Tool
Hunt pack: Play
810 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Play - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.
◈
Detections
50 shown of 810Auditd Login from Forbidden Location
Identifies that a login attempt has happened from a forbidden location.
CyberArk Privileged Access Security Error
Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code
correlates to the CyberArk Vault Audit Action Code.
Deprecated - AWS Root Login Without MFA
Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best
practices indicate that the root user should be protected by MFA.
Deprecated - Agent Spoofing - Mismatched Agent ID
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when
the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
attempts to spoof events in order to masquerade actual activity to evade detection.
First-Time FortiGate Administrator Login
This rule detects the first observed successful login of a user with the Administrator role to the FortiGate management
interface within the last 5 days. First-time administrator logins can indicate newly provisioned accounts,
misconfigurations, or unauthorized access using valid credentials and should be reviewed promptly.
FortiGate Administrator Login from Multiple IP Addresses
This rule detects successful logins to the FortiGate management interface using the same Administrator account from
multiple distinct source IP addresses within an 24-hour period. Administrator logins from multiple locations in a short
time window may indicate credential sharing, compromised credentials, or unauthorized access and should be investigated.
M365 or Entra ID Identity Sign-in from a Suspicious Source
This rule correlate Entra-ID or Microsoft 365 mail successful sign-in events with network security alerts by source address.
Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud
resources.
Potential File Download via a Headless Browser
Identifies headless browser execution from a suspicious parent process with arguments consistent with scripted retrieval. Adversaries use browsers because they are trusted, signed binaries that proxy and application-control policies allow through, bypassing restrictions on direct download tools.
Potential PrintNightmare Exploit Registry Modification
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service. For more
information refer to CVE-2021-34527 and verify that the impacted system is investigated.
Potential PrintNightmare File Modification
Detects the creation or modification of a print driver with an unusual file name. This may indicate attempts to exploit
privilege escalation vulnerabilities related to the Print Spooler service. For more information refer to CVE-2021-34527
and verify that the impacted system is investigated.
Potential Privilege Escalation via unshare Followed by Root Process
Detects a short sequence where a non-root user performs unshare-related namespace activity (often associated with user
namespace privilege escalation primitives) and then a root process is executed shortly after. This can indicate a
successful local privilege escalation attempt or suspicious namespace manipulation captured in Auditd Manager telemetry.
Potential Process Herpaderping Attempt
Identifies process execution followed by a file overwrite of an executable by the same parent process. This may indicate
an evasion attempt to execute malicious code in a stealthy way.
Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)
Identifies the network signature of CVE-2026-41940, a pre-auth root-level authentication bypass in cPanel and WebHost
Manager (WHM) caused by a CRLF injection in the session writer. The exploit-inherent shape on the wire is a `GET /`
request to a cPanel/WHM admin port (typically TCP/2087, 2086, 2083, 2082, 2095, 2096) carrying an
`Authorization: Basic` header whose base64-decoded value contains CRLF-injected session fields, which causes cpsrvd
to respond with a 3xx redirect whose `Location` header leaks a `/cpsessNNNNNNNNNN` token granting the attacker a
privileged session. This is the network-layer equivalent of the cPanel `access_log` artifact identified by Unfold and
watchTowr as the first bulletproof detection for this CVE: a `GET /` recorded with `auth_method=b` (HTTP Basic).
Legitimate access to `GET /` on a WHM admin port returns 200 with the login screen and never includes HTTP Basic
credentials, so this combination is not produced by normal use.
Suspicious Child Process of Adobe Acrobat Reader Update Service
Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader
PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and
CVE-2020-9613 and verify that the impacted system is patched.
AWS Bedrock Foundation Model Access Enabled or Entitlement Granted
Identifies when access to an Amazon Bedrock foundation model is enabled at the account level, either by granting a
foundation-model entitlement, submitting a use case for model access, or creating a foundation-model agreement
(accepting the EULA). These account-level "model access" actions unlock a foundation model so that it can subsequently
be invoked. Adversaries or a compromised principal may enable model access to abuse expensive models (LLMjacking), to
establish a durable ability to invoke models within the account, or to bypass organizational controls. This activity is
distinct from changes to a resource-based model invocation policy and is identified by the Bedrock control-plane API
calls that grant model entitlements and agreements.
AWS Bedrock Resource-Based Policy Modified or Deleted
Detects modification or deletion of resource-based access policies on AWS Bedrock resources via the PutResourcePolicy
and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including external accounts) may
access Bedrock resources such as agents, knowledge bases, and custom models. An adversary may attach a resource policy
granting an external or unexpected principal access to a Bedrock resource to establish persistence or enable
cross-account access, or may delete an existing policy to weaken access controls. These changes should be validated for
principal ownership and least-privilege intent.
Active Directory Group Modification by SYSTEM
Identifies a user being added to an active directory group by the SYSTEM (S-1-5-18) user. This behavior can indicate
that the attacker has achieved SYSTEM privileges in a domain controller, which attackers can obtain by exploiting
vulnerabilities or abusing default group privileges (e.g., Server Operators), and is attempting to pivot to a domain
account.
