Tool
Hunt pack: Agrius
930 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Agrius - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.
◈
Detections
50 shown of 930AWS Exfiltration via Anomalous GetObject API Activity
The following analytic identifies anomalous GetObject API activity in AWS, indicating potential data exfiltration attempts. It leverages AWS CloudTrail logs and uses the `anomalydetection` command to detect unusual patterns in the frequency of GetObject API calls by analyzing fields such as "count," "user_type," and "user_arn" within a 10-minute window. This activity is significant as it may indicate unauthorized data access or exfiltration from S3 buckets. If confirmed malicious, attackers could exfiltrate sensitive data, leading to data breaches and compliance violations.
Show query
`cloudtrail` eventName=GetObject
| bin _time span=10m
| rename user_name as user
| stats count values(requestParameters.bucketName) as bucketName
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product
| anomalydetection "count" "user" action=annotate
| search probable_cause=*
| `aws_exfiltration_via_anomalous_getobject_api_activity_filter`AWS Exfiltration via Batch Service
The following analytic identifies the creation of AWS Batch jobs that could potentially abuse the AWS Bucket Replication feature on S3 buckets. It leverages AWS CloudTrail logs to detect the `JobCreated` event, analyzing job details and their status. This activity is significant because attackers can exploit this feature to exfiltrate data by creating malicious batch jobs. If confirmed malicious, this could lead to unauthorized data transfer between S3 buckets, resulting in data breaches and loss of sensitive information.
Show query
`cloudtrail` eventName = JobCreated
| fillnull
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_exfiltration_via_batch_service_filter`AWS Exfiltration via DataSync Task
The following analytic detects the creation of an AWS DataSync task, which could indicate potential data exfiltration. It leverages AWS CloudTrail logs to identify the `CreateTask` event from the DataSync service. This activity is significant because attackers can misuse DataSync to transfer sensitive data from a private AWS location to a public one, leading to data compromise. If confirmed malicious, this could result in unauthorized access to sensitive information, causing severe data breaches and compliance violations.
Show query
`cloudtrail` eventName = CreateTask eventSource="datasync.amazonaws.com"
| rename requestParameters.* as *
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product destinationLocationArn
sourceLocationArn
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_exfiltration_via_datasync_task_filter`AWS IAM Successful Group Deletion
The following analytic identifies the successful deletion of an IAM group in AWS. It leverages CloudTrail logs to detect `DeleteGroup` events with a success status. This activity is significant as it could indicate potential changes in user permissions or access controls, which may be a precursor to further unauthorized actions. If confirmed malicious, an attacker could disrupt access management, potentially leading to privilege escalation or unauthorized access to sensitive resources. Analysts should review related IAM events, such as recent user additions or new group creations, to assess the broader context.
Show query
`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com)
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_iam_successful_group_deletion_filter`AWS SAML Update identity provider
The following analytic detects updates to the SAML provider in AWS. It leverages AWS CloudTrail logs to identify the `UpdateSAMLProvider` event, analyzing fields such as `sAMLProviderArn`, `sourceIPAddress`, and `userIdentity` details. Monitoring updates to the SAML provider is crucial as it may indicate a perimeter compromise of federated credentials or unauthorized backdoor access set by an attacker. If confirmed malicious, this activity could allow attackers to manipulate identity federation, potentially leading to unauthorized access to cloud resources and sensitive data.
Show query
`cloudtrail` eventName=UpdateSAMLProvider
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.sAMLProviderArn) as request_parameters
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_saml_update_identity_provider_filter`AWS SetDefaultPolicyVersion
The following analytic detects when a user sets a default policy version in AWS. It leverages AWS CloudTrail logs to identify the `SetDefaultPolicyVersion` event from the IAM service. This activity is significant because attackers may exploit this technique for privilege escalation, especially if previous policy versions grant more extensive permissions than the current one. If confirmed malicious, this could allow an attacker to gain elevated access to AWS resources, potentially leading to unauthorized actions and data breaches.
Show query
`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_setdefaultpolicyversion_filter`AWS Successful Single-Factor Authentication
The following analytic identifies a successful Console Login authentication event for an AWS IAM user account without Multi-Factor Authentication (MFA) enabled. It leverages AWS CloudTrail logs to detect instances where MFA was not used during login. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the AWS environment, potentially leading to data exfiltration, resource manipulation, or further privilege escalation.
