Splunk

12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Elastic Original KQL high T1490
Azure Compute Restore Point Collections Deleted
Identifies multiple Azure Restore Point Collections being deleted by a single user within a short time period. Restore Point Collections contain recovery points for virtual machines, enabling point-in-time recovery capabilities. Mass deletion of these collections is a common tactic used by adversaries during ransomware attacks to prevent victim recovery or to maximize impact during destructive operations. Multiple deletions in rapid succession may indicate malicious intent.
Elastic Converted EQL high T1078
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
any where (Operation:"UserLoggedIn" and ApplicationId:"9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" and ResultStatus:"Success" and RequestType:"Cmsi:Cmsi") and (not ObjectId:"0000000a-0000-0000-c000-000000000000")
Elastic Converted ES|QL high T1078
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
from * metadata _id, _index, _version | where Operation=="UserLoggedIn" and ApplicationId=="9ba1a5c7-f17a-4de9-a1f1-6178c8d51223" and ResultStatus=="Success" and RequestType=="Cmsi:Cmsi" and not ObjectId=="0000000a-0000-0000-c000-000000000000"
Elastic Converted Lucene high T1078
Azure Login Bypassing Conditional Access Policies
Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.
(Operation:UserLoggedIn AND ApplicationId:9ba1a5c7\-f17a\-4de9\-a1f1\-6178c8d51223 AND ResultStatus:Success AND RequestType:Cmsi\:Cmsi) AND (NOT ObjectId:0000000a\-0000\-0000\-c000\-000000000000)
Elastic Original KQL high T1098, T1098.003
Azure RBAC Built-In Administrator Roles Assigned
Identifies when a user is assigned a built-in administrator role in Azure RBAC (Role-Based Access Control). These roles provide significant privileges and can be abused by attackers for lateral movement, persistence, or privilege escalation. The privileged built-in administrator roles include Owner, Contributor, User Access Administrator, Azure File Sync Administrator, Reservations Administrator, and Role Based Access Control Administrator.
Elastic Original KQL high T1485, T1489
Azure Storage Account Deletions by User
Identifies when a single user or service principal deletes multiple Azure Storage Accounts within a short time period. This behavior may indicate an adversary attempting to cause widespread service disruption, destroy evidence, or execute a destructive attack such as ransomware. Mass deletion of storage accounts can have severe business impact and is rarely performed by legitimate administrators except during controlled decommissioning activities.
Elastic Converted EQL high T1078.004
Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
any where operationName:"MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION"
Elastic Converted ES|QL high T1078.004
Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
from * metadata _id, _index, _version | where operationName=="MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION"
Elastic Converted Lucene high T1078.004
Azure Subscription Permission Elevation Via ActivityLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
operationName:MICROSOFT.AUTHORIZATION\/ELEVATEACCESS\/ACTION
Elastic Converted EQL high T1078
Azure Subscription Permission Elevation Via AuditLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
any where Category:"Administrative" and OperationName:"Assigns the caller to user access admin"
Elastic Converted ES|QL high T1078
Azure Subscription Permission Elevation Via AuditLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
from * metadata _id, _index, _version | where Category=="Administrative" and OperationName=="Assigns the caller to user access admin"
Elastic Converted Lucene high T1078
Azure Subscription Permission Elevation Via AuditLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Category:Administrative AND OperationName:Assigns\ the\ caller\ to\ user\ access\ admin
Elastic Converted EQL high T1197
BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address.
any where (EventID:16403 and (RemoteName like~ ("*http://1*", "*http://2*", "*http://3*", "*http://4*", "*http://5*", "*http://6*", "*http://7*", "*http://8*", "*http://9*", "*https://1*", "*https://2*", "*https://3*", "*https://4*", "*https://5*", "*https://6*", "*https://7*", "*https://8*", "*https://9*"))) and (not ((RemoteName like~ ("*://10.*", "*://192.168.*", "*://172.16.*", "*://172.17.*", "*://172.18.*", "*://172.19.*", "*://172.20.*", "*://172.21.*", "*://172.22.*", "*://172.23.*", "*://172.24.*", "*://172.25.*", "*://172.26.*", "*://172.27.*", "*://172.28.*", "*://172.29.*", "*://172.30.*", "*://172.31.*", "*://127.*", "*://169.254.*")) or (RemoteName like~ ("*https://7-*", "*http://7-*"))))
Elastic Converted ES|QL high T1197
BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address.
