Tool
Hunt pack: INC Ransom
1,177 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to INC Ransom - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.
◈
Detections
50 shown of 1,177Detect HTML Help Using InfoTech Storage Handlers
The following analytic detects the execution of hh.exe (HTML Help) using InfoTech Storage Handlers to load Windows script code from a Compiled HTML Help (CHM) file. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant because it can be used to execute malicious scripts embedded within CHM files, potentially leading to code execution. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, escalate privileges, or persist within the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_hh` Processes.process IN ("*its:*", "*mk:@MSITStore:*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_html_help_using_infotech_storage_handlers_filter`Detect Large ICMP Traffic
The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes.
It leverages the Network_Traffic data model to detect large ICMP packet that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities.
If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.
Show query
| tstats `security_content_summariesonly`
count earliest(_time) as firstTime
latest(_time) as lastTime
values(All_Traffic.action) as action
from datamodel=Network_Traffic where
All_Traffic.bytes > 1000
All_Traffic.action != blocked
AND
(
All_Traffic.protocol=icmp
OR
All_Traffic.transport=icmp
)
NOT ( All_Traffic.dest_ip IN `non_public_ip_blocks`
OR All_Traffic.dest IN `non_public_ip_blocks`
)
by All_Traffic.src_ip All_Traffic.src All_Traffic.dest_ip All_Traffic.dest All_Traffic.protocol
All_Traffic.bytes All_Traffic.app All_Traffic.bytes_in
All_Traffic.bytes_out All_Traffic.dest_port All_Traffic.dvc
All_Traffic.protocol_version All_Traffic.src_port
All_Traffic.user All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| eval dest_ip = dest
| eval src_ip = src
| iplocation dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_large_icmp_traffic_filter`Detect MSHTA Url in Command Line
The following analytic detects the use of Microsoft HTML Application Host (mshta.exe) to make remote HTTP or HTTPS connections. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments containing URLs. This activity is significant because adversaries often use mshta.exe to download and execute remote .hta files, bypassing security controls. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further network infiltration.
Show query
| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_mshta` (Processes.process="*http://*"
OR
Processes.process="*https://*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_mshta_url_in_command_line_filter`Detect New Local Admin account
The following analytic detects the creation of new accounts elevated to local administrators. It uses Windows event logs, specifically EventCode 4720 (user account creation) and EventCode 4732 (user added to Administrators group). This activity is significant as it indicates potential unauthorized privilege escalation, which is critical for SOC monitoring. If confirmed malicious, this could allow attackers to gain administrative access, leading to unauthorized data access, system modifications, and disruption of services. Immediate investigation is required to mitigate risks and prevent further unauthorized actions.
Show query
`wineventlog_security`
(
EventCode=4720
OR
(
EventCode=4732
AND
(
Group_Name=Administrators
OR
TargetUserName=Administrators
)
)
)
| transaction user dest connected=false maxspan=180m
| stats count min(_time) as firstTime
max(_time) as lastTime
dc(EventCode) as distinct_eventcodes
by src_user user dest
| where distinct_eventcodes > 1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_new_local_admin_account_filter`
Detect Outbound SMB Traffic
The following analytic detects outbound SMB (Server Message Block) connections from internal hosts to external servers. It identifies this activity by monitoring network traffic for SMB requests directed towards the Internet, which are unusual for standard operations. This detection is significant for a SOC as it can indicate an attacker's attempt to retrieve credential hashes through compromised servers, a key step in lateral movement and privilege escalation. If confirmed malicious, this activity could lead to unauthorized access to sensitive data and potential full system compromise.
