Microsoft Sentinel
3,763 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 3,763
Renamed Cloudflared.EXE Execution
Detects the execution of a renamed "cloudflared" binary.
(((CommandLine contains " tunnel " and CommandLine contains "cleanup ") and (CommandLine contains "-config " or CommandLine contains "-connector-id ")) or ((CommandLine contains " tunnel " and CommandLine contains " run ") and (CommandLine contains "-config " or CommandLine contains "-credentials-contents " or CommandLine contains "-credentials-file " or CommandLine contains "-token ")) or (CommandLine contains "-url" and CommandLine contains "tunnel") or (Hashes contains "SHA256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29" or Hashes contains "SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8" or Hashes contains "SHA256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039" or Hashes contains "SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28" or Hashes contains "SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7" or Hashes contains "SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373" or Hashes contains "SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670" or Hashes contains "SHA256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a" or Hashes contains "SHA256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0" or Hashes contains "SHA256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1" or Hashes contains "SHA256=ccd11f2328023a0e7929e845d5b6e7bc783fb4650d65faef3ae090239d4bbce2" or Hashes contains "SHA256=b6e5c5d2567ae8c69cc012ebcae30e6c9b5359d64a58d17ba75ec89f8bce71ac" or Hashes contains "SHA256=f813484ea441404f18caad96f28138e8aaf0cb256163c09c2ab8a3acab87f69f" or Hashes contains "SHA256=fc4a0802ab9c7409b892ca00636bec61e2acfc911bccfdeb9978b8ab5a2f828d" or Hashes contains "SHA256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499" or Hashes contains "SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b" or Hashes contains "SHA256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f" or Hashes contains "SHA256=e1e70fa42059911bc6685fafef957f9a73fc66f214d0704a9b932683a5204032" or Hashes contains "SHA256=c01356092a365b84f84f0e66870bd1a05ba3feb53cafd973fa5fea2534bee234" or Hashes contains "SHA256=b3f9c06151e30ee43d39e788a79cd918a314f24e04fe87f3de8272a2057b624f" or Hashes contains "SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058" or Hashes contains "SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c" or Hashes contains "SHA256=c2cfd23fdc6c0e1b1ffa0e545cbe556f18d11b362b4a89ba0713f6ab01c4827f" or Hashes contains "SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5" or Hashes contains "SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3" or Hashes contains "SHA256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4" or Hashes contains "SHA256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c" or Hashes contains "SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4" or Hashes contains "SHA256=d2513e58bb03ccc83affde685c6ef987924c37ce6707d8e9857e2524b0d7e90f" or Hashes contains "SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad" or Hashes contains "SHA256=b34b3c3a91e3165d1481f0b3ec23eab93a1cfba94345a6cbfe5b18ddbd48eac7" or Hashes contains "SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75" or Hashes contains "SHA256=b6fc9493778cbe3bfc062d73f5cc604bc0ff058bc5e5dc6aac87f3a4008b54b6" or Hashes contains "SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688" or Hashes contains "SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f" or Hashes contains "SHA256=d3a0e1a79158f3985cd49607ebe0cdfcc49cb9af96b8f43aefd0cdfe2f22e663" or Hashes contains "SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77" or Hashes contains "SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078")) and (not((Image endswith "\\cloudflared.exe" or Image endswith "\\cloudflared-windows-386.exe" or Image endswith "\\cloudflared-windows-amd64.exe")))
Renamed CreateDump Utility Execution
Detects the use of a renamed legitimate createdump.exe LOLBIN utility to dump process memory.
(OriginalFileName =~ "FX_VER_INTERNALNAME_STR" or ((CommandLine contains " -u " and CommandLine contains " -f " and CommandLine contains ".dmp") or (CommandLine contains " --full " and CommandLine contains " --name " and CommandLine contains ".dmp"))) and (not(Image endswith "\\createdump.exe"))
Renamed Gpg.EXE Execution
Detects the execution of a renamed "gpg.exe". Often used by ransomware and loaders to decrypt/encrypt data.