Auditd Login Attempt at Forbidden Time
Identifies that a login attempt occurred at a forbidden time.
Auditd Max Failed Login Attempts
Identifies that the maximum number of failed login attempts has been reached for a user.
Auditd Max Login Sessions
Identifies that the maximum number login sessions has been reached for a user.
Curl or Wget Execution from Container Context
Detects execution of curl or wget from processes whose title aligns with **`runc init`**, a common fingerprint
for workloads running inside **OCI/runc-backed containers** on Linux hosts instrumented with Auditd Manager.
After breaking out of an application container or abusing a privileged workload, attackers often pull ingress tooling
(stagers, scripts, implants) or stage exfiltration with minimal HTTP clients. Those utilities are also used
benignly in images, so context matters; the `runc init` anchor narrows the signal to the container runtime boundary
where unexpected download clients are more worthy of review than the same binaries on a bare-metal admin shell.
Deprecated - Potential Privilege Escalation via UID INT_MAX Bug Detected
This rule monitors for the execution of the systemd-run command by a user with a UID that is larger than the maximum
allowed UID size (INT_MAX). Some older Linux versions were affected by a bug which allows user accounts with a UID
greater than INT_MAX to escalate privileges by spawning a shell through systemd-run.
Deprecated - Potential curl CVE-2023-38545 Exploitation
Detects potential exploitation of curl CVE-2023-38545 by monitoring for vulnerable command line arguments in conjunction
with an unusual command line length. A flaw in curl version <= 8.3 makes curl vulnerable to a heap based buffer overflow
during the SOCKS5 proxy handshake. Upgrade to curl version >= 8.4 to patch this vulnerability. This exploit can be
executed with and without the use of environment variables. For increased visibility, enable the collection of
http_proxy, HTTPS_PROXY and ALL_PROXY environment variables based on the instructions provided in the setup guide of
this rule.
FortiGate SOCKS Traffic from an Unusual Process
This detection correlates FortiGate's application control SOCKS events with Elastic Defend network event to identify the
source process performing SOCKS traffic. Adversaries may use a connection proxy to direct network traffic between systems
or act as an intermediary for network communications to a command and control server to avoid direct connections to their
infrastructure.
FortiGate SSL VPN Login Followed by SIEM Alert by User
Detects when a FortiGate SSL VPN login event is followed by any SIEM detection alert for the same user name within a
short time window. This correlation can indicate abuse of VPN access for malicious activity, credential compromise
used from a VPN session, or initial access via VPN followed by post-compromise behavior.
Google Workspace API Access Granted via Domain-Wide Delegation
Detects when a domain-wide delegation of authority is granted to a service account. Domain-wide delegation can be
configured to grant third-party and internal applications to access the data of Google Workspace users. An adversary may
configure domain-wide delegation to maintain access to their target’s data.
Google Workspace Role Modified
Detects when a custom admin role or its permissions are modified. An adversary may modify a custom admin role in order
to elevate the permissions of other user accounts and persist in their target’s environment.
Kubernetes Exposed Service Created With Type NodePort
This rule detects an attempt to create or modify a service as type NodePort. The NodePort service allows a user to
externally expose a set of labeled pods to the internet. This creates an open port on every worker node in the cluster
that has a pod for that service. When external traffic is received on that open port, it directs it to the specific pod
through the service representing it. A malicious user can configure a service as type Nodeport in order to intercept
traffic from other pods or nodes, bypassing firewalls and other network security measures configured for load balancers
within a cluster. This creates a direct method of communication between the cluster and the outside world, which could
be used for more malicious behavior and certainly widens the attack surface of your cluster.
Linux User Account Credential Modification
This rule detects Linux user account credential modification events where the echo command is
used to directly echo a password into the passwd or shadow utilities. This technique is used by
malware to automate the process of user account credential modification on Linux systems post-infection.
PANW and Elastic Defend - Command and Control Correlation
This detection correlates Palo Alto Networks (PANW) command and control events with Elastic Defend network events to identify
the source process performing the network activity.
Potential Account Takeover - Logon from New Source IP
Identifies a user account that normally logs in with high volume from one source IP suddenly logging in from a different
source IP. This pattern (one IP with many successful logons, another IP with very few) may indicate account takeover
or use of stolen credentials from a new location.
Potential Account Takeover - Mixed Logon Types
Identifies a user account (often a service account) that normally logs in with high volume using one logon type
suddenly showing successful logons using a different logon type with low count. This pattern may indicate account
takeover or use of stolen credentials from a new context (e.g. interactive or network logon where only batch/service
was expected).
Remote File Download via Desktopimgdownldr Utility
Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to
download arbitrary files as an alternative to certutil.
Remote File Download via MpCmdRun
Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.
Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining
initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for
adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be
atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.
