Tool
Hunt pack: Play
991 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Vendor-native detections covering the ATT&CK techniques attributed to Play - a ready-to-deploy hunt pack across Splunk, Elastic and Sentinel.
◈
Detections
41 shown of 991Windows Scheduled Task with Suspicious Command
The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript or from public folders such as Users, Temp, or ProgramData. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, enabled, or modified. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.
Show query
`wineventlog_security` EventCode IN (4698,4700,4702) | eval TaskContent = case(isnotnull(TaskContentNew),TaskContentNew,true(),TaskContent) | xmlkv TaskContent | stats count min(_time) as firstTime max(_time) as lastTime latest(Arguments) as Arguments latest(Author) as Author by Computer, Caller_User_Name, TaskName, Command, Enabled, Hidden, EventCode | lookup windows_suspicious_tasks task_command as Command | where tool == "shell command use" OR tool == "suspicious paths" | eval command=TaskName, process=Command+if(isnotnull(Arguments)," ".Arguments,""), src_user=Author, user = Caller_User_Name, dest = Computer, signature_id = EventCode | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_suspicious_command_filter`
Windows Scheduled Task with Suspicious Name
The following analytic detects the creation, modification, or enabling of scheduled tasks with known suspicious or malicious task names. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, modified, or enabled. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.
Show query
`wineventlog_security` EventCode IN (4698,4700,4702) | eval TaskContent = case(isnotnull(TaskContentNew),TaskContentNew,true(),TaskContent) | xmlkv TaskContent | stats count min(_time) as firstTime max(_time) as lastTime latest(Arguments) as Arguments latest(Author) as Author by Computer, TaskName, Command, Enabled, Hidden,Caller_User_Name, EventCode | lookup windows_suspicious_tasks task_name as TaskName | where isnotnull(tool_type) | eval command=TaskName, process=Command+if(isnotnull(Arguments)," ".Arguments,""), src_user=Author, user = Caller_User_Name, dest = Computer | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_task_with_suspicious_name_filter`
Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr
The following analytic detects the creation or modification of Windows Scheduled Tasks related to CompMgmtLauncher or Eventvwr. These legitimate system utilities, used for launching the Computer Management Console and Event Viewer, can be abused by attackers to execute malicious payloads under the guise of normal system processes. By leveraging these tasks, adversaries can establish persistence or elevate privileges without raising suspicion. This detection helps security analysts identify unusual or unauthorized scheduled tasks involving these executables, allowing for timely investigation and remediation of potential threats.
Show query
`wineventlog_security` EventCode=4698 TaskContent = "*<Command>C:\\Windows\\System32\\CompMgmtLauncher.exe</Command>*" OR TaskContent = "*<Command>C:\\Windows\\System32\\zh-CN\\eventvwr.msc</Command>*" OR TaskContent = "*<Command>C:\\Windows\\System32\\eventvwr.msc</Command>*" | stats count min(_time) as firstTime max(_time) as lastTime by dest action EventData_Xml TaskContent TaskName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr_filter`
Windows Schtasks Create Run As System
The following analytic detects the creation of a new scheduled task using Schtasks.exe to run as the SYSTEM user. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process details. This activity is significant as it often indicates an attempt to gain elevated privileges or maintain persistence within the environment. If confirmed malicious, an attacker could execute code with SYSTEM-level privileges, potentially leading to data theft, ransomware deployment, or further system compromise. Immediate investigation and mitigation are crucial to prevent further damage.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=schtasks.exe OR Processes.original_file_name=schtasks.exe) Processes.process="*/create *" Processes.process="*/ru *" Processes.process="*system*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_schtasks_create_run_as_system_filter`
Windows Sensitive Registry Hive Dump Via CommandLine
The following analytic detects the use of `reg.exe` to export Windows Registry hives, which may contain sensitive credentials. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `save` or `export` actions targeting the `sam`, `system`, or `security` hives. This activity is significant as it indicates potential offline credential access attacks, often executed from untrusted processes or scripts. If confirmed malicious, attackers could gain access to credential data, enabling further compromise and lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where
(
(
(Processes.process_name=reg.exe OR Processes.original_file_name=reg.exe)
Processes.process IN ("*save*", "*export*")
)
OR
(
(Processes.process_name=regedit.exe OR Processes.original_file_name=REGEDIT.exe)
Processes.process IN ("*/E *", "*-E *")
)
)
Processes.process IN (
"*HKEY_LOCAL_MACHINE\\SAM*",
