Tool
Hunt pack: Agrius
1,106 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Agrius - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.
◈
Detections
50 shown of 1,106Wermgr Process Create Executable File
The following analytic detects the wermgr.exe process creating an executable file. It leverages Sysmon EventCode 11 to identify instances where wermgr.exe generates a .exe file. This behavior is unusual because wermgr.exe is typically associated with error reporting, not file creation. Such activity is significant as it may indicate TrickBot malware, which injects code into wermgr.exe to execute malicious actions like downloading additional payloads. If confirmed malicious, this could lead to further malware infections, data exfiltration, or system compromise.
Show query
`sysmon` EventCode=11 process_name = "wermgr.exe" TargetFilename = "*.exe"
| stats min(_time) as firstTime max(_time) as lastTime count
BY action dest file_name
file_path process_guid process_id
user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `wermgr_process_create_executable_file_filter`Wermgr Process Spawned CMD Or Powershell Process
The following analytic detects the spawning of cmd or PowerShell processes by the wermgr.exe process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process telemetry, including parent-child process relationships and command-line executions. This behavior is significant as it is commonly associated with code injection techniques used by malware like TrickBot to execute shellcode or malicious DLL modules. If confirmed malicious, this activity could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to system security.
Show query
| tstats `security_content_summariesonly` values(Processes.process) as cmdline min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name = "wermgr.exe" `process_cmd`
OR
`process_powershell`
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `wermgr_process_spawned_cmd_or_powershell_process_filter`WinEvent Scheduled Task Created Within Public Path
The following analytic detects the creation of scheduled tasks within user-writable paths using Windows Security EventCode 4698. It identifies tasks registered via schtasks.exe or TaskService that execute commands from directories like Public, ProgramData, Temp, and AppData. This behavior is significant as it may indicate an attempt to establish persistence or execute unauthorized commands. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, or execute arbitrary code, posing a severe threat to system integrity and security.
Show query
`wineventlog_security` EventCode=4698 TaskContent IN ( "*\\users\\public\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*" ) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TaskName, TaskContent, user | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_scheduled_task_created_within_public_path_filter`
WinEvent Scheduled Task Created to Spawn Shell
The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript. It leverages Windows Security EventCode 4698 to identify when such tasks are registered. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.
Show query
`wineventlog_security` EventCode=4698 TaskContent IN ("*powershell.exe*", "*wscript.exe*", "*cscript.exe*", "*cmd.exe*", "*sh.exe*", "*ksh.exe*", "*zsh.exe*", "*bash.exe*", "*scrcons.exe*", "*pwsh.exe*")
| stats count min(_time) as firstTime max(_time) as lastTime
BY Computer, TaskName, TaskContent
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `winevent_scheduled_task_created_to_spawn_shell_filter`WinEvent Windows Task Scheduler Event Action Started
The following analytic detects the execution of tasks registered in Windows Task Scheduler by monitoring EventID 200 (action run) and 201 (action completed) from the Task Scheduler logs. This detection leverages Task Scheduler logs to identify potentially suspicious or unauthorized task executions. Monitoring these events is significant for a SOC as it helps uncover evasive techniques used for persistence, unauthorized code execution, or other malicious activities. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or the execution of harmful payloads, posing a significant threat to the environment.
Show query
`wineventlog_task_scheduler` EventCode IN ("200","201") | stats count min(_time) as firstTime max(_time) as lastTime by TaskName dvc EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`WinRM Spawning a Process
The following analytic detects suspicious processes spawned by WinRM (wsmprovhost.exe). It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific child processes like cmd.exe, powershell.exe, and others. This activity is significant as it may indicate exploitation attempts of vulnerabilities like CVE-2021-31166, which could lead to system instability or compromise. If confirmed malicious, attackers could execute arbitrary commands, escalate privileges, or maintain persistence, posing a severe threat to the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name=wsmprovhost.exe Processes.process_name IN ("cmd.exe","sh.exe","bash.exe","powershell.exe","pwsh.exe","schtasks.exe","certutil.exe","whoami.exe","bitsadmin.exe","scp.exe")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `winrm_spawning_a_process_filter`Windows .Key File Creation in Root Directory
Detects the creation of a .key file in the root directory of the system drive.
This activity was seen with various ransomware before performing encryption of files.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Filesystem where
Filesystem.file_name="*.key"
by Filesystem.dest Filesystem.file_create_time
Filesystem.process_path Filesystem.process_guid
Filesystem.process_id Filesystem.file_path
Filesystem.action Filesystem.file_name
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| where match(file_path, "^[A-Za-z]:\\\\[^\\\\]+\.key$")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows__key_file_creation_in_root_directory_filter`Windows AD Abnormal Object Access Activity
The following analytic identifies a statistically significant increase in access to Active Directory objects, which may indicate attacker enumeration. It leverages Windows Security Event Code 4662 to monitor and analyze access patterns, comparing them against historical averages to detect anomalies. This activity is significant for a SOC because abnormal access to AD objects can be an early indicator of reconnaissance efforts by an attacker. If confirmed malicious, this behavior could lead to unauthorized access, privilege escalation, or further compromise of the Active Directory environment.
