if proper backups are not maintained. Additionally, unauthorized repository deletion could indicate account compromise, insider threats, or attempts to disrupt business operations. The impact of a repository deletion attack includes loss of intellectual property, disruption to development workflows, and potential financial losses from lost work. Early detection of unauthorized repository deletions allows security teams to investigate potential compromises and restore from backups if needed.
Show query
`github_organizations` vendor_action=repo.destroy
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY actor, actor_id, actor_is_bot,
actor_location.country_code, business, business_id,
org, org_id, repo,
repo_id, user_agent, visibility,
vendor_action
| eval user=actor
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `github_organizations_repository_deleted_filter`GitHub Workflow File Creation or Modification
The following analytic hunts for any creations or modifications to GitHub Actions workflow YAML files across the organization's Linux or Windows endpoints.
This hunting query tracks all workflow file activity under .github/workflows directories to help defenders establish baselines of legitimate CI/CD workflow creation patterns, identify unusual or unauthorized changes, and detect anomalies that may indicate supply chain compromise.
GitHub Actions workflows execute with privileged access to secrets and deployment credentials, making them high-value targets for attackers.
By monitoring workflow file modifications over time, defenders can identify suspicious patterns such as unexpected workflow creation on developer workstations, modifications outside normal change windows, or activity in repositories that don't typically contain workflows.
This data is essential for detecting supply chain attacks like Shai-Hulud that inject malicious workflows across multiple repositories.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN ( "*/.github/workflows/*.yaml", "*/.github/workflows/*.yml", "*\\.github\\workflows\\*.yaml", "*\\.github\\workflows\\*.yml" ) by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `github_workflow_file_creation_or_modification_filter`
Gsuite Drive Share In External Email
The following analytic detects Google Drive or Google Docs files shared externally from an internal domain. It leverages GSuite Drive logs, extracting and comparing the source and destination email domains to identify external sharing. This activity is significant as it may indicate potential data exfiltration by an attacker or insider. If confirmed malicious, this could lead to unauthorized access to sensitive information, data leakage, and potential compliance violations. Monitoring this behavior helps in early detection and mitigation of data breaches.
Show query
`gsuite_drive` NOT (email IN("", "null"))
| spath path=parameters.owner output=owner
| rex field=owner "[^@]+@(?<src_domain>[^@]+)"
| rex field=email "[^@]+@(?<dest_domain>[^@]+)"
| where src_domain = "internal_test_email.com" and not dest_domain = "internal_test_email.com"
| eval phase="plan"
| eval severity="low"
| stats values(parameters.doc_title) as doc_title,
values(parameters.doc_type) as doc_types,
values(email) as dst_email_list,
values(parameters.visibility) as visibility,
values(parameters.doc_id) as doc_id,
count min(_time) as firstTime max(_time) as lastTime
by parameters.owner ip_address phase severity
| rename parameters.owner as user ip_address as src_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_drive_share_in_external_email_filter`
Gsuite Email Suspicious Subject With Attachment
The following analytic identifies Gsuite emails with suspicious subjects and attachments commonly used in spear phishing attacks. It leverages Gsuite email logs, focusing on specific keywords in the subject line and known malicious file types in attachments. This activity is significant for a SOC as spear phishing is a prevalent method for initial compromise, often leading to further malicious actions. If confirmed malicious, this activity could result in unauthorized access, data exfiltration, or further malware deployment, posing a significant risk to the organization's security.
Show query
`gsuite_gmail` num_message_attachments > 0 subject IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "* fedex *", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", "*new order*") attachment{}.file_extension_type IN ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "zip", "rar", "html","htm","hta")
| rex field=source.from_header_address "[^@]+@(?<source_domain>[^@]+)"
| rex field=destination{}.address "[^@]+@(?<dest_domain>[^@]+)"
| where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com"
| eval phase="plan"
| eval severity="medium"
| stats count min(_time) as firstTime max(_time) as lastTime values(attachment{}.file_extension_type) as email_attachments, values(attachment{}.sha256) as attachment_sha256, values(payload_size) as payload_size
BY destination{}.service num_message_attachments subject
destination{}.address source.address phase
severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_email_suspicious_subject_with_attachment_filter`Gsuite Email With Known Abuse Web Service Link
The following analytic detects emails in Gsuite containing links to known abuse web services such as Pastebin, Telegram, and Discord. It leverages Gsuite Gmail logs to identify emails with these specific domains in their links. This activity is significant because these services are commonly used by attackers to deliver malicious payloads. If confirmed malicious, this could lead to the delivery of malware, phishing attacks, or other harmful activities, potentially compromising sensitive information or systems within the organization.
