Tool
Splunk
12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 12,786
Activity From Anonymous IP Address
Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Show query
riskEventType:riskyIPAddress
Elastic
Converted
EQL
high
Add Debugger Entry To Hangs Key For Persistence
Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence; the configured debugger is invoked when an application crashes.
Show query
any where TargetObject:"*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger*"
Elastic
Converted
ES|QL
high
Add Debugger Entry To Hangs Key For Persistence
Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence; the configured debugger is invoked when an application crashes.
Show query
from * metadata _id, _index, _version | where TargetObject like "*\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\Hangs\\Debugger*"
Elastic
Converted
Lucene
high
Add Debugger Entry To Hangs Key For Persistence
Detects when an attacker adds a new "Debugger" value to the "Hangs" key in order to achieve persistence; the configured debugger is invoked when an application crashes.
Show query
TargetObject:*\\SOFTWARE\\Microsoft\\Windows\\Windows\ Error\ Reporting\\Hangs\\Debugger*
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source.
Winget does not allow the addition of insecure sources, so this could indicate suspicious activity (or a typo).
Show query
any where (Image:"*\\winget.exe" or OriginalFileName:"winget.exe") and (CommandLine:"*source *" and CommandLine:"*add *" and CommandLine:"*http://*")
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source.
Winget does not allow the addition of insecure sources, so this could indicate suspicious activity (or a typo).
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\winget.exe") or OriginalFileName=="winget.exe") and CommandLine like "*source *" and CommandLine like "*add *" and CommandLine like "*http://*"
Add Insecure Download Source To Winget
Detects usage of winget to add a new insecure (http) download source.
Winget does not allow the addition of insecure sources, so this could indicate suspicious activity (or a typo).
Show query
(Image:*\\winget.exe OR OriginalFileName:winget.exe) AND (CommandLine:*source\ * AND CommandLine:*add\ * AND CommandLine:*http\:\/\/*)
Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers so that ransomware can run in safe mode, where some security products do not.
Show query
any where (Image:"*\\reg.exe" or OriginalFileName:"reg.exe") and CommandLine:"*\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot*" and (CommandLine like~ ("* copy *", "* add *"))
Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers so that ransomware can run in safe mode, where some security products do not.
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\reg.exe") or OriginalFileName=="reg.exe") and CommandLine like "*\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot*" and (CommandLine like "* copy *" or CommandLine like "* add *")
Add SafeBoot Keys Via Reg Utility
Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attackers so that ransomware can run in safe mode, where some security products do not.
Show query
(Image:*\\reg.exe OR OriginalFileName:reg.exe) AND CommandLine:*\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot* AND (CommandLine:(*\ copy\ * OR *\ add\ *))
Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Show query
any where properties.message like~ ("Update application – Certificates and secrets management", "Update Service principal/Update Application")
Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Show query
from * metadata _id, _index, _version | where properties.message in ("Update application – Certificates and secrets management", "Update Service principal/Update Application")
Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Show query
properties.message:(Update\ application\ –\ Certificates\ and\ secrets\ management OR Update\ Service\ principal\/Update\ Application)
AdminSDHolder Backdoor
Detects modifications in the AdminSDHolder object. Attackers can abuse the SDProp process to implement a persistent
backdoor in Active Directory. SDProp compares the permissions on protected objects with those defined on the
AdminSDHolder object. If the permissions on any of the protected accounts and groups do not match, the permissions on
the protected accounts and groups are reset to match those of the domain's AdminSDHolder object, regaining their
Administrative Privileges.
AdminSDHolder SDProp Exclusion Added
Identifies a modification on the dsHeuristics attribute on the bit that holds the configuration of groups excluded from
the SDProp process. The SDProp compares the permissions on protected objects with those defined on the AdminSDHolder
object. If the permissions on any of the protected accounts and groups do not match, the permissions on the protected
accounts and groups are reset to match those of the domain's AdminSDHolder object, meaning that groups excluded will
remain unchanged. Attackers can abuse this misconfiguration to maintain long-term access to privileged accounts in these
groups.