Show query
| tstats `security_content_summariesonly`
earliest(_time) as start_time
latest(_time) as end_time
values(All_Traffic.action) as action
values(All_Traffic.app) as app
values(sourcetype) as sourcetype count
from datamodel=Network_Traffic where
All_Traffic.action IN ("allowed", "allow")
AND (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
AND (All_Traffic.src_ip IN `non_public_ip_blocks` OR All_Traffic.src IN `non_public_ip_blocks`)
AND NOT (All_Traffic.dest_ip IN `non_public_ip_blocks` OR All_Traffic.dest IN `non_public_ip_blocks`)
by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.rule
| `drop_dm_object_name("All_Traffic")`
| `security_content_ctime(start_time)`
| `security_content_ctime(end_time)`
| rename dest as dest_ip
| rename src as src_ip
| iplocation dest_ip
| `detect_outbound_smb_traffic_filter`
Detect Prohibited Applications Spawning cmd exe
The following analytic detects executions of cmd.exe spawned by processes that are commonly abused by attackers and do not typically launch cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, parent process, and command-line executions. This activity is significant because it may indicate an attempt to execute unauthorized commands or scripts, often a precursor to further malicious actions. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.
Show query
| tstats `security_content_summariesonly` count values(Processes.process)
as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=cmd.exe OR Processes.original_file_name=Cmd.Exe)
by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
|search [
| inputlookup prohibited_apps_launching_cmd
| rename prohibited_applications as parent_process_name
| eval parent_process_name="*" . parent_process_name
| table parent_process_name
]
| `detect_prohibited_applications_spawning_cmd_exe_filter`
Detect PsExec With accepteula Flag
The following analytic identifies the execution of `PsExec.exe` with the `accepteula` flag in the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line arguments. This activity is significant because PsExec is commonly used by threat actors to execute code on remote systems, and the `accepteula` flag indicates first-time usage, which could signify initial compromise. If confirmed malicious, this activity could allow attackers to gain remote code execution capabilities, potentially leading to further system compromise and lateral movement within the network.
Show query
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name IN ("psexec.exe", "psexec64.exe")
OR
Processes.original_file_name="psexec.c"
)
Processes.process=*accepteula*
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_psexec_with_accepteula_flag_filter`Detect RTLO In File Name
The following analytic identifies the use of the right-to-left override
(RTLO) character in file names. It leverages data from the Endpoint.Filesystem datamodel,
specifically focusing on file creation events and file names containing the RTLO
character (U+202E). This activity is significant because adversaries use RTLO to
disguise malicious files as benign by reversing the text that follows the character.
If confirmed malicious, this technique can deceive users and security tools, leading
to the execution of harmful files and potential system compromise.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
values(Filesystem.file_create_time) as file_create_time
from datamodel=Endpoint.Filesystem where Filesystem.file_name!=unknown
by Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| regex file_name = "\\x{202E}"
| rex field=file_name "(?<RTLO_file_1>.+)(?<RTLO_exist_file>\\x{202E})(?<RTLO_file_2>.+)"
| eval file_name_with_RTLO=file_name
| eval file_name=RTLO_file_1.RTLO_file_2
| fields - RTLO*
| `detect_rtlo_in_file_name_filter`
Detect RTLO In Process
The following analytic identifies the abuse of the right-to-left override (RTLO) character (U+202E) in process names. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs and command-line data. This activity is significant because adversaries use the RTLO character to disguise malicious files or commands, making them appear benign. If confirmed malicious, this technique can allow attackers to execute harmful code undetected, potentially leading to unauthorized access, data exfiltration, or further system compromise.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process!=unknown AND Processes.action=allowed by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | regex process="\\x{202E}" | rex field=process "(?<RTLO_command_1>.+)(?<RTLO_exist_process>\\x{202E})(?<RTLO_command_2>.+)" | eval process_with_RTLO=process | eval process=RTLO_command_1.RTLO_command_2 | fields - RTLO* | `detect_rtlo_in_process_filter`Detect Rare Executables
The following analytic detects the execution of rare processes that appear only once across the network within a specified timeframe.
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs.
This activity is significant for a SOC as it helps identify potentially malicious activities or unauthorized software, which could indicate a security breach or ongoing attack.
If confirmed malicious, such rare processes could lead to data theft, privilege escalation, or complete system compromise, making early detection crucial for minimizing impact.
The search currently identifies processes executed on fewer than 10 hosts, but this threshold can be adjusted based on the organization's environment and risk tolerance.
The search groups results by process name which can lead to blind spots if a malicious process uses a common name. To mitigate this, consider enhancing the detection logic to group by additional attributes such as process hash.