Show query
`cloudtrail` eventName= ConsoleLogin errorCode=success "additionalEventData.MFAUsed"=No
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_successful_single_factor_authentication_filter`AWS UpdateLoginProfile
The following analytic detects an AWS CloudTrail event where a user with permissions updates the login profile of another user. It leverages CloudTrail logs to identify instances where the user making the change is different from the user whose profile is being updated. This activity is significant because it can indicate privilege escalation attempts, where an attacker uses a compromised account to gain higher privileges. If confirmed malicious, this could allow the attacker to escalate their privileges, potentially leading to unauthorized access and control over sensitive resources within the AWS environment.
Show query
`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success
| eval match=if(match(userIdentity.userName,requestParameters.userName), 1,0)
| search match=0
| rename user_name as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY signature dest user
user_agent src vendor_account
vendor_region vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_updateloginprofile_filter`Access LSASS Memory for Dump Creation
The following analytic detects attempts to dump the LSASS process memory, a common technique in credential dumping attacks. It leverages Sysmon logs, specifically EventCode 10, to identify suspicious call traces to dbgcore.dll and dbghelp.dll associated with lsass.exe. This activity is significant as it often precedes the theft of sensitive login credentials, posing a high risk of unauthorized access to systems and data. If confirmed malicious, attackers could gain access to critical credentials, enabling further compromise and lateral movement within the network.
Show query
`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll*
| stats count min(_time) as firstTime max(_time) as lastTime
BY CallTrace EventID GrantedAccess
Guid Opcode ProcessID
SecurityID SourceImage SourceProcessGUID
SourceProcessId TargetImage TargetProcessGUID
TargetProcessId UserID dest
granted_access parent_process_exec parent_process_guid
parent_process_id parent_process_name parent_process_path
process_exec process_guid process_id
process_name process_path signature
signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `access_lsass_memory_for_dump_creation_filter`Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
The following analytic identifies access to the /api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark endpoint, which is associated with CVE-2023-46805 and CVE-2024-21887 vulnerabilities. It detects this activity by monitoring for GET requests that receive a 403 Forbidden response with an empty body. This behavior is significant as it indicates potential exploitation attempts against Ivanti Connect Secure systems. If confirmed malicious, attackers could exploit these vulnerabilities to gain unauthorized access or control over the affected systems, leading to potential data breaches or system compromise.
Show query
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url="*/api/v1/configuration/users/user-roles/user-role/rest-userrole1/web/web-bookmarks/bookmark*" Web.http_method=GET Web.status=403
BY Web.src, Web.dest, Web.http_user_agent,
Web.status, Web.url source
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint_filter`Adobe ColdFusion Access Control Bypass
The following analytic detects potential exploitation attempts against Adobe ColdFusion vulnerabilities CVE-2023-29298 and CVE-2023-26360.
It monitors requests to specific ColdFusion Administrator endpoints, especially those with an unexpected additional forward slash, using the Web datamodel.
This activity is significant for a SOC as it indicates attempts to bypass access controls, which can lead to unauthorized access to ColdFusion administration endpoints.
If confirmed malicious, this could result in data theft, brute force attacks, or further exploitation of other vulnerabilities, posing a serious security risk to the environment.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url IN (
"*//CFIDE/adminapi*",
"*//CFIDE/administrator*",
"*//CFIDE/componentutils*",
"*//CFIDE/main*",
"*//CFIDE/restplay*",
"*//CFIDE/servermanager*",
"*//CFIDE/wizards*",
"*//restplay*",
)
Web.status=200
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `adobe_coldfusion_access_control_bypass_filter`Adobe ColdFusion Unauthenticated Arbitrary File Read
The following analytic detects potential exploitation of the Adobe ColdFusion vulnerability, CVE-2023-26360, which allows unauthenticated arbitrary file read.
It monitors POST requests to the "/cf_scripts/scripts/ajax/ckeditor/*" endpoint using the Web datamodel.
This activity can be significant due to the vulnerability's high CVSS score of 9.8, indicating severe risk.