from * metadata _id, _index, _version | where EventID==16403 and (RemoteName like "*http://1*" or RemoteName like "*http://2*" or RemoteName like "*http://3*" or RemoteName like "*http://4*" or RemoteName like "*http://5*" or RemoteName like "*http://6*" or RemoteName like "*http://7*" or RemoteName like "*http://8*" or RemoteName like "*http://9*" or RemoteName like "*https://1*" or RemoteName like "*https://2*" or RemoteName like "*https://3*" or RemoteName like "*https://4*" or RemoteName like "*https://5*" or RemoteName like "*https://6*" or RemoteName like "*https://7*" or RemoteName like "*https://8*" or RemoteName like "*https://9*") and not (RemoteName like "*://10.*" or RemoteName like "*://192.168.*" or RemoteName like "*://172.16.*" or RemoteName like "*://172.17.*" or RemoteName like "*://172.18.*" or RemoteName like "*://172.19.*" or RemoteName like "*://172.20.*" or RemoteName like "*://172.21.*" or RemoteName like "*://172.22.*" or RemoteName like "*://172.23.*" or RemoteName like "*://172.24.*" or RemoteName like "*://172.25.*" or RemoteName like "*://172.26.*" or RemoteName like "*://172.27.*" or RemoteName like "*://172.28.*" or RemoteName like "*://172.29.*" or RemoteName like "*://172.30.*" or RemoteName like "*://172.31.*" or RemoteName like "*://127.*" or RemoteName like "*://169.254.*" or RemoteName like "*https://7-*" or RemoteName like "*http://7-*")
Elastic Converted Lucene high T1197
BITS Transfer Job Download From Direct IP
Detects a BITS transfer job downloading file(s) from a direct IP address.
(EventID:16403 AND (RemoteName:(*http\:\/\/1* OR *http\:\/\/2* OR *http\:\/\/3* OR *http\:\/\/4* OR *http\:\/\/5* OR *http\:\/\/6* OR *http\:\/\/7* OR *http\:\/\/8* OR *http\:\/\/9* OR *https\:\/\/1* OR *https\:\/\/2* OR *https\:\/\/3* OR *https\:\/\/4* OR *https\:\/\/5* OR *https\:\/\/6* OR *https\:\/\/7* OR *https\:\/\/8* OR *https\:\/\/9*))) AND (NOT ((RemoteName:(*\:\/\/10.* OR *\:\/\/192.168.* OR *\:\/\/172.16.* OR *\:\/\/172.17.* OR *\:\/\/172.18.* OR *\:\/\/172.19.* OR *\:\/\/172.20.* OR *\:\/\/172.21.* OR *\:\/\/172.22.* OR *\:\/\/172.23.* OR *\:\/\/172.24.* OR *\:\/\/172.25.* OR *\:\/\/172.26.* OR *\:\/\/172.27.* OR *\:\/\/172.28.* OR *\:\/\/172.29.* OR *\:\/\/172.30.* OR *\:\/\/172.31.* OR *\:\/\/127.* OR *\:\/\/169.254.*)) OR (RemoteName:(*https\:\/\/7\-* OR *http\:\/\/7\-*))))
Elastic Converted EQL high T1197
BITS Transfer Job Download From File Sharing Domains
Detects a BITS transfer job downloading files from a file-sharing domain.
any where EventID:16403 and (RemoteName like~ ("*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*github.com*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*pixeldrain.com*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*"))
Elastic Converted ES|QL high T1197
BITS Transfer Job Download From File Sharing Domains
Detects a BITS transfer job downloading files from a file-sharing domain.
