Splunk
12,781 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
ADSelfService Exploitation
Detects suspicious access to URLs that were observed in cases in which attackers exploited the ADSelfService vulnerability CVE-2021-40539
EQL: any where cs-uri-query like~ ("*/help/admin-guide/Reports/ReportGenerate.jsp*", "*/ServletApi/../RestApi/LogonCustomization*", "*/ServletApi/../RestAPI/Connection*")
ESQL: from * metadata _id, _index, _version | where `cs-uri-query` like "*/help/admin-guide/Reports/ReportGenerate.jsp*" or `cs-uri-query` like "*/ServletApi/../RestApi/LogonCustomization*" or `cs-uri-query` like "*/ServletApi/../RestAPI/Connection*"
Lucene: cs-uri-query:(*\/help\/admin\-guide\/Reports\/ReportGenerate.jsp* OR *\/ServletApi\/..\/RestApi\/LogonCustomization* OR *\/ServletApi\/..\/RestAPI\/Connection*)
AMSI Bypass Pattern Assembly GetType
Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
EQL: any where ScriptBlockText:"*[Ref].Assembly.GetType*" and ScriptBlockText:"*SetValue($null,$true)*" and ScriptBlockText:"*NonPublic,Static*"
ESQL: from * metadata _id, _index, _version | where ScriptBlockText like "*[Ref].Assembly.GetType*" and ScriptBlockText like "*SetValue($null,$true)*" and ScriptBlockText like "*NonPublic,Static*"
Lucene: ScriptBlockText:*\[Ref\].Assembly.GetType* AND ScriptBlockText:*SetValue\($null,$true\)* AND ScriptBlockText:*NonPublic,Static*
AMSI Disabled via Registry Modification
Detects attempts to disable AMSI (Anti-Malware Scan Interface) by modifying the AmsiEnable registry value.
Anti-Malware Scan Interface (AMSI) is a security feature in Windows that allows applications and services to integrate with anti-malware products for enhanced protection against malicious content.
Adversaries may attempt to disable AMSI to evade detection by security software, allowing them to execute malicious scripts or code without being scanned.
EQL: any where TargetObject:"*\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable" and Details:"DWORD (0x00000000)"
ESQL: from * metadata _id, _index, _version | where ends_with(TargetObject, "\\Software\\Microsoft\\Windows Script\\Settings\\AmsiEnable") and Details=="DWORD (0x00000000)"
Lucene: TargetObject:*\\Software\\Microsoft\\Windows\ Script\\Settings\\AmsiEnable AND Details:DWORD\ \(0x00000000\)
APT PRIVATELOG Image Load Pattern
Detects an image load pattern seen when the tool named PRIVATELOG is used and rarely observed under legitimate circumstances
EQL: any where Image:"*\\svchost.exe" and ImageLoaded:"*\\clfsw32.dll"
ESQL: from * metadata _id, _index, _version | where ends_with(Image, "\\svchost.exe") and ends_with(ImageLoaded, "\\clfsw32.dll")
Lucene: Image:*\\svchost.exe AND ImageLoaded:*\\clfsw32.dll
APT User Agent
Detects suspicious user agent strings used in APT malware in proxy logs
EQL: any where c-useragent like~ ("SJZJ (compatible; MSIE 6.0; Win32)", "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0", "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC", "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)", "webclient", "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200", "Mozilla/4.0 (compatible; MSI 6.0;", "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0", "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/", "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2", "Mozilla/4.0", "Netscape", "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7", "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)", "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)", "Mozilla/4.0 (compatible; MSIE 8.0; Win32)", "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1", "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)", "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko", "Mozilla v5.1 *", "MSIE 8.0", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)", "Mozilla/4.0 (compatible; RMS)", "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)", "O/9.27 (W; U; Z)", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*", "Mozilla/5.0 (Windows NT 9; *", "hots scot", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)", "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36", "Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;", "Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0", "Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)", "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001")
