Tool
Hunt pack: Play
991 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Play - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.
◈
Detections
50 shown of 991Windows New InProcServer32 Added
The following analytic detects the addition of new InProcServer32 registry keys on Windows endpoints. It leverages data from the Endpoint.Registry datamodel to identify changes in registry paths associated with InProcServer32. This activity is significant because malware often uses this mechanism to achieve persistence or execute malicious code by registering a new InProcServer32 key pointing to a harmful DLL. If confirmed malicious, this could allow an attacker to persist in the environment or execute arbitrary code, posing a significant threat to system integrity and security.
Show query
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user | `drop_dm_object_name(Registry)` |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_new_inprocserver32_added_filter`
Windows Njrat Fileless Storage via Registry
The following analytic detects suspicious registry modifications indicative of NjRat's fileless storage technique. It leverages the Endpoint.Registry data model to identify specific registry paths and values commonly used by NjRat for keylogging and executing DLL plugins. This activity is significant as it helps evade traditional file-based detection systems, making it crucial for SOC analysts to monitor. If confirmed malicious, this behavior could allow attackers to persist on the host, execute arbitrary code, and capture sensitive keystrokes, leading to potential data breaches and further system compromise.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\[kl]" OR Registry.registry_value_data IN ("*[ENTER]*", "*[TAP]*", "*[Back]*") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_njrat_fileless_storage_via_registry_filter`Windows Non-System Account Targeting Lsass
The following analytic identifies non-SYSTEM accounts requesting access to lsass.exe. This detection leverages Sysmon EventCode 10 logs to monitor access attempts to the Local Security Authority Subsystem Service (lsass.exe) by non-SYSTEM users. This activity is significant as it may indicate credential dumping attempts or unauthorized access to sensitive credentials. If confirmed malicious, an attacker could potentially extract credentials from memory, leading to privilege escalation or lateral movement within the network. Immediate investigation is required to determine the legitimacy of the access request and to mitigate any potential threats.
Show query
`sysmon` EventCode=10 TargetImage=*lsass.exe NOT (SourceUser="NT AUTHORITY\\*") | stats count min(_time) as firstTime max(_time) as lastTime by CallTrace EventID GrantedAccess Guid Opcode ProcessID SecurityID SourceImage SourceProcessGUID SourceProcessId TargetImage TargetProcessGUID TargetProcessId UserID dest granted_access parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_non_system_account_targeting_lsass_filter`
Windows NorthStar C2 Agent Execution
Detects the initial agent or persistent agent processes for Northstar C2 being run.
NorthStarC2 is an open-source command and control framework developed for penetration testing and red teaming purposes by Engin Demirbilek.
NorthStar C2 Framework consists of two applications, a server-side GUI web application for managing sessions and a client-side stager to communicate with C2 server.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.original_file_name="NorthstarStager.exe"
OR
Processes.process_name IN (
"NorthstarStager.exe",
"SystemHealthCheck.exe"
)
by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
Processes.parent_process_name Processes.parent_process_exec Processes.action
Processes.dest Processes.process_current_directory Processes.process_path
Processes.process_integrity_level Processes.original_file_name Processes.parent_process
Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_northstar_c2_agent_execution_filter`Windows Obfuscated Files or Information via RAR SFX
The following analytic detects the creation of RAR Self-Extracting (SFX) files by monitoring the generation of file related to rar sfx .tmp file creation during sfx installation. This method leverages a heuristic to identify RAR SFX archives based on specific markers that indicate a combination of executable code and compressed RAR data. By tracking such activity, the analytic helps pinpoint potentially unauthorized or suspicious file creation events, which are often associated with malware packaging or data exfiltration. Legitimate usage may include custom installers or compressed file delivery.
Show query
`sysmon` EventCode=11 TargetFilename IN ("*__tmp_rar_sfx_access_check*")
| stats count min(_time) as firstTime max(_time) as lastTime
BY action dest file_name
file_path process_guid process_id
user user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_obfuscated_files_or_information_via_rar_sfx_filter`Windows Outlook WebView Registry Modification
The following analytic identifies modifications to specific Outlook registry values related to WebView and Today features. It detects when a URL is set in these registry locations, which could indicate attempts to manipulate Outlook's web-based components. The analytic focuses on changes to the "URL" value within Outlook's WebView and Today registry paths. This activity is significant as it may represent an attacker's effort to redirect Outlook's web content or inject malicious URLs. If successful, this technique could lead to phishing attempts, data theft, or serve as a stepping stone for further compromise of the user's email client and potentially sensitive information.
Show query
| tstats `security_content_summariesonly` count values(Registry.registry_value_name) as registry_value_name values(Registry.registry_value_data) as registry_value_data min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\*" OR Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\Today") AND Registry.registry_value_name="URL" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_outlook_webview_registry_modification_filter`
Windows Possible Credential Dumping
The following analytic detects potential credential dumping by identifying specific GrantedAccess permission requests and CallTrace DLLs targeting the LSASS process. It leverages Sysmon EventCode 10 logs, focusing on access requests to lsass.exe and call traces involving debug and native API DLLs like dbgcore.dll, dbghelp.dll, and ntdll.dll. This activity is significant as credential dumping can lead to unauthorized access to sensitive credentials. If confirmed malicious, attackers could gain elevated privileges and persist within the environment, posing a severe security risk.
Show query
`sysmon` EventCode=10 TargetImage=*\\lsass.exe granted_access IN ("0x01000", "0x1010", "0x1038", "0x40", "0x1400", "0x1fffff", "0x1410", "0x143a", "0x1438", "0x1000") CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*", "*ntdll.dll*", "*kernelbase.dll*", "*kernel32.dll*") NOT SourceUser IN ("NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE") | stats count min(_time) as firstTime max(_time) as lastTime by CallTrace EventID GrantedAccess Guid Opcode ProcessID SecurityID SourceImage SourceProcessGUID SourceProcessId TargetImage TargetProcessGUID TargetProcessId UserID dest granted_access parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_possible_credential_dumping_filter`Windows Potato Privilege Escalation Tool Execution
Detects execution of known Potato-family privilege escalation tools based on original file name, process name, or binary path.
A tool class that has been a dominant post-compromise privilege escalation method for over a decade and remains actively used by ransomware operators, red teams, and nation-state actors alike.