from * metadata _id, _index, _version | where EventID==16403 and (RemoteName like "*.githubusercontent.com*" or RemoteName like "*anonfiles.com*" or RemoteName like "*cdn.discordapp.com*" or RemoteName like "*ddns.net*" or RemoteName like "*dl.dropboxusercontent.com*" or RemoteName like "*ghostbin.co*" or RemoteName like "*github.com*" or RemoteName like "*glitch.me*" or RemoteName like "*gofile.io*" or RemoteName like "*hastebin.com*" or RemoteName like "*mediafire.com*" or RemoteName like "*mega.nz*" or RemoteName like "*onrender.com*" or RemoteName like "*pages.dev*" or RemoteName like "*paste.ee*" or RemoteName like "*pastebin.com*" or RemoteName like "*pastebin.pl*" or RemoteName like "*pastetext.net*" or RemoteName like "*pixeldrain.com*" or RemoteName like "*privatlab.com*" or RemoteName like "*privatlab.net*" or RemoteName like "*send.exploit.in*" or RemoteName like "*sendspace.com*" or RemoteName like "*storage.googleapis.com*" or RemoteName like "*storjshare.io*" or RemoteName like "*supabase.co*" or RemoteName like "*temp.sh*" or RemoteName like "*transfer.sh*" or RemoteName like "*trycloudflare.com*" or RemoteName like "*ufile.io*" or RemoteName like "*w3spaces.com*" or RemoteName like "*workers.dev*")
Elastic Converted Lucene high T1197
BITS Transfer Job Download From File Sharing Domains
Detects a BITS transfer job downloading files from a file-sharing domain.
EventID:16403 AND (RemoteName:(*.githubusercontent.com* OR *anonfiles.com* OR *cdn.discordapp.com* OR *ddns.net* OR *dl.dropboxusercontent.com* OR *ghostbin.co* OR *github.com* OR *glitch.me* OR *gofile.io* OR *hastebin.com* OR *mediafire.com* OR *mega.nz* OR *onrender.com* OR *pages.dev* OR *paste.ee* OR *pastebin.com* OR *pastebin.pl* OR *pastetext.net* OR *pixeldrain.com* OR *privatlab.com* OR *privatlab.net* OR *send.exploit.in* OR *sendspace.com* OR *storage.googleapis.com* OR *storjshare.io* OR *supabase.co* OR *temp.sh* OR *transfer.sh* OR *trycloudflare.com* OR *ufile.io* OR *w3spaces.com* OR *workers.dev*))
Elastic Converted EQL high T1197
BITS Transfer Job Download To Potential Suspicious Folder
Detects a new BITS transfer job whose LocalName (the saved file) is stored in a potentially suspicious location.
any where EventID:16403 and (LocalName like~ ("*\\Desktop\\*", "*C:\\Users\\Public\\*", "*C:\\PerfLogs\\*"))
Elastic Converted ES|QL high T1197
BITS Transfer Job Download To Potential Suspicious Folder
Detects a new BITS transfer job whose LocalName (the saved file) is stored in a potentially suspicious location.
from * metadata _id, _index, _version | where EventID==16403 and (LocalName like "*\\Desktop\\*" or LocalName like "*C:\\Users\\Public\\*" or LocalName like "*C:\\PerfLogs\\*")
Elastic Converted Lucene high T1197
BITS Transfer Job Download To Potential Suspicious Folder
Detects a new BITS transfer job whose LocalName (the saved file) is stored in a potentially suspicious location.
EventID:16403 AND (LocalName:(*\\Desktop\\* OR *C\:\\Users\\Public\\* OR *C\:\\PerfLogs\\*))
Elastic Original EQL high T1059, T1059.004, T1562, T1562.001
BPF filter applied using TC
Detects when the tc (transmission control) binary is used to set a BPF (Berkeley Packet Filter) on a network interface. tc is used to configure Traffic Control in the Linux kernel; it can shape, schedule, police and drop traffic. A threat actor can use tc to set a BPF filter on an interface in order to manipulate incoming traffic. This technique is not at all common and should indicate abnormal, suspicious or malicious activity.