Show query
`wineventlog_security` EventCode=4662
| stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count
BY SubjectUserName
| eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev
| eval limit = round((average+(standarddev*3)),0), user = SubjectUserName
| where ObjectName_count > limit
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_ad_abnormal_object_access_activity_filter`Windows AD Privileged Object Access Activity
The following analytic detects access attempts to privileged Active Directory objects, such as Domain Admins or Enterprise Admins. It leverages Windows Security Event Code 4662 to identify when these sensitive objects are accessed. This activity is significant because such objects should rarely be accessed by normal users or processes, and unauthorized access attempts may indicate attacker enumeration or lateral movement within the domain. If confirmed malicious, this activity could allow attackers to escalate privileges, persist in the environment, or gain control over critical domain resources.
Show query
`wineventlog_security` EventCode=4662 ObjectName IN ( "CN=Account Operators,*", "CN=Administrators,*", "CN=Backup Operators,*", "CN=Cert Publishers,*", "CN=Certificate Service DCOM Access,*", "CN=Domain Admins,*", "CN=Domain Controllers,*", "CN=Enterprise Admins,*", "CN=Enterprise Read-only Domain Controllers,*", "CN=Group Policy Creator Owners,*", "CN=Incoming Forest Trust Builders,*", "CN=Microsoft Exchange Servers,*", "CN=Network Configuration Operators,*", "CN=Power Users,*", "CN=Print Operators,*", "CN=Read-only Domain Controllers,*", "CN=Replicators,*", "CN=Schema Admins,*", "CN=Server Operators,*", "CN=Exchange Trusted Subsystem,*", "CN=Exchange Windows Permission,*", "CN=Organization Management,*")
| rex field=ObjectName "CN\=(?<object_name>[^,]+)"
| stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count
BY SubjectUserName
| rename SubjectUserName as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_ad_privileged_object_access_activity_filter`Windows AD Replication Request Initiated by User Account
The following analytic detects a user account initiating an Active Directory replication request, indicative of a DCSync attack. It leverages EventCode 4662 from the Windows Security Event Log, focusing on specific object types and replication permissions. This activity is significant because it can allow an attacker with sufficient privileges to request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of the entire domain.
Show query
`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}","domainDNS")
AND Properties IN ("*Replicating Directory Changes All*","*Manage Replication Topology*","*Remove Replica In Domain*","*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*","*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*")
AND AccessMask="0x100" AND NOT (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18" OR SubjectDomainName="Window Manager" OR SubjectUserName="*$")
| stats min(_time) as _time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status dest
| rename SubjectDomainName as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId, _time as attack_time
| appendpipe
[| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"
| fields - status]
| stats min(attack_time) as _time values(TargetUserSid) as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user, values(Computer) as Computer, values(status) as status, values(src_category) as
src_category, values(src_ip) as src_ip values(action) as action values(authentication_method) as authentication_method values(dest) as dest values(signature) as signature values(signature_id) as signature_id by TargetLogonId
| `windows_ad_replication_request_initiated_by_user_account_filter`Windows AD Replication Request Initiated from Unsanctioned Location
The following analytic identifies unauthorized Active Directory replication requests initiated from non-domain controller locations. It leverages EventCode 4662 to detect when a computer account with replication permissions creates a handle to domainDNS, filtering out known domain controller IP addresses. This activity is significant as it may indicate a DCSync attack, where an attacker with privileged access can request password hashes for any or all users within the domain. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential full domain compromise.
Show query
`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
"domainDNS") AND Properties IN ("*Replicating Directory Changes All*","*Manage Replication Topology*","*Remove Replica In Domain*","*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*","*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*")
AND AccessMask="0x100" AND (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18"
OR SubjectDomainName="Window Manager" OR SubjectUserName="*$")
| stats min(_time)
as attack_time, count by SubjectDomainName, SubjectUserName, Computer, Logon_ID, ObjectName, ObjectServer, ObjectType, OperationType, status
| rename SubjectDomainName
as Target_Domain, SubjectUserName as user, Logon_ID as TargetLogonId
| appendpipe
[| map search="search `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"]
| stats min(attack_time) as _time, values(TargetUserSid)
as TargetUserSid, values(Target_Domain) as Target_Domain, values(user) as user,
values(Computer) as Computer, values(status) as status, values(src_category) as
src_category, values(src_ip) as src_ip values(action) as action values(authentication_method) as authentication_method values(dest) as dest values(signature) as signature values(signature_id) as signature_id by TargetLogonId
| search NOT src_category="domain_controller"
| `windows_ad_replication_request_initiated_from_unsanctioned_location_filter`Windows AD Replication Service Traffic
The following analytic identifies unexpected Active Directory replication traffic from non-domain controller sources. It leverages data from the Network Traffic datamodel, specifically looking for applications related to AD replication. This activity is significant because AD replication traffic should typically only occur between domain controllers. Detection of such traffic from other sources may indicate malicious activities like DCSync or DCShadow, which are used for credential dumping. If confirmed malicious, this could allow attackers to exfiltrate sensitive credentials, leading to unauthorized access and potential domain-wide compromise.
