Tool

Splunk

12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Elastic Converted ES|QL high T1218.003 ↗
CMSTP Execution Process Access
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Query:
from * metadata _id, _index, _version | where CallTrace like "*cmlua.dll*"
Elastic Converted Lucene high T1218.003 ↗
CMSTP Execution Process Access
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Query:
CallTrace:*cmlua.dll*
Elastic Converted EQL high T1218.003 ↗
CMSTP Execution Process Creation
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Query:
any where ParentImage:"*\\cmstp.exe"
Elastic Converted ES|QL high T1218.003 ↗
CMSTP Execution Process Creation
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Query:
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\cmstp.exe")
Elastic Converted Lucene high T1218.003 ↗
CMSTP Execution Process Creation
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Query:
ParentImage:*\\cmstp.exe
Elastic Converted EQL high T1218.003 ↗
CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Query:
any where TargetObject:"*\\cmmgr32.exe*"
Elastic Converted ES|QL high T1218.003 ↗
CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Query:
from * metadata _id, _index, _version | where TargetObject like "*\\cmmgr32.exe*"
Elastic Converted Lucene high T1218.003 ↗
CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Query:
TargetObject:*\\cmmgr32.exe*
Elastic Converted EQL high T1218.003 ↗
CMSTP UAC Bypass via COM Object Access
Detects a UAC bypass attempt using Microsoft Connection Manager Profile Installer autoelevate-capable COM objects (e.g. UACMe IDs 41, 43, 58 or 65)
Query:
any where ParentImage:"*\\DllHost.exe" and (ParentCommandLine like~ ("* /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*", "* /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}*", "* /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}*", "* /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}*", "* /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}*")) and (IntegrityLevel like~ ("High", "System", "S-1-16-16384", "S-1-16-12288"))
Elastic Converted ES|QL high T1218.003 ↗
CMSTP UAC Bypass via COM Object Access
Detects a UAC bypass attempt using Microsoft Connection Manager Profile Installer autoelevate-capable COM objects (e.g. UACMe IDs 41, 43, 58 or 65)
Query:
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\DllHost.exe") and (ParentCommandLine like "* /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*" or ParentCommandLine like "* /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}*" or ParentCommandLine like "* /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}*" or ParentCommandLine like "* /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}*" or ParentCommandLine like "* /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}*") and (IntegrityLevel in ("High", "System", "S-1-16-16384", "S-1-16-12288"))
Elastic Converted Lucene high T1218.003 ↗
CMSTP UAC Bypass via COM Object Access
Detects a UAC bypass attempt using Microsoft Connection Manager Profile Installer autoelevate-capable COM objects (e.g. UACMe IDs 41, 43, 58 or 65)
Query:
ParentImage:*\\DllHost.exe AND (ParentCommandLine:(*\ \/Processid\:\{3E5FC7F9\-9A51\-4367\-9063\-A120244FBEC7\}* OR *\ \/Processid\:\{3E000D72\-A845\-4CD9\-BD83\-80C07C3B881F\}* OR *\ \/Processid\:\{BD54C901\-076B\-434E\-B6C7\-17C531F4AB41\}* OR *\ \/Processid\:\{D2E7041B\-2927\-42FB\-8E9F\-7CE93B6DC937\}* OR *\ \/Processid\:\{E9495B87\-D950\-4AB5\-87A5\-FF6D70BF3E90\}*)) AND (IntegrityLevel:(High OR System OR S\-1\-16\-16384 OR S\-1\-16\-12288))
Elastic Converted EQL high
COLDSTEEL Persistence Service Creation
Detects the creation of new services potentially related to COLDSTEEL RAT
Query:
any where Provider_Name:"Service Control Manager" and EventID:7045 and (ServiceName like~ ("Name", "msupdate", "msupdate2")) and ImagePath:"*\\Windows\\System32\\svchost.exe*"
Elastic Converted ES|QL high
COLDSTEEL Persistence Service Creation
Detects the creation of new services potentially related to COLDSTEEL RAT
Query:
from * metadata _id, _index, _version | where Provider_Name=="Service Control Manager" and EventID==7045 and (ServiceName in ("Name", "msupdate", "msupdate2")) and ImagePath like "*\\Windows\\System32\\svchost.exe*"
Elastic Converted Lucene high
COLDSTEEL Persistence Service Creation
Detects the creation of new services potentially related to COLDSTEEL RAT
Query:
Provider_Name:Service\ Control\ Manager AND EventID:7045 AND (ServiceName:(Name OR msupdate OR msupdate2)) AND ImagePath:*\\Windows\\System32\\svchost.exe*
Elastic Converted EQL high
COLDSTEEL RAT Anonymous User Process Execution
Detects the creation of a process executing as a user called "ANONYMOUS", as seen used by the "MileStone2016" variant of COLDSTEEL
Query:
any where (ParentImage like~ ("*\\Windows\\System32\\*", "*\\AppData\\*")) and User:"*ANONYMOUS*"
Elastic Converted ES|QL high
COLDSTEEL RAT Anonymous User Process Execution
Detects the creation of a process executing as a user called "ANONYMOUS", as seen used by the "MileStone2016" variant of COLDSTEEL
