
Hunt pack: Agrius

1,106 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Agrius - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.

Detections

50 shown of 1,106
Splunk · Original SPL · T1059.001
Windows PowerShell Script Block With Malicious String
The following analytic detects the execution of multiple offensive toolkits and commands by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities including several well-known tools used for credential theft, lateral movement, and persistence. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.
`powershell` ScriptBlockText=* EventCode=4104
| stats count min(_time) as firstTime max(_time) as lastTime
        list(ScriptBlockText) as command
        values(Guid) as Guid values(Opcode) as Opcode values(Name) as Name values(Path) as Path
        values(ProcessID) as ProcessID values(ScriptBlockId) as ScriptBlockId
        values(ScriptBlockText) as ScriptBlockText
  by dest signature signature_id user_id vendor_product
| eval command = mvjoin(command,"\n")
| lookup malicious_powershell_strings command
| where isnotnull(match)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_script_block_with_malicious_string_filter`
Splunk · Original SPL · T1059.001, T1204.002
Windows PowerShell Script From WindowsApps Directory
The following analytic identifies the execution of PowerShell scripts from the WindowsApps directory, which is a common technique used in malicious MSIX package execution. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command lines and parent process paths. This activity is significant as adversaries have been observed using MSIX packages with embedded PowerShell scripts (particularly StartingScriptWrapper.ps1) to execute malicious code. If confirmed malicious, this could allow attackers to execute arbitrary code, establish persistence, or deliver malware while evading traditional detection mechanisms.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Endpoint.Processes where

(
    `process_powershell`
    OR
    `process_cmd`
)
AND
(
    Processes.parent_process_path="*\\WindowsApps\\*"
    OR
    Processes.process IN ("*WindowsApps*-file *", "*WindowsApps*.ps1*")
)

by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product

| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_script_from_windowsapps_directory_filter`
Splunk · Original SPL · T1059.001, T1129
Windows PowerShell Script TabExpansion Direct Call
Detects specific indicators associated with the execution of the TabExpansion internal function in PowerShell. Calling this function directly is not normal and can be indicative of malicious activity such as TabShell. Due to the way PowerShell internals work, it can be used in conjunction with directory traversal to load any PowerShell functions even in a sandboxed session. False positives could include legitimate usage of the TabExpansion function, but calling it directly is very rare.
`powershell`
EventID="4104"
ScriptBlockText="*$lastWord*"
ScriptBlockText="*$_val=' + $_expression*"
ScriptBlockText="*function Write-Members*"
| fillnull
| stats count min(_time) as firstTime
              max(_time) as lastTime
  by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid
     Opcode Name Path ProcessID ScriptBlockId

| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_script_tabexpansion_direct_call_filter`
Splunk · Original SPL · T1059.001
Windows PowerShell WMI Win32 ScheduledJob
The following analytic detects the use of the Win32_ScheduledJob WMI class via PowerShell script block logging. This class, which manages scheduled tasks, is disabled by default due to security concerns and must be explicitly enabled through registry modifications. The detection leverages PowerShell event code 4104 and script block text analysis. Monitoring this activity is crucial as it may indicate malicious intent, especially if the class was enabled by an attacker. If confirmed malicious, this could allow attackers to persist in the environment by creating scheduled tasks.
`powershell` EventCode=4104 ScriptBlockText="*win32_scheduledjob*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_powershell_wmi_win32_scheduledjob_filter`
Splunk · Original SPL · T1078.002, T1069
Windows PowerView AD Access Control List Enumeration
The following analytic detects the execution of PowerView PowerShell cmdlets `Get-ObjectAcl` or `Get-DomainObjectAcl`, which are used to enumerate Access Control List (ACL) permissions for Active Directory objects. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to discover weak permissions in Active Directory, potentially leading to privilege escalation. If confirmed malicious, attackers could exploit these permissions to gain unauthorized access or escalate their privileges within the network.
`powershell` EventCode=4104  (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl*)
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_powerview_ad_access_control_list_enumeration_filter`
Splunk · Original SPL · T1018
Windows PowerView Constrained Delegation Discovery
The following analytic detects the use of PowerView cmdlets to discover Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific cmdlets like `Get-DomainComputer` or `Get-NetComputer` with the `-TrustedToAuth` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.
`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-TrustedToAuth*")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_powerview_constrained_delegation_discovery_filter`
Splunk · Original SPL · T1018
Windows PowerView Unconstrained Delegation Discovery
The following analytic detects the use of PowerView cmdlets to discover Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commands like `Get-DomainComputer` or `Get-NetComputer` with the `-Unconstrained` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.
`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-Unconstrained*")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_powerview_unconstrained_delegation_discovery_filter`
Splunk · Original SPL · T1059.001
Windows Powershell Cryptography Namespace
The following analytic detects suspicious PowerShell script execution involving the cryptography namespace via EventCode 4104. It leverages PowerShell Script Block Logging to identify scripts using cryptographic functions, excluding common hashes like SHA and MD5. This activity is significant as it is often associated with malware that decrypts or decodes additional malicious payloads. If confirmed malicious, this could allow an attacker to execute further code, escalate privileges, or establish persistence within the environment. Analysts should investigate the parent process, decrypted data, network connections, and the user executing the script.
`powershell` EventCode=4104 ScriptBlockText = "*System.Security.Cryptography*" AND NOT(ScriptBlockText IN ("*SHA*", "*MD5*", "*DeriveBytes*"))
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_powershell_cryptography_namespace_filter`
Splunk · Original SPL · T1059.003, T1070.003
Windows Powershell History File Deletion
The following analytic detects the usage of PowerShell to delete its command history file, which may indicate an attempt to evade detection by removing evidence of executed commands. PowerShell stores command history in ConsoleHost_history.txt under the user’s profile directory. Adversaries or malicious scripts may delete this file using Remove-Item, del, or similar commands. This detection focuses on file deletion events targeting the history file, correlating them with recent PowerShell activity. While legitimate users may occasionally clear history, frequent or automated deletions should be investigated for potential defense evasion or post-exploitation cleanup activities.
`powershell` EventCode=4104 ScriptBlockText = "*Remove-Item*" ScriptBlockText = "*.HistorySavePath"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product Guid
       Opcode Name Path
       ProcessID ScriptBlockId ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_powershell_history_file_deletion_filter`
Splunk · Original SPL · T1059.001, T1685
Windows Powershell Import Applocker Policy
The following analytic detects the import of Windows PowerShell Applocker cmdlets, specifically identifying the use of "Import-Module Applocker" and "Set-AppLockerPolicy" with an XML policy. It leverages PowerShell Script Block Logging (EventCode 4104) to capture and analyze script block text. This activity is significant as it may indicate an attempt to enforce restrictive Applocker policies, potentially used by malware like Azorult to disable antivirus products. If confirmed malicious, this could allow an attacker to bypass security controls, leading to further system compromise and persistence.
`powershell` EventCode=4104 ScriptBlockText="*Import-Module Applocker*" ScriptBlockText="*Set-AppLockerPolicy*" ScriptBlockText="* -XMLPolicy *"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_powershell_import_applocker_policy_filter`
Splunk · Original SPL · T1059.001, T1531
Windows Powershell Logoff User via Quser
The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation.
`powershell` EventCode=4104 ScriptBlockText = "*quser*logoff*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_powershell_logoff_user_via_quser_filter`
Splunk · Original SPL · T1059.001
Windows Powershell RemoteSigned File
The following analytic identifies the use of the "remotesigned" execution policy for PowerShell scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing "remotesigned" and "-File". This activity is significant because the "remotesigned" policy allows locally created scripts to run without restrictions, posing a potential security risk. If confirmed malicious, an attacker could execute unauthorized scripts, leading to code execution, privilege escalation, or persistence within the environment.
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_powershell` Processes.process="* remotesigned *" Processes.process="* -File *"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_remotesigned_file_filter`
Splunk · Original SPL · T1068
Windows Privilege Escalation Attempt Via MSI Rollback
Detects an attacker abusing the Windows Installer rollback mechanism to escalate privileges from a standard user to SYSTEM without triggering a UAC prompt, using a technique known as FolderContentsDeleteToFolderDelete. Windows Installer (msiexec.exe) creates rollback scripts during software installation to undo changes if an installation fails. These rollback scripts are generated and executed by the Windows Installer service, which runs as SYSTEM. The FolderContentsDeleteToFolderDelete technique abuses this trusted mechanism by crafting a malicious rollback script that instructs the SYSTEM-level Installer service to delete attacker-chosen files or directories, effectively giving a low-privileged attacker the ability to make SYSTEM-level filesystem modifications without any privilege prompt.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.process="*/target \"C:\\Config.msi\" *"
Processes.process="*/initial*"