Show query
| tstats `security_content_summariesonly` count values(All_Traffic.transport) as transport values(All_Traffic.user) as user values(All_Traffic.src_category) as src_category values(All_Traffic.dest_category) as dest_category min(_time) as firstTime max(_time) as lastTime FROM datamodel=Network_Traffic
WHERE All_Traffic.app IN ("ms-dc-replication","*drsr*","ad drs")
BY All_Traffic.src All_Traffic.dest All_Traffic.app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `windows_ad_replication_service_traffic_filter`Windows AI Platform DNS Query
The following analytic detects DNS queries initiated by the Windows AI Platform to domains associated with Hugging Face, OpenAI, and other popular providers of machine learning models and services. Monitoring these DNS requests is important because it can reveal when systems are accessing external AI platforms, which may indicate the use of third-party AI resources or the transfer of sensitive data outside the organization’s environment. Detecting such activity enables organizations to enforce data governance policies, prevent unapproved use of external AI services, and maintain visibility into potential data exfiltration risks. Proactive monitoring provides better control over AI model usage and helps safeguard organizational data flows.
Show query
`sysmon` EventCode=22 QueryName IN ("router.huggingface.co", "api.openai.com")
| lookup update=true browser_app_list browser_process_name AS process_name OUTPUT isAllowed | search isAllowed!=true
| rename dvc as dest
| stats count min(_time) as firstTime max(_time) as lastTime
by answer answer_count dest process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id Image
vendor_product QueryName QueryResults QueryStatus
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_ai_platform_dns_query_filter`
Windows Account Access Removal via Logoff Exec
The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation.
Show query
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name = logoff.exe Processes.parent_process_name IN ("cmd.exe", "powershell.exe", "pwsh.exe")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_account_access_removal_via_logoff_exec_filter`Windows Account Discovery With NetUser PreauthNotRequire
The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. This method identifies attempts to query Active Directory user accounts that do not require Kerberos preauthentication. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker to identify potentially vulnerable accounts. If confirmed malicious, this behavior could lead to further exploitation, such as unauthorized access or privilege escalation within the network.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*-PreauthNotRequire*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_account_discovery_with_netuser_preauthnotrequire_filter`Windows Account Discovery for None Disable User Account
The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating an attempt to enumerate Active Directory user accounts that are not disabled. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the specific script block text. Monitoring this activity is significant as it may indicate reconnaissance efforts by an attacker to identify active user accounts for further exploitation. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_account_discovery_for_none_disable_user_account_filter`Windows Account Discovery for Sam Account Name
The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser, specifically querying for "samaccountname" and "pwdlastset" attributes. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information from Active Directory, which is a common reconnaissance step in lateral movement or privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to map out user accounts, potentially leading to further exploitation and unauthorized access within the network.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText IN ("*samaccountname*", "*pwdlastset*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_account_discovery_for_sam_account_name_filter`Windows AdFind Exe
The following analytic identifies the execution of `adfind.exe` standalone or with specific command-line arguments related to Active Directory queries. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent Processes. This activity is significant because `adfind.exe` is a powerful tool often used by threat actors like Wizard Spider and FIN6 to gather sensitive AD information. If confirmed malicious, this activity could allow attackers to map the AD environment, facilitating further attacks such as privilege escalation or lateral movement.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
(
Processes.process_name = "AdFind.exe"
OR
Processes.original_file_name = "AdFind.exe"
)
OR
(
Processes.process IN ("* -f *", "* /f*")
Processes.process = "*objectcategory=*"
)
OR
(
Processes.process IN ("* -sc *", "* /sc *")
Processes.process IN ("* -gcb *", "* /gcb *")
)
OR
(
Processes.process IN ("* -sc *", "* /sc *")
Processes.process IN (
"* trustdmp*",
"* dclist*",
"* dcdmp*",
"* adobjcnt*",
"* adamobjcnt*",
"* sdump*",
"* exchaddresses*",
"* getacl*",
"* domainlist*",
"* export_user*",
"* export_group*",
"* admincountdmp*"
)
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_adfind_exe_filter`
Windows Admin Permission Discovery
The following analytic identifies the creation of a suspicious file named 'win.dat' in the root directory (C:\). It leverages data from the Endpoint.Filesystem datamodel to detect this activity. This behavior is significant as it is commonly used by malware like NjRAT to check for administrative privileges on a compromised host. If confirmed malicious, this activity could indicate that the malware has administrative access, allowing it to perform high-privilege actions, potentially leading to further system compromise and persistence.
Show query
|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe", "*.js", "*.bat", "*.cmd", "*.pif", "*.lnk", "*.dat") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | eval dropped_file_path = split(file_path, "\\") | eval dropped_file_path_split_count = mvcount(dropped_file_path) | eval root_drive = mvindex(dropped_file_path,0) | where LIKE(root_drive, "C:") AND dropped_file_path_split_count = 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_permission_discovery_filter`Windows Administrative Shares Accessed On Multiple Hosts
The following analytic detects a source computer accessing Windows administrative shares (C$, Admin$, IPC$) on 30 or more remote endpoints within a 5-minute window. It leverages Event IDs 5140 and 5145 from file share events. This behavior is significant as it may indicate an adversary enumerating network shares to locate sensitive files, a common tactic used by threat actors. If confirmed malicious, this activity could lead to unauthorized access to critical data, lateral movement, and potential compromise of multiple systems within the network.