ESQL: from * metadata _id, _index, _version | where `c-useragent`=="SJZJ (compatible; MSIE 6.0; Win32)" or `c-useragent`=="Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0" or `c-useragent`=="User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC" or `c-useragent`=="Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)" or `c-useragent`=="webclient" or `c-useragent`=="Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200" or `c-useragent`=="Mozilla/4.0 (compatible; MSI 6.0;" or `c-useragent`=="Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0" or `c-useragent`=="Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/" or `c-useragent`=="Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2" or `c-useragent`=="Mozilla/4.0" or `c-useragent`=="Netscape" or `c-useragent`=="Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7" or `c-useragent`=="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1" or `c-useragent`=="Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" or `c-useragent`=="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)" or `c-useragent`=="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)" or `c-useragent`=="Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)" or `c-useragent`=="Mozilla/4.0 (compatible; MSIE 8.0; Win32)" or `c-useragent`=="Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1" or `c-useragent`=="Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)" or `c-useragent`=="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)" or `c-useragent`=="Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko" or starts_with(`c-useragent`, "Mozilla v5.1 ") or `c-useragent`=="MSIE 8.0" or `c-useragent`=="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)" or `c-useragent`=="Mozilla/4.0 (compatible; RMS)" or `c-useragent`=="Mozilla/4.0 (compatible; MSIE 6.0; DynGate)" or `c-useragent`=="O/9.27 (W; U; Z)" or starts_with(`c-useragent`, "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0") or starts_with(`c-useragent`, "Mozilla/5.0 (Windows NT 9; ") or `c-useragent`=="hots scot" or `c-useragent`=="Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)" or `c-useragent`=="Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36" or `c-useragent`=="Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)" or `c-useragent`=="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;" or `c-useragent`=="Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0" or `c-useragent`=="Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36" or `c-useragent`=="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0" or `c-useragent`=="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39" or `c-useragent`=="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)" or `c-useragent`=="Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 10.0; .NET4.0C; .NET4.0E; Tablet PC 2.0)" or `c-useragent`=="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001"