OriginalFileName =~ "gpg.exe" and (not((Image endswith "\\gpg.exe" or Image endswith "\\gpg2.exe")))
Renamed Jusched.EXE Execution
Detects the execution of a renamed "jusched.exe", as seen used by the Cobalt group.
(Description in~ ("Java Update Scheduler", "Java(TM) Update Scheduler")) and (not(Image endswith "\\jusched.exe"))
Renamed Mavinject.EXE Execution
Detects the execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag.
(OriginalFileName in~ ("mavinject32.exe", "mavinject64.exe")) and (not((Image endswith "\\mavinject32.exe" or Image endswith "\\mavinject64.exe")))
Renamed MegaSync Execution
Detects the execution of a renamed MegaSync.exe as seen used by ransomware families like Nefilim, Sodinokibi, Pysa, and Conti.
OriginalFileName =~ "megasync.exe" and (not(Image endswith "\\megasync.exe"))
Renamed Msdt.EXE Execution
Detects the execution of a renamed "Msdt.exe" binary.
OriginalFileName =~ "msdt.exe" and (not(Image endswith "\\msdt.exe"))
Microsoft Sentinel · Converted · KQL · high
Renamed NetSupport RAT Execution
Detects the execution of a renamed "client32.exe" (NetSupport RAT) via its Imphash, Product and OriginalFileName strings.
(Product contains "NetSupport Remote Control" or OriginalFileName contains "client32.exe" or Hashes contains "IMPHASH=A9D50692E95B79723F3E76FCF70D023E") and (not(Image endswith "\\client32.exe"))
Renamed NirCmd.EXE Execution
Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
OriginalFileName =~ "NirCmd.exe" and (not((Image endswith "\\nircmd.exe" or Image endswith "\\nircmdc.exe")))
Renamed Office Binary Execution
Detects the execution of a renamed Office binary.
((OriginalFileName in~ ("Excel.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "WinWord.exe", "Olk.exe")) or (Description in~ ("Microsoft Access", "Microsoft Excel", "Microsoft OneNote", "Microsoft Outlook", "Microsoft PowerPoint", "Microsoft Publisher", "Microsoft Word", "Sent to OneNote Tool"))) and (not((Image endswith "\\EXCEL.exe" or Image endswith "\\excelcnv.exe" or Image endswith "\\MSACCESS.exe" or Image endswith "\\MSPUB.EXE" or Image endswith "\\ONENOTE.EXE" or Image endswith "\\ONENOTEM.EXE" or Image endswith "\\OUTLOOK.EXE" or Image endswith "\\POWERPNT.EXE" or Image endswith "\\WINWORD.exe" or Image endswith "\\OLK.EXE")))
Renamed PAExec Execution
Detects the execution of a renamed version of PAExec, which is often used by attackers.
(Description =~ "PAExec Application" or OriginalFileName =~ "PAExec.exe" or Product contains "PAExec" or (Hashes contains "IMPHASH=11D40A7B7876288F919AB819CC2D9802" or Hashes contains "IMPHASH=6444f8a34e99b8f7d9647de66aabe516" or Hashes contains "IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f" or Hashes contains "IMPHASH=1a6cca4d5460b1710a12dea39e4a592c")) and (not((Image endswith "\\paexec.exe" or Image startswith "C:\\Windows\\PAExec-")))
Renamed PingCastle Binary Execution
Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
((OriginalFileName in~ ("PingCastleReporting.exe", "PingCastleCloud.exe", "PingCastle.exe")) or (CommandLine contains "--scanner aclcheck" or CommandLine contains "--scanner antivirus" or CommandLine contains "--scanner computerversion" or CommandLine contains "--scanner foreignusers" or CommandLine contains "--scanner laps_bitlocker" or CommandLine contains "--scanner localadmin" or CommandLine contains "--scanner nullsession" or CommandLine contains "--scanner nullsession-trust" or CommandLine contains "--scanner oxidbindings" or CommandLine contains "--scanner remote" or CommandLine contains "--scanner share" or CommandLine contains "--scanner smb" or CommandLine contains "--scanner smb3querynetwork" or CommandLine contains "--scanner spooler" or CommandLine contains "--scanner startup" or CommandLine contains "--scanner zerologon") or CommandLine contains "--no-enum-limit" or (CommandLine contains "--healthcheck" and CommandLine contains "--level Full") or (CommandLine contains "--healthcheck" and CommandLine contains "--server ")) and (not((Image endswith "\\PingCastleReporting.exe" or Image endswith "\\PingCastleCloud.exe" or Image endswith "\\PingCastle.exe")))
Renamed Plink Execution
Detects the execution of a renamed version of the Plink binary.