Show query
`wineventlog_security` EventCode=5140 OR EventCode=5145 (ShareName="\\\\*\\ADMIN$" OR ShareName="\\\\*\\IPC$" OR ShareName="\\\\*\\C$") | bucket span=5m _time | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(ShareName) as shares values(dest) as dest by _time, IpAddress, SubjectUserName, EventCode | where unique_targets > 30 | `windows_administrative_shares_accessed_on_multiple_hosts_filter`
Windows Anomalous Registry Value Length in Environment Key
The following analytic detects creation or modification of registry values under a user or system Environment key (paths matching *\Environment\*) where the stored value exceeds 2,000 characters.
Legitimate environment variables are typically short strings (paths, tokens, or flags); unusually long values can indicate adversaries or malware staging encoded payloads, bloated malicious PATH entries, or other data in a location that is loaded for every interactive session.
This behavior has been observed in contexts such as .NET infostealer activity. Analysts should validate the writing process, value content, and whether the change aligns with trusted software deployment or administrative tasks.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Endpoint.Registry WHERE
Registry.action IN ("created", "modified")
Registry.registry_path= "*\\Environment\\*"
Registry.registry_value_name != "Path"
by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_key_name Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product Registry.registry_value_data Registry.registry_path
| `drop_dm_object_name(Registry)`
| eval registry_value_data_len = len(registry_value_data)
| where registry_value_data_len > 2000
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_anomalous_registry_value_length_in_environment_key_filter`Windows Apache Benchmark Binary
The following analytic detects the execution of the Apache Benchmark binary (ab.exe), commonly used by MetaSploit payloads. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where the original file name is ab.exe. This activity is significant as it may indicate the presence of a MetaSploit attack, which uses Apache Benchmark to generate malicious payloads. If confirmed malicious, this could lead to unauthorized network connections, further system compromise, and potential data exfiltration. Immediate investigation is required to determine the intent and scope of the activity.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.original_file_name=ab.exe
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_apache_benchmark_binary_filter`Windows App Layer Protocol Qakbot NamedPipe
The following analytic detects a suspicious process creating or connecting to a potential Qakbot named pipe. It leverages Sysmon EventCodes 17 and 18, focusing on specific processes known to be abused by Qakbot and identifying randomly generated named pipes in GUID form. This activity is significant as Qakbot malware uses named pipes for inter-process communication after code injection, facilitating data theft. If confirmed malicious, this behavior could indicate a Qakbot infection, leading to unauthorized data access and potential exfiltration from the compromised host.
Show query
`sysmon` EventCode IN (17, 18) EventType IN ( "CreatePipe", "ConnectPipe") Image IN ("*\\calc.exe", "*\\notepad.exe", "*\\rdpclip.exe", "*\\explorer.exe", "*\\wermgr.exe", "*\\ping.exe", "*\\OneDriveSetup.exe", "*\\dxdiag.exe", "*\\mobsync.exe", "*\\msra.exe", "*\\xwizard.exe") | regex PipeName="^\\\{[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{8}" | stats min(_time) as firstTime max(_time) as lastTime count by dest dvc pipe_name process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product Image PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_app_layer_protocol_qakbot_namedpipe_filter`Windows App Layer Protocol Wermgr Connect To NamedPipe
The following analytic detects the wermgr.exe process creating or connecting to a named pipe. It leverages Sysmon EventCodes 17 and 18 to identify these actions. This activity is significant because wermgr.exe, a legitimate Windows OS Problem Reporting application, is often abused by malware such as Trickbot and Qakbot to execute malicious code. If confirmed malicious, this behavior could indicate that an attacker has injected code into wermgr.exe, potentially allowing them to communicate covertly, escalate privileges, or persist within the environment.
Show query
`sysmon` EventCode IN (17, 18) Image= "*\\wermgr.exe" EventType IN ( "CreatePipe", "ConnectPipe") | stats min(_time) as firstTime max(_time) as lastTime count by dest dvc pipe_name process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product Image PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_app_layer_protocol_wermgr_connect_to_namedpipe_filter`
Windows AppLocker Block Events
The following analytic detects attempts to bypass application restrictions by identifying Windows AppLocker policy violations. It leverages Windows AppLocker event logs, specifically EventCodes 8007, 8004, 8022, 8025, 8029, and 8040, to pinpoint blocked actions. This activity is significant for a SOC as it highlights potential unauthorized application executions, which could indicate malicious intent or policy circumvention. If confirmed malicious, this activity could allow an attacker to execute unauthorized applications, potentially leading to further system compromise or data exfiltration.
Show query
`applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040)
| spath input=UserData_Xml
| rename RuleAndFileData.* as *, TargetUser as user, Computer as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest, PolicyName, RuleId,
user, TargetProcessId, FilePath,
FullFilePath, EventCode
| lookup applockereventcodes EventCode OUTPUT Description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_applocker_block_events_filter`Windows AppLocker Execution from Uncommon Locations
The following analytic identifies the execution of applications or scripts from uncommon or suspicious file paths, potentially indicating malware or unauthorized activity. It leverages Windows AppLocker event logs and uses statistical analysis to detect anomalies. By calculating the average and standard deviation of execution counts per file path, it flags paths with execution counts significantly higher than expected. This behavior is significant as it can uncover malicious activities or policy violations. If confirmed malicious, this activity could allow attackers to execute unauthorized code, leading to potential system compromise or data breaches.
