Tool: Splunk
12,781 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 12,781

WCE wceaux.dll Access
Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host
any where (EventID like~ (4656, 4663)) and ObjectName:"*\\wceaux.dll"

WCE wceaux.dll Access
Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host
from * metadata _id, _index, _version | where (EventID in (4656, 4663)) and ends_with(ObjectName, "\\wceaux.dll")

WCE wceaux.dll Access
Detects wceaux.dll access during WCE pass-the-hash remote command execution on the source host
(EventID:(4656 OR 4663)) AND ObjectName:*\\wceaux.dll

WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
any where ParentImage:"*\\EdgeTransport.exe" and (not (Image:"C:\\Windows\\System32\\conhost.exe" or (Image:"C:\\Program Files\\Microsoft\\Exchange Server\\*" and Image:"*\\Bin\\OleConverter.exe")))

WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\EdgeTransport.exe") and not (Image=="C:\\Windows\\System32\\conhost.exe" or starts_with(Image, "C:\\Program Files\\Microsoft\\Exchange Server\\") and ends_with(Image, "\\Bin\\OleConverter.exe"))

WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
ParentImage:*\\EdgeTransport.exe AND (NOT (Image:C\:\\Windows\\System32\\conhost.exe OR (Image:C\:\\Program\ Files\\Microsoft\\Exchange\ Server\\* AND Image:*\\Bin\\OleConverter.exe)))

WannaCry Ransomware Activity
Detects WannaCry ransomware activity
any where ((Image like~ ("*\\tasksche.exe", "*\\mssecsvc.exe", "*\\taskdl.exe", "*\\taskhsvc.exe", "*\\taskse.exe", "*\\111.exe", "*\\lhdfrgui.exe", "*\\linuxnew.exe", "*\\wannacry.exe")) or Image:"*WanaDecryptor*") or CommandLine:"*@[email protected]*"

WannaCry Ransomware Activity
Detects WannaCry ransomware activity
from * metadata _id, _index, _version | where ends_with(Image, "\\tasksche.exe") or ends_with(Image, "\\mssecsvc.exe") or ends_with(Image, "\\taskdl.exe") or ends_with(Image, "\\taskhsvc.exe") or ends_with(Image, "\\taskse.exe") or ends_with(Image, "\\111.exe") or ends_with(Image, "\\lhdfrgui.exe") or ends_with(Image, "\\linuxnew.exe") or ends_with(Image, "\\wannacry.exe") or Image like "*WanaDecryptor*" or CommandLine like "*@[email protected]*"

WannaCry Ransomware Activity
Detects WannaCry ransomware activity
((Image:(*\\tasksche.exe OR *\\mssecsvc.exe OR *\\taskdl.exe OR *\\taskhsvc.exe OR *\\taskse.exe OR *\\111.exe OR *\\lhdfrgui.exe OR *\\linuxnew.exe OR *\\wannacry.exe)) OR Image:*WanaDecryptor*) OR CommandLine:*@[email protected]*

Webshell Remote Command Execution
Detects possible command execution by web application/web shell
any where type:"SYSCALL" and (SYSCALL like~ ("execve", "execveat")) and euid:33

Webshell Remote Command Execution
Detects possible command execution by web application/web shell
from * metadata _id, _index, _version | where type=="SYSCALL" and (SYSCALL in ("execve", "execveat")) and euid==33

Webshell Remote Command Execution
Detects possible command execution by web application/web shell
type:SYSCALL AND (SYSCALL:(execve OR execveat)) AND euid:33

Win Susp Computer Name Containing Samtheadmin
Detects the suspicious computer name samtheadmin-{1..100}$ generated by a hacktool
any where (SamAccountName:"SAMTHEADMIN-*" and SamAccountName:"*$") or (TargetUserName:"SAMTHEADMIN-*" and TargetUserName:"*$")

Win Susp Computer Name Containing Samtheadmin
Detects the suspicious computer name samtheadmin-{1..100}$ generated by a hacktool
from * metadata _id, _index, _version | where starts_with(SamAccountName, "SAMTHEADMIN-") and ends_with(SamAccountName, "$") or starts_with(TargetUserName, "SAMTHEADMIN-") and ends_with(TargetUserName, "$")

