Tool
Splunk
12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 12,786
Bitsadmin to Uncommon IP Server Address
Detects Bitsadmin connections to IP addresses instead of FQDN names
Show query
any where c-useragent:"Microsoft BITS/*" and (cs-host like~ ("*1", "*2", "*3", "*4", "*5", "*6", "*7", "*8", "*9"))
Bitsadmin to Uncommon IP Server Address
Detects Bitsadmin connections to IP addresses instead of FQDN names
Show query
from * metadata _id, _index, _version | where starts_with(`c-useragent`, "Microsoft BITS/") and (ends_with(`cs-host`, "1") or ends_with(`cs-host`, "2") or ends_with(`cs-host`, "3") or ends_with(`cs-host`, "4") or ends_with(`cs-host`, "5") or ends_with(`cs-host`, "6") or ends_with(`cs-host`, "7") or ends_with(`cs-host`, "8") or ends_with(`cs-host`, "9"))
Bitsadmin to Uncommon IP Server Address
Detects Bitsadmin connections to IP addresses instead of FQDN names
Show query
c-useragent:Microsoft\ BITS\/* AND (cs-host:(*1 OR *2 OR *3 OR *4 OR *5 OR *6 OR *7 OR *8 OR *9))
Bitsadmin to Uncommon TLD
Detects Bitsadmin connections to domains with uncommon TLDs
Show query
any where c-useragent:"Microsoft BITS/*" and (not (cs-host like~ ("*.com", "*.net", "*.org", "*.scdn.co", "*.sfx.ms")))
Bitsadmin to Uncommon TLD
Detects Bitsadmin connections to domains with uncommon TLDs
Show query
from * metadata _id, _index, _version | where starts_with(`c-useragent`, "Microsoft BITS/") and not (ends_with(`cs-host`, ".com") or ends_with(`cs-host`, ".net") or ends_with(`cs-host`, ".org") or ends_with(`cs-host`, ".scdn.co") or ends_with(`cs-host`, ".sfx.ms"))
Bitsadmin to Uncommon TLD
Detects Bitsadmin connections to domains with uncommon TLDs
Show query
c-useragent:Microsoft\ BITS\/* AND (NOT (cs-host:(*.com OR *.net OR *.org OR *.scdn.co OR *.sfx.ms)))
Blackbyte Ransomware Registry
Detects specific Windows registry modifications made by BlackByte ransomware variants.
BlackByte sets three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
This rule triggers when any of the following registry keys is set to DWORD 1; however, all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
Show query
any where (TargetObject like~ ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled")) and Details:"DWORD (0x00000001)"
Blackbyte Ransomware Registry
Detects specific Windows registry modifications made by BlackByte ransomware variants.
BlackByte sets three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
This rule triggers when any of the following registry keys is set to DWORD 1; however, all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
Show query
from * metadata _id, _index, _version | where (TargetObject in ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy", "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled")) and Details=="DWORD (0x00000001)"
Blackbyte Ransomware Registry
Detects specific Windows registry modifications made by BlackByte ransomware variants.
BlackByte sets three different registry values to escalate privileges and begin setting the stage for lateral movement and encryption.
This rule triggers when any of the following registry keys is set to DWORD 1; however, all three should be investigated as part of a larger BlackByte ransomware detection and response effort.