Show query
`applocker`
| spath input=UserData_Xml
| rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest, PolicyName, RuleId,
user, TargetProcessId, FilePath,
FullFilePath
| eventstats avg(count) as avg, stdev(count) as stdev
| eval upperBound=(avg+stdev*2), anomaly=if(count > upperBound, "Yes", "No")
| where anomaly="Yes"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_applocker_execution_from_uncommon_locations_filter`Windows AppLocker Privilege Escalation via Unauthorized Bypass
The following analytic utilizes Windows AppLocker event logs to identify attempts to bypass application restrictions. AppLocker is a feature that allows administrators to specify which applications are permitted to run on a system. This analytic is designed to identify attempts to bypass these restrictions, which could be indicative of an attacker attempting to escalate privileges. The analytic uses EventCodes 8007, 8004, 8022, 8025, 8029, and 8040 to identify these attempts. The analytic will identify the host, full file path, and target user associated with the bypass attempt. These EventCodes are related to block events and focus on 5 attempts or more.
Show query
`applocker` EventCode IN (8007, 8004, 8022, 8025, 8029, 8040)
| spath input=UserData_Xml
| rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user
| stats count AS attempt_count min(_time) as firstTime max(_time) as lastTime
BY dest, PolicyName, RuleId,
user, TargetProcessId, FilePath,
FullFilePath, EventCode
| where attempt_count > 5
| sort - attempt_count
| lookup applockereventcodes EventCode OUTPUT Description
| `windows_applocker_privilege_escalation_via_unauthorized_bypass_filter`Windows AppLocker Rare Application Launch Detection
The following analytic detects the launch of rarely used applications within the environment, which may indicate the use of potentially malicious software or tools by attackers. It leverages Windows AppLocker event logs, aggregating application launch counts over time and flagging those that significantly deviate from the norm. This behavior is significant as it helps identify unusual application activity that could signal a security threat. If confirmed malicious, this activity could allow attackers to execute unauthorized code, potentially leading to further compromise of the system.
Show query
`applocker`
| spath input=UserData_Xml
| rename RuleAndFileData.* as *, Computer as dest, TargetUser AS user
| stats dc(_time) as days, count
BY FullFilePath dest user
| eventstats avg(count) as avg, stdev(count) as stdev
| eval upperBound=(avg+stdev*3), lowerBound=(avg-stdev*3)
| where count > upperBound OR count < lowerBound
| `windows_applocker_rare_application_launch_detection_filter`Windows Application Layer Protocol RMS Radmin Tool Namedpipe
The following analytic detects the use of default or publicly known named pipes associated with the RMX remote admin tool. It leverages Sysmon EventCodes 17 and 18 to identify named pipe creation and connection events. This activity is significant as the RMX tool has been abused by adversaries and malware like Azorult to collect data from targeted hosts. If confirmed malicious, this could indicate unauthorized remote administration capabilities, leading to data exfiltration or further compromise of the affected system. Immediate investigation is required to determine the legitimacy of this tool's presence.
Show query
`sysmon` EventCode IN (17, 18) EventType IN ( "CreatePipe", "ConnectPipe") PipeName IN ("\\RManFUSServerNotify32", "\\RManFUSCallbackNotify32", "\\RMSPrint*") | stats min(_time) as firstTime max(_time) as lastTime count by dest dvc pipe_name process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product Image PipeName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_application_layer_protocol_rms_radmin_tool_namedpipe_filter`Windows Application Whitelisting Bypass Attempt via Rundll32
The following analytic detects the execution of rundll32.exe calling one of the following DLLs:
- Advpack.dll
- Ieadvpack.dll
- Syssetup.dll
- Setupapi.dll
with one of the following functions: "LaunchINFSection", "InstallHinfSection", "SetupInfObjectInstallAction".
This method is identified through Endpoint Detection and Response (EDR) telemetry,
focusing on command-line executions and process details.
This activity is significant as it indicates a potential application
control or whitelisting bypass, allowing script code execution from a file.
If confirmed malicious, an attacker could execute arbitrary code, potentially leading to privilege escalation,
persistence, or further network compromise.
Investigate the script content, network connections, and any spawned child processes for further context.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_rundll32`
Processes.process IN ("*syssetup*", "*advpack*", "*setupapi*")
Processes.process IN ("*LaunchINFSection*", "*InstallHinfSection*", "*SetupInfObjectInstallAction*")
NOT (Processes.parent_process_name="msiexec.exe" Processes.process="* C:\\Program Files (x86)\\Netskope\\EPDLP Deployment\\*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_application_whitelisting_bypass_attempt_via_rundll32_filter`
Windows AutoIt3 Execution
The following analytic detects the execution of AutoIt3, a scripting
language often used for automating Windows GUI tasks and general scripting.
It identifies instances where AutoIt3 or its variants are executed by searching for process names
or original file names matching 'autoit3.exe'.
This activity is significant because attackers frequently use AutoIt3 to automate malicious actions, such as executing malware.