Show query
`gsuite_gmail` "link_domain{}" IN ("*pastebin.com*", "*discord*", "*telegram*","t.me")
| rex field=source.from_header_address "[^@]+@(?<source_domain>[^@]+)"
| rex field=destination{}.address "[^@]+@(?<dest_domain>[^@]+)"
| where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com"
| eval phase="plan"
| eval severity="low"
| stats values(link_domain{}) as link_domains min(_time) as firstTime max(_time) as lastTime count
BY is_spam source.address source.from_header_address
subject destination{}.address phase
severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_email_with_known_abuse_web_service_link_filter`Gsuite Outbound Email With Attachment To External Domain
The following analytic detects outbound emails with attachments sent from an internal email domain to an external domain. It leverages Gsuite Gmail logs, parsing the source and destination email domains, and flags emails with fewer than 20 outbound instances. This activity is significant as it may indicate potential data exfiltration or insider threats. If confirmed malicious, an attacker could use this method to exfiltrate sensitive information, leading to data breaches and compliance violations.
Show query
`gsuite_gmail` num_message_attachments > 0
| rex field=source.from_header_address "[^@]+@(?<source_domain>[^@]+)"
| rex field=destination{}.address "[^@]+@(?<dest_domain>[^@]+)"
| where source_domain="internal_test_email.com" and not dest_domain="internal_test_email.com"
| eval phase="plan"
| eval severity="low"
| stats values(subject) as subject, values(source.from_header_address) as src_domain_list, count as numEvents, dc(source.from_header_address) as numSrcAddresses, min(_time) as firstTime max(_time) as lastTime
BY dest_domain phase severity
| where numSrcAddresses < 20
| sort - numSrcAddresses
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_outbound_email_with_attachment_to_external_domain_filter`Gsuite Suspicious Shared File Name
The following analytic detects shared files in Google Drive with suspicious filenames commonly used in spear phishing campaigns. It leverages GSuite Drive logs to identify documents with titles that include keywords like "dhl," "ups," "invoice," and "shipment." This activity is significant because such filenames are often used to lure users into opening malicious documents or clicking harmful links. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further compromise of the user's system.
Show query
`gsuite_drive` parameters.owner_is_team_drive=false "parameters.doc_title" IN ("*dhl*", "* ups *", "*delivery*", "*parcel*", "*label*", "*invoice*", "*postal*", "*fedex*", "* usps *", "* express *", "*shipment*", "*Banking/Tax*","*shipment*", "*new order*") parameters.doc_type IN ("document","pdf", "msexcel", "msword", "spreadsheet", "presentation")
| rex field=parameters.owner "[^@]+@(?<source_domain>[^@]+)"
| rex field=parameters.target_user "[^@]+@(?<dest_domain>[^@]+)"
| where not source_domain="internal_test_email.com" and dest_domain="internal_test_email.com"
| eval phase="plan"
| eval severity="low"
| stats count min(_time) as firstTime max(_time) as lastTime
BY email parameters.owner parameters.target_user
parameters.doc_title parameters.doc_type phase
severity
| rename parameters.target_user AS user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `gsuite_suspicious_shared_file_name_filter`Gsuite suspicious calendar invite
The following analytic detects suspicious calendar invites sent via GSuite, potentially indicating compromised accounts or malicious internal activity. It leverages GSuite calendar logs, focusing on events where a high volume of invites (over 100) is sent within a 5-minute window. This behavior is significant as it may involve the distribution of malicious links or attachments, posing a security risk. If confirmed malicious, this activity could lead to widespread phishing attacks, unauthorized access, or malware distribution within the organization.
Show query
`gsuite_calendar`
| bin span=5m _time
| rename parameters.* as *
| search target_calendar_id!=null email="*yourdomain.com"
| stats count values(target_calendar_id) values(event_title) values(event_guest)
BY email _time
| where count >100
| `gsuite_suspicious_calendar_invite_filter`HTTP C2 Framework User Agent
This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of c2 frameworks. This activity can signify malicious actors attempting to interact with hosts on the network using known default configurations of command and control tools.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.http_user_agent != null
BY Web.http_user_agent Web.http_method, Web.url,
Web.url_length Web.src, Web.dest
| `drop_dm_object_name("Web")`
| lookup suspicious_c2_user_agents c2_user_agent AS http_user_agent OUTPUT tool, description
| where isnotnull(tool)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen
BY tool url http_user_agent
src dest description
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_c2_framework_user_agent_filter`HTTP Duplicated Header
Detects when a request has more than one of the same header. This is commonly used in request smuggling and other web based attacks. HTTP Request Smuggling exploits inconsistencies in how front-end and back-end servers parse HTTP requests by using ambiguous or malformed headers to hide malicious requests within legitimate ones. Attackers leverage duplicate headers, particularly Content-Length and Transfer-Encoding, to cause different servers in the chain to disagree on where one request ends and another begins. RFC7230 states that a sender MUST NOT generate multiple header fields with the same field name in a message unless either the entire field value for that header field is defined as a comma-separated list or the header field is a well-known exception.