Show query
| tstats `security_content_summariesonly` dc(Processes.dest) as dc_dest values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime latest(Processes.action) as action values(Processes.original_file_name) as original_file_name values(Processes.parent_process) as parent_process values(Processes.parent_process_exec) as parent_process_exec latest(Processes.parent_process_guid) as parent_process_guid latest(Processes.parent_process_id) as parent_process_id values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_path) as parent_process_path values(Processes.process) as process values(Processes.process_exec) as process_exec latest(Processes.process_guid) as process_guid values(Processes.process_hash) as process_hash values(Processes.process_path) as process_path latest(Processes.process_id) as process_id latest(Processes.process_integrity_level) as process_integrity_level latest(Processes.user_id) as user_id latest(Processes.vendor_product) as vendor_product from datamodel=Endpoint.Processes by Processes.process_name | `drop_dm_object_name(Processes)` | search dc_dest < 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rare_executables_filter`
Detect Regasm Spawning a Process
The following analytic detects regasm.exe spawning a child process. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where regasm.exe is the parent process. This activity is significant because regasm.exe spawning a process is rare and can indicate an attempt to bypass application control mechanisms. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. Immediate investigation is recommended to determine the legitimacy of the spawned process and any associated activities.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name=regasm.exe NOT (Processes.process_name IN ("conhost.exe"))
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_regasm_spawning_a_process_filter`Detect Regasm with Network Connection
The following analytic detects the execution of regasm.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to identify such behavior. This activity is significant as regasm.exe is a legitimate Microsoft-signed binary that can be exploited to bypass application control mechanisms. If confirmed malicious, this behavior could indicate an adversary's attempt to establish a remote Command and Control (C2) channel, potentially leading to privilege escalation and further malicious actions within the environment.
Show query
`sysmon`
EventID=3
process_name=regasm.exe
NOT dest_ip IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
)
| stats count min(_time) as firstTime max(_time) as lastTime
by action app dest dest_ip dest_port direction dvc protocol protocol_version src
src_ip src_port transport user vendor_product process_name process_exec process_guid
process_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_regasm_with_network_connection_filter`
Detect Regasm with no Command Line Arguments
The following analytic detects instances of regasm.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regasm.exe. The detection leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line executions. This activity is significant as it may signal an attempt to evade detection or execute malicious code. If confirmed malicious, attackers could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information. Investigate network connections, parallel processes, and suspicious module loads for further context.
Show query
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where
(Processes.process_name=regasm.exe OR Processes.original_file_name=RegAsm.exe)
Processes.process IN ("*regasm","*regasm.exe", "*regasm.exe\"")
by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_regasm_with_no_command_line_arguments_filter`
Detect Regsvcs Spawning a Process
The following analytic identifies regsvcs.exe spawning a child process. This behavior is detected using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the parent process is regsvcs.exe. This activity is significant because regsvcs.exe rarely spawns child processes, and such behavior can indicate an attempt to bypass application control mechanisms. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to privilege escalation or persistent access within the environment. Immediate investigation is recommended to determine the legitimacy of the spawned process and any associated suspicious activities.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name=regsvcs.exe
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_regsvcs_spawning_a_process_filter`Detect Regsvcs with Network Connection
The following analytic identifies instances of Regsvcs.exe establishing a network connection to a public IP address, excluding private IP ranges. This detection leverages Sysmon EventID 3 logs to monitor network connections initiated by Regsvcs.exe. This activity is significant as Regsvcs.exe, a legitimate Microsoft-signed binary, can be exploited to bypass application control mechanisms and establish remote Command and Control (C2) channels. If confirmed malicious, this behavior could allow an attacker to escalate privileges, persist in the environment, and exfiltrate sensitive data. Immediate investigation and remediation are recommended.