Win Susp Computer Name Containing Samtheadmin
Detects the suspicious computer name samtheadmin-{1..100}$ generated by a hacktool
(SamAccountName:SAMTHEADMIN\-* AND SamAccountName:*$) OR (TargetUserName:SAMTHEADMIN\-* AND TargetUserName:*$)

Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE)
any where TargetObject:"*Services\\WCESERVICE\\Start*"

Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE)
from * metadata _id, _index, _version | where TargetObject like "*Services\\WCESERVICE\\Start*"

Windows Credential Editor Registry
Detects the use of Windows Credential Editor (WCE)
TargetObject:*Services\\WCESERVICE\\Start*

Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
any where ((ParentImage like~ ("*C:\\Windows\\Temp*", "*\\hpqhvind.exe*")) and Image:"C:\\ProgramData\\DRM*") or (ParentImage:"C:\\ProgramData\\DRM*" and Image:"*\\wmplayer.exe") or (ParentImage:"*\\Test.exe" and Image:"*\\wmplayer.exe") or Image:"C:\\ProgramData\\DRM\\CLR\\CLR.exe" or (ParentImage:"C:\\ProgramData\\DRM\\Windows*" and Image:"*\\SearchFilterHost.exe")

Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
from * metadata _id, _index, _version | where (ParentImage like "*C:\\Windows\\Temp*" or ParentImage like "*\\hpqhvind.exe*") and starts_with(Image, "C:\\ProgramData\\DRM") or starts_with(ParentImage, "C:\\ProgramData\\DRM") and ends_with(Image, "\\wmplayer.exe") or ends_with(ParentImage, "\\Test.exe") and ends_with(Image, "\\wmplayer.exe") or Image=="C:\\ProgramData\\DRM\\CLR\\CLR.exe" or starts_with(ParentImage, "C:\\ProgramData\\DRM\\Windows") and ends_with(Image, "\\SearchFilterHost.exe")

Winnti Malware HK University Campaign
Detects specific process characteristics of Winnti malware noticed in Dec/Jan 2020 in a campaign against Hong Kong universities
((ParentImage:(*C\:\\Windows\\Temp* OR *\\hpqhvind.exe*)) AND Image:C\:\\ProgramData\\DRM*) OR (ParentImage:C\:\\ProgramData\\DRM* AND Image:*\\wmplayer.exe) OR (ParentImage:*\\Test.exe AND Image:*\\wmplayer.exe) OR Image:C\:\\ProgramData\\DRM\\CLR\\CLR.exe OR (ParentImage:C\:\\ProgramData\\DRM\\Windows* AND Image:*\\SearchFilterHost.exe)

Winnti Pipemon Characteristics
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
any where CommandLine:"*setup0.exe -p*" or (CommandLine:"*setup.exe*" and (CommandLine like~ ("*-x:0", "*-x:1", "*-x:2")))

Winnti Pipemon Characteristics
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
from * metadata _id, _index, _version | where CommandLine like "*setup0.exe -p*" or CommandLine like "*setup.exe*" and (ends_with(CommandLine, "-x:0") or ends_with(CommandLine, "-x:1") or ends_with(CommandLine, "-x:2"))

Winnti Pipemon Characteristics
Detects specific process characteristics of Winnti Pipemon malware reported by ESET
CommandLine:*setup0.exe\ \-p* OR (CommandLine:*setup.exe* AND (CommandLine:(*\-x\:0 OR *\-x\:1 OR *\-x\:2)))

Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
any where TargetFilename regex~ "\\Windows\\__1\d{9}\.\d{1,7}$" or TargetFilename regex~ "C:\\__1\d{9}\.\d{1,7}$" or TargetFilename regex~ "D:\\__1\d{9}\.\d{1,7}$"

Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
from * metadata _id, _index, _version | where TargetFilename rlike "\\\\Windows\\\\__1\\d{9}\\.\\d{1,7}$" or TargetFilename rlike "C:\\\\__1\\d{9}\\.\\d{1,7}$" or TargetFilename rlike "D:\\\\__1\\d{9}\\.\\d{1,7}$"