"*HKEY_LOCAL_MACHINE\\Security*",
"*HKEY_LOCAL_MACHINE\\System*",
"*HKLM\\SAM*",
"*HKLM\\Security*",
"*HKLM\\System*",
)
by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_sensitive_registry_hive_dump_via_commandline_filter`
Windows Set Network Profile Category to Private via Registry
The following analytic detects attempts to modify the Windows Registry to change a network profile's category to "Private", which may indicate an adversary is preparing the environment for lateral movement or reducing firewall restrictions. Specifically, this activity involves changes to the Category value within the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID} registry path. A value of 1 corresponds to a private network profile, which typically enables less restrictive firewall policies. While this action can occur during legitimate network configuration, it may also be a sign of malicious behavior when combined with other indicators such as suspicious account activity, unexpected administrative privilege usage, or execution of unsigned binaries. Monitoring for this registry modification—especially outside standard IT processes or correlated with persistence mechanisms—can help identify stealthy post-exploitation activity.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles\\*" Registry.registry_value_name = "Category" Registry.registry_value_data = 0x00000001 by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_set_network_profile_category_to_private_via_registry_filter`
Windows Shell Process from CrushFTP
The following analytic identifies instances where CrushFTP's service process (crushftpservice.exe) spawns shell processes like cmd.exe or powershell.exe. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because CrushFTP should not normally spawn interactive shell processes during regular operations. If confirmed malicious, this behavior could indicate successful exploitation of vulnerabilities like CVE-2025-31161, potentially allowing attackers to execute arbitrary commands with the privileges of the CrushFTP service.
Show query
| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name=crushftpservice.exe
AND
`process_cmd`
OR
`process_powershell`
BY Processes.dest Processes.parent_process Processes.original_file_name
Processes.user Processes.action Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_path
Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_id Processes.process_integrity_level Processes.process_path
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_shell_process_from_crushftp_filter`Windows Short Lived DNS Record
The following analytic identifies the creation and quick deletion of a DNS object within 300 seconds in an Active Directory environment, indicative of a potential attack abusing DNS. This detection leverages Windows Security Event Codes 5136 and 5137, analyzing the duration between these events. This activity is significant as temporary DNS entries allows attackers to cause unexpecting network trafficking, leading to potential compromise.
Show query
`wineventlog_security` ((EventCode=5137 ObjectClass="dnsNode") OR (EventCode=5136 ObjectClass="dnsNode" AttributeLDAPDisplayName="dNSTombstoned" AttributeValue="TRUE"))
| stats min(_time) as firstTime max(_time) as lastTime values(EventCode) as event_codes values(ObjectDN) as dns_record values(SubjectUserName) as user values(Computer) as dest
BY ObjectGUID
| where mvcount(event_codes)=2
| eval time_diff=lastTime - firstTime
| where time_diff <= 300
| table firstTime, lastTime, dns_record, user, dest, time_diff, ObjectGUID
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_short_lived_dns_record_filter`Windows Snake Malware File Modification Crmlog
The following analytic identifies the creation of a .crmlog file within the %windows%\Registration directory, typically with a format of <RANDOM_GUID>.<RANDOM_GUID>.crmlog. This detection leverages the Endpoint.Filesystem datamodel to monitor file creation events in the specified directory. This activity is significant as it is associated with the Snake malware, which uses this file for its operations. If confirmed malicious, this could indicate the presence of Snake malware, leading to potential data exfiltration, system compromise, and further malicious activities. Immediate investigation is required to mitigate the threat.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path="*\\windows\\registration\\*" AND Filesystem.file_name="*.crmlog" by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_snake_malware_file_modification_crmlog_filter`
Windows Snake Malware Registry Modification wav OpenWithProgIds
The following analytic identifies modifications to the registry path .wav\\OpenWithProgIds, associated with the Snake Malware campaign. It leverages data from the Endpoint.Registry datamodel to detect changes in this specific registry location. This activity is significant because Snake's WerFault.exe uses this registry path to decrypt an encrypted blob containing critical components like the AES key, IV, and paths for its kernel driver and loader. If confirmed malicious, this could allow the attacker to load and execute Snake's kernel driver, leading to potential system compromise and persistent access.