If confirmed malicious, it could lead to unauthorized data access, further attacks, or severe operational disruptions.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/cf_scripts/scripts/ajax/ckeditor/*"
Web.status=200
Web.http_method=POST
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `adobe_coldfusion_unauthenticated_arbitrary_file_read_filter`AdsiSearcher Account Discovery
The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify script blocks containing `[adsisearcher]`, `objectcategory=user`, and `.findAll()`. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*objectcategory=user*" ScriptBlockText = "*.findAll()*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `adsisearcher_account_discovery_filter`Allow Inbound Traffic By Firewall Rule Registry
The following analytic detects suspicious modifications to firewall rule registry settings that allow inbound traffic on specific ports with a public profile. It leverages data from the Endpoint.Registry data model, focusing on registry paths and values indicative of such changes. This activity is significant as it may indicate an adversary attempting to grant remote access to a machine by modifying firewall rules. If confirmed malicious, this could enable unauthorized remote access, potentially leading to further exploitation, data exfiltration, or lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_data = "*|Action=Allow|*" Registry.registry_value_data = "*|Dir=In|*" Registry.registry_value_data = "*|LPort=*") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`
Allow Inbound Traffic In Firewall Rule
The following analytic detects a suspicious PowerShell command that allows inbound traffic to a specific local port within the public profile. It leverages PowerShell script block logging (EventCode 4104) to identify commands containing keywords like "firewall," "Inbound," "Allow," and "-LocalPort." This activity is significant because it may indicate an attacker attempting to establish remote access by modifying firewall rules. If confirmed malicious, this could allow unauthorized access to the machine, potentially leading to further exploitation and data exfiltration.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*firewall*" ScriptBlockText = "*Inbound*" ScriptBlockText = "*Allow*" ScriptBlockText = "*-LocalPort*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `allow_inbound_traffic_in_firewall_rule_filter`Azure AD Authentication Failed During MFA Challenge
The following analytic identifies failed authentication attempts against an Azure AD tenant during the Multi-Factor Authentication (MFA) challenge, specifically flagged by error code 500121. It leverages Azure AD SignInLogs to detect these events. This activity is significant as it may indicate an adversary attempting to authenticate using compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing effort to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.
Show query
`azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as *, authenticationDetails{}.* as * | eval time=strptime(authenticationStepDateTime,"%Y-%m-%dT%H:%M:%S") | eval auth_detail=mvzip(strftime(time, "%Y-%m-%dT%H:%M:%S"),authenticationStepResultDetail," - "), auth_msg=mvappend('status.additionalDetails', authenticationStepResultDetail) | eval auth_method=mvmap(authenticationMethod, if(isnull(mvfind('mfaDetail.authMethod',authenticationMethod)), authenticationMethod, null())) | search NOT auth_msg="MFA successfully completed" | rename userAgent as user_agent | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest user src vendor_account vendor_product auth_method auth_msg user_agent signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_authentication_failed_during_mfa_challenge_filter`Azure AD AzureHound UserAgent Detected
This detection identifies the presence of the default AzureHound user-agent string within Microsoft Graph Activity logs and NonInteractive SignIn Logs. AzureHound is a tool used for gathering information about Azure Active Directory environments, often employed by security professionals for legitimate auditing purposes. However, it can also be leveraged by malicious actors to perform reconnaissance activities, mapping out the Azure AD infrastructure to identify potential vulnerabilities and targets for further exploitation. Detecting its usage can help in identifying unauthorized access attempts and preemptively mitigating potential security threats to your Azure environment.
Show query
`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs) properties.userAgent=azurehound*
| rename properties.userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product user_agent
signature
| iplocation src
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_azurehound_useragent_detected_filter`Azure AD External Guest User Invited
The following analytic detects the invitation of an external guest user within Azure AD. It leverages Azure AD AuditLogs to identify events where an external user is invited, using fields such as operationName and initiatedBy. Monitoring these invitations is crucial as they can lead to unauthorized access if abused. If confirmed malicious, this activity could allow attackers to gain access to internal resources, potentially leading to data breaches or further exploitation of the environment.
Show query
`azure_monitor_aad` operationName="Invite external user"
| rename properties.* as *
| rename initiatedBy.user.userPrincipalName as initiatedBy
| rename targetResources{}.type as type
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product user_agent
initiatedBy type signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_external_guest_user_invited_filter`Azure AD Multiple AppIDs and UserAgents Authentication Spike
The following analytic detects unusual authentication activity in Azure AD, specifically when a single user account has over 8 authentication attempts using 3+ unique application IDs and 5+ unique user agents within a short period. It leverages Azure AD audit logs, focusing on authentication events and using statistical thresholds. This behavior is significant as it may indicate an adversary probing for MFA requirements. If confirmed malicious, it suggests a compromised account, potentially leading to further exploitation, lateral movement, and data exfiltration. Early detection is crucial to prevent substantial harm.