by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
   Processes.parent_process_name Processes.parent_process_exec Processes.action
   Processes.dest Processes.process_current_directory Processes.process_path
   Processes.process_integrity_level Processes.original_file_name Processes.parent_process
   Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
   Processes.process_guid Processes.process_id Processes.user Processes.process_name

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_privilege_escalation_attempt_via_msi_rollback_filter`
Splunk · Original SPL · T1136.001, T1136.002
Windows Privileged Group Modification
This analytic detects modifications to privileged groups in Active Directory, including addition, creation, deletion, and changes to various types of groups such as local, global, universal, and LDAP query groups. It specifically monitors for changes to high-privilege groups like "Administrators", "Domain Admins", "Enterprise Admins", and "ESX Admins", among others. This detection is particularly relevant in the context of potential exploitation of vulnerabilities like the VMware ESXi Active Directory Integration Authentication Bypass (CVE-2024-37085), where attackers may attempt to manipulate privileged groups to gain unauthorized access to systems.
`wineventlog_security`
EventCode IN (
        4727,
        4731,
        4744,
        4749,
        4754,
        4756,
        4759,
        4783,
        4790
    )
TargetUserName IN (
        "Account Operators",
        "Administrators",
        "Admins DNS",
        "Backup Operators",
        "DnsAdmins",
        "Domain Admins",
        "Enterprise Admins",
        "Enterprise Key Admins",
        "ESX Admins",
        "ESXi Admins",
        "Group Policy Creator Owners",
        "Hyper-V Administrators",
        "Key Admins",
        "Print Operators",
        "Remote Desktop Users",
        "Remote Management Users",
        "Replicators",
        "Schema Admins",
        "Server Operators"
    )
| eval object_category=case(
        EventCode="4727", "Global Group (Security)",
        EventCode="4731", "Local Group (Security)",
        EventCode="4744", "Local Group (Distribution)",
        EventCode="4749", "Global Group (Distribution)",
        EventCode="4754", "Universal Group (Security)",
        EventCode="4756", "Universal Group (Security)",
        EventCode="4759", "Universal Group (Distribution)",
        EventCode="4783", "Basic Application Group",
        EventCode="4790", "LDAP Query Group"
    )

| rename Computer as dest
         result as change_type
         TargetUserName as object
         TargetSid as object_path

| stats count min(_time) as firstTime
              max(_time) as lastTime
    BY EventCode src_user object_category
       object object_path dest
       change_type status
| `windows_privileged_group_modification_filter`
Splunk · Original SPL · T1057
Windows Process Commandline Discovery
The following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) to retrieve information about running processes, specifically targeting the command lines used to launch those processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on logs containing process details and command-line executions. This activity is significant as it may indicate suspicious behavior, such as a user or process gathering detailed process information, which is uncommon for non-technical users. If confirmed malicious, this could allow an attacker to gain insights into running processes, aiding in further exploitation or lateral movement.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_wmic` Processes.process= "* process *" Processes.process= "* get *" Processes.process= "*CommandLine*"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_process_commandline_discovery_filter`
Splunk · Original SPL · T1036.005
Windows Process Execution From ProgramData
The following analytic identifies processes running from file paths within the ProgramData directory, a common location abused by adversaries for executing malicious code while evading detection. Threat actors often drop and execute payloads from this directory to bypass security controls, as it typically has write permissions for standard users. While this behavior can indicate malware execution or persistence techniques, it is important to note that some legitimate software, installers, and update mechanisms also run from ProgramData, leading to potential false positives. Security teams should validate detections by correlating with other indicators, such as unusual parent processes, unsigned binaries, or anomalous network activity.
| tstats `security_content_summariesonly` count values(Processes.process_name)
as process_name values(Processes.process) as process min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where