Lucene: c-useragent:(SJZJ\ \(compatible;\ MSIE\ 6.0;\ Win32\) OR Mozilla\/5.0\ \(Windows\ NT\ 6.;\ WOW64;\ rv\:20.0\)\ Gecko\/20100101\ Firefox\/20.0 OR User\-Agent\:\ Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.1;\ Trident\/4.0;\ SLCC OR Mozilla\/4.0\ \(compatible;\ MSIE\ 7.4;\ Win32;32\-bit\) OR webclient OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ zh\-EN;\ rv\:1.7.12\)\ Gecko\/200 OR Mozilla\/4.0\ \(compatible;\ MSI\ 6.0; OR Mozilla\/5.0\ \(Windows\ NT\ 6.3;\ WOW64;\ rv\:28.0\)\ Gecko\/20100101\ Firefox\/28.0 OR Mozilla\/5.0\ \(Windows\ NT\ 6.2;\ WOW64;\ rv\:20.0\)\ Gecko\/20100101\ Firefox\/ OR Mozilla\/5.0\ \(Windows\ NT\ 6.;\ WOW64;\ rv\:20.0\)\ Gecko\/20100101\ Firefox\/2 OR Mozilla\/4.0 OR Netscape OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ zh\-EN;\ rv\:1.7.12\)\ Gecko\/20100719\ Firefox\/1.0.7 OR Mozilla\/5.0\ \(Windows;\ U;\ Windows\ NT\ 5.1;\ en\-US;\ rv\:1.9.2.13\)\ Firefox\/3.6.13\ GTB7.1 OR Mozilla\/5.0\ \(compatible;\ MSIE\ 9.0;\ Windows\ NT\ 6.1;\ WOW64;\ Trident\/5.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.1;\ WOW64;\ Trident\/4.0;\ SLCC2;\ .NETCLR\ 2.0.50727\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Windows\ NT\ 6.0;\ SV1\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 11.0;\ Windows\ NT\ 6.1;\ SV1\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 8.0;\ Win32\) OR Mozilla\ v5.1\ \(Windows\ NT\ 6.1;\ rv\:6.0.1\)\ Gecko\/20100101\ Firefox\/6.0.1 OR Mozilla\/6.1\ \(compatible;\ MSIE\ 9.0;\ Windows\ NT\ 5.3;\ Trident\/5.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.1;\ SV1;\ .NET\ CLR\ 1.1.4322;\ .NET\ CLR\ 2.0.50727;\ .NET\ CLR\ 3.0.04506.30;\ .NET\ CLR\ 3.0.04506.648;\ InfoPath.1\) OR Mozilla\/5.0\ \(Windows\ NT\ 6.1;\ WOW64\)\ WinHttp\/1.6.3.8\ \(WinHTTP\/5.1\)\ like\ Gecko OR Mozilla\ v5.1\ * OR MSIE\ 8.0 OR Mozilla\/4.0\ \(compatible;\ MSIE\ 7.0;\ Windows\ NT\ 6.1;\ SLCC2;\ .NET\ CLR\ 2.0.50727;\ .NET\ CLR\ 3.5.30729;\ .NET\ CLR\ 3.0.30729;\ Media\ Center\ PC\ 6.0;\ .NET4.0C;\ .NET4.0E;\ InfoPath.2\) OR Mozilla\/4.0\ \(compatible;\ RMS\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ DynGate\) OR O\/9.27\ \(W;\ U;\ Z\) OR Mozilla\/5.0\ \(compatible;\ MSIE\ 9.0;\ Windows\ NT\ 6.0;\ Trident\/5.0;\ \ Trident\/5.0* OR Mozilla\/5.0\ \(Windows\ NT\ 9;\ * OR hots\ scot OR Mozilla\/5.0\ \(compatible;\ MSIE\ 10.0;\ Windows\ NT\) OR Mozilla\/5.0\ \(Windows\ NT\ 6.1;\ WOW64\)\ Chrome\/28.0.1500.95\ Safari\/537.36 OR Mozilla\/5.0\ \(Windows\ NT\ 6.2;\ Win32;\ rv\:47.0\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 6.0;\ Windows\ NT\ 5.1;SV1; OR Mozilla\/5.0\ \(X11;\ Linux\ i686;\ rv\:22.0\)\ Firefox\/22.0 OR Mozilla\/5.0\ Chrome\/72.0.3626.109\ Safari\/537.36 OR Mozilla\/5.0\ \(Windows\ NT\ 10.0;\ Win64;\ x64;\ rv\:FTS_06\)\ Gecko\/22.36.35.06\ Firefox\/2.0 OR Mozilla\/5.0\ \(Windows\ NT\ 10.0;\ Win64;\ x64\)\ AppleWebKit\/537.36\ \(KHTML,\ like\ Gecko\)\ Chrome\/102.0.5005.63\ Safari\/537.36\ Edg\/100.0.1185.39 OR Mozilla\/4.0\ \(compatible;\ MSIE\ 7.0;\ Windows\ NT\ 6.1;\ WOW64;\ Trident\/4.0;\ SLCC2;\ .NET\ CLR\ 2.0.50727;\ .NET\ CLR\ 3.5.30729;\ .NET\ CLR\ 3.0.30729;\ InfoPath.3;\ .NET4.0C;\ .NET4.0E\) OR Mozilla\/4.0\ \(compatible;\ MSIE\ 9.0;\ Windows\ NT\ 10.0;\ .NET4.0C;\ .NET4.0E;\ Tablet\ PC\ 2.0\) OR Mozilla\/5.0\ \(Windows\ NT\ 10.0;\ Win64;\ x64\)\ AppleWebKit\/537.36\ \(KHTML,\ like\ Gecko\)\ Chrome\/42.0.2311.135\ Safari\/537.36\ Edge\/12.246001)
APT40 Dropbox Tool User Agent
Detects the suspicious user agent string of the APT40 Dropbox tool
EQL: any where c-useragent:"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36" and cs-host:"api.dropbox.com"
ESQL: from * metadata _id, _index, _version | where `c-useragent`=="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36" and `cs-host`=="api.dropbox.com"
Lucene: c-useragent:Mozilla\/5.0\ \(Windows\ NT\ 6.1;\ WOW64\)\ AppleWebKit\/537.36\ \(KHTML,\ like\ Gecko\)\ Chrome\/36.0.1985.143\ Safari\/537.36 AND cs-host:api.dropbox.com
ASLR Disabled Via Sysctl or Direct Syscall - Linux
Detects actions that disable Address Space Layout Randomization (ASLR) in Linux, including:
- Use of the `personality` syscall with the ADDR_NO_RANDOMIZE flag (0x0040000)
- Modification of the /proc/sys/kernel/randomize_va_space file
- Execution of the `sysctl` command to set `kernel.randomize_va_space=0`
Disabling ASLR is often used by attackers during exploit development or to bypass memory protection mechanisms.