Wmiexec Default Output File
Detects the creation of the default output filename used by the wmiexec tool
TargetFilename:/\\Windows\\__1\d{9}\.\d{1,7}$/ OR TargetFilename:/C:\\__1\d{9}\.\d{1,7}$/ OR TargetFilename:/D:\\__1\d{9}\.\d{1,7}$/

Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
any where Image:"System" and TargetFilename:"*\\wbem\\wbemcomn.dll"

Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
from * metadata _id, _index, _version | where Image=="System" and ends_with(TargetFilename, "\\wbem\\wbemcomn.dll")

Wmiprvse Wbemcomn DLL Hijack - File
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario.
Image:System AND TargetFilename:*\\wbem\\wbemcomn.dll

Zerologon Exploitation Using Well-known Tools
This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the mimikatz zerologon module or other exploits from a machine with the "kali" hostname.
any where (EventID like~ (5805, 5723)) and ("kali" or "mimikatz")

Zerologon Exploitation Using Well-known Tools
This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the mimikatz zerologon module or other exploits from a machine with the "kali" hostname.
(EventID:(5805 OR 5723)) AND (*kali* OR *mimikatz*)

ZxShell Malware
Detects a ZxShell start by its well-known called function names
any where Image:"*\\rundll32.exe" and (CommandLine like~ ("*zxFunction*", "*RemoteDiskXXXXX*"))

ZxShell Malware
Detects a ZxShell start by its well-known called function names
from * metadata _id, _index, _version | where ends_with(Image, "\\rundll32.exe") and (CommandLine like "*zxFunction*" or CommandLine like "*RemoteDiskXXXXX*")

ZxShell Malware
Detects a ZxShell start by its well-known called function names
Image:*\\rundll32.exe AND (CommandLine:(*zxFunction* OR *RemoteDiskXXXXX*))

Elastic · Converted · EQL · high
.RDP File Created By Uncommon Application
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
any where TargetFilename:"*.rdp" and (Image like~ ("*\\brave.exe", "*\\CCleaner Browser\\Application\\CCleanerBrowser.exe", "*\\chromium.exe", "*\\firefox.exe", "*\\Google\\Chrome\\Application\\chrome.exe", "*\\iexplore.exe", "*\\microsoftedge.exe", "*\\msedge.exe", "*\\Opera.exe", "*\\Vivaldi.exe", "*\\Whale.exe", "*\\olk.exe", "*\\Outlook.exe", "*\\RuntimeBroker.exe", "*\\Thunderbird.exe", "*\\Discord.exe", "*\\Keybase.exe", "*\\msteams.exe", "*\\Slack.exe", "*\\teams.exe"))

Elastic · Converted · ES|QL · high
.RDP File Created By Uncommon Application
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
from * metadata _id, _index, _version | where ends_with(TargetFilename, ".rdp") and (ends_with(Image, "\\brave.exe") or ends_with(Image, "\\CCleaner Browser\\Application\\CCleanerBrowser.exe") or ends_with(Image, "\\chromium.exe") or ends_with(Image, "\\firefox.exe") or ends_with(Image, "\\Google\\Chrome\\Application\\chrome.exe") or ends_with(Image, "\\iexplore.exe") or ends_with(Image, "\\microsoftedge.exe") or ends_with(Image, "\\msedge.exe") or ends_with(Image, "\\Opera.exe") or ends_with(Image, "\\Vivaldi.exe") or ends_with(Image, "\\Whale.exe") or ends_with(Image, "\\olk.exe") or ends_with(Image, "\\Outlook.exe") or ends_with(Image, "\\RuntimeBroker.exe") or ends_with(Image, "\\Thunderbird.exe") or ends_with(Image, "\\Discord.exe") or ends_with(Image, "\\Keybase.exe") or ends_with(Image, "\\msteams.exe") or ends_with(Image, "\\Slack.exe") or ends_with(Image, "\\teams.exe"))