Show query
| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path="*\\.wav\\OpenWithProgIds\\*" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `windows_snake_malware_registry_modification_wav_openwithprogids_filter`
Windows SnappyBee Create Test Registry
The following analytic detects modifications to the Windows registry under `SOFTWARE\Microsoft\Test`, a location rarely used by legitimate applications in a production environment. Monitoring this key is crucial, as adversaries may create or alter values here for monitoring update of itself file path, updated configuration file, or system mark compromised. The detection leverages **Sysmon Event ID 13** (Registry Value Set) to identify unauthorized changes. Analysts should investigate processes associated with these modifications, particularly unsigned executables or suspicious command-line activity, as they may indicate malware or unauthorized software behavior.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE Registry.registry_path = "*\\SOFTWARE\\Microsoft\\Test\\*" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_snappybee_create_test_registry_filter`
Windows Suspect Process With Authentication Traffic
The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("88","389","636") AND All_Traffic.app IN ("*\\users\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") by All_Traffic.action All_Traffic.app All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.direction All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user All_Traffic.vendor_product | `drop_dm_object_name(All_Traffic)` | rex field=app ".*\\\(?<process_name>.*)$" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspect_process_with_authentication_traffic_filter`Windows Suspicious Burst of Password Changes
A regular user account performed rapid, repeated password changes across multiple local accounts within a 2-second window.
This pattern is consistent with automated credential manipulation tools that cycle account passwords to deny access to defenders or escalate privileges The speed and volume of changes indicates scripted or tooled activity rather than manual administration, as legitimate password resets do not occur at machine speed across multiple accounts simultaneously.
Show query
`wineventlog_security`
(
EventCode=4723
OR
EventCode=4724
)
| eval log_time = strptime(SystemTime, "%Y-%m-%dT%H:%M:%S.%6NZ")
| eval log_time = coalesce(log_time, _time)
| eval time_bucket = floor(log_time / 2) * 2
| eval SubjectRID = tonumber(replace(SubjectUserSid, ".*-(\d+)$", "\1"))
| where SubjectRID >= 1000
| stats count AS EventsForAccount
min(log_time) AS firstTime
max(log_time) AS lastTime
by Computer TargetUserName SubjectUserName time_bucket
| where EventsForAccount >= 4
| eval DurationSecs = round(lastTime - firstTime, 3), DurationSecs = if(DurationSecs = 0, 0.001, DurationSecs), ChangeRatePerSec = round(EventsForAccount / DurationSecs, 2)
| rename Computer as dest
| stats dc(TargetUserName) AS AffectedAccounts
values(TargetUserName) AS Accounts
values(SubjectUserName) AS InitiatingAccounts
sum(EventsForAccount) AS TotalEvents
max(ChangeRatePerSec) AS PeakChangeRatePerSec
min(DurationSecs) AS FastestBurstSecs
min(firstTime) AS firstTime
max(lastTime) AS lastTime
by dest time_bucket
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_burst_of_password_changes_filter`Windows Suspicious Child Process of TieringEngineService.exe
Detects the RedSun privilege escalation exploit delivering a SYSTEM-level shell to the attacker's session.