The Potato family exploits Windows token impersonation and privilege abuse to escalate from a service account, IIS worker process, or other restricted context to SYSTEM.
The core abuse chain across most variants involves tricking a SYSTEM-level process into authenticating to an attacker-controlled endpoint, capturing that authentication, and impersonating the resulting SYSTEM token to spawn an elevated process.
Show query
| tstats summariesonly=false allow_old_summaries=true
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.original_file_name IN (
"*CertPotato*",
"*CoercedPotato*",
"*GenericPotato*",
"*GhostPotato*",
"*GodPotato*",
"*HotPotato*",
"*JuicyPotato*",
"*LocalPotato*",
"*LonelyPotato*",
"*RoguePotato*",
"*RottenPotato*",
"*SharpPotato*",
"*SweetPotato*"
)
OR Processes.process_path IN (
"*CertPotato*",
"*CoercedPotato*",
"*GenericPotato*",
"*GhostPotato*",
"*GodPotato*",
"*HotPotato*",
"*JuicyPotato*",
"*LocalPotato*",
"*LonelyPotato*",
"*RoguePotato*",
"*RottenPotato*",
"*SharpPotato*",
"*SweetPotato*"
)
by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
Processes.parent_process_name Processes.parent_process_exec Processes.action
Processes.dest Processes.process_current_directory Processes.process_path
Processes.process_integrity_level Processes.original_file_name Processes.parent_process
Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_potato_privilege_escalation_tool_execution_filter`Windows PowGoop Beacon Decoding
Detects a DLL decoding and executing the PowGoop config.txt payload, the stage in the MuddyWater infection chain where an obfuscated PowerShell beacon is unwrapped and live C2 communication begins.
PowGoop is the primary loader used by MuddyWater (also tracked as SeedWorm, Static Kitten, and MERCURY) and has been their main initial access loader since at least 2020.
It abuses DLL side-loading against a fake GoogleUpdate.exe to execute a multi-stage decoding chain, a fully functional PowerShell backdoor disguised with a benign extension.
The config.txt contains a hardcoded C2 address and victim GUID, beacons via modified base64-encoded HTTP, and runs C2 traffic under the legitimate Google Update process to evade network detection.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.parent_process_path="*rundll32.exe"
Processes.process_name="powershell.exe"
Processes.process="*FromBase64String*"
Processes.process="*config.txt*"
by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
Processes.parent_process_name Processes.parent_process_exec Processes.action
Processes.dest Processes.process_current_directory Processes.process_path
Processes.process_integrity_level Processes.original_file_name Processes.parent_process
Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powgoop_beacon_decoding_filter`Windows PowerShell FakeCAPTCHA Clipboard Execution
This detection identifies potential FakeCAPTCHA/ClickFix clipboard hijacking campaigns by looking for PowerShell execution with hidden window parameters and distinctive strings related to fake CAPTCHA verification. These campaigns use social engineering to trick users into pasting malicious PowerShell commands from their clipboard, typically delivering information stealers or remote access trojans.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_powershell`
AND
Processes.process="*-w*h*"
AND
( (Processes.process IN ("*robot*", "*captcha*", "*verify*", "*security check*", "*complete verification*"))
OR
( (Processes.process IN ("*iwr *", "*Invoke-WebRequest*", "*wget *", "*curl *", "*Net.WebClient*", "*DownloadString*", "*[Convert]::FromBase64String*"))
AND
(Processes.process IN ("*iex*", "*Invoke-Expression*"))
AND
(Processes.process IN ("*click*", "*verify*", "*check*", "*human*", "*bot*", "*token*", "*challenge*")) )
OR
( Processes.process="*clipboard*"
AND
Processes.process="*iex*"
AND
(Processes.process="*FromBase64String*"
OR
Processes.process="*decode*") ) )
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_fakecaptcha_clipboard_execution_filter`Windows PowerShell Get CIMInstance Remote Computer
The following analytic detects the use of the Get-CimInstance cmdlet with the -ComputerName parameter, indicating an attempt to retrieve information from a remote computer. It leverages PowerShell Script Block Logging to identify this specific command execution. This activity is significant as it may indicate unauthorized remote access or information gathering by an attacker. If confirmed malicious, this could allow the attacker to collect sensitive data from remote systems, potentially leading to further exploitation or lateral movement within the network.
Show query
`powershell` EventCode=4104 ScriptBlockText="*get-ciminstance*" AND ScriptBlockText="*computername*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_get_ciminstance_remote_computer_filter`Windows PowerShell Invoke-Sqlcmd Execution
This detection identifies potentially suspicious usage of Invoke-Sqlcmd PowerShell cmdlet, which can be used for database operations and potential data exfiltration. The detection looks for suspicious parameter combinations and query patterns that may indicate unauthorized database access, data theft, or malicious database operations. Threat actors may prefer using PowerShell Invoke-Sqlcmd over sqlcmd.exe as it provides a more flexible programmatic interface and can better evade detection.