Show query
`suricata` http.request_headers{}.name="*"
| rename dest_ip as dest
| spath path=http.request_headers{}.name output=header_names
| mvexpand header_names
| where lower(header_names) != "set-cookie"
| stats count
BY _raw, header_names, src_ip,
dest
| where count > 1
| stats values(header_names) as duplicate_headers
BY _raw, count, src_ip,
dest
| `http_duplicated_header_filter`HTTP Malware User Agent
This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of malware. This activity can signify possible compromised hosts on the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.http_user_agent != null
BY Web.http_user_agent Web.http_method, Web.url,
Web.url_length Web.src, Web.dest
| `drop_dm_object_name("Web")`
| lookup malware_user_agents malware_user_agent AS http_user_agent OUTPUT malware
| where isnotnull(malware)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen
BY malware url http_user_agent
src dest
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_malware_user_agent_filter`HTTP PUA User Agent
This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of unwanted applications. This activity can signify possible compromised hosts on the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.http_user_agent != null
BY Web.http_user_agent Web.http_method, Web.url,
Web.url_length Web.src, Web.dest
| `drop_dm_object_name("Web")`
| lookup pua_user_agents pua_user_agent AS http_user_agent OUTPUT tool
| where isnotnull(tool)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen
BY tool url http_user_agent
src dest
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_pua_user_agent_filter`HTTP Possible Request Smuggling
HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests that are received from one or more users. Request smuggling vulnerabilities are often critical in nature, allowing an attacker to bypass security controls, gain unauthorized access to sensitive data, and directly compromise other application users. This detection identifies a common request smuggling technique of using both Content-Length and Transfer-Encoding headers to cause a parsing confusion between the frontend and backend.
Show query
`suricata` (http.request_headers{}.name="*Content-Length*" http.request_headers{}.name="*Transfer-Encoding*") OR (http.request_headers{}.name="*Content-Length*" http.request_headers{}.value="*Transfer-Encoding*") OR (http.request_headers{}.value="*Content-Length*" http.request_headers{}.name="*Transfer-Encoding*") OR (http.request_headers{}.name="*Content-Length*" http.request_headers{}.value="0")
| rename dest_ip as dest
| rex field=_raw "request_headers.:\[(?<headers>.*)\]"
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest, dest_port, src_ip,
http.url, http.http_method, http.http_user_agent,
http.protocol, http.status, headers
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `http_possible_request_smuggling_filter`HTTP RMM User Agent
This Splunk query analyzes web logs to identify and categorize user agents, detecting various types of Remote Monitoring and Mangement applications. This activity can signify possible compromised hosts on the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.http_user_agent != null
BY Web.http_user_agent Web.http_method, Web.url,
Web.url_length Web.src, Web.dest
| `drop_dm_object_name("Web")`
| lookup rmm_user_agents rmm_user_agent AS http_user_agent OUTPUT tool
| where isnotnull(tool)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen
BY tool url http_user_agent
src dest
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_rmm_user_agent_filter`HTTP Rapid POST with Mixed Status Codes
This detection identifies rapid-fire POST request attacks where an attacker sends more than 20 POST requests within a 5-second window, potentially attempting to exploit race conditions or overwhelm request handling. The pattern is particularly suspicious when responses vary in size or status codes, indicating successful exploitation attempts or probing for vulnerable endpoints.
Show query
`nginx_access_logs` http_method="POST"
| bin _time span=5s
| rename dest_ip as dest
| stats count, values(status) as status_codes, values(bytes_out) as bytes_out, values(uri_path) as uris
BY _time, src_ip, dest,
http_user_agent
| where count>20
| table _time, dest, src_ip, count, status_codes, bytes_out, http_user_agent
| `http_rapid_post_with_mixed_status_codes_filter`HTTP Request to Reserved Name on IIS Server
Detects attempts to exploit a request smuggling technique against IIS that leverages a Windows quirk where requests for reserved Windows device names such as "/con" trigger an early server response before the request body is received.
When combined with a Content-Length desynchronization, this behavior can lead to a parsing confusion between frontend and backend.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url IN (
"*/aux",
"*/com1",
"*/com2",
"*/com3",
"*/com4",
"*/com5",
"*/com6",
"*/com7",
"*/con",
"*/nul",
"*/prn"
)
BY Web.src Web.dest Web.http_user_agent
Web.url Web.url_domain Web.status Web.http_method
| `drop_dm_object_name("Web")`
```
We have to add the logic below because the TA does not extract the URI path from the URL, and the anchors are short. Hence to avoid false positives, we need to extract the URI path from the URL and check if it is a reserved name.