RedSun replaces the legitimate TieringEngineService.exe with a malicious binary, which launches a process as SYSTEM, usually some sort of shell or shell spawner (conhost.exe, cmd.exe, PowerShell, etc.) in the attacker's active session.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Endpoint.Processes WHERE
Processes.parent_process_name="TieringEngineService.exe"
(
Processes.process IN (
"*bitsadmin.exe*",
"*cmd.exe*",
"*conhost.exe*",
"*cscript.exe*",
"*curl.exe*",
"*powershell.exe*",
"*pwsh.exe*",
"*rundll32.exe*",
"*wmic.exe*"
)
OR
Processes.process_name IN (
"bitsadmin.exe",
"cmd.exe",
"conhost.exe",
"cscript.exe",
"curl.exe",
"powershell.exe",
"pwsh.exe",
"rundll32.exe",
"wmic.exe"
)
)
Processes.user IN (
"*AUTHORITY*",
"*System*"
)
BY Processes.dest Processes.user Processes.original_file_name
Processes.parent_process Processes.process_name Processes.process
Processes.process_id Processes.parent_process_id
Processes.parent_process_name action
parent_process_exec parent_process_guid
parent_process_path process_exec process_guid
process_hash process_integrity_level
process_path user_id vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_child_process_of_tieringengineservice_exe_filter`
Windows Suspicious Defender Engine or Signature Files Created
Detects Windows Defender engine (mpengine.dll) or signature database files (*.vdm) being created by any process that is not a Windows Defender component.
BlueHammer extracts these files from the downloaded mpam-fe update package into a UUID-named subdirectory of %TEMP% as part of staging the TOCTOU privilege escalation.
Show query
`sysmon` EventID="11"
TargetFilename IN (
"*\\mpasbase.vdm*",
"*\\mpasdlta.vdm*",
"*\\mpavbase.vdm*",
"*\\mpavdlta.vdm*",
"*\\mpengine.dll*"
)
NOT Image IN (
"*:\\ProgramData\\Microsoft\\Windows Defender\\*",
"*:\\Program Files\\Windows Defender\\*"
)
| fillnull
| rename Computer as dest
| stats count by dest TargetFilename Image EventID
action file_name file_path process_guid
process_id user vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_defender_engine_or_signature_files_created_filter`Windows Suspicious QEMU Execution
Detects execution of the QEMU binary and an image file with the -nographic flag.
This causes it to run in the background without any display.
This has been observed as a persistence and initial access technique by some threat actors to install a rogue linux virtual machine
Show query
`sysmon`
EventID=1
CommandLine="*-nographic*"
CommandLine="*.img*"
(
Description="*QEMU machine*"
OR
Product="QEMU"
OR
Company="*qemu*"
)
| fillnull
| stats count min(_time) as firstTime
max(_time) as lastTime
by Computer EventID CommandLine Description Product Company action dest
original_file_name parent_process parent_process_exec parent_process_guid
parent_process_id parent_process_name parent_process_path process_hash
process_integrity_level user user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_qemu_execution_filter`Windows Suspicious VMWare Tools Child Process
The following analytic identifies child processes spawned by vmtoolsd.exe, the VMWare Tools service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as CVE-2023-20867. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name=vmtoolsd.exe
AND
Processes.process_name IN ("powershell.exe","cmd.exe", "msbuild.exe", "microsoft.workflow.compiler.exe", "searchprotocolhost.exe", "scrcons.exe", "cscript.exe", "wscript.exe","bitsadmin.exe", "rundll32.exe", "wmic.exe", "mshta.exe", "certutil.exe", "schtasks.exe")
AND NOT
(Processes.process_name="cmd.exe" AND Processes.process IN ("*\\VMware Tools\\poweroff-vm-default.bat*","*\\VMware Tools\\poweron-vm-default.bat*"))
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_vmware_tools_child_process_filter`Windows Svchost.exe Parent Process Anomaly
The following analytic detects an anomaly where an svchost.exe process is spawned by a parent process other than the standard services.exe. In a typical Windows environment, svchost.exe is a system process that hosts Windows service DLLs, and is expected to be a child of services.exe. A process deviation from this hierarchy may indicate suspicious behavior, such as malicious code attempting to masquerade as a legitimate system process or evade detection. It is essential to investigate the parent process and associated behavior for further signs of compromise or unauthorized activity.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name != "services.exe" AND Processes.process_name = "svchost.exe" AND Processes.process != unknown AND Processes.parent_process_path != "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*\\MsMpEng.exe" AND Processes.parent_process_path != "C:\\Program Files\\Windows Defender\\MsMpEng.exe" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_svchost_exe_parent_process_anomaly_filter`
Windows System Discovery Using Qwinsta
The following analytic detects the execution of "qwinsta.exe" on a Windows operating system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. The "qwinsta.exe" tool is significant because it can display detailed session information on a remote desktop session host server. This behavior is noteworthy as it is commonly abused by Qakbot malware to gather system information and send it back to its Command and Control (C2) server. If confirmed malicious, this activity could lead to unauthorized data exfiltration and further compromise of the host.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name = "qwinsta.exe"
