Tool
Hunt pack: Akira
957 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Akira - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.
◈
Detections
50 shown of 957Confluence CVE-2023-22515 Trigger Vulnerability
The following analytic identifies potential exploitation attempts of the Confluence CVE-2023-22515 vulnerability. It detects successful accesses (HTTP status 200) to specific vulnerable endpoints by analyzing web logs within the Splunk 'Web' Data Model. This activity is significant for a SOC as it indicates possible privilege escalation attempts in Confluence. If confirmed malicious, attackers could gain unauthorized access or create accounts with escalated privileges, leading to potential data breaches or further exploitation within the environment.
Show query
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url IN ("*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=false*","*/server-info.action?bootstrapStatusProvider.applicationConfig.setupComplete=0&*") Web.http_method=GET Web.status=200
BY Web.http_user_agent, Web.status Web.http_method,
Web.url, Web.url_length, Web.src,
Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `confluence_cve_2023_22515_trigger_vulnerability_filter`Confluence Data Center and Server Privilege Escalation
The following analytic identifies potential exploitation attempts on a known vulnerability in Atlassian Confluence, specifically targeting the /setup/*.action* URL pattern. It leverages web logs within the Splunk 'Web' Data Model, filtering for successful accesses (HTTP status 200) to these endpoints. This activity is significant as it suggests attackers might be exploiting a privilege escalation flaw in Confluence. If confirmed malicious, it could result in unauthorized access or account creation with escalated privileges, leading to potential data breaches or further exploitation within the environment.
Show query
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url IN ("*/setup/setupadministrator.action*", "*/setup/finishsetup.action*", "*/json/setup-restore-local.action*", "*/json/setup-restore-progress.action*", "*/json/setup-restore.action*", "*/bootstrap/selectsetupstep.action*") Web.status=200
BY Web.http_user_agent, Web.status Web.http_method,
Web.url, Web.url_length, Web.src,
Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `confluence_data_center_and_server_privilege_escalation_filter`Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
The following analytic identifies attempts to exploit a critical template injection vulnerability (CVE-2023-22527) in outdated Confluence Data Center and Server versions. It detects POST requests to the "/template/aui/text-inline.vm" endpoint with HTTP status codes 200 or 202, indicating potential OGNL injection attacks. This activity is significant as it allows unauthenticated attackers to execute arbitrary code remotely. If confirmed malicious, attackers could gain full control over the affected Confluence instance, leading to data breaches, system compromise, and further network infiltration. Immediate patching is essential to mitigate this threat.
Show query
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url="*/template/aui/text-inline.vm*" Web.http_method=POST Web.status IN (200, 202)
BY Web.src, Web.dest, Web.http_user_agent,
Web.url, Web.status
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527_filter`ConnectWise ScreenConnect Authentication Bypass
The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows attackers to bypass authentication via an alternate path or channel. It leverages web request logs to identify access to the SetupWizard.aspx page, indicating potential exploitation. This activity is significant as it can lead to unauthorized administrative access and remote code execution. If confirmed malicious, attackers could create administrative users and gain full control over the affected system, posing severe security risks. Immediate remediation by updating to version 23.9.8 or above is recommended.
Show query
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url IN ("*/SetupWizard.aspx/*","*/SetupWizard/") Web.status=200 Web.http_method=POST
BY Web.src, Web.dest, Web.http_user_agent,
Web.url, Web.status, Web.http_method,
sourcetype, source
| rex field=Web.url "/SetupWizard.aspx/(?<randomPath>.+)"
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `connectwise_screenconnect_authentication_bypass_filter`ConnectWise ScreenConnect Path Traversal
The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating file_path and file_name parameters in the URL. It leverages the Endpoint datamodel Filesystem node to identify suspicious file system events, specifically targeting paths and filenames associated with ScreenConnect. This activity is significant as it can lead to unauthorized access to sensitive files and directories, potentially resulting in data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access and control over the host system, posing a severe security risk.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\ScreenConnect\\App_Extensions\\*") Filesystem.file_name IN ("*.aspx","*.ashx") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_filter`ConnectWise ScreenConnect Path Traversal Windows SACL
The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability using Windows SACL EventCode 4663. It identifies path traversal attacks by monitoring file system events related to the ScreenConnect service. This activity is significant as it allows unauthorized access to sensitive files and directories, potentially leading to data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access to critical data or execute harmful code, compromising the integrity and security of the affected system. Immediate remediation by updating to version 23.9.8 or above is recommended.