Query:
from * metadata _id, _index, _version | where (ParentImage like "*\\Windows\\System32\\*" or ParentImage like "*\\AppData\\*") and User like "*ANONYMOUS*"
Elastic Converted Lucene high
COLDSTEEL RAT Anonymous User Process Execution
Detects the creation of a process executing as a user called "ANONYMOUS", as seen used by the "MileStone2016" variant of COLDSTEEL
Query:
(ParentImage:(*\\Windows\\System32\\* OR *\\AppData\\*)) AND User:*ANONYMOUS*
Elastic Converted EQL high T1546 ↗
COM Hijack via Sdclt
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
Query:
any where TargetObject:"*\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute*"
Elastic Converted ES|QL high T1546 ↗
COM Hijack via Sdclt
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
Query:
from * metadata _id, _index, _version | where TargetObject like "*\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute*"
Elastic Converted Lucene high T1546 ↗
COM Hijack via Sdclt
Detects changes to 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute'
Query:
TargetObject:*\\Software\\Classes\\Folder\\shell\\open\\command\\DelegateExecute*
Elastic Converted EQL high T1546.015 ↗
COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
Query:
any where ((TargetObject:"*\\CLSID\\*" and (TargetObject like~ ("*\\InprocServer32\\(Default)", "*\\LocalServer32\\(Default)"))) and (TargetObject like~ ("*\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\*", "*\\{2155fee3-2419-4373-b102-6843707eb41f}\\*", "*\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\*", "*\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\*", "*\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\*", "*\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\*", "*\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\*", "*\\{7849596a-48ea-486e-8937-a2a3009f31a9}\\*", "*\\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\\*", "*\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\\*", "*\\{30D49246-D217-465F-B00B-AC9DDD652EB7}\\*", "*\\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\\*", "*\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\*", "*\\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\\*", "*\\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\\*"))) and ((Details like~ ("*:\\Perflogs\\*", "*\\AppData\\Local\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "*\\System32\\spool\\drivers\\color\\*", "*\\Temporary Internet*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*", "*%appdata%*", "*%temp%*", "*%tmp%*")) or ((Details:"*:\\Users\\*" and Details:"*\\Favorites\\*") or (Details:"*:\\Users\\*" and Details:"*\\Favourites\\*") or (Details:"*:\\Users\\*" and Details:"*\\Contacts\\*") or (Details:"*:\\Users\\*" and Details:"*\\Pictures\\*")))
Elastic Converted ES|QL high T1546.015 ↗
COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
Query:
from * metadata _id, _index, _version | where TargetObject like "*\\CLSID\\*" and (ends_with(TargetObject, "\\InprocServer32\\(Default)") or ends_with(TargetObject, "\\LocalServer32\\(Default)")) and (TargetObject like "*\\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\\*" or TargetObject like "*\\{2155fee3-2419-4373-b102-6843707eb41f}\\*" or TargetObject like "*\\{4590f811-1d3a-11d0-891f-00aa004b2e24}\\*" or TargetObject like "*\\{4de225bf-cf59-4cfc-85f7-68b90f185355}\\*" or TargetObject like "*\\{ddc05a5a-351a-4e06-8eaf-54ec1bc2dcea}\\*" or TargetObject like "*\\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A}\\*" or TargetObject like "*\\{F82B4EF1-93A9-4DDE-8015-F7950A1A6E31}\\*" or TargetObject like "*\\{7849596a-48ea-486e-8937-a2a3009f31a9}\\*" or TargetObject like "*\\{0b91a74b-ad7c-4a9d-b563-29eef9167172}\\*" or TargetObject like "*\\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\\*" or TargetObject like "*\\{30D49246-D217-465F-B00B-AC9DDD652EB7}\\*" or TargetObject like "*\\{A7A63E5C-3877-4840-8727-C1EA9D7A4D50}\\*" or TargetObject like "*\\{2227A280-3AEA-1069-A2DE-08002B30309D}\\*" or TargetObject like "*\\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\\*" or TargetObject like "*\\{AA509086-5Ca9-4C25-8F95-589D3C07B48A}\\*") and (Details like "*:\\Perflogs\\*" or Details like "*\\AppData\\Local\\*" or Details like "*\\Desktop\\*" or Details like "*\\Downloads\\*" or Details like "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" or Details like "*\\System32\\spool\\drivers\\color\\*" or Details like "*\\Temporary Internet*" or Details like "*\\Users\\Public\\*" or Details like "*\\Windows\\Temp\\*" or Details like "*%appdata%*" or Details like "*%temp%*" or Details like "*%tmp%*" or Details like "*:\\Users\\*" and Details like "*\\Favorites\\*" or Details like "*:\\Users\\*" and Details like "*\\Favourites\\*" or Details like "*:\\Users\\*" and Details like "*\\Contacts\\*" or Details like "*:\\Users\\*" and Details like "*\\Pictures\\*")
Elastic Converted Lucene high T1546.015 ↗
COM Object Hijacking Via Modification Of Default System CLSID Default Value
Detects potential COM object hijacking via modification of default system CLSID.