Show query
`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" (properties.authenticationRequirement="multiFactorAuthentication" properties.status.additionalDetails="MFA required in Azure AD") OR (properties.authenticationRequirement=singleFactorAuthentication "properties.authenticationDetails{}.succeeded"=true)
| bucket span=5m _time
| rename properties.* as *
| rename userAgent as user_agent
| fillnull
| stats count dc(appId) as unique_app_ids dc(user_agent) as unique_user_agents min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(user_agent) as user_agent
BY user src vendor_account
vendor_product signature
| where count > 5 and unique_app_ids > 2 and unique_user_agents > 5
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_multiple_appids_and_useragents_authentication_spike_filter`Azure AD Multiple Failed MFA Requests For User
The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Azure AD tenant. It leverages Azure AD Sign-in Logs, specifically error code 500121, to detect more than 10 failed MFA attempts within 10 minutes. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication prompts. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise user accounts and potentially escalate their privileges within the environment.
Show query
`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; user declined the authentication"
| rename properties.* as *
| bucket span=10m _time
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(src) as src
BY user, status.additionalDetails, appDisplayName,
user_agent, vendor_account, vendor_product,
signature
| where count > 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_multiple_failed_mfa_requests_for_user_filter`Azure AD Multiple Service Principals Created by SP
The following analytic detects when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span. It leverages Azure AD audit logs, specifically monitoring the 'Add service principal' operation initiated by service principals. This behavior is significant as it may indicate an attacker using a compromised or malicious service principal to rapidly establish multiple service principals, potentially staging an attack. If confirmed malicious, this activity could facilitate network infiltration or expansion, allowing the attacker to gain unauthorized access and persist within the environment.
Show query
`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.app.appId=*
| rename properties.* as *
| bucket span=10m _time
| rename targetResources{}.displayName as displayName
| rename targetResources{}.type as type
| rename initiatedBy.app.displayName as src_user
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime dc(displayName) as unique_apps values(displayName) as displayName values(dest) as dest values(src) as src values(user) as user values(user_agent) as user_agent
BY src_user vendor_account vendor_product
signature
| where unique_apps > 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_multiple_service_principals_created_by_sp_filter`Azure AD Multiple Service Principals Created by User
The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD. It detects this activity by monitoring the 'Add service principal' operation and aggregating data in 10-minute intervals. This behavior is significant as it may indicate an adversary rapidly creating multiple service principals to stage an attack or expand their foothold within the network. If confirmed malicious, this activity could allow attackers to establish persistence, escalate privileges, or access sensitive information within the Azure environment.
Show query
`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=*
| rename properties.* as *
| bucket span=10m _time
| rename targetResources{}.displayName as displayName
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime dc(displayName) as unique_apps values(displayName) as displayName values(dest) as dest values(src) as src values(user) as user values(user_agent) as user_agent
BY src_user vendor_account vendor_product
signature
| where unique_apps > 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_multiple_service_principals_created_by_user_filter`Azure AD Privileged Authentication Administrator Role Assigned
The following analytic detects the assignment of the Privileged Authentication Administrator role to an Azure AD user. It leverages Azure Active Directory audit logs to identify when this specific role is assigned. This activity is significant because users in this role can set or reset authentication methods for any user, including those in privileged roles like Global Administrators. If confirmed malicious, an attacker could change credentials and assume the identity and permissions of high-privilege users, potentially leading to unauthorized access to sensitive information and critical configurations.
Show query
`azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\""
| rename properties.* as *
| rename initiatedBy.user.userPrincipalName as initiatedBy
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product initiatedBy
signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_privileged_authentication_administrator_role_assigned_filter`Azure AD Privileged Graph API Permission Assigned
The following analytic detects the assignment of high-risk Graph API permissions in Azure AD, specifically Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. It uses azure_monitor_aad data to scan AuditLogs for 'Update application' operations, identifying when these permissions are assigned. This activity is significant as it grants broad control over Azure AD, including application and directory settings. If confirmed malicious, it could lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. Immediate investigation is required.