(OriginalFileName =~ "Plink" or (CommandLine contains " -l forward" and CommandLine contains " -P " and CommandLine contains " -R ")) and (not(Image endswith "\\plink.exe"))
Renamed ProcDump Execution
Detects the execution of a renamed ProcDump executable.
This is often done by attackers or malware in order to evade defensive mechanisms.
(OriginalFileName =~ "procdump" or ((CommandLine contains " -ma " or CommandLine contains " /ma " or CommandLine contains " –ma " or CommandLine contains " —ma " or CommandLine contains " ―ma " or CommandLine contains " -mp " or CommandLine contains " /mp " or CommandLine contains " –mp " or CommandLine contains " —mp " or CommandLine contains " ―mp ") and (CommandLine contains " -accepteula" or CommandLine contains " /accepteula" or CommandLine contains " –accepteula" or CommandLine contains " —accepteula" or CommandLine contains " ―accepteula"))) and (not((Image endswith "\\procdump.exe" or Image endswith "\\procdump64.exe")))
Renamed PsExec Service Execution
Detects the suspicious launch of a renamed version of the PSEXESVC service, which is not often used by legitimate administrators.
OriginalFileName =~ "psexesvc.exe" and (not(Image =~ "C:\\Windows\\PSEXESVC.exe"))
Renamed Schtasks Execution
Detects the execution of a renamed schtasks.exe binary, which is a legitimate Windows utility used for scheduling tasks.
One of the most common persistence techniques is scheduling malicious tasks using schtasks.exe.
Since it is heavily abused, it is also heavily monitored by security products. To evade detection, threat actors may rename the schtasks.exe binary to schedule their malicious tasks.
(((CommandLine contains " -create " or CommandLine contains " /create " or CommandLine contains " –create " or CommandLine contains " —create " or CommandLine contains " ―create " or CommandLine contains " -delete " or CommandLine contains " /delete " or CommandLine contains " –delete " or CommandLine contains " —delete " or CommandLine contains " ―delete " or CommandLine contains " -query " or CommandLine contains " /query " or CommandLine contains " –query " or CommandLine contains " —query " or CommandLine contains " ―query " or CommandLine contains " -change " or CommandLine contains " /change " or CommandLine contains " –change " or CommandLine contains " —change " or CommandLine contains " ―change " or CommandLine contains " -run " or CommandLine contains " /run " or CommandLine contains " –run " or CommandLine contains " —run " or CommandLine contains " ―run " or CommandLine contains " -end " or CommandLine contains " /end " or CommandLine contains " –end " or CommandLine contains " —end " or CommandLine contains " ―end ") and (CommandLine contains " -tn " or CommandLine contains " /tn " or CommandLine contains " –tn " or CommandLine contains " —tn " or CommandLine contains " ―tn " or CommandLine contains " -tr " or CommandLine contains " /tr " or CommandLine contains " –tr " or CommandLine contains " —tr " or CommandLine contains " ―tr " or CommandLine contains " -sc " or CommandLine contains " /sc " or CommandLine contains " –sc " or CommandLine contains " —sc " or CommandLine contains " ―sc " or CommandLine contains " -st " or CommandLine contains " /st " or CommandLine contains " –st " or CommandLine contains " —st " or CommandLine contains " ―st " or CommandLine contains " -ru " or CommandLine contains " /ru " or CommandLine contains " –ru " or CommandLine contains " —ru " or CommandLine contains " ―ru " or CommandLine contains " -fo " or CommandLine contains " /fo " or CommandLine contains " –fo " or CommandLine contains " —fo " or CommandLine contains " ―fo ")) and (not(CommandLine contains "schtasks"))) or (OriginalFileName =~ "schtasks.exe" and (not(Image endswith "\\schtasks.exe")))
Renamed SysInternals DebugView Execution
Detects suspicious execution of a renamed SysInternals DebugView.