Elastic Converted EQL high T1059
BPFDoor Abnormal Process ID or Lock File Accessed
Detects access to BPFDoor .lock and .pid files in the temporary file storage facility (/var/run).
any where type:"PATH" and (name like~ ("/var/run/aepmonend.pid", "/var/run/auditd.lock", "/var/run/cma.lock", "/var/run/console-kit.pid", "/var/run/consolekit.pid", "/var/run/daemon.pid", "/var/run/hald-addon.pid", "/var/run/hald-smartd.pid", "/var/run/haldrund.pid", "/var/run/hp-health.pid", "/var/run/hpasmlit.lock", "/var/run/hpasmlited.pid", "/var/run/kdevrund.pid", "/var/run/lldpad.lock", "/var/run/mcelog.pid", "/var/run/system.pid", "/var/run/uvp-srv.pid", "/var/run/vmtoolagt.pid", "/var/run/xinetd.lock"))
Elastic Converted ES|QL high T1059
BPFDoor Abnormal Process ID or Lock File Accessed
Detects access to BPFDoor .lock and .pid files in the temporary file storage facility (/var/run).
from * metadata _id, _index, _version | where type=="PATH" and (name in ("/var/run/aepmonend.pid", "/var/run/auditd.lock", "/var/run/cma.lock", "/var/run/console-kit.pid", "/var/run/consolekit.pid", "/var/run/daemon.pid", "/var/run/hald-addon.pid", "/var/run/hald-smartd.pid", "/var/run/haldrund.pid", "/var/run/hp-health.pid", "/var/run/hpasmlit.lock", "/var/run/hpasmlited.pid", "/var/run/kdevrund.pid", "/var/run/lldpad.lock", "/var/run/mcelog.pid", "/var/run/system.pid", "/var/run/uvp-srv.pid", "/var/run/vmtoolagt.pid", "/var/run/xinetd.lock"))
Elastic Converted Lucene high T1059
BPFDoor Abnormal Process ID or Lock File Accessed
Detects access to BPFDoor .lock and .pid files in the temporary file storage facility (/var/run).
type:PATH AND (name:(\/var\/run\/aepmonend.pid OR \/var\/run\/auditd.lock OR \/var\/run\/cma.lock OR \/var\/run\/console\-kit.pid OR \/var\/run\/consolekit.pid OR \/var\/run\/daemon.pid OR \/var\/run\/hald\-addon.pid OR \/var\/run\/hald\-smartd.pid OR \/var\/run\/haldrund.pid OR \/var\/run\/hp\-health.pid OR \/var\/run\/hpasmlit.lock OR \/var\/run\/hpasmlited.pid OR \/var\/run\/kdevrund.pid OR \/var\/run\/lldpad.lock OR \/var\/run\/mcelog.pid OR \/var\/run\/system.pid OR \/var\/run\/uvp\-srv.pid OR \/var\/run\/vmtoolagt.pid OR \/var\/run\/xinetd.lock))
Elastic Converted EQL high T1021.003
BaaUpdate.exe Suspicious DLL Load
Detects the BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious, publicly writable locations, which could indicate an attempt at lateral movement via BitLocker DCOM and COM hijacking. This technique abuses COM classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94), which can launch BaaUpdate.exe, which in turn is vulnerable to COM hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
any where Image:"*\\BaaUpdate.exe" and ImageLoaded:"*.dll" and (ImageLoaded like~ ("*:\\Perflogs\\*", "*:\\Users\\Default\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Contacts\\*", "*\\Favorites\\*", "*\\Favourites\\*", "*\\Links\\*", "*\\Music\\*", "*\\Pictures\\*", "*\\ProgramData\\*", "*\\Temporary Internet*", "*\\Videos\\*"))
Elastic Converted ES|QL high T1021.003
BaaUpdate.exe Suspicious DLL Load
Detects the BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious, publicly writable locations, which could indicate an attempt at lateral movement via BitLocker DCOM and COM hijacking. This technique abuses COM classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94), which can launch BaaUpdate.exe, which in turn is vulnerable to COM hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