Adwind RAT / JRAT
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Show query
any where (CommandLine:"*\\AppData\\Roaming\\Oracle*" and CommandLine:"*\\java*" and CommandLine:"*.exe *") or (CommandLine:"*cscript.exe*" and CommandLine:"*Retrive*" and CommandLine:"*.vbs *")
Adwind RAT / JRAT
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Show query
from * metadata _id, _index, _version | where CommandLine like "*\\AppData\\Roaming\\Oracle*" and CommandLine like "*\\java*" and CommandLine like "*.exe *" or CommandLine like "*cscript.exe*" and CommandLine like "*Retrive*" and CommandLine like "*.vbs *"
Adwind RAT / JRAT
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Show query
(CommandLine:*\\AppData\\Roaming\\Oracle* AND CommandLine:*\\java* AND CommandLine:*.exe\ *) OR (CommandLine:*cscript.exe* AND CommandLine:*Retrive* AND CommandLine:*.vbs\ *)
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Show query
any where (TargetFilename:"*\\AppData\\Roaming\\Oracle\\bin\\java*" and TargetFilename:"*.exe*") or (TargetFilename:"*\\Retrive*" and TargetFilename:"*.vbs*")
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Show query
from * metadata _id, _index, _version | where TargetFilename like "*\\AppData\\Roaming\\Oracle\\bin\\java*" and TargetFilename like "*.exe*" or TargetFilename like "*\\Retrive*" and TargetFilename like "*.vbs*"
Adwind RAT / JRAT File Artifact
Detects javaw.exe in AppData folder as used by Adwind / JRAT
Show query
(TargetFilename:*\\AppData\\Roaming\\Oracle\\bin\\java* AND TargetFilename:*.exe*) OR (TargetFilename:*\\Retrive* AND TargetFilename:*.vbs*)
Agent Spoofing - Multiple Hosts Using Same Agent
Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent being taken over and
used to inject illegitimate documents into an instance as an attempt to spoof events in order to masquerade actual
activity to evade detection.
Elastic
Original
ESQL
high
Alerts From Multiple Integrations by Destination Address
This rule uses alert data to determine when multiple alerts from different integrations with unique event categories and involving
the same destination.ip are triggered. Analysts can use this to prioritize triage and response, as these IP addresses are more likely
to be related to a compromise.
Elastic
Original
ESQL
high
Alerts From Multiple Integrations by Source Address
This rule uses alert data to determine when multiple alerts from different integrations with unique event categories and
involving the same source.ip are triggered. Analysts can use this to prioritize triage and response, as these IP addresses
are more likely to be related to a compromise.
Elastic
Original
ESQL
high
Alerts From Multiple Integrations by User Name
This rule uses alert data to determine when multiple alerts from different integrations with unique event categories and
involving the same user.name are triggered. Analysts can use this to prioritize triage and response, as these users are
more likely to be compromised.
Elastic
Original
ESQL
high
Alerts in Different ATT&CK Tactics by Host
This rule uses alert data to determine when multiple alerts in different phases of an attack involving the same host are
triggered and where the accumulated risk score is higher than a defined threshold. Analysts can use this to prioritize
triage and response, as these hosts are more likely to be compromised.
All Backups Deleted Via Wbadmin.EXE
Detects the deletion of all backups or system state backups via "wbadmin.exe".
This technique is used by numerous ransomware families and actors.
This may only be successful on server platforms that have Windows Backup enabled.
Show query
any where (Image:"*\\wbadmin.exe" or OriginalFileName:"WBADMIN.EXE") and ((CommandLine:"*delete*" and CommandLine:"*backup*") and CommandLine:"*keepVersions:0*")
All Backups Deleted Via Wbadmin.EXE
Detects the deletion of all backups or system state backups via "wbadmin.exe".
This technique is used by numerous ransomware families and actors.
This may only be successful on server platforms that have Windows Backup enabled.
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\wbadmin.exe") or OriginalFileName=="WBADMIN.EXE") and CommandLine like "*delete*" and CommandLine like "*backup*" and CommandLine like "*keepVersions:0*"
All Backups Deleted Via Wbadmin.EXE
Detects the deletion of all backups or system state backups via "wbadmin.exe".