Product =~ "Sysinternals DebugView" and (not((OriginalFileName =~ "Dbgview.exe" and Image endswith "\\Dbgview.exe")))
Renamed Sysinternals Sdelete Execution
Detects the use of a renamed SysInternals Sdelete; renaming the binary is something an administrator should not normally do.
OriginalFileName =~ "sdelete.exe" and (not((Image endswith "\\sdelete.exe" or Image endswith "\\sdelete64.exe")))
Renamed Visual Studio Code Tunnel Execution
Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel.
(((isnull(OriginalFileName) and CommandLine endswith ".exe tunnel") or (CommandLine contains ".exe tunnel" and CommandLine contains "--accept-server-license-terms") or (CommandLine contains "tunnel " and CommandLine contains "service" and CommandLine contains "internal-run" and CommandLine contains "tunnel-service.log")) and (not((Image endswith "\\code-tunnel.exe" or Image endswith "\\code.exe")))) or ((ParentCommandLine endswith " tunnel" and Image endswith "\\cmd.exe" and (CommandLine contains "/d /c " and CommandLine contains "\\servers\\Stable-" and CommandLine contains "code-server.cmd")) and (not((ParentImage endswith "\\code-tunnel.exe" or ParentImage endswith "\\code.exe"))))
Renamed Vmnat.exe Execution
Detects a renamed vmnat.exe, or a portable version of it, that can be used for DLL side-loading.
OriginalFileName =~ "vmnat.exe" and (not(Image endswith "vmnat.exe"))
Renamed VsCode Code Tunnel Execution - File Indicator
Detects the creation of a file with the name "code_tunnel.json", which indicates execution and usage of the VsCode tunneling utility by an "Image" or "Process" other than VsCode.
TargetFilename endswith "\\code_tunnel.json" and (not((Image endswith "\\code-tunnel.exe" or Image endswith "\\code.exe")))
Renamed ZOHO Dctask64 Execution
Detects a renamed "dctask64.exe" execution, a binary signed by ZOHO Corporation that is part of ManageEngine Endpoint Central.
This binary can be abused for DLL injection and arbitrary command and process execution.
(Hashes contains "IMPHASH=6834B1B94E49701D77CCB3C0895E1AFD" or Hashes contains "IMPHASH=1BB6F93B129F398C7C4A76BB97450BBA" or Hashes contains "IMPHASH=FAA2AC19875FADE461C8D89DCF2710A3" or Hashes contains "IMPHASH=F1039CED4B91572AB7847D26032E6BBF") and (not(Image endswith "\\dctask64.exe"))
Replay Attack Detected
Detects a possible Kerberos replay attack on the domain controllers, signalled when a "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client.
EventID == 4649
Restore Public AWS RDS Instance
Detects the restoration of a new publicly accessible database instance from a snapshot. It may be part of data exfiltration.
eventSource =~ "rds.amazonaws.com" and ['responseElements.publiclyAccessible'] =~ "true" and eventName =~ "RestoreDBInstanceFromDBSnapshot"
Restricted Software Access By SRP
Detects application access restricted by Software Restriction Policies (SRP).
Provider_Name =~ "Microsoft-Windows-SoftwareRestrictionPolicies" and (EventID in~ ("865", "866", "867", "868", "882"))
RestrictedAdminMode Registry Value Tampering
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
TargetObject endswith "System\\CurrentControlSet\\Control\\Lsa\\DisableRestrictedAdmin"
RestrictedAdminMode Registry Value Tampering - ProcCreation
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromised.
CommandLine contains "\\System\\CurrentControlSet\\Control\\Lsa" and CommandLine contains "DisableRestrictedAdmin"
Roles Activated Too Frequently
Identifies when the same privileged role has multiple activations by the same user.
riskEventType =~ "sequentialActivationRenewalsAlertIncident"
Roles Activation Doesn't Require MFA
Identifies when a privileged role can be activated without performing MFA.
riskEventType =~ "noMfaOnRoleActivationAlertIncident"
Roles Are Not Being Used
Identifies when a user has been assigned a privileged role and is not using that role.
riskEventType =~ "redundantAssignmentAlertIncident"
Roles Assigned Outside PIM
Identifies when a privileged role assignment has taken place outside of PIM, which may indicate an attack.
riskEventType =~ "rolesAssignedOutsidePrivilegedIdentityManagementAlertConfiguration"
Root Certificate Installed From Susp Locations
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers.