Show query
`powershell` EventCode=4104 ScriptBlockText="*invoke-sqlcmd*" | eval script_lower=lower(ScriptBlockText) | eval has_query=case( match(script_lower, "(?i)-query\\s+"), 1, match(script_lower, "(?i)-q\\s+"), 1, true(), 0 ), has_input_file=case( match(script_lower, "(?i)-inputfile\\s+"), 1, match(script_lower, "(?i)-i\\s+"), 1, true(), 0 ), has_url_input=case( match(script_lower, "(?i)-inputfile\\s+https?://"), 1, match(script_lower, "(?i)-i\\s+https?://"), 1, match(script_lower, "(?i)-inputfile\\s+ftp://"), 1, match(script_lower, "(?i)-i\\s+ftp://"), 1, true(), 0 ), has_admin_conn=case( match(script_lower, "(?i)-dedicatedadministratorconnection"), 1, true(), 0 ), has_suspicious_auth=case( match(script_lower, "(?i)-username\\s+sa\\b"), 1, match(script_lower, "(?i)-u\\s+sa\\b"), 1, match(script_lower, "(?i)-username\\s+admin\\b"), 1, match(script_lower, "(?i)-u\\s+admin\\b"), 1, true(), 0 ), has_suspicious_query=case( match(script_lower, "(?i)(xp_cmdshell|sp_oacreate|sp_execute_external|openrowset|bulk\\s+insert)"), 1, match(script_lower, "(?i)(master\\.\\.\\.sysdatabases|msdb\\.\\.\\.backuphistory|sysadmin|securityadmin)"), 1, match(script_lower, "(?i)(select.*from.*sys\\.|select.*password|dump\\s+database)"), 1, match(script_lower, "(?i)(sp_addextendedproc|sp_makewebtask|sp_addsrvrolemember)"), 1, match(script_lower, "(?i)(sp_configure.*show\\s+advanced|reconfigure|enable_xp_cmdshell)"), 1, match(script_lower, "(?i)(exec.*master\\.dbo\\.|exec.*msdb\\.dbo\\.)"), 1, match(script_lower, "(?i)(sp_password|sp_control_dbmasterkey_password|sp_dropextendedproc)"), 1, match(script_lower, "(?i)(powershell|cmd\\.exe|rundll32|regsvr32|certutil)"), 1, true(), 0 ), has_data_exfil=case( match(script_lower, "(?i)-outputas\\s+(dataset|datatables)"), 1, match(script_lower, "(?i)-as\\s+(dataset|datatables)"), 1, match(script_lower, "(?i)(for\\s+xml|for\\s+json)"), 1, match(script_lower, "(?i)(select.*into.*from|select.*into.*outfile)"), 1, true(), 0 ), has_cert_bypass=case( match(script_lower, "(?i)-trustservercertificate"), 1, true(), 0 ) | eval risk_score=0 | eval risk_score=case( has_suspicious_query=1 AND has_data_exfil=1, risk_score + 90, has_url_input=1, risk_score + 80, has_suspicious_query=1, risk_score + 60, has_data_exfil=1, risk_score + 60, has_admin_conn=1, risk_score + 50, has_suspicious_auth=1, risk_score + 40, has_cert_bypass=1, risk_score + 20, true(), risk_score ) | eval command_type=case( match(script_lower, "xp_cmdshell"), "xp_cmdshell abuse", match(script_lower, "https?://"), "Remote file execution", match(script_lower, "sys\\.server_principals"), "System enumeration", match(script_lower, "fn_my_permissions"), "Permission enumeration", match(script_lower, "username\\s+sa\\b"), "SA account usage", match(script_lower, "show\\s+advanced\\s+options"), "Configuration change attempt", match(script_lower, "select.*from\\s+customers"), "Large data export", match(script_lower, "select.*password"), "Sensitive data query", match(script_lower, "sp_configure.*xp_cmdshell"), "Enable xp_cmdshell", 1=1, "General database access" ) | eval risk_factors=mvappend( if(has_suspicious_query=1 AND has_data_exfil=1, "High-risk query with data extraction: ".command_type, null()), if(has_url_input=1, "Remote file input detected in command", null()), if(has_suspicious_query=1, "Suspicious SQL query pattern: ".command_type, null()), if(has_data_exfil=1, "Potential data exfiltration using ".command_type, null()), if(has_admin_conn=1, "Administrative database connection", null()), if(has_suspicious_auth=1, "Suspicious authentication method used", null()), if(has_cert_bypass=1, "Certificate validation bypassed", null()) ) | eval risk_message="PowerShell Invoke-Sqlcmd execution with risk factors: ".mvjoin(risk_factors, ", ") | where risk_score >= 30 | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText UserID Computer risk_message risk_score command_type | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_invoke_sqlcmd_execution_filter`
Windows PowerShell MSIX Package Installation
The following analytic detects the execution of PowerShell commands to install unsigned AppX packages using Add-AppxPackage or Add-AppPackage cmdlets with the -AllowUnsigned flag. This detection leverages PowerShell Script Block Logging (EventCode=4104) to capture the full command content. This activity is significant as adversaries may use unsigned AppX packages to install malicious applications, bypass security controls, or establish persistence. If confirmed malicious, this could allow attackers to install unauthorized applications that may contain malware, backdoors, or other malicious components.
Show query
`powershell` EventCode=4104 ScriptBlockText IN("*Add-AppPackage *", "*Add-AppxPackage *") AND ScriptBlockText IN ("* -AllowUnsigned*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_msix_package_installation_filter`
| `windows_powershell_msix_package_installation_filter`Windows PowerShell Process Implementing Manual Base64 Decoder
The following analytic identifies Windows PowerShell processes that implement a manual Base64 decoder.
Threat actors often use Base64 encoding to obfuscate malicious payloads or commands within PowerShell scripts.
By manually decoding Base64 strings, attackers can evade detection mechanisms that look for standard decoding functions like using the "-enc" flag or the "FromBase64String" function.
This detection focuses on PowerShell processes that exhibit characteristics of manual Base64 decoding, such as the presence of specific string manipulation methods and bitwise operations.
Security teams should investigate any instances of such activity, especially if found in conjunction with other suspicious behaviors or on systems that should not be using PowerShell for such tasks.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_powershell`
Processes.process = "*ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/*"
Processes.process = "*.Substring(*"
Processes.process = "*.GetString(*"
Processes.process = "*.IndexOf(*"
Processes.process IN ("*-shl*", *-shr*, "*-bxor*", "*-bor*", "*-band*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id
Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_process_implementing_manual_base64_decoder_filter`
Windows PowerShell Process With Malicious String
The following analytic detects the execution of multiple offensive toolkits and commands through the process execution datamodel. This method captures commands given directly to powershell.exe, allowing for the identification of suspicious activities including several well-known tools used for credential theft, lateral movement, and persistence. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_powershell`
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup malicious_powershell_strings command as process
| where isnotnull(match)
| `windows_powershell_process_with_malicious_string_filter`Windows PowerShell ScheduleTask
The following analytic detects potential malicious activities involving PowerShell's task scheduling cmdlets. It leverages PowerShell Script Block Logging (EventCode 4104) to identify unusual or suspicious use of cmdlets like 'New-ScheduledTask' and 'Set-ScheduledTask'. This activity is significant as attackers often use these cmdlets for persistence and remote execution of malicious code. If confirmed malicious, this could allow attackers to maintain access, deliver additional payloads, or execute ransomware, leading to data theft or other severe impacts. Immediate investigation and mitigation are crucial to prevent further compromise.