Show query
`wineventlog_security` EventCode=4663 ProcessName=*\\ScreenConnect.Service.exe file_path IN ("*\\ScreenConnect\\App_Extensions\\*") file_name IN ("*.aspx","*.ashx") | stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask process_id EventCode Computer Caller_User_Name | rename Computer as dest Caller_User_Name as user ProcessName as process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `connectwise_screenconnect_path_traversal_windows_sacl_filter`Conti Common Exec parameter
The following analytic detects the execution of suspicious command-line arguments commonly associated with Conti ransomware, specifically targeting local drives and network shares for encryption. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because it indicates a potential ransomware attack, which can lead to widespread data encryption and operational disruption. If confirmed malicious, the impact could be severe, resulting in data loss, system downtime, and potential ransom demands.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process IN ("*-m local", "*-m local *", "*-m net", "*-m net *", "*-m all","*-m all *", "*-nomutex", "*-nomutex *")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `conti_common_exec_parameter_filter`Create Remote Thread into LSASS
The following analytic detects the creation of a remote thread in the Local Security Authority Subsystem Service (LSASS). This behavior is identified using Sysmon EventID 8 logs, focusing on processes that create remote threads in lsass.exe. This activity is significant because it is commonly associated with credential dumping, a tactic used by adversaries to steal user authentication credentials. If confirmed malicious, this could allow attackers to gain unauthorized access to sensitive information, leading to potential compromise of the entire network. Analysts should investigate to differentiate between legitimate tools and potential threats.
Show query
`sysmon` EventID=8 TargetImage=*lsass.exe
| stats count min(_time) as firstTime max(_time) as lastTime
BY EventID Guid NewThreadId
ProcessID SecurityID SourceImage
SourceProcessGuid SourceProcessId StartAddress
StartFunction StartModule TargetImage
TargetProcessGuid TargetProcessId UserID
dest parent_process_exec parent_process_guid
parent_process_id parent_process_name parent_process_path
process_exec process_guid process_id
process_name process_path signature
signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `create_remote_thread_into_lsass_filter`Create or delete windows shares using net exe
The following analytic detects the creation or deletion of Windows shares using the net.exe command. It leverages Endpoint Detection and Response (EDR) data to identify processes involving net.exe with actions related to share management. This activity is significant because it may indicate an attacker attempting to manipulate network shares for malicious purposes, such as data exfiltration, malware distribution, or establishing persistence. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, service disruption, or malware introduction. Immediate investigation is required to determine the intent and mitigate potential threats.
Show query
| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_net`
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search process IN ("*share* /delete*", "*share* /REMARK:*", "*share* /CACHE:*")
| `create_or_delete_windows_shares_using_net_exe_filter`Creation of Shadow Copy
The following analytic detects the creation of shadow copies using Vssadmin or Wmic. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because creating shadow copies can be a precursor to ransomware attacks or data exfiltration, allowing attackers to bypass file locks and access sensitive data. If confirmed malicious, this behavior could enable attackers to maintain persistence, recover deleted files, or prepare for further malicious activities, posing a significant risk to the integrity and confidentiality of the system.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*
)
OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `creation_of_shadow_copy_filter`Creation of Shadow Copy with wmic and powershell
The following analytic detects the creation of shadow copies using "wmic" or "Powershell" commands. It leverages the Endpoint.Processes data model in Splunk to identify processes where the command includes "shadowcopy" and "create". This activity is significant because it may indicate an attacker attempting to manipulate or access data in an unauthorized manner, potentially leading to data theft or manipulation. If confirmed malicious, this behavior could allow attackers to backup and exfiltrate sensitive data or hide their tracks by restoring files to a previous state after an attack.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_wmic`
OR
`process_powershell` Processes.process=*shadowcopy* Processes.process=*create*
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `creation_of_shadow_copy_with_wmic_and_powershell_filter`Creation of lsass Dump with Taskmgr
The following analytic detects the creation of an lsass.exe process dump using Windows Task Manager. It leverages Sysmon EventID 11 to identify file creation events where the target filename matches *lsass*.dmp. This activity is significant because creating an lsass dump can be a precursor to credential theft, as the dump file contains sensitive information such as user passwords. If confirmed malicious, an attacker could use the lsass dump to extract credentials and escalate privileges, potentially compromising the entire network.