This technique is used by numerous ransomware families and actors.
This may only be successful on server platforms that have Windows Backup enabled.
Show query
(Image:*\\wbadmin.exe OR OriginalFileName:WBADMIN.EXE) AND ((CommandLine:*delete* AND CommandLine:*backup*) AND CommandLine:*keepVersions\:0*)
All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when all the rules have been deleted from the Windows Defender Firewall configuration
Show query
any where (EventID like~ (2033, 2059)) and (not ModifyingApplication:"*:\\Windows\\System32\\svchost.exe") and (not (ModifyingApplication:"*:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*" and ModifyingApplication:"*\\MsMpEng.exe*"))
All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when all the rules have been deleted from the Windows Defender Firewall configuration
Show query
from * metadata _id, _index, _version | where (EventID in (2033, 2059)) and not ends_with(ModifyingApplication, ":\\Windows\\System32\\svchost.exe") and not (ModifyingApplication like "*:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\*" and ModifyingApplication like "*\\MsMpEng.exe*")
All Rules Have Been Deleted From The Windows Firewall Configuration
Detects when all the rules have been deleted from the Windows Defender Firewall configuration
Show query
(EventID:(2033 OR 2059)) AND (NOT ModifyingApplication:*\:\\Windows\\System32\\svchost.exe) AND (NOT (ModifyingApplication:*\:\\ProgramData\\Microsoft\\Windows\ Defender\\Platform\\* AND ModifyingApplication:*\\MsMpEng.exe*))
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Show query
any where ((Image:"*\\sc.exe" or OriginalFileName:"sc.exe") and (CommandLine:"*sdset*" and CommandLine:"*A;*") and (CommandLine like~ ("*;IU*", "*;SU*", "*;BA*", "*;SY*", "*;WD*"))) and (not ParentImage:"C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe")
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\sc.exe") or OriginalFileName=="sc.exe") and CommandLine like "*sdset*" and CommandLine like "*A;*" and (CommandLine like "*;IU*" or CommandLine like "*;SU*" or CommandLine like "*;BA*" or CommandLine like "*;SY*" or CommandLine like "*;WD*") and not ParentImage=="C:\\Hexnode\\Hexnode Agent\\Current\\HexnodeAgent.exe"
Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications to allow access to a service from a suspicious trustee. This can be used to override access restrictions set by previous ACLs.
Show query
((Image:*\\sc.exe OR OriginalFileName:sc.exe) AND (CommandLine:*sdset* AND CommandLine:*A;*) AND (CommandLine:(*;IU* OR *;SU* OR *;BA* OR *;SY* OR *;WD*))) AND (NOT ParentImage:C\:\\Hexnode\\Hexnode\ Agent\\Current\\HexnodeAgent.exe)
Anomalous Token
Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
Show query
any where riskEventType:"anomalousToken"
Anomalous Token
Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
Show query
from * metadata _id, _index, _version | where riskEventType=="anomalousToken"
Anomalous Token
Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
Show query
riskEventType:anomalousToken
Anomalous User Activity
Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
Show query
any where riskEventType:"anomalousUserActivity"
Anomalous User Activity
Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
Show query
from * metadata _id, _index, _version | where riskEventType=="anomalousUserActivity"
Anomalous User Activity
Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
Show query
riskEventType:anomalousUserActivity
Anonymous IP Address
Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
Show query
any where riskEventType:"anonymizedIPAddress"
Anonymous IP Address
Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
Show query
from * metadata _id, _index, _version | where riskEventType=="anonymizedIPAddress"
Anonymous IP Address
Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