Processes.process_path = "*:\\ProgramData\\*"

by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_process_execution_from_programdata_filter`
Splunk · Original SPL · T1021.001, T1105, T1059
Windows Process Execution From RDP Share
The following analytic identifies process executions originating from RDP shares on Windows endpoints. Remote Desktop Protocol (RDP) shares, typically accessed via the "tsclient" path, allow users to share files between their local machine and a remote desktop session. However, threat actors may exploit RDP shares to execute malicious processes or transfer harmful files onto a compromised system. This detection focuses on identifying any process executions that originate from RDP shares, which could indicate unauthorized access or malicious activity. Security teams should investigate any instances of such process executions, especially if they are found on systems that should not be using RDP shares or if the executed processes are unfamiliar or suspicious.
| tstats `security_content_summariesonly`

  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.process = "*\\\\tsclient\\*"

by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_process_execution_from_rdp_share_filter`
Splunk · Original SPL · T1218.005
Windows Process Writing File to World Writable Path
The following analytic identifies a process writing a .txt file to a world writable path. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on file creation events within specific directories. This activity is significant as adversaries often use such techniques to deliver payloads to a system, which is uncommon for legitimate processes. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a significant security risk.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Endpoint.Filesystem where
  Filesystem.file_name=*.txt
  Filesystem.file_path IN (
    "*\\Windows\\Tasks\\*",
    "*\\Windows\\Temp\\*",
    "*\\Windows\\tracing\\*",
    "*\\Windows\\PLA\\Reports\\*",
    "*\\Windows\\PLA\\Rules\\*",
    "*\\Windows\\PLA\\Templates\\*",
    "*\\Windows\\PLA\\Reports\\en-US\\*",
    "*\\Windows\\PLA\\Rules\\en-US\\*",
    "*\\Windows\\Registration\\CRMLog\\*",
    "*\\Windows\\System32\\Tasks\\*",
    "*\\Windows\\System32\\Com\\dmp\\*",
    "*\\Windows\\System32\\LogFiles\\WMI\\*",
    "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*",
    "*\\Windows\\System32\\spool\\PRINTERS\\*",
    "*\\Windows\\System32\\spool\\SERVERS\\*",
    "*\\Windows\\System32\\spool\\drivers\\color\\*",
    "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*",
    "*\\Windows\\SysWOW64\\Tasks\\*",
    "*\\Windows\\SysWOW64\\Com\\dmp\\*",
    "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*",
    "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*",
    "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*"
  )
  by Filesystem.dest, Filesystem.user, Filesystem.file_name Filesystem.file_path
| `drop_dm_object_name("Filesystem")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_process_writing_file_to_world_writable_path_filter`
Splunk · Original SPL · T1218
Windows Proxy Execution of .NET Utilities via Scripts
The following analytic detects the launch of common .NET-related utilities (aspnet_compiler.exe, msbuild.exe, regasm.exe, InstallUtil.exe, or vbc.exe) when the parent appears to be a script (batch, CMD, PowerShell, JScript, VBScript, or HTML) running from an unusual or user-writable Windows location (for example Public, Temp, Fonts, Debug, Recycle Bin, Prefetch, or similar paths), and the child process shows little or no command-line variation from the image path or name. That pattern is consistent with adversaries using trusted .NET binaries as a proxy to run code while hiding execution behind script parents in low-trust folders, behavior associated with techniques such as signed binary proxy execution.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where

Processes.process_name IN (
    "aspnet_compiler.exe",
    "InstallUtil.exe",
    "msbuild.exe",
    "regasm.exe",
    "vbc.exe"
)
Processes.parent_process IN (
    "*.bat*",
    "*.cmd*",
    "*.html*",
    "*.js*",
    "*.ps1*",
    "*.vbe*",
    "*.vbs*"
)
Processes.parent_process IN (
    "*:\\Windows\\repair\\*",
    "*:\\Microsoft\\Windows\\Libraries\\*",
    "*:\\Temp\\*",
    "*:\\Users\\Administrator\\Music\\*",
    "*:\\Users\\Public\\*",
    "*:\\Windows\\Cursors\\*",
    "*:\\Windows\\debug\\*",
    "*:\\Windows\\Fonts\\*",
    "*:\\Windows\\INF\\*",
    "*:\\Windows\\Media\\*",
    "*:\\Windows\\Prefetch\\*",
    "*:\\Windows\\Temp\\*",
    "*\\AppData\\Local\\Temp\\*",
    "*\\PerfLogs\\*",
    "*Recycle.bin*"
  )
  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product

  | where (isnull(Processes.process) OR Processes.process=Processes.process_path OR Processes.process=Processes.process_name)

  | `drop_dm_object_name(Processes)`
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_proxy_execution_of__net_utilities_via_scripts_filter`
Splunk · Original SPL · T1090.001
Windows Proxy Via Netsh
The following analytic identifies the use of netsh.exe to configure a connection proxy, which can be leveraged for persistence by executing a helper DLL. It detects this activity by analyzing process creation events from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "portproxy" and "v4tov4" parameters. This activity is significant because it indicates potential unauthorized network configuration changes, which could be used to maintain persistence or redirect network traffic. If confirmed malicious, this could allow an attacker to maintain covert access or manipulate network communications, posing a significant security risk.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_netsh` Processes.process = "* portproxy *" Processes.process = "* v4tov4 *"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_proxy_via_netsh_filter`
Splunk · Original SPL · T1090.001
Windows Proxy Via Registry
The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path "*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  FROM datamodel=Endpoint.Registry where
  Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*"
  by Registry.action Registry.dest Registry.process_guid Registry.process_id
     Registry.registry_hive Registry.registry_path Registry.registry_key_name
     Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type
     Registry.status Registry.user Registry.vendor_product
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `drop_dm_object_name(Registry)`
| `windows_proxy_via_registry_filter`
Splunk Original SPL T1021.004 ↗
Windows PuTTY Suite Utility Execution
This analytic detects the execution of programs associated with the PuTTY SSH client suite, including putty.exe, pscp.exe, plink.exe, psftp.exe, and puttygen.exe. This activity is significant because these tools can be used to establish unauthorized remote connections, transfer files, or execute commands on remote systems. If identified in an unusual context, such as non-administrative accounts or unexpected systems, it may indicate attempts to bypass security controls, perform lateral movement, or exfiltrate data, which could lead to further network compromise.
Show query
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