If confirmed malicious, this activity could lead to unauthorized code execution,
system compromise, or further propagation of malware within the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where ( Processes.process_name = "autoit*.exe" OR Processes.original_file_name = "autoit*.exe" ) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_autoit3_execution_filter`
Windows Binary Proxy Execution Mavinject DLL Injection
The following analytic detects the use of mavinject.exe for DLL injection into running processes, identified by specific command-line parameters such as /INJECTRUNNING and /HMODULE. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it indicates potential arbitrary code execution, a common tactic for malware deployment and persistence. If confirmed malicious, this could allow attackers to execute unauthorized code, escalate privileges, and maintain persistence within the environment, posing a severe security risk.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name=mavinject.exe Processes.process IN ("*injectrunning*", "*hmodule=0x*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_binary_proxy_execution_mavinject_dll_injection_filter`Windows BitLockerToGo Process Execution
The following analytic detects BitLockerToGo.exe execution, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits. However, note that if legitimate use of BitLockerToGo.exe is in the organization, this detection will
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name=bitlockertogo.exe
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_bitlockertogo_process_execution_filter`Windows BitLockerToGo with Network Activity
The following analytic detects suspicious usage of BitLockerToGo.exe, which has been observed being abused by Lumma stealer malware. The malware leverages this legitimate Windows utility to manipulate registry keys, search for cryptocurrency wallets and credentials, and exfiltrate sensitive data. This activity is significant because BitLockerToGo.exe provides functionality for viewing, copying, and writing files as well as modifying registry branches - capabilities that the Lumma stealer exploits for malicious purposes. If confirmed malicious, this could indicate an active data theft campaign targeting cryptocurrency wallets, browser credentials, and password manager archives. The detection focuses on identifying BitLockerToGo.exe execution patterns that deviate from normal system behavior.
Show query
`sysmon` EventCode=22 process_name="bitlockertogo.exe"
| stats count min(_time) as firstTime max(_time) as lastTime
BY answer answer_count dvc
process_exec process_guid process_name
query query_count reply_code_id
signature signature_id src
user_id vendor_product QueryName
QueryResults QueryStatus
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_bitlockertogo_with_network_activity_filter`Windows Cached Domain Credentials Reg Query
The following analytic identifies a process command line querying the CachedLogonsCount registry value in the Winlogon registry. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and registry queries. Monitoring this activity is significant as it can indicate the use of post-exploitation tools like Winpeas, which gather information about login caching settings. If confirmed malicious, this activity could help attackers understand login caching configurations, potentially aiding in credential theft or lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_reg` AND Processes.process = "* query *" AND Processes.process = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Processes.process = "*CACHEDLOGONSCOUNT*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cached_domain_credentials_reg_query_filter`
Windows Cloud Files Filter Log Created by Non-System Process
Detects a non-system process causing creation of CldFlt0.etl under C:\Windows\System32\LogFiles\CloudFiles\.
This path is initialised by the CldFlt driver when a process calls CfRegisterSyncRoot() or CfConnectSyncRoot().
In the RedSun exploit this is a side-effect of the DoCloudStuff() function that registers a fake sync provider to create the cloud-tagged bait file.
Legitimate cloud providers (OneDrive etc.) register sync roots from SYSTEM-level service processes, not from user-context executables.
Show query
`sysmon`
EventCode=11
TargetFilename = "*\\Windows\\System32\\LogFiles\\CloudFiles\\*"
NOT Image IN (
"*:\\Windows\\System32*",
"*:\\Windows\\SysWOW64*",
"*:\\Program Files\\WindowsApps\\*"
)
| stats count min(_time) as firstTime
max(_time) as lastTime
by action dest file_name file_path Image process_guid
process_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_cloud_files_filter_log_created_by_non_system_process_filter`Windows Cmdline Tool Execution From Non-Shell Process
The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`, or similar tools are executed by a non-standard shell parent process, excluding CMD, PowerShell, or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry to monitor process creation events. Such behavior is significant as it may indicate adversaries using injected processes to perform system discovery, a tactic observed in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers to gather critical host information, aiding in further exploitation or lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("ipconfig.exe", "systeminfo.exe", "net1.exe", "arp.exe", "nslookup.exe", "route.exe", "netstat.exe", "hostname.exe", "whoami.exe") AND NOT Processes.parent_process_name IN ("cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe", "explorer.exe", "-", "unknown") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cmdline_tool_execution_from_non_shell_process_filter`Windows Command Obfuscation with Environment Variable Substrings
Detects command obfuscation by using a technique to build a target command using character indexes from environment variables.
This hides the true intent of the command by building it on the fly.
In Windows command prompt, you can use the :~ format to extract substrings from environment variable values.