Elastic · Converted · Lucene · high
.RDP File Created By Uncommon Application
Detects creation of a file with an ".rdp" extension by an application that doesn't commonly create such files.
TargetFilename:*.rdp AND (Image:(*\\brave.exe OR *\\CCleaner\ Browser\\Application\\CCleanerBrowser.exe OR *\\chromium.exe OR *\\firefox.exe OR *\\Google\\Chrome\\Application\\chrome.exe OR *\\iexplore.exe OR *\\microsoftedge.exe OR *\\msedge.exe OR *\\Opera.exe OR *\\Vivaldi.exe OR *\\Whale.exe OR *\\olk.exe OR *\\Outlook.exe OR *\\RuntimeBroker.exe OR *\\Thunderbird.exe OR *\\Discord.exe OR *\\Keybase.exe OR *\\msteams.exe OR *\\Slack.exe OR *\\teams.exe))

Elastic · Converted · EQL · high
AADInternals PowerShell Cmdlets Execution - ProccessCreation
Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
any where ((Image like~ ("*\\powershell.exe", "*\\powershell_ise.exe", "*\\pwsh.exe")) or (OriginalFileName like~ ("PowerShell.Exe", "pwsh.dll"))) and (CommandLine like~ ("*Add-AADInt*", "*ConvertTo-AADInt*", "*Disable-AADInt*", "*Enable-AADInt*", "*Export-AADInt*", "*Find-AADInt*", "*Get-AADInt*", "*Grant-AADInt*", "*Initialize-AADInt*", "*Install-AADInt*", "*Invoke-AADInt*", "*Join-AADInt*", "*New-AADInt*", "*Open-AADInt*", "*Read-AADInt*", "*Register-AADInt*", "*Remove-AADInt*", "*Reset-AADInt*", "*Resolve-AADInt*", "*Restore-AADInt*", "*Save-AADInt*", "*Search-AADInt*", "*Send-AADInt*", "*Set-AADInt*", "*Start-AADInt*", "*Unprotect-AADInt*", "*Update-AADInt*"))

Elastic · Converted · ES|QL · high
AADInternals PowerShell Cmdlets Execution - ProccessCreation
Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
from * metadata _id, _index, _version | where (ends_with(Image, "\\powershell.exe") or ends_with(Image, "\\powershell_ise.exe") or ends_with(Image, "\\pwsh.exe") or OriginalFileName in ("PowerShell.Exe", "pwsh.dll")) and (CommandLine like "*Add-AADInt*" or CommandLine like "*ConvertTo-AADInt*" or CommandLine like "*Disable-AADInt*" or CommandLine like "*Enable-AADInt*" or CommandLine like "*Export-AADInt*" or CommandLine like "*Find-AADInt*" or CommandLine like "*Get-AADInt*" or CommandLine like "*Grant-AADInt*" or CommandLine like "*Initialize-AADInt*" or CommandLine like "*Install-AADInt*" or CommandLine like "*Invoke-AADInt*" or CommandLine like "*Join-AADInt*" or CommandLine like "*New-AADInt*" or CommandLine like "*Open-AADInt*" or CommandLine like "*Read-AADInt*" or CommandLine like "*Register-AADInt*" or CommandLine like "*Remove-AADInt*" or CommandLine like "*Reset-AADInt*" or CommandLine like "*Resolve-AADInt*" or CommandLine like "*Restore-AADInt*" or CommandLine like "*Save-AADInt*" or CommandLine like "*Search-AADInt*" or CommandLine like "*Send-AADInt*" or CommandLine like "*Set-AADInt*" or CommandLine like "*Start-AADInt*" or CommandLine like "*Unprotect-AADInt*" or CommandLine like "*Update-AADInt*")

Elastic · Converted · Lucene · high
AADInternals PowerShell Cmdlets Execution - ProccessCreation
Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
((Image:(*\\powershell.exe OR *\\powershell_ise.exe OR *\\pwsh.exe)) OR (OriginalFileName:(PowerShell.Exe OR pwsh.dll))) AND (CommandLine:(*Add\-AADInt* OR *ConvertTo\-AADInt* OR *Disable\-AADInt* OR *Enable\-AADInt* OR *Export\-AADInt* OR *Find\-AADInt* OR *Get\-AADInt* OR *Grant\-AADInt* OR *Initialize\-AADInt* OR *Install\-AADInt* OR *Invoke\-AADInt* OR *Join\-AADInt* OR *New\-AADInt* OR *Open\-AADInt* OR *Read\-AADInt* OR *Register\-AADInt* OR *Remove\-AADInt* OR *Reset\-AADInt* OR *Resolve\-AADInt* OR *Restore\-AADInt* OR *Save\-AADInt* OR *Search\-AADInt* OR *Send\-AADInt* OR *Set\-AADInt* OR *Start\-AADInt* OR *Unprotect\-AADInt* OR *Update\-AADInt*))