Show query
`powershell` EventCode=4104 ScriptBlockText IN ("*New-ScheduledTask*", "*New-ScheduledTaskAction*", "*New-ScheduledTaskSettingsSet*", "*New-ScheduledTaskTrigger*", "*Register-ClusteredScheduledTask*", "*Register-ScheduledTask*", "*Set-ClusteredScheduledTask*", "*Set-ScheduledTask*", "*Start-ScheduledTask*", "*Enable-ScheduledTask*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_scheduletask_filter`Windows PowerShell Script Block With Malicious String
The following analytic detects the execution of multiple offensive toolkits and commands by leveraging PowerShell Script Block Logging (EventCode=4104). This method captures and logs the full command sent to PowerShell, allowing for the identification of suspicious activities including several well-known tools used for credential theft, lateral movement, and persistence. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information within the environment.
Show query
`powershell` ScriptBlockText=* EventCode=4104 | stats count min(_time) as firstTime max(_time) as lastTime list(ScriptBlockText) as command values(Guid) as Guid values(Opcode) as Opcode values(Name) as Name values(Path) as Path values(ProcessID) as ProcessID values(ScriptBlockId) as ScriptBlockId values(ScriptBlockText) as ScriptBlockText by dest signature signature_id user_id vendor_product | eval command = mvjoin(command,"\n") | lookup malicious_powershell_strings command | where isnotnull(match) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powershell_script_block_with_malicious_string_filter`
Windows PowerShell Script From WindowsApps Directory
The following analytic identifies the execution of PowerShell scripts from the WindowsApps directory, which is a common technique used in malicious MSIX package execution.
This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command lines and parent process paths.
This activity is significant as adversaries have been observed using MSIX packages with embedded PowerShell scripts (particularly StartingScriptWrapper.ps1) to execute malicious code.
If confirmed malicious, this could allow attackers to execute arbitrary code, establish persistence, or deliver malware while evading traditional detection mechanisms.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Endpoint.Processes where
(
`process_powershell`
OR
`process_cmd`
)
AND
(
Processes.parent_process_path="*\\WindowsApps\\*"
OR
Processes.process IN ("*WindowsApps*-file *", "*WindowsApps*.ps1*")
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_script_from_windowsapps_directory_filter`Windows PowerShell Script TabExpansion Direct Call
Detects specific indicators associated with the execution of the TabExpansion internal function in PowerShell.
Calling this function directly is not normal and can be indicative of malicious activity such as TabShell.
Due to the way PowerShell internals work it can be used in conjunction with directory transversal to load any PowerShell functions even in a sandboxed session.
False positives could include legitimate usage of the TabExpansion function but calling it directly is very rare.
Show query
`powershell`
EventID="4104"
ScriptBlockText="*$lastWord*"
ScriptBlockText="*$_val=' + $_expression*"
ScriptBlockText="*function Write-Members*"
| fillnull
| stats count min(_time) as firstTime
max(_time) as lastTime
by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid
Opcode Name Path ProcessID ScriptBlockId
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_script_tabexpansion_direct_call_filter`Windows PowerShell WMI Win32 ScheduledJob
The following analytic detects the use of the Win32_ScheduledJob WMI class via PowerShell script block logging. This class, which manages scheduled tasks, is disabled by default due to security concerns and must be explicitly enabled through registry modifications. The detection leverages PowerShell event code 4104 and script block text analysis. Monitoring this activity is crucial as it may indicate malicious intent, especially if the class was enabled by an attacker. If confirmed malicious, this could allow attackers to persist in the environment by creating scheduled tasks.
Show query
`powershell` EventCode=4104 ScriptBlockText="*win32_scheduledjob*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_wmi_win32_scheduledjob_filter`Windows PowerView AD Access Control List Enumeration
The following analytic detects the execution of PowerView PowerShell cmdlets `Get-ObjectAcl` or `Get-DomainObjectAcl`, which are used to enumerate Access Control List (ACL) permissions for Active Directory objects. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to discover weak permissions in Active Directory, potentially leading to privilege escalation. If confirmed malicious, attackers could exploit these permissions to gain unauthorized access or escalate their privileges within the network.
Show query
`powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl*)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powerview_ad_access_control_list_enumeration_filter`Windows PowerView Constrained Delegation Discovery
The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commandlets like `Get-DomainComputer` or `Get-NetComputer` with the `-TrustedToAuth` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.
Show query
`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-TrustedToAuth*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powerview_constrained_delegation_discovery_filter`Windows PowerView Unconstrained Delegation Discovery
The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commands like `Get-DomainComputer` or `Get-NetComputer` with the `-Unconstrained` parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.
Show query
`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-Unconstrained*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powerview_unconstrained_delegation_discovery_filter`Windows Powershell Cryptography Namespace
The following analytic detects suspicious PowerShell script execution involving the cryptography namespace via EventCode 4104. It leverages PowerShell Script Block Logging to identify scripts using cryptographic functions, excluding common hashes like SHA and MD5. This activity is significant as it is often associated with malware that decrypts or decodes additional malicious payloads. If confirmed malicious, this could allow an attacker to execute further code, escalate privileges, or establish persistence within the environment. Analysts should investigate the parent process, decrypted data, network connections, and the user executing the script.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*System.Security.Cryptography*" AND NOT(ScriptBlockText IN ("*SHA*", "*MD5*", "*DeriveBytes*"))
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_cryptography_namespace_filter`Windows Powershell History File Deletion
The following analytic detects the usage of PowerShell to delete its command history file, which may indicate an attempt to evade detection by removing evidence of executed commands. PowerShell stores command history in ConsoleHost_history.txt under the user’s profile directory. Adversaries or malicious scripts may delete this file using Remove-Item, del, or similar commands. This detection focuses on file deletion events targeting the history file, correlating them with recent PowerShell activity. While legitimate users may occasionally clear history, frequent or automated deletions should be investigated for potential defense evasion or post-exploitation cleanup activities.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*Remove-Item*" ScriptBlockText = "*.HistorySavePath"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product Guid
Opcode Name Path
ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_history_file_deletion_filter`Windows Powershell Import Applocker Policy
The following analytic detects the import of Windows PowerShell Applocker cmdlets, specifically identifying the use of "Import-Module Applocker" and "Set-AppLockerPolicy" with an XML policy. It leverages PowerShell Script Block Logging (EventCode 4104) to capture and analyze script block text. This activity is significant as it may indicate an attempt to enforce restrictive Applocker policies, potentially used by malware like Azorult to disable antivirus products. If confirmed malicious, this could allow an attacker to bypass security controls, leading to further system compromise and persistence.