This behavior has been observed in various malware families, including Cobalt Strike and Meterpreter.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process="*%%*:~*,*"
by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
Processes.parent_process_name Processes.parent_process_exec Processes.action
Processes.dest Processes.process_current_directory Processes.process_path
Processes.process_integrity_level Processes.original_file_name
Processes.parent_process Processes.parent_process_path
Processes.parent_process_guid Processes.parent_process_id
Processes.process_guid Processes.process_id
Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_command_obfuscation_with_environment_variable_substrings_filter`Windows Command Shell DCRat ForkBomb Payload
The following analytic detects the execution of a DCRat "forkbomb" payload, which spawns multiple cmd.exe processes that launch notepad.exe instances in quick succession. This detection leverages Endpoint Detection and Response (EDR) data, focusing on the rapid creation of cmd.exe and notepad.exe processes within a 30-second window. This activity is significant as it indicates a potential DCRat infection, a known Remote Access Trojan (RAT) with destructive capabilities. If confirmed malicious, this behavior could lead to system instability, resource exhaustion, and potential disruption of services.
Show query
| tstats `security_content_summariesonly` values(Processes.user) as user values(Processes.action) as action values(Processes.parent_process_exec) as parent_process_exec values(Processes.parent_process_guid) as parent_process_guid values(Processes.parent_process_id) as parent_process_id values(Processes.parent_process_path) as parent_process_path values(Processes.process) as process values(Processes.process_exec) as process_exec values(Processes.process_guid) as process_guid values(Processes.process_hash) as process_hash values(Processes.process_id) as process_id values(Processes.process_integrity_level) as process_integrity_level values(Processes.process_path) as process_path values(Processes.user_id) as user_id values(Processes.vendor_product) as vendor_product dc(Processes.parent_process_id) as parent_process_id_count dc(Processes.process_id) as process_id_count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name= "cmd.exe" (Processes.process_name = "notepad.exe"
OR
Processes.original_file_name= "notepad.exe") Processes.parent_process = "*.bat*"
BY Processes.parent_process_name Processes.process_name Processes.original_file_name
Processes.parent_process Processes.dest Processes.user
_time span=30s
| where parent_process_id_count>= 10 AND process_id_count >=10
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_command_shell_dcrat_forkbomb_payload_filter`Windows Command and Scripting Interpreter Hunting Path Traversal
The following analytic identifies path traversal command-line executions,
leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns
in command-line arguments indicative of path traversal techniques, such as multiple
instances of "/..", "\..", or "\\..". This activity is significant as it often indicates
attempts to evade defenses by executing malicious code, such as through msdt.exe.
If confirmed malicious, this behavior could allow attackers to execute arbitrary
code, potentially leading to system compromise, data exfiltration, or further lateral
movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where
Processes.process IN ("*\\..*", "*//..*", "*\..*", "*/..*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process
Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name Processes.process_path
Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval count_of_pattern1 = (mvcount(split(process,"/.."))-1)
| eval count_of_pattern2 = (mvcount(split(process,"\.."))-1)
| eval count_of_pattern3 = (mvcount(split(process,"\\.."))-1)
| eval count_of_pattern4 = (mvcount(split(process,"//.."))-1)
| search count_of_pattern1 > 1
OR
count_of_pattern2 > 1
OR
count_of_pattern3 > 1
OR
count_of_pattern4 > 1
| `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`
Windows Command and Scripting Interpreter Path Traversal Exec
The following analytic detects path traversal command-line execution, often used in malicious documents to execute code via msdt.exe for defense evasion. It leverages Endpoint Detection and Response (EDR) data, focusing on specific patterns in process paths. This activity is significant as it can indicate an attempt to bypass security controls and execute unauthorized code. If confirmed malicious, this behavior could lead to code execution, privilege escalation, or persistence within the environment, potentially allowing attackers to deploy malware or leverage other living-off-the-land binaries (LOLBins).
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where NOT Processes.os="Linux" Processes.process="*\/..\/..\/..\/*" OR Processes.process="*\\..\\..\\..\\*" OR Processes.process="*\/\/..\/\/..\/\/..\/\/*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_command_and_scripting_interpreter_path_traversal_exec_filter`Windows Computer Account Changed to Domain Controller
Detects a modification to the User Account Control flags for a computer account where the `SERVER_TRUST_ACCOUNT` flag is set.
This flag is normally associated with domain controller computer accounts.
This activity may indicate a legitimate domain controller promotion or, if unexpected, an attempt to grant a computer account domain controller-like trust within Active Directory.
Show query
`wineventlog_security`
EventID=4742
UserAccountControl="*%%2088*"
| fillnull
| stats count min(_time) as firstTime
max(_time) as lastTime
by Computer TargetUserName UserAccountControl EventID
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_computer_account_changed_to_domain_controller_filter`Windows ConsoleHost History File Deletion
The following analytic detects the deletion of the ConsoleHost_history.txt file, which stores command history for PowerShell sessions. Attackers may attempt to remove this file to cover their tracks and evade detection during post-exploitation activities. This detection focuses on file deletion commands executed via PowerShell, Command Prompt, or scripting languages that specifically target ConsoleHost_history.txt, typically located at %APPDATA%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. Identifying such activity can help uncover potential anti-forensic behavior and suspicious administrative actions.
Show query
`sysmon` EventCode IN ("23","26") TargetFilename = "*\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt" | stats count min(_time) as firstTime, max(_time) as lastTime by action dest dvc file_path file_hash file_name file_modify_time process_name process_exec process_id process_path user_id vendor_product process_guid signature signature_id user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_consolehost_history_file_deletion_filter`Windows Create Local Account
The following analytic detects the creation of a new local user account on a Windows system. It leverages Windows Security Audit logs, specifically event ID 4720, to identify this activity. Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network. If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.