OR
Processes.original_file_name = "qwinsta.exe"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_discovery_using_qwinsta_filter`Windows System Discovery Using ldap Nslookup
The following analytic detects the execution of nslookup.exe to query domain information using LDAP. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant as nslookup.exe can be abused by malware like Qakbot to gather critical domain details, such as SRV records and server names. If confirmed malicious, this behavior could allow attackers to map the network, identify key servers, and plan further attacks, potentially leading to data exfiltration or lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name = "nslookup.exe"
OR
Processes.original_file_name = "nslookup.exe"
)
AND Processes.process = "*_ldap._tcp.dc._msdcs*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_discovery_using_ldap_nslookup_filter`Windows System File on Disk
The following analytic detects the creation of new .sys files on disk. It leverages the Endpoint.Filesystem data model to identify and log instances where .sys files are written to the filesystem. This activity is significant because .sys files are often used as kernel mode drivers, and their unauthorized creation can indicate malicious activity such as rootkit installation. If confirmed malicious, this could allow an attacker to gain kernel-level access, leading to full system compromise, persistent control, and the ability to bypass security mechanisms.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.file_name="*.sys*"
BY Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_file_on_disk_filter`Windows System Network Config Discovery Display DNS
The following analytic identifies the execution of the "ipconfig /displaydns" command, which retrieves DNS reply information using the built-in Windows tool IPConfig. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process command-line executions. Monitoring this activity is significant as threat actors and post-exploitation tools like WINPEAS often abuse this command to gather network information. If confirmed malicious, this activity could allow attackers to map the network, identify DNS servers, and potentially facilitate further network-based attacks or lateral movement.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name="ipconfig.exe"
OR
Processes.original_file_name = "ipconfig.exe"
AND
Processes.process = "*/displaydns*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_network_config_discovery_display_dns_filter`Windows System Remote Discovery With Query
The following analytic detects the execution of `query.exe` with command-line arguments aimed at discovering data on remote devices. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as adversaries may use `query.exe` to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this behavior could allow attackers to identify various details about a system, aiding in further lateral movement and privilege escalation within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name="query.exe"
OR
Processes.original_file_name="query.exe"
)
AND (Processes.process="*/server*") AND NOT Processes.process IN ("*/server:localhost*", "*/server:127.0.0.1*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_remote_discovery_with_query_filter`Windows System User Discovery Via Quser
The following analytic detects the execution of the Windows OS tool quser.exe, commonly used to gather information about user sessions on a Remote Desktop Session Host server. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. Monitoring this activity is crucial as quser.exe is often abused by post-exploitation tools like winpeas, used in ransomware attacks to enumerate user sessions. If confirmed malicious, attackers could leverage this information to further compromise the system, maintain persistence, or escalate privileges.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name="quser.exe"
OR
Processes.original_file_name = "quser.exe"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_user_discovery_via_quser_filter`Windows System User Privilege Discovery
The following analytic detects the execution of `whoami.exe` with the `/priv` parameter, which displays the privileges assigned to the current user account. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it may indicate an adversary attempting to enumerate user privileges, a common step in the reconnaissance phase of an attack. If confirmed malicious, this could lead to privilege escalation or further exploitation within the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name="whoami.exe" Processes.process= "*/priv*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_user_privilege_discovery_filter`Windows TOR Client Execution
The following analytic detects the execution of the TOR Browser and related TOR components on Windows endpoints by monitoring process creation activity.
Adversaries and insider threats leverage TOR to anonymize command-and-control traffic, facilitate data exfiltration, and evade network monitoring and policy enforcement.