Show query
`powershell` EventCode=4104 ScriptBlockText="*Import-Module Applocker*" ScriptBlockText="*Set-AppLockerPolicy*" ScriptBlockText="* -XMLPolicy *"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_import_applocker_policy_filter`Windows Powershell Logoff User via Quser
The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*quser*logoff*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_logoff_user_via_quser_filter`Windows Powershell RemoteSigned File
The following analytic identifies the use of the "remotesigned" execution policy for PowerShell scripts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions containing "remotesigned" and "-File". This activity is significant because the "remotesigned" policy allows locally created scripts to run without restrictions, posing a potential security risk. If confirmed malicious, an attacker could execute unauthorized scripts, leading to code execution, privilege escalation, or persistence within the environment.
Show query
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_powershell` Processes.process="* remotesigned *" Processes.process="* -File *"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powershell_remotesigned_file_filter`Windows Privilege Escalation Attempt Via MSI Rollback
Detects an attacker abusing the Windows Installer rollback mechanism to escalate privileges from a standard user to SYSTEM without triggering a UAC prompt, using a technique known as FolderContentsDeleteToFolderDelete.
Windows Installer (msiexec.exe) creates rollback scripts during software installation to undo changes if an installation fails.
These rollback scripts are generated and executed by the Windows Installer service, which runs as SYSTEM.
The FolderContentsDeleteToFolderDelete technique abuses this trusted mechanism by crafting a malicious rollback script that instructs the SYSTEM-level Installer service to delete attacker-chosen files or directories — effectively giving a low-privileged attacker the ability to make SYSTEM-level filesystem modifications without any privilege prompt.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process="*/target \"C:\\Config.msi\" *"
Processes.process="*/initial*"
by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
Processes.parent_process_name Processes.parent_process_exec Processes.action
Processes.dest Processes.process_current_directory Processes.process_path
Processes.process_integrity_level Processes.original_file_name Processes.parent_process
Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_privilege_escalation_attempt_via_msi_rollback_filter`Windows Process Commandline Discovery
The following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) to retrieve information about running processes, specifically targeting the command lines used to launch those processes. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on logs containing process details and command-line executions. This activity is significant as it may indicate suspicious behavior, such as a user or process gathering detailed process information, which is uncommon for non-technical users. If confirmed malicious, this could allow an attacker to gain insights into running processes, aiding in further exploitation or lateral movement.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_wmic` Processes.process= "* process *" Processes.process= "* get *" Processes.process= "*CommandLine*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_process_commandline_discovery_filter`Windows Process Execution From ProgramData
The following analytic identifies processes running from file paths within
the ProgramData directory, a common location abused by adversaries for executing
malicious code while evading detection. Threat actors often drop and execute payloads
from this directory to bypass security controls, as it typically has write permissions
for standard users. While this behavior can indicate malware execution or persistence
techniques, it is important to note that some legitimate software, installers, and
update mechanisms also run from ProgramData, leading to potential false positives.
Security teams should validate detections by correlating with other indicators,
such as unusual parent processes, unsigned binaries, or anomalous network activity.
Show query
| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = "*:\\ProgramData\\*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_process_execution_from_programdata_filter`
Windows Proxy Via Netsh
The following analytic identifies the use of netsh.exe to configure a connection proxy, which can be leveraged for persistence by executing a helper DLL. It detects this activity by analyzing process creation events from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving "portproxy" and "v4tov4" parameters. This activity is significant because it indicates potential unauthorized network configuration changes, which could be used to maintain persistence or redirect network traffic. If confirmed malicious, this could allow an attacker to maintain covert access or manipulate network communications, posing a significant security risk.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_netsh` Processes.process = "* portproxy *" Processes.process = "* v4tov4 *"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_proxy_via_netsh_filter`Windows Proxy Via Registry
The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path "*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_proxy_via_registry_filter`
Windows RDP Cache File Deletion
This detection identifies the deletion of RDP bitmap cache files—specifically .bmc and .bin files—typically stored in the user profile under the Terminal Server Client\Cache directory. These files are created by the native Windows Remote Desktop Client (mstsc.exe) and store graphical elements from remote sessions to improve performance. Deleting these files may indicate an attempt to remove forensic evidence of RDP usage. While rare in legitimate user behavior, this action is commonly associated with defense evasion techniques used by attackers or red teamers who wish to hide traces of interactive remote access. When observed in conjunction with recent logon activity, RDP session indicators, or script execution, this behavior should be treated as potentially malicious. Monitoring for deletion of these files provides valuable visibility into anti-forensic actions that often follow lateral movement or hands-on-keyboard activity.
Show query
`sysmon` EventCode IN ("23", "26") TargetFilename IN ("*\\Terminal Server Client\\Cache\\*.bmc", "*\\Terminal Server Client\\Cache\\cache*.bin") | stats count min(_time) as firstTime, max(_time) as lastTime by action dest dvc file_path file_hash file_name file_modify_time process_exec process_guid process_id process_name process_path signature signature_id user user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rdp_cache_file_deletion_filter`Windows RDP Server Registry Deletion
This detection identifies the deletion of registry keys under HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers\, which store records of previously connected remote systems via Remote Desktop Protocol (RDP). These keys are created automatically when a user connects to a remote host using the native Windows RDP client (mstsc.exe) and can be valuable forensic artifacts for tracking remote access activity. Malicious actors aware of this behavior may delete these keys after using RDP to hide evidence of their activity and avoid detection during incident response. This form of artifact cleanup is a known defense evasion technique, often performed during or after lateral movement. Legitimate users rarely delete these keys manually, making such actions highly suspicious—especially when correlated with RDP usage, unusual logon behavior, or other signs of compromise. Detecting the deletion of these registry entries can provide crucial insight into attempts to cover tracks following interactive remote access.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\Microsoft\\Terminal Server Client\\Servers\\*" Registry.action = deleted by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_rdp_server_registry_deletion_filter`
Windows RDPClient Connection Sequence Events
This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events track when RDP ClientActiveX initiates connection attempts to remote servers. The connection sequence is a critical phase of RDP where the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. NOTE the analytic was written for Multi-Line as XML was not properly parsed out.