Show query
`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp
| stats count min(_time) as firstTime max(_time) as lastTime
BY action dest file_name
file_path process_guid process_id
user_id vendor_product process_name
TargetFilename
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `creation_of_lsass_dump_with_taskmgr_filter`Credential Dumping via Copy Command from Shadow Copy
The following analytic detects the use of the copy command to dump credentials from a shadow copy. It leverages Endpoint Detection and Response (EDR) data to identify processes with command lines referencing critical files like "sam", "security", "system", and "ntds.dit" in system directories. This activity is significant as it indicates an attempt to extract credentials, a common technique for unauthorized access and privilege escalation. If confirmed malicious, this could lead to attackers gaining sensitive login information, escalating privileges, moving laterally within the network, or accessing sensitive data.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_cmd` (Processes.process=*\\system32\\config\\sam* OR Processes.process=*\\system32\\config\\security* OR Processes.process=*\\system32\\config\\system* OR Processes.process=*\\windows\\ntds\\ntds.dit*) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter`
Credential Dumping via Symlink to Shadow Copy
The following analytic detects the creation of a symlink to a shadow copy, which may indicate credential dumping attempts. It leverages the Endpoint.Processes data model in Splunk to identify processes executing commands containing "mklink" and "HarddiskVolumeShadowCopy". This activity is significant because attackers often use this technique to manipulate or delete shadow copies, hindering system backup and recovery efforts. If confirmed malicious, this could prevent data restoration, complicate incident response, and lead to data loss or compromise. Analysts should review the process details, user, parent process, and any related artifacts to identify the attack source.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_cmd` Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy*
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `credential_dumping_via_symlink_to_shadow_copy_filter`CrushFTP Server Side Template Injection
This analytic is designed to identify attempts to exploit a server-side template injection vulnerability in CrushFTP, designated as CVE-2024-4040. This severe vulnerability enables unauthenticated remote attackers to access and read files beyond the VFS Sandbox, circumvent authentication protocols, and execute arbitrary commands on the affected server. The issue impacts all versions of CrushFTP up to 10.7.1 and 11.1.0 on all supported platforms. It is highly recommended to apply patches immediately to prevent unauthorized access to the system and avoid potential data compromises. The search specifically looks for patterns in the raw log data that match the exploitation attempts, including READ or WRITE actions, and extracts relevant information such as the protocol, session ID, user, IP address, HTTP method, and the URI queried. It then evaluates these logs to confirm traces of exploitation based on the presence of specific keywords and the originating IP address, counting and sorting these events for further analysis.
Show query
`crushftp` | rex field=_raw "\[(?<protocol>HTTPS|HTTP):(?<session_id>[^\:]+):(?<user>[^\:]+):(?<src_ip>\d+\.\d+\.\d+\.\d+)\] (?<action>READ|WROTE): \*(?<http_method>[A-Z]+) (?<uri_query>[^\s]+) HTTP/[^\*]+\*" | eval message=if(match(_raw, "INCLUDE") and isnotnull(src_ip), "traces of exploitation by " . src_ip, "false") | search message!=false | rename host as dest | stats count by _time, dest, source, message, src_ip, http_method, uri_query, user, action | sort -_time| `crushftp_server_side_template_injection_filter`
Detect Certify With PowerShell Script Block Logging
The following analytic detects the use of the Certify tool via an in-memory PowerShell function to enumerate Active Directory Certificate Services (AD CS) environments. It leverages PowerShell Script Block Logging (EventCode 4104) to identify specific command patterns associated with Certify's enumeration and exploitation functions. This activity is significant as it indicates potential reconnaissance or exploitation attempts against AD CS, which could lead to unauthorized certificate issuance. If confirmed malicious, attackers could leverage this to escalate privileges, persist in the environment, or access sensitive information by abusing AD CS.
Show query
`powershell` EventCode=4104 (ScriptBlockText IN ("*find *") AND ScriptBlockText IN ("* /vulnerable*","* -vulnerable*","* /enrolleeSuppliesSubject *","* /json /outfile*")) OR (ScriptBlockText IN (,"*auth *","*req *",) AND ScriptBlockText IN ("* -ca *","* -username *","* -u *")) OR (ScriptBlockText IN ("*request *","*download *") AND ScriptBlockText IN ("* /ca:*"))
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval file_name = case(isnotnull(file_name),file_name,true(),"unknown")
| eval signature = substr(command,0,256)
| `detect_certify_with_powershell_script_block_logging_filter`Detect Copy of ShadowCopy with Script Block Logging
The following analytic detects the use of PowerShell commands to copy the SAM, SYSTEM, or SECURITY hives, which are critical for credential theft. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This activity is significant as it indicates an attempt to exfiltrate sensitive registry hives for offline password cracking. If confirmed malicious, this could lead to unauthorized access to credentials, enabling further compromise of the system and potential lateral movement within the network.