Show query
(TargetObject:(HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy OR HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections OR HKLM\\SYSTEM\\CurrentControlSet\\Control\\FileSystem\\LongPathsEnabled)) AND Details:DWORD\ \(0x00000001\)
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
Show query
any where (TargetFilename like~ ("*BloodHound.zip", "*_computers.json", "*_containers.json", "*_gpos.json", "*_groups.json", "*_ous.json", "*_users.json")) and (not (Image:"*\\svchost.exe" and TargetFilename:"C:\\Program Files\\WindowsApps\\Microsoft.*" and TargetFilename:"*\\pocket_containers.json"))
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
Show query
from * metadata _id, _index, _version | where (ends_with(TargetFilename, "BloodHound.zip") or ends_with(TargetFilename, "_computers.json") or ends_with(TargetFilename, "_containers.json") or ends_with(TargetFilename, "_gpos.json") or ends_with(TargetFilename, "_groups.json") or ends_with(TargetFilename, "_ous.json") or ends_with(TargetFilename, "_users.json")) and not (ends_with(Image, "\\svchost.exe") and starts_with(TargetFilename, "C:\\Program Files\\WindowsApps\\Microsoft.") and ends_with(TargetFilename, "\\pocket_containers.json"))
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
Show query
(TargetFilename:(*BloodHound.zip OR *_computers.json OR *_containers.json OR *_gpos.json OR *_groups.json OR *_ous.json OR *_users.json)) AND (NOT (Image:*\\svchost.exe AND TargetFilename:C\:\\Program\ Files\\WindowsApps\\Microsoft.* AND TargetFilename:*\\pocket_containers.json))
Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
Show query
any where (Image:"*\\cmd.exe" and (CommandLine:"*sc config*" and CommandLine:"*wercplsupporte.dll*")) or (Image:"*\\wmic.exe" and CommandLine:"*COR_PROFILER")
Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
Show query
from * metadata _id, _index, _version | where ends_with(Image, "\\cmd.exe") and CommandLine like "*sc config*" and CommandLine like "*wercplsupporte.dll*" or ends_with(Image, "\\wmic.exe") and ends_with(CommandLine, "COR_PROFILER")
Blue Mockingbird
Attempts to detect system changes made by Blue Mockingbird
Show query
(Image:*\\cmd.exe AND (CommandLine:*sc\ config* AND CommandLine:*wercplsupporte.dll*)) OR (Image:*\\wmic.exe AND CommandLine:*COR_PROFILER)
Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
Show query
any where TargetObject:"*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll"
Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
Show query
from * metadata _id, _index, _version | where ends_with(TargetObject, "\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll")
Blue Mockingbird - Registry
Attempts to detect system changes made by Blue Mockingbird
Show query
TargetObject:*\\CurrentControlSet\\Services\\wercplsupport\\Parameters\\ServiceDll
BlueSky Ransomware Artefacts
Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
Show query
any where ((EventID like~ (4663, 4656)) and (ObjectName like~ ("*.bluesky", "*DECRYPT FILES BLUESKY*"))) or (EventID:5145 and (RelativeTargetName like~ ("*.bluesky", "*DECRYPT FILES BLUESKY*")))
BlueSky Ransomware Artefacts
Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
Show query
from * metadata _id, _index, _version | where (EventID in (4663, 4656)) and (ends_with(ObjectName, ".bluesky") or ObjectName like "*DECRYPT FILES BLUESKY*") or EventID==5145 and (ends_with(RelativeTargetName, ".bluesky") or RelativeTargetName like "*DECRYPT FILES BLUESKY*")
BlueSky Ransomware Artefacts
Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
Show query
((EventID:(4663 OR 4656)) AND (ObjectName:(*.bluesky OR *DECRYPT\ FILES\ BLUESKY*))) OR (EventID:5145 AND (RelativeTargetName:(*.bluesky OR *DECRYPT\ FILES\ BLUESKY*)))
Boot Configuration Tampering Via Bcdedit.EXE
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.
Show query
any where (Image:"*\\bcdedit.exe" or OriginalFileName:"bcdedit.exe") and CommandLine:"*set*" and ((CommandLine:"*bootstatuspolicy*" and CommandLine:"*ignoreallfailures*") or (CommandLine:"*recoveryenabled*" and CommandLine:"*no*"))
Boot Configuration Tampering Via Bcdedit.EXE
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\bcdedit.exe") or OriginalFileName=="bcdedit.exe") and CommandLine like "*set*" and (CommandLine like "*bootstatuspolicy*" and CommandLine like "*ignoreallfailures*" or CommandLine like "*recoveryenabled*" and CommandLine like "*no*")
Boot Configuration Tampering Via Bcdedit.EXE
Detects the use of the bcdedit command to tamper with the boot configuration data. This technique is often used by malware or attackers as a destructive step before launching ransomware.
Show query
(Image:*\\bcdedit.exe OR OriginalFileName:bcdedit.exe) AND CommandLine:*set* AND ((CommandLine:*bootstatuspolicy* AND CommandLine:*ignoreallfailures*) OR (CommandLine:*recoveryenabled* AND CommandLine:*no*))
Browser Process Spawned from an Unusual Parent
Identifies instances where a browser is launched with remote debugging, headless automation, or minimal arguments from an unusual parent process. This may indicate an attempt to broker or tamper with a browser session for credential theft.
Buffer Overflow Attempts
Detects buffer overflow attempts in Unix system log files
Show query
any where "attempt to execute code on stack by" or "0bin0sh1" or "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" or "stack smashing detected"
Buffer Overflow Attempts
Detects buffer overflow attempts in Unix system log files
Show query
*attempt\ to\ execute\ code\ on\ stack\ by* OR *0bin0sh1* OR *AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA* OR *stack\ smashing\ detected*
Bulk Deletion Changes To Privileged Account Permissions
Detects when a user is removed from a privileged role. Bulk changes should be investigated.