While TOR can be used for legitimate research and privacy purposes, its presence on enterprise endpoints is often unusual and should be investigated to determine intent, scope, and any associated malicious behavior.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes where
(
Processes.process_name = "tor.exe"
OR
(
Processes.process_path = "*\\BraveSoftware\\Brave-Browser*"
Processes.process_path = "*\\tor-*"
)
)
by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_tor_client_execution_filter`
Windows TinyCC Shellcode Execution
Detects abuse of Tiny-C-Compiler (TinyCC) for shellcode execution, where tcc.exe is renamed to masquerade as svchost.exe and used to compile and execute C source files containing shellcode. This technique was observed in the Lotus Blossom Chrysalis backdoor campaign, where attackers renamed tcc.exe to svchost.exe and executed conf.c containing Metasploit block_api shellcode with the flags -nostdlib -run.
TinyCC is a legitimate C compiler, but its ability to compile and execute code on-the-fly makes it attractive to attackers seeking to evade detection. The combination of a renamed compiler binary executing from non-standard locations with suspicious flags is a strong indicator of malicious activity.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process_name IN ("svchost.exe", "tcc.exe")
Processes.process="* -nostdlib*"
Processes.process="* -run*"
Processes.process IN ("*.c", "*conf.c*")
NOT Processes.process_path IN (
"*:\\Windows\\System32\\*",
"*:\\Windows\\SysWOW64\\*"
)
by Processes.action Processes.dest Processes.user Processes.process Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name
Processes.parent_process_path Processes.process_name Processes.process_id
Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_integrity_level Processes.process_path
Processes.original_file_name Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_tinycc_shellcode_execution_filter`Windows Universal Data Link File Creation
Detects the creation of Universal Data Link (UDL) files.
This could indicate a phishing technique that exploits UDL files, which are typically used in Windows for database connections.
Attackers might leverage UDL files to bypass email filters and capture user credentials by tricking victims into testing a connection to a malicious server.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Filesystem where
Filesystem.file_name="*.udl"
Filesystem.action="created"
by Filesystem.dest Filesystem.file_create_time Filesystem.process_path
Filesystem.process_guid Filesystem.process_id Filesystem.file_path
Filesystem.action Filesystem.file_name Filesystem.user
Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_universal_data_link_file_creation_filter`Windows Unusual SysWOW64 Process Run System32 Executable
The following analytic detects an unusual process execution pattern where a process running from C:\Windows\SysWOW64\ attempts to execute a binary from C:\Windows\System32\. In a typical Windows environment, 32-bit processes under SysWOW64 should primarily interact with 32-bit binaries within the same directory. However, an execution flow where a 32-bit process spawns a 64-bit binary from System32 can indicate potential process injection, privilege escalation, evasion techniques, or unauthorized execution hijacking.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_path = "*\\Windows\\SysWOW64\\*" AND Processes.process = "*windows\\system32\\*" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_unusual_syswow64_process_run_system32_executable_filter`
Windows User Discovery Via Net
The following analytic detects the execution of `net.exe` or `net1.exe` with command-line arguments `user` or `users` to query local user accounts. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it indicates potential reconnaissance efforts by adversaries to enumerate local users, which is a common step in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further attacks, including privilege escalation and lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_net` (Processes.process="*user"
OR
Processes.process="*users"
OR
Processes.process="*users *"
OR
Processes.process="*user *")
AND
NOT (Processes.process="*/add"
OR
Processes.process="*/delete")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_user_discovery_via_net_filter`Windows User Execution Malicious URL Shortcut File
The following analytic detects the creation URL shortcut files, often used by malware like CHAOS ransomware. It leverages the Endpoint.Filesystem datamodel to identify ".url" files created outside common directories, such as "Program Files". This activity can be significant as ".URL" files can be used as mean to trick the user into visiting certain websites unknowingly, or when placed in certain locations such as "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", it may allow the execution of malicious code upon system reboot. If confirmed malicious, this could allow an attacker to achieve persistence and execute harmful payloads, potentially leading to further system compromise and data loss.