from * metadata _id, _index, _version | where ends_with(Image, "\\BaaUpdate.exe") and ends_with(ImageLoaded, ".dll") and (ImageLoaded like "*:\\Perflogs\\*" or ImageLoaded like "*:\\Users\\Default\\*" or ImageLoaded like "*:\\Users\\Public\\*" or ImageLoaded like "*:\\Windows\\Temp\\*" or ImageLoaded like "*\\AppData\\Local\\Temp\\*" or ImageLoaded like "*\\AppData\\Roaming\\*" or ImageLoaded like "*\\Contacts\\*" or ImageLoaded like "*\\Favorites\\*" or ImageLoaded like "*\\Favourites\\*" or ImageLoaded like "*\\Links\\*" or ImageLoaded like "*\\Music\\*" or ImageLoaded like "*\\Pictures\\*" or ImageLoaded like "*\\ProgramData\\*" or ImageLoaded like "*\\Temporary Internet*" or ImageLoaded like "*\\Videos\\*")
Elastic Converted Lucene high T1021.003
BaaUpdate.exe Suspicious DLL Load
Detects the BitLocker Access Agent Update Utility (baaupdate.exe) loading DLLs from suspicious, publicly writable locations, which could indicate an attempt at lateral movement via BitLocker DCOM and COM hijacking. This technique abuses COM classes configured as INTERACTIVE USER to spawn processes in the context of the logged-on user's session. Specifically, it targets the BDEUILauncher class (CLSID ab93b6f1-be76-4185-a488-a9001b105b94), which can launch BaaUpdate.exe, which in turn is vulnerable to COM hijacking when started with input parameters. This allows attackers to execute code in the user's context without needing to steal credentials or use additional techniques to compromise the account.
Image:*\\BaaUpdate.exe AND ImageLoaded:*.dll AND (ImageLoaded:(*\:\\Perflogs\\* OR *\:\\Users\\Default\\* OR *\:\\Users\\Public\\* OR *\:\\Windows\\Temp\\* OR *\\AppData\\Local\\Temp\\* OR *\\AppData\\Roaming\\* OR *\\Contacts\\* OR *\\Favorites\\* OR *\\Favourites\\* OR *\\Links\\* OR *\\Music\\* OR *\\Pictures\\* OR *\\ProgramData\\* OR *\\Temporary\ Internet* OR *\\Videos\\*))
Elastic Converted EQL high T1218.011
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults, e.g. spawning a sacrificial process and injecting a capability into it without taking into account how the process is normally run. One trivial example is using rundll32.exe without arguments as a sacrificial process (the default in CS, now highlighted by c2lint); another is running WerFault without arguments (Kraken, credit am0nsec).
any where ((Image:"*\\WerFault.exe" and CommandLine:"*WerFault.exe") or (Image:"*\\rundll32.exe" and CommandLine:"*rundll32.exe") or (Image:"*\\regsvcs.exe" and CommandLine:"*regsvcs.exe") or (Image:"*\\regasm.exe" and CommandLine:"*regasm.exe") or (Image:"*\\regsvr32.exe" and CommandLine:"*regsvr32.exe")) and (not ((ParentImage:"*\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{*" and Image:"*\\rundll32.exe" and CommandLine:"*rundll32.exe") or ((ParentImage like~ ("*\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\*", "*\\AppData\\Local\\Google\\Chrome\\Application\\*")) and ParentImage:"*\\Installer\\setup.exe" and ParentCommandLine:"*--uninstall *" and Image:"*\\rundll32.exe" and CommandLine:"*rundll32.exe")))
Elastic Converted ES|QL high T1218.011
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults, e.g. spawning a sacrificial process and injecting a capability into it without taking into account how the process is normally run. One trivial example is using rundll32.exe without arguments as a sacrificial process (the default in CS, now highlighted by c2lint); another is running WerFault without arguments (Kraken, credit am0nsec).