```
| eval uri=replace(url, url_domain, "")
| where uri IN (
"/aux",
"/com1",
"/com2",
"/com3",
"/com4",
"/com5",
"/com6",
"/com7",
"/con",
"/nul",
"/prn"
)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `http_request_to_reserved_name_on_iis_server_filter`HTTP Scripting Tool User Agent
This Splunk query analyzes web access logs to identify and categorize non-browser user agents, detecting various types of security tools, scripting languages, automation frameworks, and suspicious patterns. This activity can signify malicious actors attempting to interact with web endpoints in non-standard ways.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Web where
Web.http_user_agent =*
NOT Web.http_user_agent IN (
"-",
"unknown"
)
by Web.http_user_agent Web.dest Web.src Web.status
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Web)`
| eval http_user_agent = lower(http_user_agent)
| lookup scripting_tools_user_agents tool_user_agent AS http_user_agent OUTPUT tool
| where isnotnull(tool)
| stats count
min(firstTime) as first_seen
max(lastTime) as last_seen
values(tool) as tool
by http_user_agent dest src status
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_scripting_tool_user_agent_filter`Headless Browser Mockbin or Mocky Request
The following analytic detects headless browser activity accessing mockbin.org or mocky.io. It identifies processes with the "--headless" and "--disable-gpu" command line arguments, along with references to mockbin.org or mocky.io. This behavior is significant as headless browsers are often used for automated tasks, including malicious activities like web scraping or automated attacks. If confirmed malicious, this activity could indicate an attempt to bypass traditional browser security measures, potentially leading to data exfiltration or further exploitation of web applications.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process="*--headless*"
AND
Processes.process="*--disable-gpu*"
AND
(Processes.process="*mockbin.org/*"
OR
Processes.process="*mocky.io/*")
)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `headless_browser_mockbin_or_mocky_request_filter`Headless Browser Usage
The following analytic detects the usage of headless browsers within an organization. It identifies processes containing the "--headless" and "--disable-gpu" command line arguments, which are indicative of headless browsing. This detection leverages data from the Endpoint.Processes datamodel to identify such processes. Monitoring headless browser usage is significant as these tools can be exploited by adversaries for malicious activities like web scraping, automated testing, and undetected web interactions. If confirmed malicious, this activity could lead to unauthorized data extraction, automated attacks, or other covert operations on web applications.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe") (Processes.process="*--headless*" AND Processes.process="*--disable-gpu*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `headless_browser_usage_filter`Hide User Account From Sign-In Screen
The following analytic detects a suspicious registry modification that hides a user account from the Windows Login screen. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" with a value of "0x00000000". This activity is significant as it may indicate an adversary attempting to create a hidden admin account to avoid detection and maintain persistence on the compromised machine. If confirmed malicious, this could allow the attacker to maintain undetected access and control over the system, posing a severe security risk.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\Userlist*" AND Registry.registry_value_data = "0x00000000") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `hide_user_account_from_sign_in_screen_filter`
Hiding Files And Directories With Attrib exe
The following analytic detects the use of the Windows binary attrib.exe to hide files or directories by marking them with specific flags. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments that include the "+h" flag. This activity is significant because hiding files can be a tactic used by attackers to conceal malicious files or tools from users and security software. If confirmed malicious, this behavior could allow an attacker to persist in the environment undetected, potentially leading to further compromise or data exfiltration.
Show query
| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name=attrib.exe (Processes.process=*+h*)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `hiding_files_and_directories_with_attrib_exe_filter`High Frequency Copy Of Files In Network Share
The following analytic detects a high frequency of file copying or moving within network shares, which may indicate potential data sabotage or exfiltration attempts. It leverages Windows Security Event Logs (EventCode 5145) to monitor access to specific file types and network shares. This activity is significant as it can reveal insider threats attempting to transfer classified or internal files, potentially leading to data breaches or evidence tampering. If confirmed malicious, this behavior could result in unauthorized data access, data loss, or compromised sensitive information.
Show query
`wineventlog_security` EventCode=5145 RelativeTargetName IN ("*.doc","*.docx","*.xls","*.xlsx","*.ppt","*.pptx","*.log","*.txt","*.db","*.7z","*.zip","*.rar","*.tar","*.gz","*.jpg","*.gif","*.png","*.bmp","*.pdf","*.rtf","*.key") ObjectType=File ShareName IN ("\\\\*\\C$","\\\\*\\IPC$","\\\\*\\admin$") AccessMask= "0x2" | bucket _time span=5m | stats values(RelativeTargetName) as valRelativeTargetName, values(ShareName) as valShareName, values(ObjectType) as valObjectType, values(AccessMask) as valAccessmask, values(src_port) as valSrcPort, values(SourceAddress) as valSrcAddress count as numShareName by dest, _time, EventCode, src_user, src_ip | eventstats avg(numShareName) as avgShareName, stdev(numShareName) as stdShareName, count as numSlots by dest, _time, EventCode, src_user | eval upperThreshold=(avgShareName + stdShareName *3) | eval isOutlier=if(avgShareName > 20 and avgShareName >= upperThreshold, 1, 0) | search isOutlier=1 | `high_frequency_copy_of_files_in_network_share_filter`High Number of Login Failures from a single source
The following analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. It leverages Office365 management activity logs, specifically AzureActiveDirectoryStsLogon records, aggregating these logs in 5-minute intervals to count failed login attempts. This activity is significant as it may indicate brute-force attacks or password spraying, which are critical to monitor. If confirmed malicious, an attacker could gain unauthorized access to Office365 accounts, leading to potential data breaches, lateral movement within the organization, or further malicious activities using the compromised account.
Show query
`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon
| bucket span=5m _time
| stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent values(dest) as dest values(vendor_account) as vendor_account values(vendor_product) as vendor_product
BY _time, src_ip
| where failed_attempts > 10
| `high_number_of_login_failures_from_a_single_source_filter`High Process Termination Frequency
The following analytic identifies a high frequency of process termination events on a computer within a short period. It leverages Sysmon EventCode 5 logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant as it is commonly associated with ransomware attempting to avoid exceptions during file encryption. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss.