Show query
| tstats `security_content_summariesonly`
values(All_Changes.result_id) as result_id
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Change where
All_Changes.result_id=4720
by All_Changes.user All_Changes.dest All_Changes.result All_Changes.action
| `drop_dm_object_name("All_Changes")`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_create_local_account_filter`
Windows Create Local Administrator Account Via Net
The following analytic detects the creation of a local administrator account using the "net.exe" command. It leverages Endpoint Detection and Response (EDR) data to identify processes named "net.exe" with the "/add" parameter and keywords related to administrator accounts. This activity is significant as it may indicate an attacker attempting to gain persistent access or escalate privileges. If confirmed malicious, this could lead to unauthorized access, data theft, or further system compromise. Review the process details, user context, and related artifacts to determine the legitimacy of the activity.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_net`
AND
Processes.process=*/add*
AND
Processes.process IN ("*administrators*", "*administratoren*", "*administrateurs*", "*administrador*", "*amministratori*", "*administratorer*", "*Rendszergazda*", "*Администратор*", "*Administratör*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_create_local_administrator_account_via_net_filter`Windows Credential Dumping LSASS Memory Createdump
The following analytic detects the use of CreateDump.exe to perform a process dump. This binary is not native to Windows and is often introduced by third-party applications, including PowerShell 7. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, GUIDs, and complete command-line executions. This activity is significant as it may indicate an attempt to dump LSASS memory, which can be used to extract credentials. If confirmed malicious, this could lead to unauthorized access and lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name=createdump.exe
OR
Processes.original_file_name="FX_VER_INTERNALNAME_STR" Processes.process="*-u *"
AND
Processes.process="*-f *"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_credential_dumping_lsass_memory_createdump_filter`Windows Crowdstrike RTR Script Execution
Detects usage of Crowdstrike Real Time Response (RTR) to execute a "runscript" command.
This can be used by malicious actors with access to the Crowdstrike Dashboard to execute commands on remote managed hosts.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.parent_process_name="dllhost.exe"
Processes.parent_process="*/Processid:{BD07DDB9-1C61-4DCE-9202-A2BA1757CDB2}*"
Processes.process_name="powershell.exe"
Processes.process="* -Version 5.1 -s -NoLogo -NoProfile -EncodedCommand*"
by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
Processes.parent_process_name Processes.parent_process_exec Processes.action
Processes.dest Processes.process_current_directory Processes.process_path
Processes.process_integrity_level Processes.original_file_name Processes.parent_process
Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_crowdstrike_rtr_script_execution_filter`Windows DNS Query Request by Telegram Bot API
The following analytic detects the execution of a DNS query by a process to the associated Telegram API domain, which could indicate access via a Telegram bot commonly used by malware for command and control (C2) communications. By monitoring DNS queries related to Telegram's infrastructure, the detection identifies potential attempts to establish covert communication channels between a compromised system and external malicious actors. This behavior is often observed in cyberattacks where Telegram bots are used to receive commands or exfiltrate data, making it a key indicator of suspicious or malicious activity within a network.
Show query
`sysmon` EventCode=22 query = "api.telegram.org" process_name != "telegram.exe"
| stats count min(_time) as firstTime max(_time) as lastTime
BY answer answer_count dvc
process_exec process_guid process_name
query query_count reply_code_id
signature signature_id src
user_id vendor_product QueryName
QueryResults QueryStatus
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_dns_query_request_by_telegram_bot_api_filter`Windows Data Destruction Recursive Exec Files Deletion
The following analytic identifies a suspicious process that is recursively deleting executable files on a compromised host. It leverages Sysmon Event Codes 23 and 26 to detect this activity by monitoring for a high volume of deletions or overwrites of files with extensions like .exe, .sys, and .dll. This behavior is significant as it is commonly associated with destructive malware such as CaddyWiper, DoubleZero, and SwiftSlicer, which aim to make file recovery impossible. If confirmed malicious, this activity could lead to significant data loss and system instability, severely impacting business operations.
Show query
`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.exe", "*.sys", "*.dll")
| bin _time span=2m
| stats count min(_time) as firstTime, max(_time) as lastTime values(file_path) as file_path values(file_hash) as file_hash values(file_name) as file_name values(file_modify_time) as file_modify_time values(process_name) as process_name values(process_path) as process_path values(process_guid) as process_guid values(process_id) as process_id values(process_exec) as process_exec
BY action dest dvc
signature signature_id user
user_id vendor_product
| where count >=100
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_data_destruction_recursive_exec_files_deletion_filter`Windows Debugger Tool Execution
This analysis detects the use of debugger tools within a production environment. While these tools are legitimate for file analysis and debugging, they are abused by malware like PlugX and DarkGate for malicious DLL side-loading. The hunting query aids Security Operations Centers (SOCs) in identifying potentially suspicious tool executions, particularly for non-technical users in the production network.
Show query
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name = "x32dbg.exe"
OR
Processes.process_name = "x64dbg.exe"
OR
Processes.process_name = "windbg.exe"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_debugger_tool_execution_filter`Showing 801-850 of 1,106