Suspicious Activity Reported by Okta User
Detects when a user reports suspicious activity for their Okta account. These events should be investigated, as they can
help security teams identify when an adversary is attempting to gain access to their network.
Unusual Parent Process for cmd.exe
Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process.
Unusual Print Spooler Child Process
Detects unusual Print Spooler service (spoolsv.exe) child processes. This may indicate an attempt to exploit privilege
escalation vulnerabilities related to the Printing Service on Windows.
AWS Bedrock Unauthorized Foundation Model Access Attempt
Identifies failed, access-denied attempts to enable account-level access to an Amazon Bedrock foundation model, either
by granting a foundation-model entitlement, submitting a use case for model access, or creating a foundation-model
agreement (accepting the EULA). These account-level "model access" actions unlock a foundation model so that it can
subsequently be invoked. A principal that is repeatedly denied when attempting these actions may be a compromised or
under-privileged identity probing for the ability to unlock expensive models (LLMjacking) or to establish a durable
ability to invoke models. Unlike the companion rule that detects successful model-access grants, this rule surfaces the
attempt itself, which is a high-signal indicator of credential boundary-testing even though access was not granted.
AWS Bedrock Unauthorized Resource-Based Policy Modification Attempt
Detects failed, access-denied attempts to modify or delete resource-based access policies on AWS Bedrock resources via
the PutResourcePolicy and DeleteResourcePolicy API calls. Resource-based policies govern which principals (including
external accounts) may access Bedrock resources such as agents, knowledge bases, and custom models. A principal that is
repeatedly denied when attempting to attach or remove these policies may be a compromised or under-privileged identity
probing for the ability to grant external or cross-account access, or to weaken existing access controls. Unlike the
companion rule that detects successful changes, this rule surfaces the attempt itself, which is a high-signal indicator
of credential boundary-testing even though no change occurred.
Azure Automation Account Created
Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management
tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain
persistence in their target's environment.
File and Directory Discovery
Enumeration of files and directories using built-in tools. Adversaries may use the information discovered to plan
follow-on activity.
Kubernetes Unusual Decision by User Agent
This rule detects unusual request responses in Kubernetes audit logs through the use of the
"new_terms" rule type. In production environments, default API requests are typically made by
system components or trusted users, who are expected to have a consistent user agent and
allowed response annotations. By monitoring for anomalies in the username and response
annotations, this rule helps identify potential unauthorized access or misconfigurations
in the Kubernetes environment.
Potential Cross Site Scripting (XSS)
Cross-Site Scripting (XSS) is a type of attack in which malicious scripts are injected into trusted websites. In XSS
attacks, an attacker uses a benign web application to send malicious code, generally in the form of a browser-side
script. This detection rule identifies the potential malicious executions of such browser-side scripts.
Process Discovery via Tasklist
Adversaries may attempt to get information about running processes on a system.
Strace Process Activity
Strace is a useful diagnostic, instructional, and debugging tool. This rule identifies a privileged context execution of
strace which can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or
move laterally.
Suspicious Print Spooler SPL File Created
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including
CVE-2020-1048 and CVE-2020-1337.
System Information Discovery via dmidecode from Parent Shell
This rule detects the use of dmidecode to gather system information from a Linux host when executed from a parent
shell process. Adversaries may use dmidecode to collect detailed hardware and system information, which can aid in
further exploitation or lateral movement within a network, or be used as a fingerprint for a compromised system.
User Discovery via Whoami
The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for
privileged access.
A client made a web request to a potentially harmful file (ASIM Web Session schema)
'This rule identifies a web request to a URL that holds a file type, including .ps1, .bat, .vbs, and .scr that can be harmful if downloaded. This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM WebSession schema (ASIM WebSession Schema)'
Show query
let default_file_ext_blocklist = dynamic(['.ps1', '.vbs', '.bat', '.scr']); // Update this list as per your requirement
let custom_file_ext_blocklist=toscalar(_GetWatchlist('RiskyFileTypes')
| extend Extension=column_ifexists("Extension", "")
| where isnotempty(Extension)
| summarize make_set(Extension)); // If you have an extensive list, you can also create a Watchlist that includes the file extensions you want to detect
let file_ext_blocklist = array_concat(default_file_ext_blocklist, custom_file_ext_blocklist);
_Im_WebSession(starttime=ago(10min), url_has_any=file_ext_blocklist, eventresult='Success')
| extend requestedFileName=tostring(split(tostring(parse_url(Url)["Path"]), '/')[-1])
| extend requestedFileExtension=extract(@'(\.\w+)$', 1, requestedFileName, typeof(string))
| where requestedFileExtension in (file_ext_blocklist)
| summarize
EventStartTime=min(TimeGenerated),
EventEndTime=max(TimeGenerated),
EventCount=count()
by SrcIpAddr, SrcUsername, SrcHostname, requestedFileName, Url
| extend
Name = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 0)[0]), SrcUsername),
UPNSuffix = iif(SrcUsername contains "@", tostring(split(SrcUsername, '@', 1)[0]), "")
Showing 1-50 of 810