Show query
`sysmon` EventCode=5
| bin _time span=3s
| stats values(process) as process values(process_exec) as process_exec values(process_guid) as process_guid values(process_id) as process_id values(process_name) as process_name values(process_path) as process_path values(user_id) as user_id min(_time) as firstTime max(_time) as lastTime count
BY _time dest EventCode
ProcessID signature signature_id
vendor_product
| where count >= 15
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `high_process_termination_frequency_filter`High Volume of Bytes Out to Url
The following analytic detects a high volume of outbound web traffic, specifically over 1GB of data sent to a URL within a 2-minute window. It leverages the Web data model to identify significant uploads by analyzing the sum of bytes out. This activity is significant as it may indicate potential data exfiltration by malware or malicious insiders. If confirmed as malicious, this behavior could lead to unauthorized data transfer, resulting in data breaches and loss of sensitive information. Immediate investigation is required to determine the legitimacy of the transfer and mitigate any potential threats.
Show query
| tstats `security_content_summariesonly` count sum(Web.bytes_out) as sum_bytes_out values(Web.user) as user values(Web.app) as app values(Web.dest) as dest FROM datamodel=Web
BY _time span=2m Web.url
Web.src sourcetype
| search sum_bytes_out > 1070000000
| `drop_dm_object_name("Web")`
| `high_volume_of_bytes_out_to_url_filter`Hosts receiving high volume of network traffic from email server
The following analytic identifies hosts receiving an unusually high volume of network traffic from an email server. It leverages the Network_Traffic data model to sum incoming bytes to clients from email servers, comparing current traffic against historical averages and standard deviations. This activity is significant as it may indicate data exfiltration by a malicious actor using the email server. If confirmed malicious, this could lead to unauthorized data access and potential data breaches, compromising sensitive information and impacting organizational security.
Show query
| tstats `security_content_summariesonly` sum(All_Traffic.bytes_in) as bytes_in from datamodel=Network_Traffic where All_Traffic.dest_category=email_server by All_Traffic.src_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_in) as avg_bytes_in stdev(bytes_in) as stdev_bytes_in | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_avg_bytes_in stdev(eval(if(_time < relative_time(now(), "@d"), bytes_in, null))) as per_source_stdev_bytes_in by src_ip | eval minimum_data_samples = 4, deviation_threshold = 3
| where num_data_samples >= minimum_data_samples AND bytes_in > (avg_bytes_in + (deviation_threshold * stdev_bytes_in)) AND bytes_in > (per_source_avg_bytes_in + (deviation_threshold * per_source_stdev_bytes_in)) AND _time >= relative_time(now(), "@d")
| eval num_standard_deviations_away_from_server_average = round(abs(bytes_in - avg_bytes_in) / stdev_bytes_in, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_in - per_source_avg_bytes_in) / per_source_stdev_bytes_in, 2)
| table src_ip, _time, bytes_in, avg_bytes_in, per_source_avg_bytes_in, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average
| `hosts_receiving_high_volume_of_network_traffic_from_email_server_filter`
Hunting 3CXDesktopApp Software
The following analytic detects the presence of any version of the 3CXDesktopApp, also known as the 3CX Desktop App, on Mac or Windows systems. It leverages the Endpoint data model's Processes node to identify instances of the application running, although it does not provide file version information. This activity is significant because 3CX has identified vulnerabilities in versions 18.12.407 and 18.12.416, which could be exploited by attackers. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the affected systems.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name=3CXDesktopApp.exe
OR
Processes.process_name="3CX Desktop App"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `hunting_3cxdesktopapp_software_filter`Hunting for Log4Shell
The following analytic detects potential exploitation attempts of the Log4Shell vulnerability (CVE-2021-44228) by analyzing HTTP headers for specific patterns. It leverages the Web Datamodel and evaluates various indicators such as the presence of `{jndi:`, environment variables, and common URI paths. This detection is significant as Log4Shell allows remote code execution, posing a severe threat to systems. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, and potentially compromise sensitive data, leading to extensive damage and data breaches.