Show query
`wineventlog_rdp` EventCode=1024
| rename host as dest
| stats count as "Event Count", min(_time) as firstTime, max(_time) as lastTime, values(Message) as messages
BY dest, source, LogName,
EventCode, category
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_rdpclient_connection_sequence_events_filter`Windows Rapid Authentication On Multiple Hosts
The following analytic detects a source computer authenticating to 30 or more remote endpoints within a 5-minute timespan using Event ID 4624. This behavior is identified by analyzing Windows Event Logs for LogonType 3 events and counting unique target computers. Such activity is significant as it may indicate lateral movement or network share enumeration by an adversary. If confirmed malicious, this could lead to unauthorized access to multiple systems, potentially compromising sensitive data and escalating privileges within the network.
Show query
`wineventlog_security` EventCode=4624 LogonType=3 TargetUserName!="ANONYMOUS LOGON" TargetUserName!="*$"
| bucket span=5m _time
| stats dc(Computer) AS unique_targets values(Computer) as host_targets values(dest) as dest values(src) as src values(user) as user
BY _time, IpAddress, TargetUserName,
action, app, authentication_method,
signature, signature_id
| where unique_targets > 30
| `windows_rapid_authentication_on_multiple_hosts_filter`Windows Rdp AutomaticDestinations Deletion
This detection identifies the deletion of files within the AutomaticDestinations folder, located under a user’s AppData\Roaming\Microsoft\Windows\Recent directory. These files are part of the Windows Jump List feature, which records recently accessed files and folders tied to specific applications. Each .automaticDestinations-ms file corresponds to a program (e.g., Explorer, Word, Notepad) and can be valuable for forensic analysis of user activity. Adversaries may target this folder to erase evidence of their actions, such as which documents or directories were accessed during a session. This type of deletion is rarely seen during normal user activity and may indicate deliberate anti-forensic behavior. When correlated with suspicious logon events, RDP usage, or script execution, this activity may represent an attempt to cover tracks after data access, lateral movement, or staging for exfiltration. Detecting removal of these artifacts can highlight post-compromise cleanup efforts and help analysts reconstruct attacker behavior.
Show query
`sysmon` EventCode=23 TargetFilename IN ("*\\Recent\\AutomaticDestinations*") | stats count min(_time) as firstTime, max(_time) as lastTime by action dest dvc file_path file_hash file_name file_modify_time process_exec process_guid process_id process_name process_path signature signature_id user user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_rdp_automaticdestinations_deletion_filter`Windows Registry Delete Task SD
The following analytic detects a process attempting to delete a scheduled task's Security Descriptor (SD) from the registry path of that task.
It leverages the Endpoint.Registry data model to identify registry actions performed by the SYSTEM user, specifically targeting deletions of the SD value.
This activity is significant as it may indicate an attempt to remove evidence of a scheduled task for defense evasion.
If confirmed malicious, it suggests an attacker with privileged access trying to hide their tracks, potentially compromising system integrity and security.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Endpoint.Registry where
Registry.registry_path IN ("*\\Schedule\\TaskCache\\Tree\\*")
Registry.user="SYSTEM"
(
Registry.registry_value_name="SD"
OR
Registry.registry_key_name="SD"
)
Registry.action=deleted
by Registry.action Registry.dest Registry.process_guid
Registry.process_id Registry.registry_hive
Registry.registry_path Registry.registry_key_name
Registry.registry_value_data Registry.registry_value_name
Registry.registry_value_type Registry.status Registry.user
Registry.vendor_product
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_registry_delete_task_sd_filter`
Windows Registry Payload Injection
The following analytic detects suspiciously long data written to the Windows registry, a behavior often linked to fileless malware or persistence techniques. It leverages Endpoint Detection and Response (EDR) telemetry, focusing on registry events with data lengths exceeding 512 characters. This activity is significant as it can indicate an attempt to evade traditional file-based defenses, making it crucial for SOC monitoring. If confirmed malicious, this technique could allow attackers to maintain persistence, execute code, or manipulate system configurations without leaving a conventional file footprint.
Show query
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
WHERE Registry.registry_value_data=*
BY _time span=1h Registry.dest
Registry.registry_path Registry.registry_value_name Registry.process_guid
Registry.registry_value_data Registry.registry_key_name Registry.registry_hive
Registry.status Registry.action Registry.process_id
Registry.user Registry.vendor_product
| `drop_dm_object_name(Registry)`
| eval reg_data_len = len(registry_value_data)
| where reg_data_len > 512
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_registry_payload_injection_filter`Windows Renamed Powershell Execution
The following analytic identifies instances where the PowerShell executable has been renamed and executed under an alternate filename. This behavior is commonly associated with attempts to evade security controls or bypass logging mechanisms that monitor standard PowerShell usage. While rare in legitimate environments, renamed PowerShell binaries are frequently observed in malicious campaigns leveraging Living-off-the-Land Binaries (LOLBins) and fileless malware techniques. This detection flags executions of PowerShell where the process name does not match the default powershell.exe or pwsh.exe, especially when invoked from unusual paths or accompanied by suspicious command-line arguments.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
(
Processes.original_file_name = PowerShell.EXE
Processes.process_name != powershell.exe
)
OR
(
Processes.original_file_name = pwsh.dll
Processes.process_name != pwsh.exe
)
OR
(
Processes.original_file_name = powershell_ise.EXE
Processes.process_name != powershell_ise.exe
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process
Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_renamed_powershell_execution_filter`
Windows Root Domain linked policies Discovery
The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for root domain linked policies. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory Discovery. If confirmed malicious, this activity could allow attackers to map out domain policies, potentially aiding in further exploitation or lateral movement within the network.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText = "*.SearchRooT*" ScriptBlockText = "*.gplink*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_root_domain_linked_policies_discovery_filter`Windows Routing and Remote Access Service Registry Key Change
This analytic identifies the modification of the Windows RemoteAccess Registry Entry.
This technique can be used by malware, adversaries, threat actors and red teamers to gain persistence on a system by tampering with the key to add a custom DLL to be loaded.
This technique was also observed to be used by Gh0st RAT malware.