A successful use of these methods can reduce the effectiveness of ASLR and make memory corruption attacks more reliable.
EQL: any where (type:"SYSCALL" and SYSCALL:"personality" and a0:40000) or (type:"EXECVE" and a0:"sysctl" and a1:"-w" and a2:"kernel.randomize_va_space=0")
ESQL: from * metadata _id, _index, _version | where type=="SYSCALL" and SYSCALL=="personality" and a0==40000 or type=="EXECVE" and a0=="sysctl" and a1=="-w" and a2=="kernel.randomize_va_space=0"
Lucene: (type:SYSCALL AND SYSCALL:personality AND a0:40000) OR (type:EXECVE AND a0:sysctl AND a1:\-w AND a2:kernel.randomize_va_space\=0)
AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN
Detects successful `AssumeRoleWithWebIdentity` where the caller identity is a Kubernetes service account and the source
autonomous system organization is present but not `Amazon.com, Inc.`. EKS workloads that obtain IAM credentials via IAM Roles
for Service Accounts (IRSA) normally reach STS from AWS-managed or AWS-associated networks; the same identity from a clearly
external ASN can indicate a stolen or misused projected service-account token being exchanged for IAM credentials off-cluster.
Elastic · Original · ESQL · high
AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
Identifies multiple successive failed attempts to use denied model resources within AWS Bedrock. This could indicate
attempts to bypass limitations of other approved models, or to force an impact on the environment by incurring
exorbitant costs.
Elastic · Original · ESQL · high
AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
Identifies multiple validation exception errors within AWS Bedrock. Validation errors occur when you run the
InvokeModel or InvokeModelWithResponseStream APIs on a foundation model that uses an incorrect inference parameter or
corresponding value. These errors also occur when you use an inference parameter for one model with a model that doesn't
have the same API parameter. This could indicate attempts to bypass limitations of other approved models, or to force an
impact on the environment by incurring exorbitant costs.
AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key
Detects when an AWS principal using long-term IAM user credentials (AKIA* access key) enumerates available Bedrock
foundation models and then invokes a model within the same 15-minute window. Most legitimate Bedrock workloads run under
IAM roles with short-lived credentials; the combination of model enumeration followed by direct model invocation from a
long-term IAM user key is unusual in production environments and consistent with an adversary using stolen credentials
to discover and exploit available AI model capabilities. This pattern is associated with LLMjacking attacks where threat
actors abuse compromised cloud credentials to run high-volume or high-cost model inference at the account owner's
expense.
AWS Bedrock Model Invocation Logging Disabled or Modified
Detects when an AWS Bedrock model invocation logging configuration is deleted or overwritten via the
DeleteModelInvocationLoggingConfiguration or PutModelInvocationLoggingConfiguration API calls. Model invocation logging
is the source that feeds the logs-aws_bedrock.invocation-* dataset relied upon by all data-plane Bedrock detections. An
adversary who has gained access to a Bedrock environment can blind defenders by deleting this configuration, or by using
the Put API to redirect logs to an attacker-controlled or non-monitored S3 bucket or CloudWatch log group. Because this
single control-plane action can neutralize the entire data-plane detection stack, it is a high-value evasion technique
that should be validated against expected administrative change activity.