Show query
| from datamodel Web.Web | eval jndi=if(match(_raw, "(\{|%7B)[jJnNdDiI]{4}:"),4,0) | eval jndi_fastmatch=if(match(_raw, "[jJnNdDiI]{4}"),2,0) | eval jndi_proto=if(match(_raw,"(?i)jndi:(ldap[s]?|rmi|dns|nis|iiop|corba|nds|http|https):"),5,0) | eval all_match = if(match(_raw, "(?i)(%(25){0,}20|\s)*(%(25){0,}24|\$)(%(25){0,}20|\s)*(%(25){0,}7B|{)(%(25){0,}20|\s)*(%(25){0,}(6A|4A)|J)(%(25){0,}(6E|4E)|N)(%(25){0,}(64|44)|D)(%(25){0,}(69|49)|I)(%(25){0,}20|\s)*(%(25){0,}3A|:)[\w\%]+(%(25){1,}3A|:)(%(25){1,}2F|\/)[^\n]+"),5,0) | eval env_var = if(match(_raw, "env:") OR match(_raw, "env:AWS_ACCESS_KEY_ID") OR match(_raw, "env:AWS_SECRET_ACCESS_KEY"),5,0) | eval uridetect = if(match(_raw, "(?i)Basic\/Command\/Base64|Basic\/ReverseShell|Basic\/TomcatMemshell|Basic\/JBossMemshell|Basic\/WebsphereMemshell|Basic\/SpringMemshell|Basic\/Command|Deserialization\/CommonsCollectionsK|Deserialization\/CommonsBeanutils|Deserialization\/Jre8u20\/TomcatMemshell|Deserialization\/CVE_2020_2555\/WeblogicMemshell|TomcatBypass|GroovyBypass|WebsphereBypass"),4,0) | eval keywords = if(match(_raw,"(?i)\$\{ctx\:loginId\}|\$\{map\:type\}|\$\{filename\}|\$\{date\:MM-dd-yyyy\}|\$\{docker\:containerId\}|\$\{docker\:containerName\}|\$\{docker\:imageName\}|\$\{env\:USER\}|\$\{event\:Marker\}|\$\{mdc\:UserId\}|\$\{java\:runtime\}|\$\{java\:vm\}|\$\{java\:os\}|\$\{jndi\:logging/context-name\}|\$\{hostName\}|\$\{docker\:containerId\}|\$\{k8s\:accountName\}|\$\{k8s\:clusterName\}|\$\{k8s\:containerId\}|\$\{k8s\:containerName\}|\$\{k8s\:host\}|\$\{k8s\:labels.app\}|\$\{k8s\:labels.podTemplateHash\}|\$\{k8s\:masterUrl\}|\$\{k8s\:namespaceId\}|\$\{k8s\:namespaceName\}|\$\{k8s\:podId\}|\$\{k8s\:podIp\}|\$\{k8s\:podName\}|\$\{k8s\:imageId\}|\$\{k8s\:imageName\}|\$\{log4j\:configLocation\}|\$\{log4j\:configParentLocation\}|\$\{spring\:spring.application.name\}|\$\{main\:myString\}|\$\{main\:0\}|\$\{main\:1\}|\$\{main\:2\}|\$\{main\:3\}|\$\{main\:4\}|\$\{main\:bar\}|\$\{name\}|\$\{marker\}|\$\{marker\:name\}|\$\{spring\:profiles.active[0]|\$\{sys\:logPath\}|\$\{web\:rootDir\}|\$\{sys\:user.name\}"),4,0) | eval obf = if(match(_raw, "(\$|%24)[^ /]*({|%7b)[^ /]*(j|%6a)[^ /]*(n|%6e)[^ /]*(d|%64)[^ /]*(i|%69)[^ /]*(:|%3a)[^ /]*(:|%3a)[^ /]*(/|%2f)"),5,0) | eval lookups = if(match(_raw, "(?i)({|%7b)(main|sys|k8s|spring|lower|upper|env|date|sd)"),4,0) | addtotals fieldname=Score, jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, obf, lookups | where Score > 2 | stats values(Score) by jndi, jndi_proto, env_var, uridetect, all_match, jndi_fastmatch, keywords, lookups, obf, dest, src, http_method, _raw | `hunting_for_log4shell_filter`ICACLS Grant Command
The following analytic detects the use of the ICACLS command to grant
additional access permissions to files or directories. It leverages data from Endpoint
Detection and Response (EDR) agents, focusing on specific process names and command-line
arguments. This activity is significant because it is commonly used by Advanced
Persistent Threats (APTs) and coinminer scripts to evade detection and maintain
control over compromised systems. If confirmed malicious, this behavior could allow
attackers to manipulate file permissions, potentially leading to unauthorized access,
data exfiltration, or further system compromise.
Show query
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where
Processes.process_name IN ( "icacls.exe", "cacls.exe", "xcacls.exe") AND
Processes.process IN ("*/grant*", "*/g:*", "*/g *")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `icacls_grant_command_filter`
Icacls Deny Command
The following analytic detects instances where an adversary modifies
security permissions of a file or directory using commands like "icacls.exe", "cacls.exe",
or "xcacls.exe" with deny options. It leverages data from Endpoint Detection and
Response (EDR) agents, focusing on process names and command-line executions. This
activity is significant as it is commonly used by Advanced Persistent Threats (APTs)
and coinminer scripts to evade detection and impede access to critical files. If
confirmed malicious, this could allow attackers to maintain persistence and hinder
incident response efforts.
Show query
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where
Processes.process_name IN ( "icacls.exe", "cacls.exe", "xcacls.exe") AND
Processes.process IN ("*/deny*", "*/d:*", "*/d ")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `icacls_deny_command_filter`
IcedID Exfiltrated Archived File Creation
The following analytic detects the creation of suspicious files named passff.tar and cookie.tar, which are indicative of archived stolen browser information such as history and cookies on a machine compromised with IcedID. It leverages Sysmon EventCode 11 to identify these specific filenames. This activity is significant because it suggests that sensitive browser data has been exfiltrated, which could lead to further exploitation or data breaches. If confirmed malicious, this could allow attackers to access personal information, conduct further phishing attacks, or escalate their presence within the network.