Show query
`powershell` EventCode=4104 ScriptBlockText IN ("*copy*","*[System.IO.File]::Copy*") AND ScriptBlockText IN ("*System32\\config\\SAM*", "*System32\\config\\SYSTEM*","*System32\\config\\SECURITY*") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_copy_of_shadowcopy_with_script_block_logging_filter`Detect Credential Dumping through LSASS access
The following analytic detects attempts to read LSASS memory, indicative of credential dumping. It leverages Sysmon EventCode 10, filtering for specific access permissions (0x1010 and 0x1410) on the lsass.exe process. This activity is significant because it suggests an attacker is trying to extract credentials from LSASS memory, potentially leading to unauthorized access, data breaches, and compromise of sensitive information. If confirmed malicious, this could enable attackers to escalate privileges, move laterally within the network, or exfiltrate data. Extensive triage is necessary to differentiate between malicious and benign activities.
Show query
`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410)
| stats count min(_time) as firstTime max(_time) as lastTime
BY CallTrace EventID GrantedAccess
Guid Opcode ProcessID
SecurityID SourceImage SourceProcessGUID
SourceProcessId TargetImage TargetProcessGUID
TargetProcessId UserID dest
granted_access parent_process_exec parent_process_guid
parent_process_id parent_process_name parent_process_path
process_exec process_guid process_id
process_name process_path signature
signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_credential_dumping_through_lsass_access_filter`Detect Empire with PowerShell Script Block Logging
The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking for patterns involving `system.net.webclient` and base64 encoding. This behavior is significant as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation framework. If confirmed malicious, this activity could allow attackers to download and execute additional payloads, leading to potential code execution, data exfiltration, or further compromise of the affected system.
Show query
`powershell` EventCode=4104 (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_empire_with_powershell_script_block_logging_filter`Detect Excessive Account Lockouts From Endpoint
The following analytic detects endpoints causing a high number of account lockouts within a short period. It leverages the Windows security event logs ingested into the `Change` datamodel, specifically under the `Account_Management` node, to identify and count lockout events. This activity is significant as it may indicate a brute-force attack or misconfigured system causing repeated authentication failures. If confirmed malicious, this behavior could lead to account lockouts, disrupting user access and potentially indicating an ongoing attack attempting to compromise user credentials.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user FROM datamodel=Change.All_Changes
WHERE All_Changes.result="*lock*"
BY All_Changes.dest All_Changes.result
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search count > 5
| `detect_excessive_account_lockouts_from_endpoint_filter`Detect Excessive User Account Lockouts
The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change.All_Changes
WHERE All_Changes.result="*lock*"
BY All_Changes.user All_Changes.result
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search count > 5
| `detect_excessive_user_account_lockouts_filter`Detect F5 TMUI RCE CVE-2020-5902
The following analytic identifies remote code execution (RCE) attempts targeting F5 BIG-IP, BIG-IQ, and Traffix SDC devices, specifically exploiting CVE-2020-5902. It uses regex to detect patterns in syslog data that match known exploit strings such as "hsqldb;" and directory traversal sequences. This activity is significant because successful exploitation can allow attackers to execute arbitrary commands on the affected devices, leading to full system compromise. If confirmed malicious, this could result in unauthorized access, data exfiltration, or further lateral movement within the network.
Show query
`f5_bigip_rogue` | regex _raw="(hsqldb;|.*\\.\\.;.*)" | search `detect_f5_tmui_rce_cve_2020_5902_filter`
Detect Large ICMP Traffic
The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes.
It leverages the Network_Traffic data model to detect large ICMP packet that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities.
If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.