(
    Processes.process_name IN (
        "putty.exe",
        "pscp.exe",
        "plink.exe",
        "psftp.exe",
        "puttygen.exe"
    )
    OR
    Processes.original_file_name IN (
        "PuTTY",
        "PSCP",
        "Plink",
        "PSFTP",
        "PuTTYgen"
    )
)

by Processes.process Processes.vendor_product Processes.user_id
   Processes.process_hash Processes.parent_process_name
   Processes.parent_process_exec Processes.action Processes.dest
   Processes.process_current_directory Processes.process_path
   Processes.process_integrity_level Processes.original_file_name
   Processes.parent_process Processes.parent_process_path
   Processes.parent_process_guid Processes.parent_process_id
   Processes.process_guid Processes.process_id
   Processes.user Processes.process_name

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_putty_suite_utility_execution_filter`
Splunk Original SPL T1021.001 ↗
Windows RDP Bitmap Cache File Creation
This detection identifies the creation of Remote Desktop Protocol (RDP) bitmap cache files on a Windows system, typically located in the user’s profile under the Terminal Server Client cache directory. These files (*.bmc, cache*.bin) are generated when a user initiates an RDP session using the built-in mstsc.exe client. Their presence can indicate interactive remote access activity and may be useful in detecting lateral movement or unauthorized RDP usage. Monitoring this behavior is especially important, as attackers may attempt to delete or suppress these artifacts to evade forensic analysis.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\Terminal Server Client\\Cache\\*.bmc", "*\\Terminal Server Client\\Cache\\cache*.bin") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `windows_rdp_bitmap_cache_file_creation_filter`
Splunk Original SPL T1070.004 ↗
Windows RDP Cache File Deletion
This detection identifies the deletion of RDP bitmap cache files—specifically .bmc and .bin files—typically stored in the user profile under the Terminal Server Client\Cache directory. These files are created by the native Windows Remote Desktop Client (mstsc.exe) and store graphical elements from remote sessions to improve performance. Deleting these files may indicate an attempt to remove forensic evidence of RDP usage. While rare in legitimate user behavior, this action is commonly associated with defense evasion techniques used by attackers or red teamers who wish to hide traces of interactive remote access. When observed in conjunction with recent logon activity, RDP session indicators, or script execution, this behavior should be treated as potentially malicious. Monitoring for deletion of these files provides valuable visibility into anti-forensic actions that often follow lateral movement or hands-on-keyboard activity.
Show query
`sysmon` EventCode IN ("23", "26") TargetFilename IN ("*\\Terminal Server Client\\Cache\\*.bmc", "*\\Terminal Server Client\\Cache\\cache*.bin") | stats count min(_time) as firstTime, max(_time) as lastTime by action dest dvc file_path file_hash file_name file_modify_time process_exec process_guid process_id process_name process_path signature signature_id user user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rdp_cache_file_deletion_filter`
Splunk Original SPL T1021.001 ↗
Windows RDP Client Launched with Admin Session
This detection identifies the execution of the Windows Remote Desktop Client (mstsc.exe) with the "/v" and /admin command-line arguments. The "/v" flag specifies the remote host to connect to, while the /admin flag initiates a connection to the target system’s console session, often used for administrative purposes. This combination may indicate that a user or attacker is performing privileged remote access, potentially to manage a system without disrupting existing user sessions. While such usage may be legitimate for IT administrators, it is less common in typical user behavior. Threat actors may abuse this capability during lateral movement to maintain stealthy access to high-value systems. Monitoring for this pattern can help detect interactive hands-on-keyboard activity, privilege abuse, or attempts to access critical infrastructure without leaving typical login traces associated with non-admin RDP sessions.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name = "mstsc.exe" Processes.process = "*/v:*" Processes.process = "*/admin*"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_rdp_client_launched_with_admin_session_filter`
Splunk Original SPL T1021.001 ↗
Windows RDP Login Session Was Established
The following analytic detects instances where a successful Remote Desktop Protocol (RDP) login session was established, as indicated by Windows Security Event ID 4624 with Logon Type 10. This event confirms that a user has not only provided valid credentials but has also initiated a full interactive RDP session. It is a key indicator of successful remote access to a Windows system. When correlated with Event ID 1149, which logs RDP authentication success, this analytic helps distinguish between mere credential acceptance and actual session establishment—critical for effective monitoring and threat detection.
Show query
`wineventlog_security`  EventCode=4624 Logon_Type=10
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY action app authentication_method
       dest dvc process
       process_id process_name process_path
       signature signature_id src
       src_port status subject
       user user_group vendor_product
       Logon_Type
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_rdp_login_session_was_established_filter`
Splunk Original SPL T1070.004 ↗
Windows RDP Server Registry Deletion
This detection identifies the deletion of registry keys under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\, which store records of previously connected remote systems via Remote Desktop Protocol (RDP). These keys are created automatically when a user connects to a remote host using the native Windows RDP client (mstsc.exe) and can be valuable forensic artifacts for tracking remote access activity. Malicious actors aware of this behavior may delete these keys after using RDP to hide evidence of their activity and avoid detection during incident response. This form of artifact cleanup is a known defense evasion technique, often performed during or after lateral movement. Legitimate users rarely delete these keys manually, making such actions highly suspicious—especially when correlated with RDP usage, unusual logon behavior, or other signs of compromise. Detecting the deletion of these registry entries can provide crucial insight into attempts to cover tracks following interactive remote access.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\Microsoft\\Terminal Server Client\\Servers\\*" Registry.action = deleted by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_rdp_server_registry_deletion_filter`
Splunk Original SPL T1021.001 ↗
Windows RDP Server Registry Entry Created
This detection identifies the creation of registry keys under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\, which occur when a user initiates a Remote Desktop Protocol (RDP) connection using the built-in Windows RDP client (mstsc.exe). These registry entries store information about previously connected remote hosts, including usernames and display settings. Their creation is a strong indicator that an outbound RDP session was initiated from the system. While the presence of these keys is normal during legitimate RDP use, their appearance can be used to track remote access activity, especially in environments where RDP is tightly controlled. In post-compromise scenarios, these artifacts may be created by threat actors using RDP for lateral movement or command-and-control. Monitoring the creation of these registry entries can help defenders detect initial use of RDP from a compromised host, particularly when correlated with unusual user behavior, logon patterns, or network activity.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\Microsoft\\Terminal Server Client\\Servers\\*" Registry.action != deleted by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_rdp_server_registry_entry_created_filter`
Splunk Original SPL T1133 ↗
Windows RDPClient Connection Sequence Events
This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events track when RDP ClientActiveX initiates connection attempts to remote servers. The connection sequence is a critical phase of RDP where the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. Note: the analytic was written against the multi-line event rendering, because the XML form of the event was not being parsed correctly.
Show query
`wineventlog_rdp` EventCode=1024
  | rename host as dest
  | stats count as "Event Count", min(_time) as firstTime, max(_time) as lastTime, values(Message) as messages
    BY dest, source, LogName,
       EventCode, category
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_rdpclient_connection_sequence_events_filter`
Splunk Original SPL T1219 ↗
Windows RMM Tool Execution
Detects process creation events of various remote access tools. Remote management tools, when used for legitimate purposes, can help IT professionals and system administrators remotely access and manage computer systems. However, threat actors may exploit these tools for malicious purposes.
Show query
`sysmon`
EventID = 1
(
    Company IN (
        "AmidaWare*",
        "Ammyy LLC*",
        "AnyDesk Software*",
        "ATERA Networks*",
        "bomgar*",
        "FleetDeck*",
        "GoTo, Inc*",
        "IDrive Inc*",
        "LogMeIn, Inc*",
        "MMSOFT Design*",
        "N-able*",
        "NetSupport Ltd*",
        "NinjaRMM*",
        "Remote Utilities*",
        "SimpleHelp*",
        "Servably*",
        "ScreenConnect*",
        "Splashtop*",
        "TeamViewer Germany*",
        "ZOHO Corporation*"
    )