Show query
`sysmon`
EventID=3
NOT dest_ip IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
)
process_name=regsvcs.exe
| stats count min(_time) as firstTime max(_time) as lastTime
by action app dest dest_ip dest_port direction dvc protocol protocol_version src
src_ip src_port transport user vendor_product process_name process_exec process_guid
process_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_regsvcs_with_network_connection_filter`
Detect Regsvcs with No Command Line Arguments
The following analytic detects instances of regsvcs.exe running without command line arguments. This behavior typically indicates process injection, where another process manipulates regsvcs.exe. The detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, IDs, and command-line executions. This activity is significant as it may signal an attempt to evade detection and execute malicious code. If confirmed malicious, the attacker could achieve code execution, potentially leading to privilege escalation, persistence, or access to sensitive information.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where
(Processes.process_name=regsvcs.exe OR Processes.original_file_name=RegSvcs.exe)
Processes.process IN ("*regsvcs","*regsvcs.exe", "*regsvcs.exe\"")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_regsvcs_with_no_command_line_arguments_filter`
Detect Regsvr32 Application Control Bypass
The following analytic identifies the abuse of Regsvr32.exe to proxy execution of malicious code, specifically detecting the loading of "scrobj.dll" by Regsvr32.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line executions. This activity is significant because Regsvr32.exe is a trusted, signed Microsoft binary, often used in "Squiblydoo" attacks to bypass application control mechanisms. If confirmed malicious, this technique could allow an attacker to execute arbitrary code, potentially leading to system compromise and persistent access.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_regsvr32` Processes.process=*scrobj*
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_regsvr32_application_control_bypass_filter`Detect Rundll32 Inline HTA Execution
The following analytic detects the execution of "rundll32.exe" with inline protocol handlers such as "JavaScript", "VBScript", and "About". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line arguments. This activity is significant as it is often associated with fileless malware or application whitelisting bypass techniques. If confirmed malicious, this could allow an attacker to execute arbitrary code, bypass security controls, and maintain persistence within the environment.
Show query
| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_rundll32` (Processes.process=*vbscript*
OR
Processes.process=*javascript*)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_rundll32_inline_hta_execution_filter`Detect SNICat SNI Exfiltration
The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity.
Show query
`zeek_ssl`
| rex field=server_name "(?<snicat>(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)"
| stats count BY src_ip dest_ip server_name snicat
| where count>0
| table src_ip dest_ip server_name snicat
| `detect_snicat_sni_exfiltration_filter`Detect SharpHound Command-Line Arguments
The following analytic detects the execution of SharpHound command-line arguments, specifically `-collectionMethod` and `invoke-bloodhound`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as SharpHound is commonly used for Active Directory enumeration, which can be a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially compromising sensitive information and critical systems.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process IN ("*-collectionMethod*","*invoke-bloodhound*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_sharphound_command_line_arguments_filter`Detect SharpHound File Modifications
The following analytic detects the creation of files typically associated with SharpHound, a reconnaissance tool used for gathering domain and trust data. It leverages file modification events from the Endpoint.Filesystem data model, focusing on default file naming patterns like `*_BloodHound.zip` and various JSON files. This activity is significant as it indicates potential domain enumeration, which is a precursor to more targeted attacks. If confirmed malicious, an attacker could gain detailed insights into the domain structure, facilitating lateral movement and privilege escalation.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.file_name IN ("*bloodhound.zip", "*_computers.json", "*_gpos.json", "*_domains.json", "*_users.json", "*_groups.json", "*_ous.json", "*_containers.json")
BY Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_sharphound_file_modifications_filter`Detect SharpHound Usage
The following analytic detects the usage of the SharpHound binary by identifying its original filename, `SharpHound.exe`, and the process name. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process metadata and command-line executions. SharpHound is a tool used for Active Directory enumeration, often by attackers during the reconnaissance phase. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially leading to privilege escalation and lateral movement within the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name=sharphound.exe
OR
Processes.original_file_name=SharpHound.exe
)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_sharphound_usage_filter`Detect Use of cmd exe to Launch Script Interpreters
The following detects the execution of cscript.exe or wscript.exe processes spawned by cmd.exe, leveraging Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, with additional contextual filtering to improve fidelity and reduce false positives.
It focuses on executions originating from user-writable directories such as Users, AppData, Temp, and Downloads, which are commonly abused by attackers to stage and execute malicious scripts, while excluding trusted system paths like C:\Windows\System32\ and C:\Program Files\ that are typically associated with legitimate activity.