Show query
| tstats `security_content_summariesonly`
count earliest(_time) as firstTime
latest(_time) as lastTime
values(All_Traffic.action) as action
from datamodel=Network_Traffic where
All_Traffic.bytes > 1000
All_Traffic.action != blocked
AND
(
All_Traffic.protocol=icmp
OR
All_Traffic.transport=icmp
)
NOT ( All_Traffic.dest_ip IN `non_public_ip_blocks`
OR All_Traffic.dest IN `non_public_ip_blocks`
)
by All_Traffic.src_ip All_Traffic.src All_Traffic.dest_ip All_Traffic.dest All_Traffic.protocol
All_Traffic.bytes All_Traffic.app All_Traffic.bytes_in
All_Traffic.bytes_out All_Traffic.dest_port All_Traffic.dvc
All_Traffic.protocol_version All_Traffic.src_port
All_Traffic.user All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| eval dest_ip = dest
| eval src_ip = src
| iplocation dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_large_icmp_traffic_filter`Detect Outbound SMB Traffic
The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise.
Show query
| tstats `security_content_summariesonly`
earliest(_time) as start_time
latest(_time) as end_time
values(All_Traffic.action) as action
values(All_Traffic.app) as app
values(sourcetype) as sourcetype count
from datamodel=Network_Traffic where
All_Traffic.action IN ("allowed", "allow")
AND (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
AND (All_Traffic.src_ip IN `non_public_ip_blocks` OR All_Traffic.src IN `non_public_ip_blocks`)
AND NOT (All_Traffic.dest_ip IN `non_public_ip_blocks` OR All_Traffic.dest IN `non_public_ip_blocks`)
by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.rule
| `drop_dm_object_name("All_Traffic")`
| `security_content_ctime(start_time)`
| `security_content_ctime(end_time)`
| rename dest as dest_ip
| rename src as src_ip
| iplocation dest_ip
| `detect_outbound_smb_traffic_filter`
Detect Prohibited Applications Spawning cmd exe
The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.
Show query
| tstats `security_content_summariesonly` count values(Processes.process)
as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)
by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|search [
| inputlookup prohibited_apps_launching_cmd
| rename prohibited_applications as parent_process_name
| eval parent_process_name="*" . parent_process_name
| table parent_process_name
]
| `detect_prohibited_applications_spawning_cmd_exe_filter`
Detect RTLO In File Name
The following analytic identifies the use of the right-to-left override
(RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel,
specifically focusing on file creation events and file names containing the RTLO
character (U+202E). This activity is significant because adversaries use RTLO to
disguise malicious files as benign by reversing the text that follows the character.
If confirmed malicious, this technique can deceive users and security tools, leading
to the execution of harmful files and potential system compromise.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
values(Filesystem.file_create_time) as file_create_time
from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown
by Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| regex file_name = "\\x{202E}"
| rex field=file_name "(?<RTLO_file_1>.+)(?<RTLO_exist_file>\\x{202E})(?<RTLO_file_2>.+)"
| eval file_name_with_RTLO=file_name
| eval file_name=RTLO_file_1.RTLO_file_2
| fields - RTLO*
| `detect_rtlo_in_file_name_filter`
Detect RTLO In Process
The following analytic identifies the abuse of the right-to-left override (RTLO) character (U+202E) in process names. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line data. This activity is significant because adversaries use the RTLO character to disguise malicious files or commands, making them appear benign. If confirmed malicious, this technique can allow attackers to execute harmful code undetected, potentially leading to unauthorized access, data exfiltration, or further system compromise.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex process="\\x{202E}" | rex field=process "(?<RTLO_command_1>.+)(?<RTLO_exist_process>\\x{202E})(?<RTLO_command_2>.+)" | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | fields - RTLO* | `detect_rtlo_in_process_filter`Detect Rare Executables
The following analytic detects the execution of rare processes that appear only once across the network within a specified timeframe.
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs.
This activity is significant for a SOC as it helps identify potentially malicious activities or unauthorized software, which could indicate a security breach or ongoing attack.
If confirmed malicious, such rare processes could lead to data theft, privilege escalation, or complete system compromise, making early detection crucial for minimizing impact.
The search currently identifies processes executed on fewer than 10 hosts, but this threshold can be adjusted based on the organization's environment and risk tolerance.
The search groups results by process name which can lead to blind spots if a malicious process uses a common name. To mitigate this, consider enhancing the detection logic to group by additional attributes such as process hash.