Show query
| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\passff.tar" OR Filesystem.file_path="*\\cookie.tar" by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `icedid_exfiltrated_archived_file_creation_filter`
Impacket Lateral Movement Commandline Parameters
The following analytic identifies the use of suspicious command-line parameters associated with Impacket tools, such as `wmiexec.py`, `smbexec.py`, `dcomexec.py`, and `atexec.py`, which are used for lateral movement and remote code execution. It detects these activities by analyzing process execution logs from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns. This activity is significant because Impacket tools are commonly used by adversaries and Red Teams to move laterally within a network. If confirmed malicious, this could allow attackers to execute commands remotely, potentially leading to further compromise and data exfiltration.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process = "*/Q /c * \\\\127.0.0.1\\*$*" AND Processes.process IN ("*2>&1*","*2>&1*")) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_commandline_parameters_filter`Impacket Lateral Movement WMIExec Commandline Parameters
The following analytic detects the use of Impacket's `wmiexec.py` tool for lateral movement by identifying specific command-line parameters. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on processes spawned by `wmiprvse.exe` with command-line patterns indicative of Impacket usage. This activity is significant as Impacket tools are commonly used by adversaries for remote code execution and lateral movement within a network. If confirmed malicious, this could allow attackers to execute arbitrary commands on remote systems, potentially leading to further compromise and data exfiltration.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | where match(process, "(?i)cmd\.exe\s+\/Q\s+\/c") AND match(process, "\\\\127\.0\.0\.1\\.*") AND match(process, "__\\d{1,10}\\.\\d{1,10}") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `impacket_lateral_movement_wmiexec_commandline_parameters_filter`Impacket Lateral Movement smbexec CommandLine Parameters
The following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of Impacket tool usage. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement. If confirmed malicious, this activity could allow attackers to execute commands on remote endpoints, potentially leading to unauthorized access, data exfiltration, or further compromise of the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | where match(process, "(?i)cmd\.exe\s+\/Q\s+\/c") AND match(process,"(?i)echo\s+cd") AND match(process, "(?i)\\__output") AND match(process, "(?i)C:\\\\Windows\\\\[a-zA-Z]{1,8}\\.bat") AND match(process, "\\\\127\.0\.0\.1\\.*") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `impacket_lateral_movement_smbexec_commandline_parameters_filter`Interactive Session on Remote Endpoint with PowerShell
The following analytic detects the use of the `Enter-PSSession` cmdlet to establish an interactive session on a remote endpoint via the WinRM protocol. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity by searching for specific script block text patterns. This behavior is significant as it may indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this activity could allow attackers to execute commands remotely, potentially leading to further compromise of the network and unauthorized access to sensitive information.
Show query
`powershell` EventCode=4104 (ScriptBlockText="*Enter-PSSession*" AND ScriptBlockText="*-ComputerName*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `interactive_session_on_remote_endpoint_with_powershell_filter`Internal Horizontal Port Scan
This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.
Show query
| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone values(All_Traffic.src_port) as src_port count FROM datamodel=Network_Traffic
WHERE All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
BY All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip
All_Traffic.transport All_Traffic.rule span=1s
_time
| `drop_dm_object_name("All_Traffic")`
| eval gtime=_time
| bin span=1h gtime
| stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone
BY src_ip dest_port gtime
transport
| where totalDestIPCount>=250
| eval dest_port=transport + "/" + dest_port
| stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone
BY src_ip gtime
| fields - gtime
| `internal_horizontal_port_scan_filter`Internal Horizontal Port Scan NMAP Top 20
This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using on of the NMAP top 20 ports. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, potentially signaling malicious intent or misconfiguration. By monitoring network traffic logs, this detection helps detect and respond to such behavior promptly, enhancing network security and preventing potential threats.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
dc(All_Traffic.dest_ip) as totalDestIPCount
values(All_Traffic.action) as action
values(All_Traffic.dest_zone) as dest_zone
values(All_Traffic.rule) as rule
values(All_Traffic.src_category) as src_category
values(All_Traffic.src_port) as src_port
values(All_Traffic.src_zone) as src_zone
from datamodel=Network_Traffic where
All_Traffic.src_ip IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
)
All_Traffic.dest_port IN (
21, 22, 23, 25, 53, 80, 110, 111,
135, 139, 143, 443, 445, 993, 995,
1723, 3306, 3389, 5900, 8080
)
by span=1h _time
All_Traffic.src_ip All_Traffic.dest_port
All_Traffic.transport
| `drop_dm_object_name("All_Traffic")`
| where totalDestIPCount>=250
| eval dest_port=transport + "/" + dest_port
| stats min(firstTime) as firstTime
max(lastTime) as lastTime
dc(dest_port) as num_ports_scanned
sum(totalDestIPCount) as totalDestIPCount
values(action) as action