Elastic · Converted · EQL · high
AADInternals PowerShell Cmdlets Execution - PsScript
Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
any where ScriptBlockText like~ ("*Add-AADInt*", "*ConvertTo-AADInt*", "*Disable-AADInt*", "*Enable-AADInt*", "*Export-AADInt*", "*Find-AADInt*", "*Get-AADInt*", "*Grant-AADInt*", "*Initialize-AADInt*", "*Install-AADInt*", "*Invoke-AADInt*", "*Join-AADInt*", "*New-AADInt*", "*Open-AADInt*", "*Read-AADInt*", "*Register-AADInt*", "*Remove-AADInt*", "*Reset-AADInt*", "*Resolve-AADInt*", "*Restore-AADInt*", "*Save-AADInt*", "*Search-AADInt*", "*Send-AADInt*", "*Set-AADInt*", "*Start-AADInt*", "*Unprotect-AADInt*", "*Update-AADInt*")

Elastic · Converted · ES|QL · high
AADInternals PowerShell Cmdlets Execution - PsScript
Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
from * metadata _id, _index, _version | where ScriptBlockText like "*Add-AADInt*" or ScriptBlockText like "*ConvertTo-AADInt*" or ScriptBlockText like "*Disable-AADInt*" or ScriptBlockText like "*Enable-AADInt*" or ScriptBlockText like "*Export-AADInt*" or ScriptBlockText like "*Find-AADInt*" or ScriptBlockText like "*Get-AADInt*" or ScriptBlockText like "*Grant-AADInt*" or ScriptBlockText like "*Initialize-AADInt*" or ScriptBlockText like "*Install-AADInt*" or ScriptBlockText like "*Invoke-AADInt*" or ScriptBlockText like "*Join-AADInt*" or ScriptBlockText like "*New-AADInt*" or ScriptBlockText like "*Open-AADInt*" or ScriptBlockText like "*Read-AADInt*" or ScriptBlockText like "*Register-AADInt*" or ScriptBlockText like "*Remove-AADInt*" or ScriptBlockText like "*Reset-AADInt*" or ScriptBlockText like "*Resolve-AADInt*" or ScriptBlockText like "*Restore-AADInt*" or ScriptBlockText like "*Save-AADInt*" or ScriptBlockText like "*Search-AADInt*" or ScriptBlockText like "*Send-AADInt*" or ScriptBlockText like "*Set-AADInt*" or ScriptBlockText like "*Start-AADInt*" or ScriptBlockText like "*Unprotect-AADInt*" or ScriptBlockText like "*Update-AADInt*"

Elastic · Converted · Lucene · high
AADInternals PowerShell Cmdlets Execution - PsScript
Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365, which can be abused by threat actors to attack Azure AD or Office 365.
ScriptBlockText:(*Add\-AADInt* OR *ConvertTo\-AADInt* OR *Disable\-AADInt* OR *Enable\-AADInt* OR *Export\-AADInt* OR *Find\-AADInt* OR *Get\-AADInt* OR *Grant\-AADInt* OR *Initialize\-AADInt* OR *Install\-AADInt* OR *Invoke\-AADInt* OR *Join\-AADInt* OR *New\-AADInt* OR *Open\-AADInt* OR *Read\-AADInt* OR *Register\-AADInt* OR *Remove\-AADInt* OR *Reset\-AADInt* OR *Resolve\-AADInt* OR *Restore\-AADInt* OR *Save\-AADInt* OR *Search\-AADInt* OR *Send\-AADInt* OR *Set\-AADInt* OR *Start\-AADInt* OR *Unprotect\-AADInt* OR *Update\-AADInt*)