Show query
| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime latest(Processes.action) as action values(Processes.original_file_name) as original_file_name values(Processes.parent_process) as parent_process values(Processes.parent_process_exec) as parent_process_exec latest(Processes.parent_process_guid) as parent_process_guid latest(Processes.parent_process_id) as parent_process_id values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_path) as parent_process_path values(Processes.process) as process values(Processes.process_exec) as process_exec latest(Processes.process_guid) as process_guid values(Processes.process_hash) as process_hash values(Processes.process_path) as process_path latest(Processes.process_id) as process_id latest(Processes.process_integrity_level) as process_integrity_level latest(Processes.user_id) as user_id latest(Processes.vendor_product) as vendor_product from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter`
Detect SNICat SNI Exfiltration
The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity.
Show query
`zeek_ssl`
| rex field=server_name "(?<snicat>(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)"
| stats count BY src_ip dest_ip server_name snicat
| where count>0
| table src_ip dest_ip server_name snicat
| `detect_snicat_sni_exfiltration_filter`Detect Use of cmd exe to Launch Script Interpreters
The following detects the execution of cscript.exe or wscript.exe processes spawned by cmd.exe, leveraging Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, with additional contextual filtering to improve fidelity and reduce false positives.
It focuses on executions originating from user-writable directories such as Users, AppData, Temp, and Downloads, which are commonly abused by attackers to stage and execute malicious scripts, while excluding trusted system paths like C:\Windows\System32\ and C:\Program Files\ that are typically associated with legitimate activity.
The detection also filters out service accounts (e.g., accounts ending with $ or known naming conventions) to minimize noise from automated processes and incorporates command-line context to better assess script execution patterns and identify potentially suspicious behavior.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Endpoint.Processes WHERE
Processes.parent_process_name="cmd.exe"
(
Processes.process_name IN ("cscript.exe", "wscript.exe")
OR
Processes.original_file_name IN ("cscript.exe", "wscript.exe")
)
NOT Processes.process IN (
"* \"C:\\Program Files (x86)\\*",
"* \"C:\\Program Files\\*",
"* \"C:\\Windows\\System32\\*",
"* \"C:\\Windows\\SysWOW64\\*",
"* C:\\Program Files (x86)\\*",
"* C:\\Program Files\\*",
"* C:\\Windows\\System32\\*",
"* C:\\Windows\\SysWOW64\\*"
)
NOT Processes.user="*$"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`Detect Windows DNS SIGRed via Splunk Stream
The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks.
Show query
`stream_dns`
| spath "query_type{}"
| search "query_type{}" IN (SIG,KEY)
| spath protocol_stack
| search protocol_stack="ip:tcp:dns"
| append [search `stream_tcp` bytes_out>65000]
| stats count by flow_id
| where count>1
| fields - count
| `detect_windows_dns_sigred_via_splunk_stream_filter`
Detect Windows DNS SIGRed via Zeek
The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial.
Show query
| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [ | tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id ] | stats count by flow_id | where count>1 | fields - count' | `detect_windows_dns_sigred_via_zeek_filter`
Detect Zerologon via Zeek
The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization's IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial.
Show query
`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3)
| bin span=5m _time
| stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) as challenge count(eval(operation=="NetrServerAuthenticate3")) as authcount count(eval(operation=="NetrServerPasswordSet2")) as passcount count as totalcount
BY _time,src_ip,dest_ip
| search opscount=3 authcount>4 passcount>0
| search `detect_zerologon_via_zeek_filter`Detect hosts connecting to dynamic domain providers
The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime
from datamodel=Network_Resolution where
DNS.query=*
NOT DNS.query IN ("-", "unknown")
by DNS.answer DNS.answer_count DNS.query DNS.query_count
DNS.reply_code_id DNS.src DNS.vendor_product
| `drop_dm_object_name("DNS")`
| `security_content_ctime(firstTime)`
| lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default
| lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local
| eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default)
|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True
| `detect_hosts_connecting_to_dynamic_domain_providers_filter`
Disable Security Logs Using MiniNt Registry
The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the "Control\\MiniNt" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`
Domain Account Discovery with Dsquery
The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to discover domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out domain users, which is a common precursor to further attacks. If confirmed malicious, this behavior could allow attackers to gain insights into user accounts, facilitating subsequent actions like privilege escalation or lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name="dsquery.exe"
AND
Processes.process = "*user*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `domain_account_discovery_with_dsquery_filter`Domain Account Discovery with Wmic
The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="wmic.exe" AND Processes.process = "*/NAMESPACE:\\\\root\\directory\\ldap*" AND Processes.process = "*ds_user*" AND Processes.process = "*GET*" AND Processes.process = "*ds_samaccountname*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter`
Domain Controller Discovery with Nltest
The following analytic detects the execution of `nltest.exe` with command-line arguments `/dclist:` or `/dsgetdc:` to discover domain controllers. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `nltest.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out domain controllers, facilitating further attacks such as privilege escalation or lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name=nltest.exe
OR
Processes.original_file_name=nltestrk.exe
)
(Processes.process="*/dclist:*" OR Processes.process="*/dsgetdc:*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `domain_controller_discovery_with_nltest_filter`Domain Controller Discovery with Wmic
The following analytic identifies the execution of `wmic.exe` with command-line arguments used to discover domain controllers in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by adversaries and Red Teams for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the network, identify key systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name="wmic.exe"
)
(Processes.process="" OR Processes.process="*DomainControllerAddress*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `domain_controller_discovery_with_wmic_filter`Download Files Using Telegram
The following analytic detects suspicious file downloads by the Telegram application on a Windows system. It leverages Sysmon EventCode 15 to identify instances where Telegram.exe creates files with a Zone.Identifier, indicating a download. This activity is significant as it may indicate an adversary using Telegram to download malicious tools, such as network scanners, for further exploitation. If confirmed malicious, this behavior could lead to network mapping, lateral movement, and potential compromise of additional systems within the network.