values(dest_port) as dest_ports
values(dest_zone) as dest_zone
values(rule) as rule
values(src_category) as src_category
values(src_zone) as src_zone
by _time src_ip
| fields - _time
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `internal_horizontal_port_scan_nmap_top_20_filter`
Internal Vertical Port Scan
This analytic detects instances where an internal host attempts to communicate with over 500 ports on a single destination IP address. It includes filtering criteria to exclude applications performing scans over ephemeral port ranges, focusing on potential reconnaissance or scanning activities. Monitoring network traffic logs allows for timely detection and response to such behavior, enhancing network security by identifying and mitigating potential threats promptly.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
values(All_Traffic.action) as action
values(All_Traffic.src_category) as src_category
values(All_Traffic.dest_zone) as dest_zone
values(All_Traffic.src_zone) as src_zone
from datamodel=Network_Traffic where
All_Traffic.src_ip IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
)
by span=1s _time
All_Traffic.src_ip All_Traffic.dest_port
All_Traffic.dest_ip All_Traffic.transport
All_Traffic.rule
| `drop_dm_object_name("All_Traffic")`
| eval gtime=_time
| bin span=1h gtime
| stats min(_time) as _time
values(action) as action
dc(eval(if(dest_port<1024 AND transport="tcp",dest_port,null))) as privilegedDestTcpPortCount
dc(eval(if(transport="tcp",dest_port,null))) as totalDestTcpPortCount
dc(eval(if(dest_port<1024 AND transport="udp",dest_port,null))) as privilegedDestUdpPortCount
dc(eval(if(transport="udp",dest_port,null))) as totalDestUdpPortCount
values(src_category) as src_category
values(dest_zone) as dest_zone
values(src_zone) as src_zone
by src_ip dest_ip transport gtime
| eval totalDestPortCount=totalDestUdpPortCount+totalDestTcpPortCount,
privilegedDestPortCount=privilegedDestTcpPortCount+privilegedDestUdpPortCount
| where (totalDestPortCount>=500 AND privilegedDestPortCount>=20)
| fields - gtime
| `internal_vertical_port_scan_filter`
Internal Vulnerability Scan
This analytic detects internal hosts triggering multiple IDS signatures, which may include either more than 25 signatures against a single host or a single signature across over 25 destination IP addresses. Such patterns can indicate active vulnerability scanning activities within the network. By monitoring IDS logs, this detection helps identify and respond to potential vulnerability scanning attempts, enhancing the network's security posture and preventing potential exploits.
Show query
| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) as dest_category count FROM datamodel=Intrusion_Detection.IDS_Attacks
WHERE IDS_Attacks.src IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, high, medium)
BY IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature
IDS_Attacks.dest IDS_Attacks.dest_port IDS_Attacks.transport
span=1s _time
| `drop_dm_object_name("IDS_Attacks")`
| eval gtime=_time
| bin span=1h gtime
| eventstats count as sevCount
BY severity src
| eventstats count as sigCount
BY signature src
| eval severity=severity +"("+sevCount+")"
| eval signature=signature +"("+sigCount+")"
| eval dest_port=transport + "/" + dest_port
| stats min(_time) as _time values(action) as action dc(dest) as destCount dc(signature) as sigCount values(signature) values(src_category) as src_category values(dest_category) as dest_category values(severity) as severity values(dest_port) as dest_ports
BY src gtime
| fields - gtime
| where destCount>25 OR sigCount>25
| `internal_vulnerability_scan_filter`Ivanti Connect Secure Command Injection Attempts
The following analytic identifies attempts to exploit the CVE-2023-46805 and CVE-2024-21887 vulnerabilities in Ivanti Connect Secure. It detects POST requests to specific URIs that leverage command injection to execute arbitrary commands. The detection uses the Web datamodel to monitor for these requests and checks for a 200 OK response, indicating a successful exploit attempt. This activity is significant as it can lead to unauthorized command execution on the server. If confirmed malicious, attackers could gain control over the system, leading to potential data breaches or further network compromise.
Show query
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url IN("*/api/v1/totp/user-backup-code/../../system/maintenance/archiving/cloud-server-test-connection*","*/api/v1/totp/user-backup-code/../../license/keys-status/*") Web.http_method IN ("POST", "GET") Web.status=200
BY Web.src, Web.dest, Web.http_user_agent,
Web.url, Web.http_method, Web.status
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ivanti_connect_secure_command_injection_attempts_filter`Ivanti Connect Secure SSRF in SAML Component
The following analytic identifies POST requests targeting endpoints vulnerable to the SSRF issue (CVE-2024-21893) in Ivanti's products. It leverages the Web data model, focusing on endpoints such as /dana-ws/saml20.ws, /dana-ws/saml.ws, /dana-ws/samlecp.ws, and /dana-na/auth/saml-logout.cgi. The detection filters for POST requests that received an HTTP 200 OK response, indicating successful execution. This activity is significant as it may indicate an attempt to exploit SSRF vulnerabilities, potentially allowing attackers to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access and data exfiltration.
Show query
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url IN ("*/dana-ws/saml20.ws*","*/dana-ws/saml.ws*","*/dana-ws/samlecp.ws*","*/dana-na/auth/saml-logout.cgi/*") Web.http_method=POST Web.status=200
BY Web.src, Web.dest, Web.http_user_agent,
Web.url, Web.status, Web.http_method
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ivanti_connect_secure_ssrf_in_saml_component_filter`Showing 601-650 of 2,101