    OR Description IN (
        "Advanced Monitoring Agent*",
        "AnyDesk*",
        "Ammyy Admin*",
        "AteraAgent*",
        "BeyondTrust Remote Support*",
        "FleetDeck*",
        "GoToAssist*",
        "GoToMyPC*",
        "Kaseya Live Connect*",
        "N-able*",
        "NetSupport Client Application*",
        "NinjaRMM*",
        "Pulseway*",
        "RemotePC*",
        "Remote Utilities*",
        "ScreenConnect*",
        "SimpleHelp Remote*",
        "Splashtop*",
        "Tactical RMM Agentz*",
        "Take Control Agent*",
        "Zoho Assist*"
    )

    OR Product IN (
        "Advanced Monitoring Agent*",
        "AnyDesk*",
        "Ammyy Admin*",
        "AteraAgent*",
        "BeyondTrust Remote Support*",
        "FleetDeck*",
        "GoToAssist*",
        "GoToMyPC*",
        "Kaseya Live Connect*",
        "NetSupport Remote Control*",
        "NetSupport Manager*",
        "NinjaRMM*",
        "Pulseway*",
        "Remote Access*",
        "Remote Support*",
        "Remote Utilities*",
        "RemotePC*",
        "Syncro*",
        "ScreenConnect*",
        "Splashtop*",
        "Tactical RMM Agent*",
        "Take Control Agent*",
        "TeamViewer*",
        "Zoho Assist*"
    )

    OR Image IN (
        "*AgentPackage*",
        "*AnyDesk.exe*",
        "*AteraAgent.exe*",
        "*BASupSrvc*",
        "*fleetdeck*",
        "*level.exe*",
        "*MeshAgent*",
        "*MspPlatform\\PME\\Installers*",
        "*NableCommand*",
        "*N-able Technologies*",
        "*NinjaRMM*",
        "*nxexec.exe*",
        "*nxserv*",
        "*nxplayer*",
        "*PCMonitor*",
        "*Pulseway*",
        "*remcmdstub.exe*",
        "*rustdesk.exe*",
        "*ScreenConnect*",
        "*Splashtop*",
        "*SRAgent.exe*",
        "*tacticalrmm.exe*",
        "*TakeControlTechConsole*",
        "*tailscale*",
        "*TeamViewer*",
        "*ZA_Connect*",
        "*ZMAgent*",
        "*ZohoMeeting*"
    )
)

| fillnull
| stats count min(_time) as firstTime
              max(_time) as lastTime
  by Computer Company Description Product Image action
     dest original_file_name parent_process
     parent_process_exec parent_process_guid
     parent_process_id parent_process_name
     parent_process_path process_hash
     process_integrity_level user user_id
     vendor_product

| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_rmm_tool_execution_filter`
Splunk Original SPL T1003.002 ↗
Windows Rapid Authentication On Multiple Hosts
The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.
Show query
`wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS LOGON" TargetUserName!="*$"
  | bucket span=5m _time
  | stats dc(Computer) AS unique_targets values(Computer) as host_targets values(dest) as dest values(src) as src values(user) as user
    BY _time, IpAddress, TargetUserName,
       action, app, authentication_method,
       signature, signature_id
  | where unique_targets >= 30
  | `windows_rapid_authentication_on_multiple_hosts_filter`
Splunk Original SPL T1070.004 ↗
Windows Rdp AutomaticDestinations Deletion
This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user’s AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records recently accessed files and folders tied to specific applications. Each .automaticDestinations-ms file corresponds to a program (e.g., Explorer, Word, Notepad) and can be valuable for forensic analysis of user activity. Adversaries may target this folder to erase evidence of their actions, such as which documents or directories were accessed during a session. This type of deletion is rarely seen during normal user activity and may indicate deliberate anti-forensic behavior. When correlated with suspicious logon events, RDP usage, or script execution, this activity may represent an attempt to cover tracks after data access, lateral movement, or staging for exfiltration. Detecting removal of these artifacts can highlight post-compromise cleanup efforts and help analysts reconstruct attacker behavior.
Show query
`sysmon` EventCode=23 TargetFilename IN ("*\\Recent\\AutomaticDestinations*") | stats count min(_time) as firstTime, max(_time) as lastTime by action dest dvc file_path file_hash file_name file_modify_time process_exec process_guid process_id process_name process_path signature signature_id user user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rdp_automaticdestinations_deletion_filter`
Splunk Original SPL T1053.005, T1685 ↗
Windows Registry Delete Task SD
The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task. It leverages the Endpoint.Registry data model to identify registry actions performed by the SYSTEM user, specifically targeting deletions of the SD value. This activity is significant as it may indicate an attempt to remove evidence of a scheduled task for defense evasion. If confirmed malicious, it suggests an attacker with privileged access trying to hide their tracks, potentially compromising system integrity and security.
Show query
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Endpoint.Registry where

Registry.registry_path IN ("*\\Schedule\\TaskCache\\Tree\\*")
Registry.user="SYSTEM"
(
  Registry.registry_value_name="SD"
  OR
  Registry.registry_key_name="SD"
)
Registry.action=deleted

by Registry.action Registry.dest Registry.process_guid
   Registry.process_id Registry.registry_hive
   Registry.registry_path Registry.registry_key_name
   Registry.registry_value_data Registry.registry_value_name
   Registry.registry_value_type Registry.status Registry.user
   Registry.vendor_product

| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_registry_delete_task_sd_filter`
Splunk Original SPL T1027.011 ↗
Windows Registry Payload Injection
The following analytic detects suspiciously long data written to the Windows registry, a behavior often linked to fileless malware or persistence techniques. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on registry events with data lengths exceeding 512 characters. This activity is significant as it can indicate an attempt to evade traditional file-based defenses, making it crucial for SOC monitoring. If confirmed malicious, this technique could allow attackers to maintain persistence, execute code, or manipulate system configurations without leaving a conventional file footprint.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
  WHERE Registry.registry_value_data=*
  BY _time span=1h Registry.dest
     Registry.registry_path Registry.registry_value_name Registry.process_guid
     Registry.registry_value_data Registry.registry_key_name Registry.registry_hive
     Registry.status Registry.action Registry.process_id
     Registry.user Registry.vendor_product
| `drop_dm_object_name(Registry)`
| eval reg_data_len = len(registry_value_data)
| where reg_data_len > 512
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_registry_payload_injection_filter`
Splunk Original SPL T1218.010 ↗
Windows Regsvr32 Renamed Binary
The following analytic identifies instances where the regsvr32.exe binary has been renamed and executed. This detection leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original filename metadata. Renaming regsvr32.exe is significant as it can be an evasion technique used by attackers to bypass security controls. If confirmed malicious, this activity could allow an attacker to execute arbitrary DLLs, potentially leading to code execution, privilege escalation, or persistence within the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name != regsvr32.exe
    AND
    Processes.original_file_name=regsvr32.exe
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_regsvr32_renamed_binary_filter`
Splunk Original SPL T1219 ↗
Windows Remote Access Software RMS Registry
The following analytic detects the creation or modification of Windows registry entries related to the Remote Manipulator System (RMS) Remote Admin tool. It leverages data from the Endpoint.Registry datamodel, focusing on registry paths containing "SYSTEM\\Remote Manipulator System." This activity is significant because RMS, while legitimate, is often abused by adversaries, such as in the Azorult malware campaigns, to gain unauthorized remote access. If confirmed malicious, this could allow attackers to remotely control the targeted host, leading to potential data exfiltration, system manipulation, or further network compromise.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\SYSTEM\\Remote Manipulator System*" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_access_software_rms_registry_filter`
Splunk Original SPL T1021.006 ↗
Windows Remote Host Computer Management Access
The following analytic detects the use of mmc.exe to launch Computer Management (compmgmt.msc) and connect to a remote machine. This technique allows administrators to access system management tools, including Event Viewer, Services, Shared Folders, and Local Users & Groups, without initiating a full remote desktop session. While commonly used for legitimate administrative purposes, adversaries may leverage this method for remote reconnaissance, privilege escalation, or persistence. Monitoring the execution of mmc.exe with the /computer:{hostname/ip} argument can help detect unauthorized system administration attempts or lateral movement within a network.
Show query
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name="mmc.exe"
    AND
    Processes.process = "*compmgmt.msc *"
    AND
    Processes.process = "*/computer:*"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_host_computer_management_access_filter`
Splunk Original SPL T1021.006 ↗
Windows Remote Management Execute Shell
The following analytic detects the execution of winrshost.exe initiating CMD or PowerShell processes as part of a potential payload execution. winrshost.exe is associated with Windows Remote Management (WinRM) and is typically used for remote execution. By monitoring for this behavior, the detection identifies instances where winrshost.exe is leveraged to run potentially malicious commands or payloads via CMD or PowerShell. This behavior may indicate exploitation of remote management tools for unauthorized access or lateral movement within a compromised environment, signaling a potential security incident.
Show query
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.parent_process_name="winrshost.exe"
    AND
    Processes.process_name IN ("cmd.exe","*powershell*", "pwsh.exe")
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_management_execute_shell_filter`
Splunk Original SPL T1021.001 ↗
Windows Remote Service Rdpwinst Tool Execution
The following analytic detects the execution of the RDPWInst.exe tool, which is an RDP wrapper library used to enable remote desktop host support and concurrent RDP sessions. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, original file names, and specific command-line arguments. This activity is significant because adversaries can abuse this tool to establish unauthorized RDP connections, facilitating remote access and potential lateral movement within the network. If confirmed malicious, this could lead to unauthorized access, data exfiltration, and further compromise of the targeted host.
Show query
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE (
        Processes.process_name="RDPWInst.exe"
        OR
        Processes.original_file_name="RDPWInst.exe"
    )
    AND Processes.process IN ("* -i*", "* -s*", "* -o*", "* -w*", "* -r*")
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_service_rdpwinst_tool_execution_filter`
Splunk Original SPL T1021.001 ↗
Windows Remote Services Allow Rdp In Firewall
The following analytic detects modifications to the Windows firewall to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "netsh.exe" to allow TCP port 3389. This activity is significant as it may indicate an adversary attempting to gain remote access to a compromised host, a common tactic for lateral movement. If confirmed malicious, this could allow attackers to remotely control the system, leading to potential data exfiltration or further network compromise.
Show query
| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE (
        Processes.process_name = "netsh.exe"
        OR
        Processes.original_file_name= "netsh.exe"
    )
    AND Processes.process = "*firewall*" AND Processes.process = "*add*" AND Processes.process = "*protocol=TCP*" AND Processes.process = "*localport=3389*" AND Processes.process = "*action=allow*"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_services_allow_rdp_in_firewall_filter`
Splunk Original SPL T1021.001 ↗
Windows Remote Services Allow Remote Assistance
The following analytic detects modifications in the Windows registry to enable remote desktop assistance on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "Control\\Terminal Server\\fAllowToGetHelp" registry path. This activity is significant because enabling remote assistance via registry is uncommon and often associated with adversaries or malware like Azorult. If confirmed malicious, this could allow an attacker to remotely access and control the compromised host, leading to potential data exfiltration or further system compromise.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Control\\Terminal Server\\fAllowToGetHelp*" Registry.registry_value_data="0x00000001" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_remote_services_allow_remote_assistance_filter`
Splunk Original SPL T1021.001 ↗
Windows Remote Services Rdp Enable
The following analytic detects modifications in the Windows registry to enable Remote Desktop Protocol (RDP) on a targeted machine. It leverages data from the Endpoint.Registry datamodel, specifically monitoring changes to the "fDenyTSConnections" registry value. This activity is significant as enabling RDP via registry is uncommon and often associated with adversaries or malware attempting to gain remote access. If confirmed malicious, this could allow attackers to remotely control the compromised host, potentially leading to further exploitation and lateral movement within the network.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Endpoint.Registry WHERE