Upon seeing this behavior, it is recommended to review the system services events especially the remote access services.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Endpoint.Registry WHERE
Registry.registry_path="*\\Services\\RemoteAccess\\RouterManagers\\Ip*"
Registry.action=modified
by Registry.action Registry.dest Registry.process_guid
Registry.process_id Registry.registry_hive
Registry.registry_path Registry.registry_key_name
Registry.registry_value_data Registry.registry_value_name
Registry.registry_value_type Registry.status
Registry.user Registry.vendor_product
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_routing_and_remote_access_service_registry_key_change_filter`Windows RunMRU Registry Key or Value Deleted
The following analytic detects the deletion or modification of Most Recently Used (MRU) command entries stored within the Windows Registry. Adversaries often clear these registry keys, such as HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, to remove forensic evidence of commands executed via the Windows Run dialog or other system utilities. This activity aims to obscure their actions, hinder incident response efforts, and evade detection. Detection focuses on monitoring for changes (deletion of values or modification of the MRUList value) to these specific registry paths, particularly when performed by unusual processes or outside of typical user behavior. Anomalous deletion events can indicate an attempt at defense evasion or post-exploitation cleanup by a malicious actor.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path = "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU*" Registry.action = deleted by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_runmru_registry_key_or_value_deleted_filter`
Windows SQL Spawning CertUtil
The following analytic detects the use of certutil to download software, specifically when spawned by SQL-related processes. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving certutil with parameters like *urlcache* and *split*. This activity is significant as it may indicate a compromise by threat actors, such as Flax Typhoon, who use certutil to establish persistent VPN connections. If confirmed malicious, this behavior could allow attackers to maintain access, monitor system availability, and potentially escalate to data theft or ransomware deployment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name IN ("sqlservr.exe", "sqlagent.exe", "sqlps.exe", "launchpad.exe", "sqldumper.exe") `process_certutil` (Processes.process="*urlcache*"
OR
Processes.process="*verifyctl*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sql_spawning_certutil_filter`Windows SQLCMD Execution
This detection identifies potentially suspicious usage of sqlcmd.exe, focusing on command patterns that may indicate data exfiltration, reconnaissance, or malicious database operations. The detection looks for both short-form (-X) and long-form (--flag) suspicious parameter combinations, which have been observed in APT campaigns targeting high-value organizations. For example, threat actors like CL-STA-0048 have been known to abuse sqlcmd.exe for data theft and exfiltration from compromised MSSQL servers. The detection monitors for suspicious authentication attempts, output redirection, and potentially malicious query patterns that could indicate unauthorized database access or data theft.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=sqlcmd.exe OR Processes.original_file_name=sqlcmd.exe) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | eval process_lower=lower(process) | eval is_help_check=case( match(process, "(?i)-[?]"), 1, match(process_lower, "(?i)--help"), 1, match(process_lower, "(?i)--version"), 1, true(), 0 ), has_parameters=if(match(process, "-[A-Za-z]"), 1, 0), has_query=case( match(process, "-[Qq]\\s+"), 1, match(process_lower, "--query\\s+"), 1, match(process_lower, "--initial-query\\s+"), 1, true(), 0 ), has_output=case( match(process, "-[oO]\\s+"), 1, match(process_lower, "--output-file\\s+"), 1, true(), 0 ), has_input=case( match(process, "-[iI]\\s+"), 1, match(process_lower, "--input-file\\s+"), 1, true(), 0 ), has_url_input=case( match(process, "-[iI]\\s+https?://"), 1, match(process_lower, "--input-file\\s+https?://"), 1, match(process, "-[iI]\\s+ftp://"), 1, match(process_lower, "--input-file\\s+ftp://"), 1, true(), 0 ), has_admin_conn=case( match(process, "-A"), 1, match(process_lower, "--dedicated-admin-connection"), 1, true(), 0 ), has_suspicious_auth=case( match(process, "-U\\s+sa\\b"), 1, match(process_lower, "--user-name\\s+sa\\b"), 1, match(process, "-U\\s+admin\\b"), 1, match(process_lower, "--user-name\\s+admin\\b"), 1, match(process, "-E\\b"), 1, match(process_lower, "--use-trusted-connection"), 1, true(), 0 ), has_local_server=case( match(process, "-S\\s+127\\.0\\.0\\.1"), 1, match(process_lower, "--server\\s+127\\.0\\.0\\.1"), 1, match(process, "-S\\s+localhost"), 1, match(process_lower, "--server\\s+localhost"), 1, true(), 0 ), has_suspicious_output=case( match(process_lower, "-o\\s+.*\\.(txt|csv|dat)"), 1, match(process_lower, "--output-file\\s+.*\\.(txt|csv|dat)"), 1, true(), 0 ), has_cert_bypass=case( match(process, "-C"), 1, match(process_lower, "--trust-server-certificate"), 1, true(), 0 ), has_suspicious_query=case( match(process_lower, "(xp_cmdshell|sp_oacreate|sp_execute_external|openrowset|bulk\\s+insert)"), 1, match(process_lower, "(master\\.\\.\\.sysdatabases|msdb\\.\\.\\.backuphistory|sysadmin|securityadmin)"), 1, match(process_lower, "(select.*from.*sys\\.|select.*password|dump\\s+database)"), 1, match(process_lower, "(sp_addextendedproc|sp_makewebtask|sp_addsrvrolemember)"), 1, match(process_lower, "(sp_configure.*show\\s+advanced|reconfigure|enable_xp_cmdshell)"), 1, match(process_lower, "(exec.*master\\.dbo\\.|exec.*msdb\\.dbo\\.)"), 1, match(process_lower, "(sp_password|sp_control_dbmasterkey_password|sp_dropextendedproc)"), 1, match(process_lower, "(powershell|cmd\\.exe|rundll32|regsvr32|certutil)"), 1, true(), 0 ), has_suspicious_path=case( match(process_lower, "(\\\\temp\\\\|\\\\windows\\\\|\\\\public\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\)"), 1, match(process_lower, "(\\\\desktop\\\\.*\\.(zip|rar|7z|tar|gz))"), 1, match(process_lower, "(\\\\downloads\\\\.*\\.