Show query
`azure_monitor_aad` category=AuditLogs operationName="Update application" | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0) | spath input=newvalue | search "{}.RequiredAppPermissions{}.EntitlementId"=" 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId" ="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId" ="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8" | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId' | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest user src vendor_account vendor_product Permissions signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `azure_ad_privileged_graph_api_permission_assigned_filter`Azure AD Service Principal Authentication
The following analytic identifies authentication events of service principals in Azure Active Directory. It leverages the `azure_monitor_aad` data source, specifically targeting "Sign-in activity" within ServicePrincipalSignInLogs. This detection gathers details such as sign-in frequency, timing, source IPs, and accessed resources. Monitoring these events is significant for SOC teams to distinguish between normal application authentication and potential anomalies, which could indicate compromised credentials or malicious activities. If confirmed malicious, attackers could gain unauthorized access to resources, leading to data breaches or further exploitation within the environment.
Show query
`azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs
| rename properties.* as *
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product resourceDisplayName
resourceId signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_service_principal_authentication_filter`Azure AD Service Principal Created
The following analytic detects the creation of a Service Principal in an Azure AD environment. It leverages Azure Active Directory events ingested through EventHub, specifically monitoring the "Add service principal" operation. This activity is significant because Service Principals can be used by adversaries to establish persistence and bypass multi-factor authentication and conditional access policies. If confirmed malicious, this could allow attackers to maintain single-factor access to the Azure AD environment, potentially leading to unauthorized access to resources and prolonged undetected activity.
Show query
`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=*
| rename properties.* as *
| rename targetResources{}.displayName as displayName
| rename targetResources{}.type as type
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product displayName
result signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_service_principal_created_filter`Azure AD Service Principal Enumeration
This detection leverages azure graph activity logs to identify when graph APIs have been used to identify 10 or more service principals. This type of behaviour is associated with tools such as Azure enumberation tools such as AzureHound or ROADtools.
Show query
`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals)
| fillnull
| rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/beta\/servicePrincipals\/(?P<servicePrincipalb>.*?)\/"
| rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/(?P<servicePrincipalv1>.*?)\/"
| eval spn=coalesce(servicePrincipalb,servicePrincipalv1)
| fillnull
| stats count min(_time) as _time dc(spn) as spn_count values(user_id) as user_id
BY dest user src
vendor_account vendor_product signature
| where spn_count>9
| `azure_ad_service_principal_enumeration_filter`Azure AD Successful PowerShell Authentication
The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell cmdlets. This detection leverages Azure AD SignInLogs to identify successful logins where the appDisplayName is "Microsoft Azure PowerShell." This activity is significant because it is uncommon for regular, non-administrative users to authenticate using PowerShell, and it may indicate enumeration and discovery techniques by an attacker. If confirmed malicious, this activity could allow attackers to perform extensive reconnaissance, potentially leading to privilege escalation or further exploitation within the Azure environment.
Show query
`azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName="Microsoft Azure PowerShell"
| rename properties.* as *
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product user_agent
signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_successful_powershell_authentication_filter`Azure AD Successful Single-Factor Authentication
The following analytic identifies a successful single-factor authentication event against Azure Active Directory. It leverages Azure SignInLogs data, specifically focusing on events where single-factor authentication succeeded. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches, privilege escalation, or further exploitation within the environment.
Show query
`azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true
| rename properties.* as *
| rename userAgent as user_agent
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product user_agent
signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_successful_single_factor_authentication_filter`Azure Automation Account Created
The following analytic detects the creation of a new Azure Automation account within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when an account is created or updated. This activity is significant because Azure Automation accounts can be used to automate tasks and orchestrate actions across Azure and on-premise environments. If an attacker creates an Automation account with elevated privileges, they could maintain persistence, execute malicious runbooks, and potentially escalate privileges or execute code on virtual machines, posing a significant security risk.
Show query
`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/write" status.value=Succeeded
| dedup object
| rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.value as signature
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product object
object_path signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_automation_account_created_filter`Azure Automation Runbook Created
The following analytic detects the creation of a new Azure Automation Runbook within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when a new Runbook is created or updated. This activity is significant because adversaries with privileged access can use Runbooks to maintain persistence, escalate privileges, or execute malicious code. If confirmed malicious, this could lead to unauthorized actions such as creating Global Administrators, executing code on VMs, and compromising the entire Azure environment.