The detection also filters out service accounts (e.g., accounts ending with $ or known naming conventions) to minimize noise from automated processes and incorporates command-line context to better assess script execution patterns and identify potentially suspicious behavior.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Endpoint.Processes WHERE
Processes.parent_process_name="cmd.exe"
(
Processes.process_name IN ("cscript.exe", "wscript.exe")
OR
Processes.original_file_name IN ("cscript.exe", "wscript.exe")
)
NOT Processes.process IN (
"* \"C:\\Program Files (x86)\\*",
"* \"C:\\Program Files\\*",
"* \"C:\\Windows\\System32\\*",
"* \"C:\\Windows\\SysWOW64\\*",
"* C:\\Program Files (x86)\\*",
"* C:\\Program Files\\*",
"* C:\\Windows\\System32\\*",
"* C:\\Windows\\SysWOW64\\*"
)
NOT Processes.user="*$"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`Detect Web Access to Decommissioned S3 Bucket
This detection identifies web requests to domains that match previously decommissioned S3 buckets through web proxy logs. This activity is significant because attackers may attempt to access or recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.http_method) as http_method values(Web.http_user_agent) as http_user_agent values(Web.url) as url values(Web.user) as user FROM datamodel=Web
WHERE Web.url_domain!=""
BY Web.src Web.url_domain
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval bucket_domain = lower(url_domain)
| lookup decommissioned_buckets bucketName as bucket_domain OUTPUT bucketName as match
| where isnotnull(match)
| `detect_web_access_to_decommissioned_s3_bucket_filter`Detect Windows DNS SIGRed via Splunk Stream
The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks.
Show query
`stream_dns`
| spath "query_type{}"
| search "query_type{}" IN (SIG,KEY)
| spath protocol_stack
| search protocol_stack="ip:tcp:dns"
| append [search `stream_tcp` bytes_out>65000]
| stats count by flow_id
| where count>1
| fields - count
| `detect_windows_dns_sigred_via_splunk_stream_filter`
Detect Windows DNS SIGRed via Zeek
The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial.
Show query
| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [ | tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id ] | stats count by flow_id | where count>1 | fields - count' | `detect_windows_dns_sigred_via_zeek_filter`
Detect Zerologon via Zeek
The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization's IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial.
Show query
`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3)
| bin span=5m _time
| stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) as challenge count(eval(operation=="NetrServerAuthenticate3")) as authcount count(eval(operation=="NetrServerPasswordSet2")) as passcount count as totalcount
BY _time,src_ip,dest_ip
| search opscount=3 authcount>4 passcount>0
| search `detect_zerologon_via_zeek_filter`Detect mshta inline hta execution
The following analytic detects the execution of "mshta.exe" with inline protocol handlers such as "JavaScript", "VBScript", and "About". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments and process details. This activity is significant because mshta.exe can be exploited to execute malicious scripts, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or establish persistence within the environment, posing a severe security risk.