AD Privileged Users or Groups Reconnaissance
Detects privileged user or group reconnaissance based on event ID 4661 and the SIDs of known privileged users or groups
any where (EventID:4661 and (ObjectType like~ ("SAM_USER", "SAM_GROUP"))) and ((ObjectName like~ ("*-512", "*-502", "*-500", "*-505", "*-519", "*-520", "*-544", "*-551", "*-555")) or ObjectName:"*admin*") and (not SubjectUserName:"*$")

AD Privileged Users or Groups Reconnaissance
Detects privileged user or group reconnaissance based on event ID 4661 and the SIDs of known privileged users or groups
from * metadata _id, _index, _version | where EventID==4661 and (ObjectType in ("SAM_USER", "SAM_GROUP")) and (ends_with(ObjectName, "-512") or ends_with(ObjectName, "-502") or ends_with(ObjectName, "-500") or ends_with(ObjectName, "-505") or ends_with(ObjectName, "-519") or ends_with(ObjectName, "-520") or ends_with(ObjectName, "-544") or ends_with(ObjectName, "-551") or ends_with(ObjectName, "-555") or ObjectName like "*admin*") and not ends_with(SubjectUserName, "$")

AD Privileged Users or Groups Reconnaissance
Detects privileged user or group reconnaissance based on event ID 4661 and the SIDs of known privileged users or groups
(EventID:4661 AND (ObjectType:(SAM_USER OR SAM_GROUP))) AND ((ObjectName:(*\-512 OR *\-502 OR *\-500 OR *\-505 OR *\-519 OR *\-520 OR *\-544 OR *\-551 OR *\-555)) OR ObjectName:*admin*) AND (NOT SubjectUserName:*$)

Elastic · Converted · EQL · high
ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects certificate template creation or modification where the template lets the enrollee supply the subject and carries a risky EKU
any where ((EventID:4898 and (TemplateContent like~ ("*1.3.6.1.5.5.7.3.2*", "*1.3.6.1.5.2.3.4*", "*1.3.6.1.4.1.311.20.2.2*", "*2.5.29.37.0*"))) and TemplateContent:"*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*") or ((EventID:4899 and (NewTemplateContent like~ ("*1.3.6.1.5.5.7.3.2*", "*1.3.6.1.5.2.3.4*", "*1.3.6.1.4.1.311.20.2.2*", "*2.5.29.37.0*"))) and NewTemplateContent:"*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*")

Elastic · Converted · ES|QL · high
ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects certificate template creation or modification where the template lets the enrollee supply the subject and carries a risky EKU
from * metadata _id, _index, _version | where EventID==4898 and (TemplateContent like "*1.3.6.1.5.5.7.3.2*" or TemplateContent like "*1.3.6.1.5.2.3.4*" or TemplateContent like "*1.3.6.1.4.1.311.20.2.2*" or TemplateContent like "*2.5.29.37.0*") and TemplateContent like "*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*" or EventID==4899 and (NewTemplateContent like "*1.3.6.1.5.5.7.3.2*" or NewTemplateContent like "*1.3.6.1.5.2.3.4*" or NewTemplateContent like "*1.3.6.1.4.1.311.20.2.2*" or NewTemplateContent like "*2.5.29.37.0*") and NewTemplateContent like "*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*"

Elastic · Converted · Lucene · high
ADCS Certificate Template Configuration Vulnerability with Risky EKU
Detects certificate template creation or modification where the template lets the enrollee supply the subject and carries a risky EKU
((EventID:4898 AND (TemplateContent:(*1.3.6.1.5.5.7.3.2* OR *1.3.6.1.5.2.3.4* OR *1.3.6.1.4.1.311.20.2.2* OR *2.5.29.37.0*))) AND TemplateContent:*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*) OR ((EventID:4899 AND (NewTemplateContent:(*1.3.6.1.5.5.7.3.2* OR *1.3.6.1.5.2.3.4* OR *1.3.6.1.4.1.311.20.2.2* OR *2.5.29.37.0*))) AND NewTemplateContent:*CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT*)

Showing 501-550 of 12,781