Show query
`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/runbooks/write" object!=AzureAutomationTutorial* status.value=Succeeded
| dedup object
| rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.value as operationName
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product object
object_path
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_automation_runbook_created_filter`Azure Runbook Webhook Created
The following analytic detects the creation of a new Automation Runbook Webhook within an Azure tenant. It leverages Azure Audit events, specifically the "Create or Update an Azure Automation webhook" operation, to identify this activity. This behavior is significant because Webhooks can trigger Automation Runbooks via unauthenticated URLs exposed to the Internet, posing a security risk. If confirmed malicious, an attacker could use this to execute code, create users, or maintain persistence within the environment, potentially leading to unauthorized access and control over Azure resources.
Show query
`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/webhooks/write" status.value=Succeeded
| dedup object
| rename claims.ipaddr as src_ip
| rename caller as user
| stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest
BY object user, src_ip,
resourceGroupName, object_path
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_runbook_webhook_created_filter`CHCP Command Execution
The following analytic detects the execution of the chcp.com utility, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name=chcp.com
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `chcp_command_execution_filter`CMD Carry Out String Command Parameter
The following analytic detects the use of `cmd.exe /c` to execute commands, a technique often employed by adversaries and malware to run batch commands or invoke other shells like PowerShell. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized command execution. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.
Show query
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_cmd`
AND
Processes.process IN ("*/c*", "*/k*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cmd_carry_out_string_command_parameter_filter`CMD Echo Pipe - Escalation
The following analytic identifies the use of named-pipe impersonation for privilege escalation, commonly associated with Cobalt Strike and similar frameworks. It detects command-line executions where `cmd.exe` uses `echo` to write to a named pipe, such as `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential privilege escalation attempts. If confirmed malicious, attackers could gain elevated privileges, enabling further compromise and persistence within the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_cmd`
OR
Processes.process=*%comspec%* (Processes.process=*echo*
AND
Processes.process=*pipe*)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cmd_echo_pipe___escalation_filter`CMLUA Or CMSTPLUA UAC Bypass
The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.
Show query
`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*")) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`CSC Net On The Fly Compilation
The following analytic detects the use of the .NET compiler csc.exe for on-the-fly compilation of potentially malicious .NET code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with csc.exe. This activity is significant because adversaries and malware often use this technique to evade detection by compiling malicious code at runtime. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name=csc.exe
OR
Processes.original_file_name=csc.exe
)
Processes.process = "*/noconfig*" Processes.process = "*/fullpaths*" Processes.process = "*@*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `csc_net_on_the_fly_compilation_filter`CertUtil With Decode Argument
The following analytic detects the use of CertUtil.exe with the 'decode' argument, which may indicate an attempt to decode a previously encoded file, potentially containing malicious payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. This activity is significant because attackers often use CertUtil to decode malicious files downloaded from the internet, which are then executed to compromise the system. If confirmed malicious, this activity could lead to unauthorized code execution, further system compromise, and potential data exfiltration.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_certutil` Processes.process=*decode*
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `certutil_with_decode_argument_filter`Check Elevated CMD using whoami
The following analytic identifies the execution of the "whoami" command with the "/group" flag, where the results are passed to the "find" command in order to look for a the string "12288". This string represents the SID of the group "Mandatory Label\High Mandatory Level" effectively checking if the current process is running as a "High" integrity process or with Administrator privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because it is commonly used by attackers, such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious, this behavior could indicate an attacker is assessing their privilege level, potentially leading to further privilege escalation or persistence within the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process = "*whoami*" Processes.process = "*/group*" Processes.process = "* find *" Processes.process = "*12288*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `check_elevated_cmd_using_whoami_filter`Child Processes of Spoolsv exe
The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system.
Show query
| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name=spoolsv.exe
AND
Processes.process_name!=regsvr32.exe
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `child_processes_of_spoolsv_exe_filter`Cisco ASA - New Local User Account Created
This analytic detects creation of new user accounts on Cisco ASA devices via CLI or ASDM.
Adversaries may create unauthorized user accounts to establish persistence, maintain backdoor access, or elevate privileges on network infrastructure devices. These rogue accounts can provide attackers with continued access even after initial compromise vectors are remediated.
The detection monitors for ASA message ID 502101, which is generated whenever a new user account is created on the device, capturing details including the username, privilege level, and the administrator who created the account.