Show query
|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where NOT Filesystem.file_path IN ("*:\\Program Files\\*", "*:\\Program Files (x86)\\*", "*\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", "*:\\Windows\\WinSxS\\*") Filesystem.file_name=*.url by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_user_execution_malicious_url_shortcut_file_filter`Windows VSSVC Process Accessing Defender Engine
Detects vssvc.exe opening a handle to MsMpEng.exe.
In the RedSun exploit, VSS participates in the cloud-file restore race that directs WD to write through the NTFS junction.
This handle acquisition is observed at the exact moment of exploitation.
vssvc querying MsMpEng is not expected in normal operation.
Show query
`sysmon`
EventCode=10
TargetImage="*\\MsMpEng.exe"
SourceImage="*\\vssvc.exe"
| stats count min(_time) as firstTime
max(_time) as lastTime
by EventID GrantedAccess Guid Opcode ProcessID
SourceImage SourceProcessGUID SourceProcessId
TargetImage TargetProcessGUID TargetProcessId
UserID dest CallTrace user_id parent_process_name
parent_process_guid process_name
process_guid process_id signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_vssvc_process_accessing_defender_engine_filter`Windows Visual Basic Commandline Compiler DNSQuery
The following analytic detects instances where vbc.exe, the Visual Basic Command Line Compiler, initiates DNS queries. Normally, vbc.exe operates locally to compile Visual Basic code and does not require internet access or to perform DNS lookups. Therefore, any observed DNS activity originating from vbc.exe is highly suspicious and indicative of potential malicious activity. This behavior often suggests that a malicious payload is masquerading as the legitimate vbc.exe process to establish command-and-control (C2) communication, resolve domains for data exfiltration, or download additional stages of malware. Security teams should investigate the process's parent, command-line arguments, and the resolved domains for further indicators of compromise.
Show query
`sysmon` EventCode=22 process_name="vbc.exe"
| rename dvc as dest
| stats count min(_time) as firstTime max(_time) as lastTime
BY answer answer_count dest
process_exec process_guid process_name
query query_count reply_code_id
signature signature_id src
user_id vendor_product QueryName
QueryResults QueryStatus
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_visual_basic_commandline_compiler_dnsquery_filter`Windows WinDBG Spawning AutoIt3
The following analytic identifies instances of the WinDBG process spawning AutoIt3. This behavior is detected by monitoring endpoint telemetry for processes where 'windbg.exe' is the parent process and 'autoit3.exe' or similar is the child process. This activity is significant because AutoIt3 is frequently used by threat actors for scripting malicious automation, potentially indicating an ongoing attack. If confirmed malicious, this could allow attackers to automate tasks, execute arbitrary code, and further compromise the system, leading to data exfiltration or additional malware deployment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=windbg.exe AND (Processes.process_name IN ("autoit3.exe", "autoit*.exe") OR Processes.original_file_name IN ("autoit3.exe", "autoit*.exe")) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval matches_extension=if(match(process, "\\.(au3|a3x|exe|aut|aup)$"), "Yes", "No") | search matches_extension="Yes" | `windows_windbg_spawning_autoit3_filter`Windows Wmic CPU Discovery
The following analytic detects the use of WMIC (Windows Management Instrumentation Command-line) for CPU discovery, often executed with commands such as “wmic cpu get name” This behavior is commonly associated with reconnaissance, where adversaries seek to gather details about system hardware, assess processing power, or determine if the environment is virtualized. While WMIC is a legitimate administrative tool, its use for CPU queries outside of normal inventory or management scripts can indicate malicious intent. Monitoring command-line executions of WMIC with CPU-related arguments and correlating with other discovery activity can help identify attacker reconnaissance.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_wmic` (Processes.process="* cpu*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_wmic_cpu_discovery_filter`Windows Wmic DiskDrive Discovery
The following analytic detects the use of Windows Management Instrumentation Command-line (WMIC) for disk drive discovery activities on a Windows system. This process involves monitoring commands such as “wmic diskdrive” which are often used by administrators for inventory and diagnostics but can also be leveraged by attackers to enumerate hardware details for malicious purposes. Detecting these commands is essential for identifying potentially unauthorized asset reconnaissance or pre-attack mapping behaviors. By capturing and analyzing WMIC disk drive queries, security teams can gain visibility into suspicious activities, enabling them to respond promptly and strengthen the organization’s security posture against insider threats or lateral movement attempts.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_wmic` (Processes.process="* diskdrive*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_wmic_diskdrive_discovery_filter`Windows Wmic Memory Chip Discovery