from * metadata _id, _index, _version | where (ends_with(Image, "\\WerFault.exe") and ends_with(CommandLine, "WerFault.exe") or ends_with(Image, "\\rundll32.exe") and ends_with(CommandLine, "rundll32.exe") or ends_with(Image, "\\regsvcs.exe") and ends_with(CommandLine, "regsvcs.exe") or ends_with(Image, "\\regasm.exe") and ends_with(CommandLine, "regasm.exe") or ends_with(Image, "\\regsvr32.exe") and ends_with(CommandLine, "regsvr32.exe")) and not (ParentImage like "*\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\{*" and ends_with(Image, "\\rundll32.exe") and ends_with(CommandLine, "rundll32.exe") or (ParentImage like "*\\AppData\\Local\\BraveSoftware\\Brave-Browser\\Application\\*" or ParentImage like "*\\AppData\\Local\\Google\\Chrome\\Application\\*") and ends_with(ParentImage, "\\Installer\\setup.exe") and ParentCommandLine like "*--uninstall *" and ends_with(Image, "\\rundll32.exe") and ends_with(CommandLine, "rundll32.exe"))
Elastic Converted Lucene high T1218.011
Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Detects attackers using tooling with bad opsec defaults, e.g. spawning a sacrificial process and injecting a capability into it without taking into account how the process is normally run. One trivial example is using rundll32.exe without arguments as a sacrificial process (the default in CS, now highlighted by c2lint); another is running WerFault without arguments (Kraken, credit am0nsec).
((Image:*\\WerFault.exe AND CommandLine:*WerFault.exe) OR (Image:*\\rundll32.exe AND CommandLine:*rundll32.exe) OR (Image:*\\regsvcs.exe AND CommandLine:*regsvcs.exe) OR (Image:*\\regasm.exe AND CommandLine:*regasm.exe) OR (Image:*\\regsvr32.exe AND CommandLine:*regsvr32.exe)) AND (NOT ((ParentImage:*\\AppData\\Local\\Microsoft\\EdgeUpdate\\Install\\\{* AND Image:*\\rundll32.exe AND CommandLine:*rundll32.exe) OR ((ParentImage:(*\\AppData\\Local\\BraveSoftware\\Brave\-Browser\\Application\\* OR *\\AppData\\Local\\Google\\Chrome\\Application\\*)) AND ParentImage:*\\Installer\\setup.exe AND ParentCommandLine:*\-\-uninstall\ * AND Image:*\\rundll32.exe AND CommandLine:*rundll32.exe)))
Base64 Decoded Payload Piped to Interpreter
This rule detects when a base64 decoded payload is piped to an interpreter on Linux systems. Adversaries may use base64 encoding to obfuscate data and pipe it to an interpreter to execute malicious code. This technique may be used to evade detection by host- or network-based security controls.
Elastic Converted EQL high T1027
Base64 Encoded PowerShell Command Detected
Detects use of the "FromBase64String" function on the command line, which is used to decode a base64-encoded string.
any where CommandLine:"*::FromBase64String(*"
Elastic Converted ES|QL high T1027
Base64 Encoded PowerShell Command Detected
Detects use of the "FromBase64String" function on the command line, which is used to decode a base64-encoded string.
from * metadata _id, _index, _version | where CommandLine like "*::FromBase64String(*"
Elastic Converted Lucene high T1027
Base64 Encoded PowerShell Command Detected
Detects use of the "FromBase64String" function on the command line, which is used to decode a base64-encoded string.