Investigate unexpected account creations, especially those with elevated privileges (level 15), accounts created outside business hours, accounts with suspicious or generic names, or accounts created by non-administrative users.
Show query
`cisco_asa`
message_id IN (502101)
| fillnull
| stats count earliest(_time) as firstTime
latest(_time) as lastTime
values(action) as action
values(message_id) as message_id
values(result) as result
values(privilege_level) as privilege_level
by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___new_local_user_account_created_filter`
Cisco ASA - User Privilege Level Change
This analytic detects privilege level changes for user accounts on Cisco ASA devices via CLI or ASDM.
Adversaries may escalate account privileges to gain elevated access to network infrastructure, enable additional command execution capabilities, or establish higher-level persistent access. Privilege levels on Cisco ASA range from 0 (lowest) to 15 (full administrative access), with level 15 providing complete device control.
The detection monitors for ASA message ID 502103, which is generated whenever a user account's privilege level is modified, capturing both the old and new privilege levels along with the username and administrator who made the change.
Investigate unexpected privilege changes, especially escalations to level 15, substantial privilege increases (e.g., from level 1 to 15), changes performed outside business hours, changes by non-administrative users, or changes without corresponding change management tickets.
Show query
`cisco_asa`
message_id IN (502103)
| fillnull
| stats earliest(_time) as firstTime
latest(_time) as lastTime
values(action) as action
values(message_id) as message_id
values(old_privilege_level) as old_privilege_level
values(new_privilege_level) as new_privilege_level
by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___user_privilege_level_change_filter`
Cisco IOS XE Implant Access
The following analytic identifies the potential exploitation of the Cisco IOS XE vulnerability, CVE-2023-20198, in the Web User Interface.
It monitors POST requests to the "/webui/logoutconfirm.html?logon_hash=*" endpoint using the Web datamodel.
This activity can be significant as it indicates potential access request to the implant
If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/webui/logoutconfirm.html?logon_hash=*"
Web.http_method=POST
Web.status=200
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_implant_access_filter`Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal
This analytic detects Cisco IOS-XE command sequences where show logging, clear logging, and exit occur within a short period.
It also detects the pattern where a loopback interface is removed before clearing logs and exiting.
Show query
`cisco_ios`
facility IN ("AAA", "HA_EM", "PARSER")
mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG", "CFGLOG_LOGGEDCMD")
message_text IN ("*show logging*", "*clear logging*", "*exit*", "*no interface Loopback*")
| eval cmd=lower(coalesce(command, message_text))
| eval event_type=case(
like(cmd, "%show logging%"), "show_logging",
like(cmd, "%clear logging%"), "clear_logging",
like(cmd, "%exit%"), "exit",
like(cmd, "%no interface loopback%"), "remove_loopback"
)
| where isnotnull(event_type)
| eval dest=coalesce(host, dvc, dest, "unknown")
| bin _time span=2m
| stats count min(_time) as firstTime
max(_time) as lastTime
values(event_type) as event_types
values(message_text) as message_text
values(cmd) as cmd
by _time dest
| where mvfind(event_types, "clear_logging") >= 0
AND
mvfind(event_types, "exit") >= 0
AND
(
mvfind(event_types, "show_logging") >= 0
OR
mvfind(event_types, "remove_loopback") >= 0
)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal_filter`Cisco Isovalent - Cron Job Creation
The following analytic detects the creation of a cron job within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for cron job creation events. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.
Show query
`cisco_isovalent_process_exec` process_name IN ("crond","cron","crontab")
| search pod_name!=""
| stats count
min(_time) as firstTime
max(_time) as lastTime
values(process) as process
by cluster_name pod_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___cron_job_creation_filter`
Cisco Isovalent - Kprobe Spike
This analytic detects excessive kernel probe (kprobe) events in a Kubernetes cluster over a short period of time.
Kprobes are a Linux kernel debugging and instrumentation mechanism that allows dynamic monitoring and tracing of kernel functions and system calls.
In containerized or cloud-native environments, kprobes are occasionally used for legitimate low-level diagnostics; however, monitoring a spike in kprobe activity is important because malware or attackers may abuse this mechanism to gain insights into the kernel, attempt privilege escalation, or tamper with host processes.
More than 10 kprobe events within 5 minutes may indicate suspicious activity, such as an attacker probing the kernel through repeated system calls (e.g., nsenter, mount, sethostname).