Show query
| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where
`process_mshta`
Processes.process IN ("*vbscript*", "*javascript*", "*about*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process
Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_id Processes.process_integrity_level Processes.process_name
Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_mshta_inline_hta_execution_filter`
Detect mshta renamed
The following analytic identifies instances where mshta.exe has been renamed and executed. It leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original file name field to detect discrepancies. This activity is significant because renaming mshta.exe is a common tactic used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name!=mshta.exe
AND
Processes.original_file_name=MSHTA.EXE
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_mshta_renamed_filter`Disable Security Logs Using MiniNt Registry
The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the "Control\\MiniNt" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`
Domain Account Discovery with Dsquery
The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to discover domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to map out domain users, which is a common precursor to further attacks. If confirmed malicious, this behavior could allow attackers to gain insights into user accounts, facilitating subsequent actions like privilege escalation or lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name="dsquery.exe"
AND
Processes.process = "*user*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `domain_account_discovery_with_dsquery_filter`Domain Account Discovery with Wmic
The following analytic detects the execution of `wmic.exe` with command-line arguments used to query for domain users. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns indicative of domain account discovery. This activity is significant as it often precedes lateral movement or privilege escalation attempts by adversaries. If confirmed malicious, this behavior could allow attackers to map out user accounts within the domain, facilitating further attacks and potentially compromising sensitive information.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="wmic.exe" AND Processes.process = "*/NAMESPACE:\\\\root\\directory\\ldap*" AND Processes.process = "*ds_user*" AND Processes.process = "*GET*" AND Processes.process = "*ds_samaccountname*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_account_discovery_with_wmic_filter`
Domain Controller Discovery with Nltest
The following analytic detects the execution of `nltest.exe` with command-line arguments `/dclist:` or `/dsgetdc:` to discover domain controllers. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `nltest.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out domain controllers, facilitating further attacks such as privilege escalation or lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name=nltest.exe
OR
Processes.original_file_name=nltestrk.exe
)
(Processes.process="*/dclist:*" OR Processes.process="*/dsgetdc:*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `domain_controller_discovery_with_nltest_filter`Domain Controller Discovery with Wmic
The following analytic identifies the execution of `wmic.exe` with command-line arguments used to discover domain controllers in a Windows domain. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because it is commonly used by adversaries and Red Teams for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the network, identify key systems, and plan further attacks, potentially leading to unauthorized access and data exfiltration.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name="wmic.exe"
)
(Processes.process="" OR Processes.process="*DomainControllerAddress*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `domain_controller_discovery_with_wmic_filter`Domain Group Discovery With Dsquery
The following analytic identifies the execution of `dsquery.exe` with command-line arguments used to query for domain groups. It leverages Endpoint Detection and Response (EDR) data, focusing on process names and command-line arguments. This activity is significant because both Red Teams and adversaries use `dsquery.exe` to enumerate domain groups, gaining situational awareness and facilitating further Active Directory discovery. If confirmed malicious, this behavior could allow attackers to map out the domain structure, identify high-value targets, and plan subsequent attacks, potentially leading to privilege escalation or data exfiltration.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name="dsquery.exe"
)
(Processes.process="*group*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `domain_group_discovery_with_dsquery_filter`Domain Group Discovery With Wmic
The following analytic identifies the execution of `wmic.exe` with command-line arguments used to query for domain groups. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to gain situational awareness and map out Active Directory structures. If confirmed malicious, this behavior could allow attackers to identify and target specific domain groups, potentially leading to privilege escalation or lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` (Processes.process=*/NAMESPACE:\\\\root\\directory\\ldap* AND Processes.process=*ds_group* AND Processes.process="*GET ds_samaccountname*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `domain_group_discovery_with_wmic_filter`
Domain Group Discovery with Adsisearcher
The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `[adsisearcher]` and group-related queries. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.
Show query
`powershell` (ScriptBlockText = "*[adsisearcher]*" AND ScriptBlockText = "*(objectcategory=group)*" AND ScriptBlockText = "*findAll()*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `domain_group_discovery_with_adsisearcher_filter`Drop IcedID License dat
The following analytic detects the dropping of a suspicious file named "license.dat" in %appdata% or %programdata%. This behavior is associated with the IcedID malware, which uses this file to inject its core bot into other processes for banking credential theft. The detection leverages Sysmon EventCode 11 to monitor file creation events in these directories. This activity is significant as it indicates a potential malware infection aiming to steal sensitive banking information. If confirmed malicious, the attacker could gain unauthorized access to financial data, leading to significant financial loss and data breaches.