CommandLine:*\:\:FromBase64String\(*
Elastic Converted EQL high
Base64 MZ Header In CommandLine
Detects a base64-encoded MZ header in the command line.
any where CommandLine like~ ("*TVqQAAMAAAAEAAAA*", "*TVpQAAIAAAAEAA8A*", "*TVqAAAEAAAAEABAA*", "*TVoAAAAAAAAAAAAA*", "*TVpTAQEAAAAEAAAA*")
Elastic Converted ES|QL high
Base64 MZ Header In CommandLine
Detects a base64-encoded MZ header in the command line.
from * metadata _id, _index, _version | where CommandLine like "*TVqQAAMAAAAEAAAA*" or CommandLine like "*TVpQAAIAAAAEAA8A*" or CommandLine like "*TVqAAAEAAAAEABAA*" or CommandLine like "*TVoAAAAAAAAAAAAA*" or CommandLine like "*TVpTAQEAAAAEAAAA*"
Elastic Converted Lucene high
Base64 MZ Header In CommandLine
Detects a base64-encoded MZ header in the command line.
CommandLine:(*TVqQAAMAAAAEAAAA* OR *TVpQAAIAAAAEAA8A* OR *TVqAAAEAAAAEABAA* OR *TVoAAAAAAAAAAAAA* OR *TVpTAQEAAAAEAAAA*)
Elastic Original EQL high T1059, T1036
Binary Executed from Shared Memory Directory
Identifies the execution of a binary by root in Linux shared memory directories: (/dev/shm/, /run/shm/, /var/run/, /var/lock/). This activity is to be considered highly abnormal and should be investigated. Threat actors have placed executables used for persistence on high-uptime servers in these directories as system backdoors.
Elastic Converted EQL high T1027.001
Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.
any where type:"EXECVE" and (("truncate" and "-s") or (("dd" and "if=") and (not "of=")))
Elastic Converted Lucene high T1027.001
Binary Padding - Linux
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.
type:EXECVE AND ((*truncate* AND *\-s*) OR ((*dd* AND *if\=*) AND (NOT *of\=*)))
Elastic Converted EQL high T1027.001
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.
any where (Image:"*/truncate" and CommandLine:"*-s +*") or (Image:"*/dd" and (CommandLine like~ ("*if=/dev/zero*", "*if=/dev/random*", "*if=/dev/urandom*")))
Elastic Converted ES|QL high T1027.001
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.
from * metadata _id, _index, _version | where ends_with(Image, "/truncate") and CommandLine like "*-s +*" or ends_with(Image, "/dd") and (CommandLine like "*if=/dev/zero*" or CommandLine like "*if=/dev/random*" or CommandLine like "*if=/dev/urandom*")
Elastic Converted Lucene high T1027.001
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detects the use of dd and truncate to add junk data to a file.
(Image:*\/truncate AND CommandLine:*\-s\ \+*) OR (Image:*\/dd AND (CommandLine:(*if\=\/dev\/zero* OR *if\=\/dev\/random* OR *if\=\/dev\/urandom*)))
Elastic Converted EQL high T1213.003
Bitbucket Full Data Export Triggered
Detects when a full data export is attempted.
any where auditType.category:"Data pipeline" and auditType.action:"Full data export triggered"
Elastic Converted ES|QL high T1213.003
Bitbucket Full Data Export Triggered
Detects when a full data export is attempted.
from * metadata _id, _index, _version | where auditType.category=="Data pipeline" and auditType.action=="Full data export triggered"
Elastic Converted Lucene high T1213.003
Bitbucket Full Data Export Triggered
Detects when a full data export is attempted.
auditType.category:Data\ pipeline AND auditType.action:Full\ data\ export\ triggered
Elastic Converted EQL high T1685
Bitbucket Secret Scanning Exempt Repository Added
Detects when a repository is exempted from the secret scanning feature.
any where auditType.category:"Repositories" and auditType.action:"Secret scanning exempt repository added"
Elastic Converted ES|QL high T1685
Bitbucket Secret Scanning Exempt Repository Added
Detects when a repository is exempted from the secret scanning feature.
from * metadata _id, _index, _version | where auditType.category=="Repositories" and auditType.action=="Secret scanning exempt repository added"
Elastic Converted Lucene high T1685
Bitbucket Secret Scanning Exempt Repository Added
Detects when a repository is exempted from the secret scanning feature.
auditType.category:Repositories AND auditType.action:Secret\ scanning\ exempt\ repository\ added
Showing 801-850 of 12,786