The following analytic detects the execution of Windows Management Instrumentation Command-line (WMIC) commands related to memory chip discovery on a Windows system. Specifically, it monitors instances where commands such as “wmic memorychip” are used to retrieve detailed information about installed RAM modules. While these commands can serve legitimate administrative and troubleshooting purposes, they may also be employed by adversaries to gather system hardware specifications as part of their reconnaissance activities. By identifying and alerting on WMIC memory chip queries, security teams can enhance their ability to spot unauthorized information gathering and take proactive measures to mitigate potential threats.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_wmic` (Processes.process="* memorychip*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_wmic_memory_chip_discovery_filter`Windows Wmic Network Discovery
The following analytic detects the execution of Windows Management Instrumentation Command-line (WMIC) commands used for network interface discovery on a Windows system. Specifically, it identifies commands such as “wmic nic” that retrieve detailed information about the network adapters installed on the device. While these commands are commonly used by IT administrators for legitimate network inventory and diagnostics, they can also be leveraged by malicious actors for reconnaissance, enabling them to map network configurations and identify potential targets. Monitoring WMIC network interface queries allows security teams to detect suspicious or unauthorized enumeration activities, supporting early threat identification and response.ß
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_wmic` (Processes.process="* nic*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_wmic_network_discovery_filter`Windows Wmic Systeminfo Discovery
The following analytic detects the execution of Windows Management Instrumentation Command-line (WMIC) commands used for computer system discovery on a Windows system. Specifically, it monitors for commands such as “wmic computersystem” that retrieve detailed information about the computer’s model, manufacturer, name, domain, and other system attributes. While these commands are commonly used by administrators for inventory and troubleshooting, they may also be exploited by adversaries to gain insight into the target environment during the reconnaissance phase of an attack. Identifying and alerting on WMIC computer system queries helps security teams recognize unauthorized information gathering and take steps to mitigate potential threats.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_wmic` (Processes.process="* computersystem*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_wmic_systeminfo_discovery_filter`WordPress Bricks Builder plugin RCE
The following analytic identifies potential exploitation of the WordPress Bricks Builder plugin RCE vulnerability. It detects HTTP POST requests to the URL path "/wp-json/bricks/v1/render_element" with a status code of 200, leveraging the Web datamodel. This activity is significant as it indicates an attempt to exploit CVE-2024-25600, a known vulnerability that allows remote code execution. If confirmed malicious, an attacker could execute arbitrary commands on the target server, leading to potential full system compromise and unauthorized access to sensitive data.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url IN ("*/wp-json/bricks/v1/render_element") Web.status=200 Web.http_method=POST
BY Web.src, Web.dest, Web.http_user_agent,
Web.url, Web.uri_path, Web.status,
Web.http_method, sourcetype, source
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `wordpress_bricks_builder_plugin_rce_filter`Zoom High Video Latency
Detects particularly high latency from Zoom logs. Latency observed from threat actors performing Remote Employment Fraud (REF) is typically well above what’s normal for the majority of employees.
Show query
`zoom_index` | spath "payload.object.participant.qos{}.type" | search "payload.object.participant.qos{}.type"=video_input | rename payload.object.participant.qos{}.details.avg_latency as avg_latency "payload.object.participant.qos{}.details.latency" as latency payload.object.participant.email as email | rex field=avg_latency "(?<average_latency>\d+) ms" | rex field=latency "(?<overall_latency>\d+) ms" | search email="*" | table email overall_latency latency avg_latency average_latency _raw | stats latest(overall_latency) as overall_latency by email _raw | where overall_latency>300 | `zoom_high_video_latency_filter`Showing 951-991 of 991