Show query
`sysmon` EventCode= 11 TargetFilename = "*\\license.dat" AND (TargetFilename="*\\appdata\\*" OR TargetFilename="*\\programdata\\*") |stats count min(_time) as firstTime max(_time) as lastTime by TargetFilename EventCode process_id process_name dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_icedid_license_dat_filter`
Dump LSASS via comsvcs DLL
The following analytic detects the behavior of dumping credentials from memory by exploiting the Local Security Authority Subsystem Service (LSASS) using the comsvcs.dll and MiniDump via rundll32. This detection leverages process information from Endpoint Detection and Response (EDR) logs, focusing on specific command-line executions. This activity is significant because it indicates potential credential theft, which can lead to broader system compromise, persistence, lateral movement, and privilege escalation. If confirmed malicious, attackers could gain unauthorized access to sensitive information, leading to data theft, ransomware attacks, or other damaging outcomes.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_rundll32` Processes.process=*comsvcs.dll* Processes.process IN ("*MiniDump*", "*#24*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `dump_lsass_via_comsvcs_dll_filter`Dump LSASS via procdump
The following analytic detects the use of procdump.exe to dump the LSASS
process, specifically looking for the -mm and -ma command-line arguments. It leverages
data from Endpoint Detection and Response (EDR) agents, focusing on process names,
command-line executions, and parent processes. This activity is significant because
dumping LSASS can expose sensitive credentials, posing a severe security risk. If
confirmed malicious, an attacker could obtain credentials, escalate privileges,
and move laterally within the network, leading to potential data breaches and further
compromise of the environment.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
(
Processes.process_name IN (
"procdump.exe",
"procdump64.exe",
"procdump64a.exe"
)
OR
Processes.original_file_name=procdump
)
Processes.process IN (
"*-ma*",
"*-mm*",
"*-mp*",
"*/ma*",
"*/mm*",
"*/mp*"
)
Processes.process IN (
"* keyiso*",
"* ls*",
"* samss*"
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `dump_lsass_via_procdump_filter`
ESXi Account Modified
This detection identifies the creation, deletion, or modification of a local user account on an ESXi host. This activity may indicate unauthorized access, indicator removal, or persistence attempts by an attacker seeking to establish or maintain control of the host.
Show query
`esxi_syslog` Message="*esxcli system account*" Message IN ("*-i *","*--id*") NOT Message="*[shell*" | rex field=_raw "Z (?<dest>[\w\.]+)\s.*: \[(?<initial_user>\w+)]:\s.+-i[d]*\s(?<modified_user>[\w_\-0-9]+)" | stats min(_time) as firstTime max(_time) as lastTime count by dest initial_user modified_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_account_modified_filter`ESXi External Root Login Activity
This detection identifies instances where the ESXi UI is accessed using the root account instead of a delegated administrative user. Direct root access to the UI bypasses role-based access controls and auditing practices, and may indicate risky behavior, misconfiguration, or unauthorized activity by a malicious actor using compromised credentials.
Show query
`esxi_syslog` Message="*root*" AND Message="*logged in*" | rex field=_raw "root@(?<SrcIpAddr>\d{1,3}(?:\.\d{1,3}){3})" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | search SrcIpAddr != "127.0.0.1" AND SrcIpAddr != 192.168.0.0/16 AND SrcIpAddr != 172.16.0.0/12 AND SrcIpAddr != 10.0.0.0/8 | stats min(_time) as firstTime max(_time) as lastTime count by dest SrcIpAddr | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_external_root_login_activity_filter`ESXi Reverse Shell Patterns
This detection looks for reverse shell string patterns on an ESXi host, which may indicate that a threat actor is attempting to establish remote control over the system.
Show query
`esxi_syslog` Message IN ("*bash -i >&*","*/dev/tcp/*","*/dev/udp/*", "*/socat exec:*","*socket(S,PF_INET*") OR (Message="*python -c*" AND Message="*import socket*") | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_reverse_shell_patterns_filter`ESXi SSH Enabled
This detection identifies SSH being enabled on ESXi hosts, which can be an early indicator of malicious activity. Threat actors often use SSH to gain persistent remote access after compromising credentials or exploiting vulnerabilities.
Show query
`esxi_syslog` Message="*SSH access has been enabled" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_ssh_enabled_filter`
ESXi Sensitive Files Accessed
This detection identifies access to sensitive system and configuration files on an ESXi host, including authentication data, service configurations, and VMware-specific management settings. Interaction with these files may indicate adversary reconnaissance, credential harvesting, or preparation for privilege escalation, lateral movement, or persistence.