(CommandLine contains "Import-Certificate" and CommandLine contains " -FilePath " and CommandLine contains "Cert:\\LocalMachine\\Root") and (CommandLine contains "\\AppData\\Local\\Temp\\" or CommandLine contains ":\\Windows\\TEMP\\" or CommandLine contains "\\Desktop\\" or CommandLine contains "\\Downloads\\" or CommandLine contains "\\Perflogs\\" or CommandLine contains ":\\Users\\Public\\")
RottenPotato Like Attack Pattern
Detects logon events that have the characteristics of events generated during an attack with RottenPotato and similar tools.
EventID == 4624 and LogonType == 3 and TargetUserName =~ "ANONYMOUS LOGON" and WorkstationName =~ "-" and (IpAddress in~ ("127.0.0.1", "::1"))
Run PowerShell Script from ADS
Detects PowerShell script execution from an Alternate Data Stream (ADS).
(ParentImage endswith "\\powershell.exe" or ParentImage endswith "\\pwsh.exe") and (Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe") and (CommandLine contains "Get-Content" and CommandLine contains "-Stream")
Run PowerShell Script from Redirected Input Stream
Detects PowerShell script execution via an input stream redirect.
(Image endswith "\\powershell.exe" or Image endswith "\\pwsh.exe") and CommandLine matches regex "\\s-\\s*<"
RunDLL32 Spawning Explorer
Detects RunDLL32.exe spawning explorer.exe as a child process, which is very uncommon; Gamarue has often been observed spawning the explorer.exe process in this unusual way.
(ParentImage endswith "\\rundll32.exe" and Image endswith "\\explorer.exe") and (not(ParentCommandLine contains "\\shell32.dll,Control_RunDLL"))
RunMRU Registry Key Deletion
Detects deletion of the RunMRU registry key, which stores the history of commands executed via the Run dialog.
In ClickFix techniques, phishing lures instruct users to open the Run dialog (Win + R) and execute malicious commands.
Adversaries may delete this key to cover their tracks after executing commands.
(Image endswith "\\reg.exe" or OriginalFileName =~ "reg.exe") and (CommandLine contains " del" and CommandLine contains "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU")
RunMRU Registry Key Deletion - Registry
Detects attempts to delete the RunMRU registry key, which stores the history of commands executed via the Run dialog.
In ClickFix techniques, phishing lures instruct users to open the Run dialog (Win + R) and execute malicious commands.
Adversaries may delete this key to cover their tracks after executing commands.
TargetObject endswith "\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"
Rundll32 Execution Without CommandLine Parameters
Detects a suspicious start of rundll32.exe without any parameters, as found in Cobalt Strike beacon activity.
(CommandLine endswith "\\rundll32.exe" or CommandLine endswith "\\rundll32.exe\"" or CommandLine endswith "\\rundll32") and (not((ParentImage contains "\\AppData\\Local\\" or ParentImage contains "\\Microsoft\\Edge\\")))
Rundll32 Execution Without Parameters
Detects rundll32 execution without parameters, as observed when running the Metasploit windows/smb/psexec exploit module.
CommandLine in~ ("rundll32.exe", "rundll32")
Rundll32 Registered COM Objects
Detects the use of rundll32 to load malicious registered COM objects.
(Image endswith "\\rundll32.exe" or OriginalFileName =~ "RUNDLL32.EXE") and ((CommandLine contains "-sta " or CommandLine contains "-localserver ") and (CommandLine contains "{" and CommandLine contains "}"))
Rundll32 UNC Path Execution
Detects rundll32 execution where the DLL is located on a remote location (share).