AWS Config Disabling Channel/Recorder
Detects disabling of the AWS Config service
EQL: any where eventSource:"config.amazonaws.com" and (eventName like~ ("DeleteDeliveryChannel", "StopConfigurationRecorder"))
ESQL: from * metadata _id, _index, _version | where eventSource=="config.amazonaws.com" and (eventName in ("DeleteDeliveryChannel", "StopConfigurationRecorder"))
Lucene: eventSource:config.amazonaws.com AND (eventName:(DeleteDeliveryChannel OR StopConfigurationRecorder))
AWS Configuration Recorder Stopped
Identifies when an AWS Config configuration recorder is stopped. AWS Config recorders continuously track and record
configuration changes across supported AWS resources. Stopping the recorder immediately reduces visibility into
infrastructure changes and can be abused by adversaries to evade detection, obscure follow-on activity, or weaken
compliance and security monitoring controls.
AWS Credentials Searched For Inside A Container
This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a
container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or
facilitate a container breakout to the underlying cloud environment.
AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure
Detects AWS access keys that are used from both GitHub Actions CI/CD infrastructure and non-CI/CD infrastructure.
This pattern indicates potential credential theft, where an attacker has stolen AWS credentials configured as GitHub
Actions secrets and is using them from their own infrastructure.
AWS EC2 Instance Console Login via Assumed Role
Detects successful AWS Management Console or federation login activity performed using an EC2 instance’s assumed role
credentials. EC2 instances typically use temporary credentials to make API calls, not to authenticate interactively via
the console. A successful "ConsoleLogin" or "GetSigninToken" event using a session pattern that includes "i-" (the EC2
instance ID) is highly anomalous and may indicate that an adversary obtained the instance’s temporary credentials from
the instance metadata service (IMDS) and used them to access the console. Such activity can enable lateral movement,
privilege escalation, or persistence within the AWS account.
AWS EC2 Instance Profile Associated with Running Instance
Identifies when an IAM instance profile is associated with a running EC2 instance or replaces the existing association.
These APIs change which role credentials the instance obtains via the instance metadata service without terminating the
instance. Attackers who can call `AssociateIamInstanceProfile` or `ReplaceIamInstanceProfile` may attach a more
privileged role to a workload they control, enabling privilege escalation or lateral movement from the instance.
AWS EC2 Startup Shell Script Change
Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
EQL: any where eventSource:"ec2.amazonaws.com" and requestParameters.attribute:"userData" and eventName:"ModifyInstanceAttribute"
ESQL: from * metadata _id, _index, _version | where eventSource=="ec2.amazonaws.com" and requestParameters.attribute=="userData" and eventName=="ModifyInstanceAttribute"
Lucene: eventSource:ec2.amazonaws.com AND requestParameters.attribute:userData AND eventName:ModifyInstanceAttribute
AWS EC2 Stop, Start, and User Data Modification Correlation
Identifies a short sequence of EC2 management APIs against the same instance that is consistent with modifying instance
user data and forcing it to run on the next boot: `ModifyInstanceAttribute` with user data, followed by stop and start.
Adversaries may update `userData` and cycle instance state so malicious scripts execute as root on Linux or as the
system context on Windows. This rule correlates successful `StopInstances`, `StartInstances`, and
`ModifyInstanceAttribute` events that reference `userData` within a five-minute window, grouped by instance,
`user.name`, account, source IP, and user agent. A hit requires exactly three distinct API names in that bucket.