(dat|bin|tmp))"), 1, match(process_lower, "(\\\\appdata\\\\local\\\\temp\\\\|\\\\windows\\\\tasks\\\\)"), 1, match(process_lower, "(\\\\recycler\\\\|\\\\system32\\\\|\\\\system volume information\\\\)"), 1, match(process_lower, "(\\.vbs|\\.ps1|\\.bat|\\.cmd|\\.exe)$"), 1, true(), 0 ), has_suspicious_combo=case( match(process, "-E") AND match(process_lower, "(?i)xp_cmdshell"), 1, match(process, "-Q") AND match(process_lower, "(?i)exec\\s+master"), 1, has_local_server=1 AND has_suspicious_query=1, 1, true(), 0 ), has_obfuscation=case( match(process_lower, "(char\\(|convert\\(|cast\\(|declare\\s+@)"), 1, match(process_lower, "(exec\\s+\\(|exec\\s+@|;\\s*exec)"), 1, match(process, "\\^|\\%|\\+\\+|\\-\\-"), 1, len(process) > 500, 1, true(), 0 ), has_data_exfil=case( match(process_lower, "(for\\s+xml|for\\s+json)"), 1, match(process_lower, "(bulk\\s+insert.*from)"), 1, match(process_lower, "(bcp.*queryout|bcp.*out)"), 1, match(process_lower, "(select.*into.*from|select.*into.*outfile)"), 1, true(), 0 ) | eval risk_score=0 | eval risk_score=case( is_help_check=1, 0, has_parameters=0, 0, has_suspicious_combo=1, risk_score + 90, has_suspicious_query=1, risk_score + 60, has_suspicious_path=1, risk_score + 40, has_url_input=1 AND has_output=1, risk_score + 80, has_query=1 AND has_output=1, risk_score + 30, has_query=1 AND has_suspicious_output=1, risk_score + 40, has_admin_conn=1, risk_score + 50, has_suspicious_auth=1, risk_score + 40, has_local_server=1 AND has_query=1, risk_score + 30, has_cert_bypass=1, risk_score + 20, has_obfuscation=1, risk_score + 70, has_data_exfil=1, risk_score + 60, true(), risk_score ) | eval risk_factors=mvappend( if((is_help_check=0 AND has_parameters=0), null(), if(has_suspicious_combo=1, "High-risk command combination detected", null())), if((is_help_check=0 AND has_parameters=0), null(), if(has_suspicious_query=1, "Suspicious SQL query pattern", null())), if(has_suspicious_path=1, "Suspicious output path", null()), if(has_url_input=1 AND has_output=1, "File download attempt", null()), if(has_query=1 AND has_output=1, "Query output to file", null()), if(has_admin_conn=1, "Admin connection", null()), if(has_suspicious_auth=1, "Suspicious authentication", null()), if(has_local_server=1, "Local server connection", null()), if(has_cert_bypass=1, "Certificate validation bypass", null()), if(has_obfuscation=1, "Command obfuscation detected", null()), if(has_data_exfil=1, "Potential data exfiltration", null()) ) | eval risk_message="SQLCMD execution with risk factors: ".mvjoin(risk_factors, ", ") | where is_help_check=0 AND (risk_score >= 30 OR (has_parameters=1 AND has_suspicious_query=1)) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_sqlcmd_execution_filter`
Windows Scheduled Task Created Via XML
The following analytic detects the creation of scheduled tasks in Windows using schtasks.exe with the "XML" parameter.
This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details.
This activity is significant as it is a common technique for establishing persistence or achieving privilege escalation, often used by malware like Trickbot and Winter-Vivern. While creating a scheduled task via XML may be legitimate, it can also be abused by attackers. If confirmed malicious, this could allow attackers to maintain access, execute additional payloads, and potentially lead to data theft or ransomware deployment.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
(Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe)
Processes.process IN ("* /create *", "* -create *")
Processes.process IN ("* /xml *", "* -xml *")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_scheduled_task_created_via_xml_filter`
Windows Scheduled Task DLL Module Loaded
The following analytic detects instances where the taskschd.dll is loaded by processes running in suspicious or writable directories. This activity is unusual, as legitimate processes that load taskschd.dll typically reside in protected system locations. Malware or threat actors may attempt to load this DLL from writable or non-standard directories to manipulate the Task Scheduler and execute malicious tasks. By identifying processes that load taskschd.dll in these unsafe locations, this detection helps security analysts flag potentially malicious activity and investigate further to prevent unauthorized system modifications.
Show query
`sysmon` EventCode=7 Image IN ("*\\windows\\fonts\\*", "*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*", "*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*", "*\\temp\\*", "*\\PerfLogs\\*") ImageLoaded = "*\\taskschd.dll" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_dll_module_loaded_filter`Windows Scheduled Task Service Spawned Shell
The following analytic detects when the Task Scheduler service ("svchost.exe -k netsvcs -p -s Schedule") spawns common command line, scripting, or shell execution binaries such as "powershell.exe" or "cmd.exe".
This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships.
This activity is significant as attackers often abuse the Task Scheduler for execution and persistence, blending in with legitimate Windows operations.
If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, or escalate privileges within the environment.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.parent_process_name="svchost.exe"
Processes.parent_process="*-k*"
Processes.parent_process= "*netsvcs*"
Processes.parent_process="*-p*"
Processes.parent_process="*-s*"
Processes.parent_process="*Schedule*"
Processes.process_name IN(
"bash.exe",
"cmd.exe",
"cscript.exe",
"ksh.exe",
"powershell.exe",
"pwsh.exe",
"scrcons.exe",
"sh.exe",
"wscript.exe",
"zsh.exe"
)
by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_scheduled_task_service_spawned_shell_filter`Windows Scheduled Task with Highest Privileges
The following analytic detects the creation of a new scheduled task with the highest execution privileges via Schtasks.exe. It leverages Endpoint Detection and Response (EDR) logs to monitor for specific command-line parameters ('/rl' and 'highest') in schtasks.exe executions. This activity is significant as it is commonly used in AsyncRAT attacks for persistence and privilege escalation. If confirmed malicious, this could allow an attacker to maintain persistent access and execute tasks with elevated privileges, potentially leading to unauthorized system access and data breaches.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "schtasks.exe" Processes.process = "*/rl *" Processes.process = "* highest *" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_highest_privileges_filter`
Showing 901-950 of 991