Show query
`esxi_syslog` Message="*shell[*" Message IN ("*/etc/shadow*","*/etc/vmware/hostd/hostd.xml*", "*/etc/vmware/vpxa/vpxa.cfg*","*/etc/sfcb/sfcb.cfg*","*/etc/security/*", "*/etc/likewise/krb5-affinity.conf*","*/etc/vmware-vpx/vcdb.properties*") | rex field=_raw "\]: \[(?<user>\w+)\]:(?<command>.+)" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest user command | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_sensitive_files_accessed_filter`ESXi Shared or Stolen Root Account
This detection monitors for signs of a shared or potentially compromised root account on ESXi hosts by tracking the number of unique IP addresses logging in as root within a short time window. Multiple logins from different IPs in a brief period may indicate credential misuse, lateral movement, or account compromise.
Show query
`esxi_syslog` Message="*root*" Message="*logged in*" NOT Message="*[email protected]*" | rex field=_raw "root@(?<SrcIpAddr>\d{1,3}(?:\.\d{1,3}){3})" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | bin _time span=15m | stats min(_time) as firstTime max(_time) as lastTime dc(SrcIpAddr) AS distinct_ip_count values(SrcIpAddr) AS SrcIps by dest | where distinct_ip_count > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_shared_or_stolen_root_account_filter`
ESXi Shell Access Enabled
This detection identifies when the ESXi Shell is enabled on a host, which may indicate that a malicious actor is preparing to execute commands locally or establish persistent access. Enabling the shell outside of approved maintenance windows can be a sign of compromise or unauthorized administrative activity.
Show query
`esxi_syslog` Message="*ESXi Shell*" Message="*has been enabled*" | rex field=_raw "'(?<user>\w+)@" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest user Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_shell_access_enabled_filter`
ESXi System Clock Manipulation
This detection identifies a significant change to the system clock on an ESXi host, which may indicate an attempt to manipulate timestamps and evade detection or forensic analysis
Show query
`esxi_syslog` Message="*NTPClock*" AND Message="*system clock stepped*" | rex field=_raw "stepped to (?<epoch_time>\d+\.\d+),.+delta\s(?<delta>\d+)\s" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | eval epoch_time=tonumber(epoch_time) | eval delta=tonumber(delta) | eval event_time=round(_time, 0) | eval direction=if(epoch_time < event_time, "backward", "forward") | eval original_time=if(direction=="backward", epoch_time + delta, epoch_time - delta) | eval stepped_to_str=strftime(epoch_time, "%Y-%m-%d %H:%M:%S") | eval original_time_str=strftime(original_time, "%Y-%m-%d %H:%M:%S") | stats min(_time) as firstTime max(_time) as lastTime count by dest direction original_time_str stepped_to_str epoch_time delta | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_system_clock_manipulation_filter`
ESXi System Information Discovery
This detection identifies the use of ESXCLI system-level commands that retrieve configuration details. While used for legitimate administration, this behavior may also indicate adversary reconnaissance aimed at profiling the ESXi host's capabilities, build information, or system role in preparation for further compromise.
Show query
`esxi_syslog` Message="*system*" AND Message="*esxcli*" AND Message IN ("*get*","*list*") AND Message="*user=*" NOT Message="*filesystem*" | rex field=_raw "user=(?<user>\w+)\]\s+Dispatch\s+(?<command>[^\s]+)" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest user command | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_system_information_discovery_filter`ESXi VM Exported via Remote Tool
This detection identifies the use of a remote tool to download virtual machine disk files from a datastore. The NFC protocol is used by management tools to transfer files to and from ESXi hosts, but it can also be abused by attackers or insiders to exfiltrate full virtual disk images
Show query
`esxi_syslog` Message="*File download from path*" Message="*was initiated from*" | rex field=_raw "from path '\[(?<Datastore>[^\]]+)\](?<VMPath>[^']+)'" | rex field=_raw "initiated from '(?<InitiatorTool>[^/]+)/(?<ToolVersion>[^@]+)@(?<InitiatorIP>\d{1,3}(?:\.\d{1,3}){3})'" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by Datastore VMPath InitiatorTool ToolVersion InitiatorIP dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_vm_exported_via_remote_tool_filter`Showing 451-500 of 1,177