AWS EKS Access Entry Granted Cluster Admin Policy
Detects when the AmazonEKSClusterAdminPolicy or AmazonEKSAdminPolicy is associated with a principal via the EKS
Access Entries API. This grants full cluster-admin equivalent access to the specified IAM user or role. Unlike the
legacy aws-auth ConfigMap which is only visible in Kubernetes audit logs, Access Entries modifications appear in
CloudTrail, providing an additional detection surface. Attackers who have obtained IAM permissions to manage EKS
access entries can use this API to backdoor cluster access for persistence, mapping attacker-controlled IAM
identities to cluster-admin privileges without modifying any Kubernetes resources.
AWS GuardDuty Detector Deleted Or Updated
Detects successful deletion or disabling of an AWS GuardDuty detector, possibly by an attacker trying to avoid detection of their malicious activities.
Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost.
Verify with the user identity that this activity is legitimate.
EQL: any where eventSource:"guardduty.amazonaws.com" and (eventName:"DeleteDetector" or (eventName:"UpdateDetector" and requestParameters.enable:"false")) and (errorCode:"Success" or (?errorCode == null))
ESQL: from * metadata _id, _index, _version | where eventSource=="guardduty.amazonaws.com" and (eventName=="DeleteDetector" or eventName=="UpdateDetector" and requestParameters.enable=="false") and (errorCode=="Success" or errorCode is null)
Lucene: eventSource:guardduty.amazonaws.com AND (eventName:DeleteDetector OR (eventName:UpdateDetector AND requestParameters.enable:false)) AND (errorCode:Success OR (NOT _exists_:errorCode))
AWS GuardDuty Detector Deletion
Detects the deletion of an Amazon GuardDuty detector. GuardDuty provides continuous monitoring for malicious or
unauthorized activity across AWS accounts. Deleting the detector disables this visibility, stopping all threat detection
and removing existing findings. Adversaries may delete GuardDuty detectors to impair security monitoring and evade
detection during or after an intrusion. This rule identifies successful "DeleteDetector" API calls and can indicate a
deliberate defense evasion attempt.
AWS GuardDuty Important Change
Detects updates of the GuardDuty list of trusted IPs, perhaps to disable security alerts against malicious IPs.
EQL: any where eventSource:"guardduty.amazonaws.com" and eventName:"CreateIPSet"
ESQL: from * metadata _id, _index, _version | where eventSource=="guardduty.amazonaws.com" and eventName=="CreateIPSet"
Lucene: eventSource:guardduty.amazonaws.com AND eventName:CreateIPSet
AWS IAM CompromisedKeyQuarantine Policy Attached to User
This rule looks for use of the IAM `AttachUserPolicy` API operation to attach the `CompromisedKeyQuarantine` or `CompromisedKeyQuarantineV2` AWS managed policies to an existing IAM user.
This policy denies access to certain actions and is applied by the AWS team in the event that an IAM user's credentials have been compromised or exposed publicly.
AWS IAM Login Profile Added for Root
Identifies creation of a console login profile for the AWS account root user. While CreateLoginProfile normally applies to IAM users, when performed from a temporary root session (e.g., via AssumeRoot) and the userName parameter is omitted, the profile is created for the root principal (self-assigned). Adversaries with temporary root access may add or reset the root login profile to establish persistent console access even if original access keys are rotated or disabled. Correlate with recent AssumeRoot/STS activity and validate intent with the account owner.
AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts
Correlates open detection alerts that share the same long-term IAM access key ID (prefix AKIA). It fires when the rule
AWS Long-Term Access Key First Seen from Source IP (rule_id: 9f8e3c5e-f72e-4e91-93f6-e98a4fae3e4f) has triggered for
that key and at least one other open alert for the same key is medium, high, or critical severity. This higher-order
rule helps prioritize long-term key novelty when it co-occurs with elevated detections that may indicate post-compromise
activity.
AWS IAM S3Browser LoginProfile Creation
Detects the S3 Browser utility performing reconnaissance for existing IAM users without a LoginProfile defined and then (when found) creating a LoginProfile.
EQL: any where eventSource:"iam.amazonaws.com" and (eventName like~ ("GetLoginProfile", "CreateLoginProfile")) and userAgent:"*S3 Browser*"