(Image endswith "\\rundll32.exe" or OriginalFileName =~ "RUNDLL32.EXE" or CommandLine contains "rundll32") and CommandLine contains " \\\\"
Running Chrome VPN Extensions via the Registry 2 VPN Extension
Detects Chrome VPN extensions being installed via the registry, by matching the extension "update_url" value under the Chrome Extensions key against a list of known VPN extension IDs.
(TargetObject contains "Software\\Wow6432Node\\Google\\Chrome\\Extensions" and TargetObject endswith "update_url") and (TargetObject contains "fdcgdnkidjaadafnichfpabhfomcebme" or TargetObject contains "fcfhplploccackoneaefokcmbjfbkenj" or TargetObject contains "bihmplhobchoageeokmgbdihknkjbknd" or TargetObject contains "gkojfkhlekighikafcpjkiklfbnlmeio" or TargetObject contains "jajilbjjinjmgcibalaakngmkilboobh" or TargetObject contains "gjknjjomckknofjidppipffbpoekiipm" or TargetObject contains "nabbmpekekjknlbkgpodfndbodhijjem" or TargetObject contains "kpiecbcckbofpmkkkdibbllpinceiihk" or TargetObject contains "nlbejmccbhkncgokjcmghpfloaajcffj" or TargetObject contains "omghfjlpggmjjaagoclmmobgdodcjboh" or TargetObject contains "bibjcjfmgapbfoljiojpipaooddpkpai" or TargetObject contains "mpcaainmfjjigeicjnlkdfajbioopjko" or TargetObject contains "jljopmgdobloagejpohpldgkiellmfnc" or TargetObject contains "lochiccbgeohimldjooaakjllnafhaid" or TargetObject contains "nhnfcgpcbfclhfafjlooihdfghaeinfc" or TargetObject contains "ookhnhpkphagefgdiemllfajmkdkcaim" or TargetObject contains "namfblliamklmeodpcelkokjbffgmeoo" or TargetObject contains "nbcojefnccbanplpoffopkoepjmhgdgh" or TargetObject contains "majdfhpaihoncoakbjgbdhglocklcgno" or TargetObject contains "lnfdmdhmfbimhhpaeocncdlhiodoblbd" or TargetObject contains "eppiocemhmnlbhjplcgkofciiegomcon" or TargetObject contains "cocfojppfigjeefejbpfmedgjbpchcng" or TargetObject contains "foiopecknacmiihiocgdjgbjokkpkohc" or TargetObject contains "hhdobjgopfphlmjbmnpglhfcgppchgje" or TargetObject contains "jgbaghohigdbgbolncodkdlpenhcmcge" or TargetObject contains "inligpkjkhbpifecbdjhmdpcfhnlelja" or TargetObject contains "higioemojdadgdbhbbbkfbebbdlfjbip" or TargetObject contains "hipncndjamdcmphkgngojegjblibadbe" or TargetObject contains "iolonopooapdagdemdoaihahlfkncfgg" or TargetObject contains "nhfjkakglbnnpkpldhjmpmmfefifedcj" or TargetObject contains "jpgljfpmoofbmlieejglhonfofmahini" or TargetObject contains "fgddmllnllkalaagkghckoinaemmogpe" or TargetObject contains "ejkaocphofnobjdedneohbbiilggdlbi" or TargetObject contains "keodbianoliadkoelloecbhllnpiocoi" or TargetObject contains "hoapmlpnmpaehilehggglehfdlnoegck" or TargetObject contains "poeojclicodamonabcabmapamjkkmnnk" or TargetObject contains "dfkdflfgjdajbhocmfjolpjbebdkcjog" or TargetObject contains "kcdahmgmaagjhocpipbodaokikjkampi" or TargetObject contains "klnkiajpmpkkkgpgbogmcgfjhdoljacg" or TargetObject contains "lneaocagcijjdpkcabeanfpdbmapcjjg" or TargetObject contains "pgfpignfckbloagkfnamnolkeaecfgfh" or TargetObject contains "jplnlifepflhkbkgonidnobkakhmpnmh" or TargetObject contains "jliodmnojccaloajphkingdnpljdhdok" or TargetObject contains "hnmpcagpplmpfojmgmnngilcnanddlhb" or TargetObject contains "ffbkglfijbcbgblgflchnbphjdllaogb" or TargetObject contains "kcndmbbelllkmioekdagahekgimemejo" or TargetObject contains "jdgilggpfmjpbodmhndmhojklgfdlhob" or TargetObject contains "bihhflimonbpcfagfadcnbbdngpopnjb" or TargetObject contains "ppajinakbfocjfnijggfndbdmjggcmde" or TargetObject contains "oofgbpoabipfcfjapgnbbjjaenockbdp" or TargetObject contains "bhnhkdgoefpmekcgnccpnhjfdgicfebm" or TargetObject contains "knmmpciebaoojcpjjoeonlcjacjopcpf" or TargetObject contains "dhadilbmmjiooceioladdphemaliiobo" or TargetObject contains "jedieiamjmoflcknjdjhpieklepfglin" or TargetObject contains "mhngpdlhojliikfknhfaglpnddniijfh" or TargetObject contains "omdakjcmkglenbhjadbccaookpfjihpa" or TargetObject contains "npgimkapccfidfkfoklhpkgmhgfejhbj" or TargetObject contains "akeehkgglkmpapdnanoochpfmeghfdln" or TargetObject contains "gbmdmipapolaohpinhblmcnpmmlgfgje" or TargetObject contains "aigmfoeogfnljhnofglledbhhfegannp" or TargetObject contains "cgojmfochfikphincbhokimmmjenhhgk" or TargetObject contains "ficajfeojakddincjafebjmfiefcmanc" or TargetObject contains "ifnaibldjfdmaipaddffmgcmekjhiloa" or TargetObject contains "jbnmpdkcfkochpanomnkhnafobppmccn" or TargetObject contains "apcfdffemoinopelidncddjbhkiblecc" or TargetObject contains "mjolnodfokkkaichkcjipfgblbfgojpa" or TargetObject contains "oifjbnnafapeiknapihcmpeodaeblbkn" or TargetObject contains "plpmggfglncceinmilojdkiijhmajkjh" or TargetObject contains "mjnbclmflcpookeapghfhapeffmpodij" or TargetObject contains "bblcccknbdbplgmdjnnikffefhdlobhp" or TargetObject contains "aojlhgbkmkahabcmcpifbolnoichfeep" or TargetObject contains "lcmammnjlbmlbcaniggmlejfjpjagiia" or TargetObject contains "knajdeaocbpmfghhmijicidfcmdgbdpm" or TargetObject contains "bdlcnpceagnkjnjlbbbcepohejbheilk" or TargetObject contains "edknjdjielmpdlnllkdmaghlbpnmjmgb" or TargetObject contains "eidnihaadmmancegllknfbliaijfmkgo" or TargetObject contains "ckiahbcmlmkpfiijecbpflfahoimklke" or TargetObject contains "macdlemfnignjhclfcfichcdhiomgjjb" or TargetObject contains "chioafkonnhbpajpengbalkececleldf" or TargetObject contains "amnoibeflfphhplmckdbiajkjaoomgnj" or TargetObject contains "llbhddikeonkpbhpncnhialfbpnilcnc" or TargetObject contains "pcienlhnoficegnepejpfiklggkioccm" or TargetObject contains "iocnglnmfkgfedpcemdflhkchokkfeii" or TargetObject contains "igahhbkcppaollcjeaaoapkijbnphfhb" or TargetObject contains "njpmifchgidinihmijhcfpbdmglecdlb" or TargetObject contains "ggackgngljinccllcmbgnpgpllcjepgc" or TargetObject contains "kchocjcihdgkoplngjemhpplmmloanja" or TargetObject contains "bnijmipndnicefcdbhgcjoognndbgkep" or TargetObject contains "lklekjodgannjcccdlbicoamibgbdnmi" or TargetObject contains "dbdbnchagbkhknegmhgikkleoogjcfge" or TargetObject contains "egblhcjfjmbjajhjhpmnlekffgaemgfh" or TargetObject contains "ehbhfpfdkmhcpaehaooegfdflljcnfec" or TargetObject contains "bkkgdjpomdnfemhhkalfkogckjdkcjkg" or TargetObject contains "almalgbpmcfpdaopimbdchdliminoign" or TargetObject contains "akkbkhnikoeojlhiiomohpdnkhbkhieh" or TargetObject contains "gbfgfbopcfokdpkdigfmoeaajfmpkbnh" or TargetObject contains "bniikohfmajhdcffljgfeiklcbgffppl" or TargetObject contains "lejgfmmlngaigdmmikblappdafcmkndb" or TargetObject contains "ffhhkmlgedgcliajaedapkdfigdobcif" or TargetObject contains "gcknhkkoolaabfmlnjonogaaifnjlfnp" or TargetObject contains "pooljnboifbodgifngpppfklhifechoe" or TargetObject contains "fjoaledfpmneenckfbpdfhkmimnjocfa" or TargetObject contains "aakchaleigkohafkfjfjbblobjifikek" or TargetObject contains "dpplabbmogkhghncfbfdeeokoefdjegm" or TargetObject contains "padekgcemlokbadohgkifijomclgjgif" or TargetObject contains "bfidboloedlamgdmenmlbipfnccokknp")
SAM Registry Hive Handle Request
Detects handles requested to the SAM registry hive.