Show query
any where properties.message like~ ("Remove eligible member (permanent)", "Remove eligible member (eligible)")
Bulk Deletion Changes To Privileged Account Permissions
Detects when a user is removed from a privileged role. Bulk changes should be investigated.
Show query
from * metadata _id, _index, _version | where properties.message in ("Remove eligible member (permanent)", "Remove eligible member (eligible)")
Bulk Deletion Changes To Privileged Account Permissions
Detects when a user is removed from a privileged role. Bulk changes should be investigated.
Show query
properties.message:(Remove\ eligible\ member\ \(permanent\) OR Remove\ eligible\ member\ \(eligible\))
Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
Show query
any where TargetObject:"*\\open\\command\\DelegateExecute" and Details:"(Empty)"
Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
Show query
from * metadata _id, _index, _version | where ends_with(TargetObject, "\\open\\command\\DelegateExecute") and Details=="(Empty)"
Bypass UAC Using DelegateExecute
Bypasses User Account Control using a fileless method
Show query
TargetObject:*\\open\\command\\DelegateExecute AND Details:\(Empty\)
Bypass UAC Using Event Viewer
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
Show query
any where TargetObject:"*_Classes\\mscfile\\shell\\open\\command\\(Default)" and (not Details:"%SystemRoot%\\system32\\mmc.exe \"%1\" %*")
Bypass UAC Using Event Viewer
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
Show query
from * metadata _id, _index, _version | where ends_with(TargetObject, "_Classes\\mscfile\\shell\\open\\command\\(Default)") and not starts_with(Details, "%SystemRoot%\\system32\\mmc.exe \"%1\" %")
Bypass UAC Using Event Viewer
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification
Show query
TargetObject:*_Classes\\mscfile\\shell\\open\\command\\\(Default\) AND (NOT Details:%SystemRoot%\\system32\\mmc.exe\ \"%1\"\ %*)
Bypass UAC Using SilentCleanup Task
Detects the setting of the environment variable "windir" to a non-default value.
Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
Show query
any where TargetObject:"*\\Environment\\windir" and (not Details:"%SystemRoot%")
Bypass UAC Using SilentCleanup Task
Detects the setting of the environment variable "windir" to a non-default value.
Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
Show query
from * metadata _id, _index, _version | where ends_with(TargetObject, "\\Environment\\windir") and not Details=="%SystemRoot%"
Bypass UAC Using SilentCleanup Task
Detects the setting of the environment variable "windir" to a non-default value.
Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task.
The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC.
Show query
TargetObject:*\\Environment\\windir AND (NOT Details:%SystemRoot%)
Bypass UAC via CMSTP
Detects command-line usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
Show query
any where (Image:"*\\cmstp.exe" or OriginalFileName:"CMSTP.EXE") and (CommandLine like~ ("*/s*", "*-s*", "*/au*", "*-au*", "*/ni*", "*-ni*"))
Bypass UAC via CMSTP
Detects command-line usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\cmstp.exe") or OriginalFileName=="CMSTP.EXE") and (CommandLine like "*/s*" or CommandLine like "*-s*" or CommandLine like "*/au*" or CommandLine like "*-au*" or CommandLine like "*/ni*" or CommandLine like "*-ni*")
Bypass UAC via CMSTP
Detects command-line usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
Show query
(Image:*\\cmstp.exe OR OriginalFileName:CMSTP.EXE) AND (CommandLine:(*\/s* OR *\-s* OR *\/au* OR *\-au* OR *\/ni* OR *\-ni*))
Bypass UAC via Event Viewer
Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
Show query
any where ParentImage:"*\\fodhelper.exe"
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
Show query
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\fodhelper.exe")
Bypass UAC via Fodhelper.exe
Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
Show query
ParentImage:*\\fodhelper.exe
Bypass UAC via WSReset.exe
Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
Show query
any where ParentImage:"*\\wsreset.exe" and (not (Image:"*\\conhost.exe" or OriginalFileName:"CONHOST.EXE"))
Bypass UAC via WSReset.exe
Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
Show query
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\wsreset.exe") and not (ends_with(Image, "\\conhost.exe") or OriginalFileName=="CONHOST.EXE")
Bypass UAC via WSReset.exe
Detects use of WSReset.exe to bypass User Account Control (UAC). Adversaries use this technique to execute privileged processes.
Show query
ParentImage:*\\wsreset.exe AND (NOT (Image:*\\conhost.exe OR OriginalFileName:CONHOST.EXE))
CMSTP Execution Process Access
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Show query
any where CallTrace:"*cmlua.dll*"
Showing 851-900 of 12,786