Such abnormal volume and frequency of kprobe usage within application pods or on nodes can signal container escape attempts or low-level tampering with the host, thereby representing a potential security threat.
Show query
`cisco_isovalent` process_kprobe.action!=""
| bin _time span=5m | rename process_kprobe.parent.pod.name as pod_name
| stats count as kprobe_count
values(process_kprobe.function_name) as functions
values(process_kprobe.process.binary) as binaries
values(process_kprobe.args{}.string_arg) as args
by pod_name _time
| where kprobe_count > 10 | `cisco_isovalent___kprobe_spike_filter`
Cisco NVM - Installation of Typosquatted Python Package
This analytic detects suspicious python package installations where the package name resembles popular Python libraries but may be typosquatted or slightly altered.
Typosquatting is a common technique used by attackers to trick users into installing malicious packages that mimic legitimate ones.
This detection leverages Cisco NVM flow telemetry and checks for pip or poetry package managers with the "install" or "add" flags, making outbound connections to package repository such as `pypi.org` with known or suspected typo package names.
Show query
`cisco_network_visibility_module_flowdata`
dest_hostname IN ("*.pythonhosted.org", "*pypi.org", "*python-poetry.org")
(
(process_arguments = "*pip*" process_arguments = "*install*")
OR
(process_arguments = "*poetry*" process_arguments = "*add*")
)
| rex field=process_arguments "(?i)(?:pip|poetry)[^|]*?\s+(?:install|add)\s+(?P<package_name>[^\s\"']+)$"
| lookup typo_squatted_python_packages
typosquatted_package_name as package_name
OUTPUTNEW comment package_official_url
| where isnotnull(comment)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport package_name comment package_official_url
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src dest_hostname dest dest_port transport package_name comment package_official_url
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
| `cisco_nvm___installation_of_typosquatted_python_package_filter`
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
This analytic detects suspicious use of 'mshta.exe' or 'rundll32.exe' invoking 'mshtml.dll'
or the 'RunHTMLApplication' export without including a direct HTTP/HTTPS URL in the command line.
This pattern could be associated with obfuscated script execution used by threat actors during
initial access or payload staging. The absence of a visible URL may indicate attempts to evade static
detections by embedding the URL via string concatenation, encoding (e.g., hex), or indirect script loaders
like 'GetObject()'.
Show query
`cisco_network_visibility_module_flowdata`
(
(
process_name = "mshta.exe"
process_arguments IN ("*javascript*", "*vbscript*")
)
OR
( process_name = "rundll32.exe" AND
process_arguments = "*mshtml*" AND
process_arguments = "*RunHTMLApplication*"
)
)
NOT process_arguments IN ("*http://*", "*https://*")
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli_filter`
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
This analytic detects suspicious use of `rundll32.exe` in combination with `mshtml.dll` and the export `RunHTMLApplication`.
This behavior is often observed in malware to execute JavaScript or VBScript in memory, enabling payload staging or
bypassing script execution policies and bypassing the usage of the "mshta.exe" binary.
The detection leverages Cisco Network Visibility Module telemetry which offers network flow activity
along with process information such as command-line arguments
If confirmed malicious, this activity may indicate initial access or payload download.
Show query
`cisco_network_visibility_module_flowdata`
process_name = "rundll32.exe"
process_arguments = "*mshtml*"
process_arguments IN ("*135*", "*RunHTMLApplication*")
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download_filter`
Cisco NVM - Susp Script From Archive Triggering Network Activity
This analytic detects script execution (`wscript.exe` or `cscript.exe`) triggered from compressed files opened directly using
`explorer.exe`, `winrar.exe`, or `7zFM.exe`.
When a user double clicks on a ".js" file from within one of these compressed files. Its extracted temporally in the temp directory in folder with certain markers.
It leverages Cisco Network Visibility Module (NVM) flow data, in order to look for a specific parent/child relationship and an initiated network connection.
This behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.
Show query
`cisco_network_visibility_module_flowdata`
parent_process_name IN ("explorer.exe", "winrar.exe", "7zFM.exe")
process_name IN ("wscript.exe", "cscript.exe")
process_arguments = "*\\AppData\\Local\\Temp\\*"
process_arguments IN ("*\\rar*", "*\\7z*", "*.zip*")
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_name parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_name parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___susp_script_from_archive_triggering_network_activity_filter`
Showing 151-200 of 930