Show query
`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier"
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest dvc file_hash
file_name file_path process_exec
process_guid process_id process_name
process_path signature signature_id
user_id vendor_product Contents
Image
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `download_files_using_telegram_filter`Drop IcedID License dat
The following analytic detects the dropping of a suspicious file named "license.dat" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor file creation events in these directories. This activity is significant as it indicates a potential malware infection aiming to steal sensitive banking information. If confirmed malicious, the attacker could gain unauthorized access to financial data, leading to significant financial loss and data breaches.
Show query
`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`
Dump LSASS via comsvcs DLL
The following analytic detects the behavior of dumping credentials from memory by exploiting the Local Security Authority Subsystem Service (LSASS) using the comsvcs.dll and MiniDump via rundll32. This detection leverages process information from Endpoint Detection and Response (EDR) logs, focusing on specific command-line executions. This activity is significant because it indicates potential credential theft, which can lead to broader system compromise, persistence, lateral movement, and privilege escalation. If confirmed malicious, attackers could gain unauthorized access to sensitive information, leading to data theft, ransomware attacks, or other damaging outcomes.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_rundll32` Processes.process=*comsvcs.dll* Processes.process IN ("*MiniDump*", "*#24*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `dump_lsass_via_comsvcs_dll_filter`Dump LSASS via procdump
The following analytic detects the use of procdump.exe to dump the LSASS
process, specifically looking for the -mm and -ma command-line arguments. It leverages
data from Endpoint Detection and Response (EDR) agents, focusing on process names,
command-line executions, and parent processes. This activity is significant because
dumping LSASS can expose sensitive credentials, posing a severe security risk. If
confirmed malicious, an attacker could obtain credentials, escalate privileges,
and move laterally within the network, leading to potential data breaches and further
compromise of the environment.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
(
Processes.process_name IN (
"procdump.exe",
"procdump64.exe",
"procdump64a.exe"
)
OR
Processes.original_file_name=procdump
)
Processes.process IN (
"*-ma*",
"*-mm*",
"*-mp*",
"*/ma*",
"*/mm*",
"*/mp*"
)
Processes.process IN (
"* keyiso*",
"* ls*",
"* samss*"
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `dump_lsass_via_procdump_filter`
ESXi External Root Login Activity
This detection identifies instances where the ESXi UI is accessed using the root account instead of a delegated administrative user. Direct root access to the UI bypasses role-based access controls and auditing practices, and may indicate risky behavior, misconfiguration, or unauthorized activity by a malicious actor using compromised credentials.
Show query
`esxi_syslog` Message="*root*" AND Message="*logged in*" | rex field=_raw "root@(?<SrcIpAddr>\d{1,3}(?:\.\d{1,3}){3})" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | search SrcIpAddr != "127.0.0.1" AND SrcIpAddr != 192.168.0.0/16 AND SrcIpAddr != 172.16.0.0/12 AND SrcIpAddr != 10.0.0.0/8 | stats min(_time) as firstTime max(_time) as lastTime count by dest SrcIpAddr | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_external_root_login_activity_filter`ESXi Reverse Shell Patterns
This detection looks for reverse shell string patterns on an ESXi host, which may indicate that a threat actor is attempting to establish remote control over the system.