EventID == 4656 and ObjectType =~ "Key" and ObjectName endswith "\\SAM"
SAML Token Issuer Anomaly
Indicates that the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns.
riskEventType =~ "tokenIssuerAnomaly"
SMB Create Remote File Admin Share
Looks for non-system accounts accessing a file over SMB with a write (0x2) access mask via an administrative share (i.e., C$).
(EventID == 5145 and ShareName endswith "C$" and AccessMask =~ "0x2") and (not(SubjectUserName endswith "$")) and (not(IpAddress =~ "::1"))
SQL Injection Strings In URI
Detects potential SQL injection attempts via GET requests in access logs.
['cs-method'] =~ "GET" and (* contains "@@version" or * contains "%271%27%3D%271" or * contains "=select " or * contains "=select(" or * contains "=select%20" or * contains "concat_ws(" or * contains "CONCAT(0x" or * contains "from mysql.innodb_table_stats" or * contains "from%20mysql.innodb_table_stats" or * contains "group_concat(" or * contains "information_schema.tables" or * contains "json_arrayagg(" or * contains "or 1=1#" or * contains "or%201=1#" or * contains "order by " or * contains "order%20by%20" or * contains "select * " or * contains "select database()" or * contains "select version()" or * contains "select%20*%20" or * contains "select%20database()" or * contains "select%20version()" or * contains "select%28sleep%2810%29" or * contains "SELECTCHAR(" or * contains "table_schema" or * contains "UNION ALL SELECT" or * contains "UNION SELECT" or * contains "UNION%20ALL%20SELECT" or * contains "UNION%20SELECT" or * contains "'1'='1") and (not(['sc-status'] == 404))
SQLite Chromium Profile Data DB Access
Detects usage of the "sqlite" binary to query databases in Chromium-based browsers for potential data stealing.
(Product =~ "SQLite" or (Image endswith "\\sqlite.exe" or Image endswith "\\sqlite3.exe")) and (CommandLine contains "\\User Data\\" or CommandLine contains "\\Opera Software\\" or CommandLine contains "\\ChromiumViewer\\") and (CommandLine contains "Login Data" or CommandLine contains "Cookies" or CommandLine contains "Web Data" or CommandLine contains "History" or CommandLine contains "Bookmarks")
SQLite Firefox Profile Data DB Access
Detects usage of the "sqlite" binary to query databases in Firefox and other Gecko-based browsers for potential data stealing.
(Product =~ "SQLite" or (Image endswith "\\sqlite.exe" or Image endswith "\\sqlite3.exe")) and (CommandLine contains "cookies.sqlite" or CommandLine contains "places.sqlite")
SafeBoot Registry Key Deleted Via Reg.EXE
Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attackers to prevent safe-boot execution of security products.
(Image endswith "reg.exe" or OriginalFileName =~ "reg.exe") and (CommandLine contains " delete " and CommandLine contains "\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot")
Showing 1001-1050 of 3,763