Registry.registry_path="*\\Control\\Terminal Server\\fDenyTSConnections*"
Registry.registry_value_data="0x00000000"

by Registry.action Registry.dest Registry.process_guid
   Registry.process_id Registry.registry_hive
   Registry.registry_path Registry.registry_key_name
   Registry.registry_value_data Registry.registry_value_name
   Registry.registry_value_type Registry.status
   Registry.user Registry.vendor_product

| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_remote_services_rdp_enable_filter`
Splunk Original SPL T1036.003 ↗
Windows Renamed Powershell Execution
The following analytic identifies instances where the PowerShell executable has been renamed and executed under an alternate filename. This behavior is commonly associated with attempts to evade security controls or bypass logging mechanisms that monitor standard PowerShell usage. While rare in legitimate environments, renamed PowerShell binaries are frequently observed in malicious campaigns leveraging Living-off-the-Land Binaries (LOLBins) and fileless malware techniques. This detection flags executions of PowerShell where the process name does not match the default powershell.exe or pwsh.exe, especially when invoked from unusual paths or accompanied by suspicious command-line arguments.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

(
  Processes.original_file_name = PowerShell.EXE
  Processes.process_name != powershell.exe
)
OR
(
  Processes.original_file_name = pwsh.dll
  Processes.process_name != pwsh.exe
)
OR
(
  Processes.original_file_name = powershell_ise.EXE
  Processes.process_name != powershell_ise.exe
)

by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process
   Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
   Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_renamed_powershell_execution_filter`
Splunk Original SPL T1087.002 ↗
Windows Root Domain linked policies Discovery
The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for root domain linked policies. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory Discovery. If confirmed malicious, this activity could allow attackers to map out domain policies, potentially aiding in further exploitation or lateral movement within the network.
`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*.SearchRooT*" ScriptBlockText = "*.gplink*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_root_domain_linked_policies_discovery_filter`
Splunk Original SPL T1112 ↗
Windows Routing and Remote Access Service Registry Key Change
This analytic identifies modification of the Windows RemoteAccess registry entry. This technique can be used by malware, adversaries, threat actors and red teamers to gain persistence on a system by tampering with the key so that a custom DLL is loaded. It has also been observed in use by the Gh0st RAT malware. Upon seeing this behavior, review the system service events, especially those related to the remote access services.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Endpoint.Registry WHERE

Registry.registry_path="*\\Services\\RemoteAccess\\RouterManagers\\Ip*"
Registry.action=modified

by Registry.action Registry.dest Registry.process_guid
   Registry.process_id Registry.registry_hive
   Registry.registry_path Registry.registry_key_name
   Registry.registry_value_data Registry.registry_value_name
   Registry.registry_value_type Registry.status
   Registry.user Registry.vendor_product

| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_routing_and_remote_access_service_registry_key_change_filter`
Splunk Original SPL T1112 ↗
Windows RunMRU Registry Key or Value Deleted
The following analytic detects the deletion or modification of Most Recently Used (MRU) command entries stored within the Windows Registry. Adversaries often clear these registry keys, such as HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, to remove forensic evidence of commands executed via the Windows Run dialog or other system utilities. This activity aims to obscure their actions, hinder incident response efforts, and evade detection. Detection focuses on monitoring for changes (deletion of values or modification of the MRUList value) to these specific registry paths, particularly when performed by unusual processes or outside of typical user behavior. Anomalous deletion events can indicate an attempt at defense evasion or post-exploitation cleanup by a malicious actor.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Registry where