Show query
`esxi_syslog` Message IN ("*bash -i >&*","*/dev/tcp/*","*/dev/udp/*", "*/socat exec:*","*socket(S,PF_INET*") OR (Message="*python -c*" AND Message="*import socket*") | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_reverse_shell_patterns_filter`ESXi Sensitive Files Accessed
This detection identifies access to sensitive system and configuration files on an ESXi host, including authentication data, service configurations, and VMware-specific management settings. Interaction with these files may indicate adversary reconnaissance, credential harvesting, or preparation for privilege escalation, lateral movement, or persistence.
Show query
`esxi_syslog` Message="*shell[*" Message IN ("*/etc/shadow*","*/etc/vmware/hostd/hostd.xml*", "*/etc/vmware/vpxa/vpxa.cfg*","*/etc/sfcb/sfcb.cfg*","*/etc/security/*", "*/etc/likewise/krb5-affinity.conf*","*/etc/vmware-vpx/vcdb.properties*") | rex field=_raw "\]: \[(?<user>\w+)\]:(?<command>.+)" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest user command | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_sensitive_files_accessed_filter`ESXi Shared or Stolen Root Account
This detection monitors for signs of a shared or potentially compromised root account on ESXi hosts by tracking the number of unique IP addresses logging in as root within a short time window. Multiple logins from different IPs in a brief period may indicate credential misuse, lateral movement, or account compromise.
Show query
`esxi_syslog` Message="*root*" Message="*logged in*" NOT Message="*[email protected]*" | rex field=_raw "root@(?<SrcIpAddr>\d{1,3}(?:\.\d{1,3}){3})" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | bin _time span=15m | stats min(_time) as firstTime max(_time) as lastTime dc(SrcIpAddr) AS distinct_ip_count values(SrcIpAddr) AS SrcIps by dest | where distinct_ip_count > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_shared_or_stolen_root_account_filter`
ESXi System Clock Manipulation
This detection identifies a significant change to the system clock on an ESXi host, which may indicate an attempt to manipulate timestamps and evade detection or forensic analysis
Show query
`esxi_syslog` Message="*NTPClock*" AND Message="*system clock stepped*" | rex field=_raw "stepped to (?<epoch_time>\d+\.\d+),.+delta\s(?<delta>\d+)\s" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | eval epoch_time=tonumber(epoch_time) | eval delta=tonumber(delta) | eval event_time=round(_time, 0) | eval direction=if(epoch_time < event_time, "backward", "forward") | eval original_time=if(direction=="backward", epoch_time + delta, epoch_time - delta) | eval stepped_to_str=strftime(epoch_time, "%Y-%m-%d %H:%M:%S") | eval original_time_str=strftime(original_time, "%Y-%m-%d %H:%M:%S") | stats min(_time) as firstTime max(_time) as lastTime count by dest direction original_time_str stepped_to_str epoch_time delta | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_system_clock_manipulation_filter`
ESXi System Information Discovery
This detection identifies the use of ESXCLI system-level commands that retrieve configuration details. While used for legitimate administration, this behavior may also indicate adversary reconnaissance aimed at profiling the ESXi host's capabilities, build information, or system role in preparation for further compromise.
Show query
`esxi_syslog` Message="*system*" AND Message="*esxcli*" AND Message IN ("*get*","*list*") AND Message="*user=*" NOT Message="*filesystem*" | rex field=_raw "user=(?<user>\w+)\]\s+Dispatch\s+(?<command>[^\s]+)" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest user command | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_system_information_discovery_filter`ESXi VM Exported via Remote Tool
This detection identifies the use of a remote tool to download virtual machine disk files from a datastore. The NFC protocol is used by management tools to transfer files to and from ESXi hosts, but it can also be abused by attackers or insiders to exfiltrate full virtual disk images
Show query
`esxi_syslog` Message="*File download from path*" Message="*was initiated from*" | rex field=_raw "from path '\[(?<Datastore>[^\]]+)\](?<VMPath>[^']+)'" | rex field=_raw "initiated from '(?<InitiatorTool>[^/]+)/(?<ToolVersion>[^@]+)@(?<InitiatorIP>\d{1,3}(?:\.\d{1,3}){3})'" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by Datastore VMPath InitiatorTool ToolVersion InitiatorIP dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_vm_exported_via_remote_tool_filter`Showing 401-450 of 957