Show query
riskEventType:anonymizedIPAddress
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
Show query
any where TargetObject:"*\\FilterManager\\FltmgrDevDriveAllowAntivirusFilter" and Details:"DWORD (0x00000000)"
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
Show query
from * metadata _id, _index, _version | where ends_with(TargetObject, "\\FilterManager\\FltmgrDevDriveAllowAntivirusFilter") and Details=="DWORD (0x00000000)"
Antivirus Filter Driver Disallowed On Dev Drive - Registry
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
Show query
TargetObject:*\\FilterManager\\FltmgrDevDriveAllowAntivirusFilter AND Details:DWORD\ \(0x00000000\)
Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Show query
any where (Signature like~ ("ATK/*", "Exploit.Script.CVE*", "HKTL*", "HTOOL*", "PWS.*", "PWSX*", "SecurityTool*")) or (Signature like~ ("*Adfind*", "*Brutel*", "*BruteR*", "*Cobalt*", "*COBEACON*", "*Cometer*", "*DumpCreds*", "*FastReverseProxy*", "*Hacktool*", "*Havoc*", "*Impacket*", "*Keylogger*", "*Koadic*", "*Mimikatz*", "*Nighthawk*", "*PentestPowerShell*", "*Potato*", "*PowerSploit*", "*PowerSSH*", "*PshlSpy*", "*PSWTool*", "*PWCrack*", "*PWDump*", "*Rozena*", "*Rusthound*", "*Sbelt*", "*Seatbelt*", "*SecurityTool*", "*SharpDump*", "*SharpHound*", "*Shellcode*", "*Sliver*", "*Snaffler*", "*SOAPHound*", "*Splinter*", "*Swrort*", "*TurtleLoader*"))
Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Show query
from * metadata _id, _index, _version | where starts_with(Signature, "ATK/") or starts_with(Signature, "Exploit.Script.CVE") or starts_with(Signature, "HKTL") or starts_with(Signature, "HTOOL") or starts_with(Signature, "PWS.") or starts_with(Signature, "PWSX") or starts_with(Signature, "SecurityTool") or Signature like "*Adfind*" or Signature like "*Brutel*" or Signature like "*BruteR*" or Signature like "*Cobalt*" or Signature like "*COBEACON*" or Signature like "*Cometer*" or Signature like "*DumpCreds*" or Signature like "*FastReverseProxy*" or Signature like "*Hacktool*" or Signature like "*Havoc*" or Signature like "*Impacket*" or Signature like "*Keylogger*" or Signature like "*Koadic*" or Signature like "*Mimikatz*" or Signature like "*Nighthawk*" or Signature like "*PentestPowerShell*" or Signature like "*Potato*" or Signature like "*PowerSploit*" or Signature like "*PowerSSH*" or Signature like "*PshlSpy*" or Signature like "*PSWTool*" or Signature like "*PWCrack*" or Signature like "*PWDump*" or Signature like "*Rozena*" or Signature like "*Rusthound*" or Signature like "*Sbelt*" or Signature like "*Seatbelt*" or Signature like "*SecurityTool*" or Signature like "*SharpDump*" or Signature like "*SharpHound*" or Signature like "*Shellcode*" or Signature like "*Sliver*" or Signature like "*Snaffler*" or Signature like "*SOAPHound*" or Signature like "*Splinter*" or Signature like "*Swrort*" or Signature like "*TurtleLoader*"
Antivirus Hacktool Detection
Detects a highly relevant Antivirus alert that reports a hack tool or other attack tool.
This event must not be ignored just because the AV has blocked the malware; investigate how it got there in the first place.
Show query
(Signature:(ATK\/* OR Exploit.Script.CVE* OR HKTL* OR HTOOL* OR PWS.* OR PWSX* OR SecurityTool*)) OR (Signature:(*Adfind* OR *Brutel* OR *BruteR* OR *Cobalt* OR *COBEACON* OR *Cometer* OR *DumpCreds* OR *FastReverseProxy* OR *Hacktool* OR *Havoc* OR *Impacket* OR *Keylogger* OR *Koadic* OR *Mimikatz* OR *Nighthawk* OR *PentestPowerShell* OR *Potato* OR *PowerSploit* OR *PowerSSH* OR *PshlSpy* OR *PSWTool* OR *PWCrack* OR *PWDump* OR *Rozena* OR *Rusthound* OR *Sbelt* OR *Seatbelt* OR *SecurityTool* OR *SharpDump* OR *SharpHound* OR *Shellcode* OR *Sliver* OR *Snaffler* OR *SOAPHound* OR *Splinter* OR *Swrort* OR *TurtleLoader*))
Showing 651-700 of 12,786