Registry.registry_path="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*"
Registry.action=deleted

by Registry.action Registry.dest Registry.process_guid
   Registry.process_id Registry.registry_hive
   Registry.registry_path Registry.registry_key_name
   Registry.registry_value_data Registry.registry_value_name
   Registry.registry_value_type Registry.status
   Registry.user Registry.vendor_product

| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_runmru_registry_key_or_value_deleted_filter`
Splunk Original SPL T1218.011 ↗
Windows Rundll32 Apply User Settings Changes
The following analytic detects the execution of rundll32 with a call to the user32 DLL, specifically the UpdatePerUserSystemParameters function. This function is responsible for updating system parameters, such as desktop backgrounds, display settings, and visual themes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions. This activity can be significant as it is an uncommon way to apply settings. It was also observed as part of Rhysida Ransomware activity. If confirmed malicious, this could allow an attacker to disguise activities or make unauthorized system changes, potentially leading to persistent unauthorized access.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

`process_rundll32`
Processes.process = "*user32.dll*"
Processes.process = "*UpdatePerUserSystemParameters*"

by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
   Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_rundll32_apply_user_settings_changes_filter`
Splunk Original SPL T1218.011 ↗
Windows Rundll32 Load DLL in Temp Dir
This detection identifies instances where rundll32.exe is used to load a DLL from a temporary directory, such as C:\Users\<User>\AppData\Local\Temp\ or C:\Windows\Temp\. While rundll32.exe is a legitimate Windows utility used to execute functions exported from DLLs, its use to load libraries from temporary locations is highly suspicious. These directories are commonly used by malware and red team tools to stage payloads or execute code in-memory without writing it to more persistent locations. This behavior often indicates defense evasion, initial access, or privilege escalation, especially when the DLL is unsigned, recently written, or executed shortly after download. In normal user workflows, DLLs are not typically loaded from Temp paths, making this a high-fidelity indicator of potentially malicious activity. Monitoring this pattern is essential for detecting threats that attempt to blend in with native system processes while bypassing traditional application controls.
| tstats `security_content_summariesonly`
  min(_time) as firstTime
  max(_time) as lastTime

from datamodel=Endpoint.Processes where

`process_rundll32`
AND Processes.process IN ("*temp\\*", "*\\tmp\\*")

by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
   Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_rundll32_load_dll_in_temp_dir_filter`
Splunk Original SPL T1218.011 ↗
Windows Rundll32 with Non-Standard File Extension
This analytic identifies instances of the rundll32.exe process loading a module with a non-standard Windows file extension. This behavior is uncommon and can be associated with malicious activity, such as the Gh0st RAT backdoor. The technique is used to evade detection by security tools that monitor for suspicious DLL loading activity.
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

FROM datamodel=Endpoint.Processes WHERE

`process_rundll32`
(
    Processes.parent_process_path IN (
        "*:\\PerfLogs\\*",
        "*:\\ProgramData\\*",
        "*:\\Recycle.bin\\*",
        "*:\\Users\\Administrator\\Music\\*",
        "*:\\Users\\Public\\*",
        "*:\\Windows\\Cursors\\*",
        "*:\\Windows\\debug\\*",
        "*:\\Windows\\fonts\\*",
        "*:\\Windows\\INF\\*",
        "*:\\Windows\\Media\\*",
        "*:\\Windows\\Prefetch\\*",
        "*:\\Windows\\repair\\*",
        "*:\\Windows\\Tasks\\*",
        "*\\Temp\\*"
    )
    OR
    Processes.parent_process_name IN (
        "*cmd.exe*",
        "*cscript.exe*",
        "*mshta.exe*",
        "*powershell.exe*",
        "*pwsh.exe*",
        "*regsvr32.exe*",
        "*wscript.exe*"
    )
)
NOT Processes.process IN (
        "*.cpl*",
        "*.dll*",
        "*.drv*",
        "*.inf*",
        "*.mui*",
        "*.ocx*"
    )

BY Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_path
   Processes.process_exec Processes.process_guid Processes.process_hash
   Processes.process_id Processes.process_integrity_level
   Processes.process_path Processes.user Processes.user_id
   Processes.vendor_product Processes.parent_process_name
   Processes.parent_process Processes.process_name Processes.process

| `drop_dm_object_name(Processes)`

| rex field=process "^(?<cmd_base_process>[^\s]+)\s+\"?(?<cmd_base_first_param>[^,^\"^\s]+).*?,(?<cmd_args>.*)$"

| rex field=cmd_base_first_param "^(?<root>[^\\\\]+)\\\\(?<subdirs>[^\\\\]+)"

| eval folder_count = mvcount(split(cmd_base_first_param, "\\"))

| where (
            folder_count = 3
            AND
            NOT lower(subdirs) IN (
                                    "windows",
                                    "program files",
                                    "program files (x86)"
                                )
        )
        OR
        like(cmd_base_first_param, "%:\\ProgramData\\%")
        OR
        like(cmd_base_first_param, "%:\\Users\\Public\\%")
        OR
        like(cmd_base_first_param, "%\\AppData\\Local\\Temp\\%")
        OR
        like(cmd_base_first_param, "%\\AppData\\Roaming\\%")

| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_rundll32_with_non_standard_file_extension_filter`
Windows SOAPHound Binary Execution
The following analytic detects the execution of the SOAPHound binary (`soaphound.exe`) with specific command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and other process-related metadata. This activity is significant because SOAPHound is a known tool used for credential dumping and other malicious activities. If confirmed malicious, this behavior could allow an attacker to extract sensitive information, escalate privileges, or persist within the environment, posing a severe threat to organizational security.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE (
      Processes.process_name="soaphound.exe"
      OR
      Processes.original_file_name="soaphound.exe"
    )
    AND
    Processes.process IN ("*--buildcache *", "*--bhdump *", "*--certdump *", "*--dnsdump *", "*-c *", "*--cachefilename *", "*-o *", "*--outputdirectory *")
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_soaphound_binary_execution_filter`
Showing 1001-1050 of 1,106