Query:
((TargetObject:*\\CLSID\\* AND (TargetObject:(*\\InprocServer32\\\(Default\) OR *\\LocalServer32\\\(Default\)))) AND (TargetObject:(*\\\{1f486a52\-3cb1\-48fd\-8f50\-b8dc300d9f9d\}\\* OR *\\\{2155fee3\-2419\-4373\-b102\-6843707eb41f\}\\* OR *\\\{4590f811\-1d3a\-11d0\-891f\-00aa004b2e24\}\\* OR *\\\{4de225bf\-cf59\-4cfc\-85f7\-68b90f185355\}\\* OR *\\\{ddc05a5a\-351a\-4e06\-8eaf\-54ec1bc2dcea\}\\* OR *\\\{F56F6FDD\-AA9D\-4618\-A949\-C1B91AF43B1A\}\\* OR *\\\{F82B4EF1\-93A9\-4DDE\-8015\-F7950A1A6E31\}\\* OR *\\\{7849596a\-48ea\-486e\-8937\-a2a3009f31a9\}\\* OR *\\\{0b91a74b\-ad7c\-4a9d\-b563\-29eef9167172\}\\* OR *\\\{603D3801\-BD81\-11d0\-A3A5\-00C04FD706EC\}\\* OR *\\\{30D49246\-D217\-465F\-B00B\-AC9DDD652EB7\}\\* OR *\\\{A7A63E5C\-3877\-4840\-8727\-C1EA9D7A4D50\}\\* OR *\\\{2227A280\-3AEA\-1069\-A2DE\-08002B30309D\}\\* OR *\\\{2DEA658F\-54C1\-4227\-AF9B\-260AB5FC3543\}\\* OR *\\\{AA509086\-5Ca9\-4C25\-8F95\-589D3C07B48A\}\\*))) AND ((Details:(*\:\\Perflogs\\* OR *\\AppData\\Local\\* OR *\\Desktop\\* OR *\\Downloads\\* OR *\\Microsoft\\Windows\\Start\ Menu\\Programs\\Startup\\* OR *\\System32\\spool\\drivers\\color\\* OR *\\Temporary\ Internet* OR *\\Users\\Public\\* OR *\\Windows\\Temp\\* OR *%appdata%* OR *%temp%* OR *%tmp%*)) OR ((Details:*\:\\Users\\* AND Details:*\\Favorites\\*) OR (Details:*\:\\Users\\* AND Details:*\\Favourites\\*) OR (Details:*\:\\Users\\* AND Details:*\\Contacts\\*) OR (Details:*\:\\Users\\* AND Details:*\\Pictures\\*)))
Elastic Converted EQL high T1190 ↗
CVE-2020-0688 Exploitation Attempt
Detects CVE-2020-0688 exploitation attempts
Query:
any where `cs-uri-query`:"*/ecp/default.aspx*" and `cs-uri-query`:"*__VIEWSTATEGENERATOR=*" and `cs-uri-query`:"*__VIEWSTATE=*"
Elastic Converted ES|QL high T1190 ↗
CVE-2020-0688 Exploitation Attempt
Detects CVE-2020-0688 exploitation attempts
Query:
from * metadata _id, _index, _version | where `cs-uri-query` like "*/ecp/default.aspx*" and `cs-uri-query` like "*__VIEWSTATEGENERATOR=*" and `cs-uri-query` like "*__VIEWSTATE=*"
Elastic Converted Lucene high T1190 ↗
CVE-2020-0688 Exploitation Attempt
Detects CVE-2020-0688 exploitation attempts
Query:
cs-uri-query:*\/ecp\/default.aspx* AND cs-uri-query:*__VIEWSTATEGENERATOR\=* AND cs-uri-query:*__VIEWSTATE\=*
Elastic Converted EQL high T1190 ↗
CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
Query:
any where (EventID:4 and Provider_Name:"MSExchange Control Panel" and Level:"Error") and "&__VIEWSTATE="
Elastic Converted Lucene high T1190 ↗
CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
Query:
(EventID:4 AND Provider_Name:MSExchange\ Control\ Panel AND Level:Error) AND *\&__VIEWSTATE\=*
Elastic Converted EQL high T1112 ↗
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
Query:
any where TargetObject:"*\\Microsoft\\Windows NT\\CurrentVersion\\Ports*" and (Details like~ ("*.bat*", "*.com*", "*.dll*", "*.exe*", "*.ps1*", "*.vbe*", "*.vbs*", "*C:*"))
Elastic Converted ES|QL high T1112 ↗
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
Query:
from * metadata _id, _index, _version | where TargetObject like "*\\Microsoft\\Windows NT\\CurrentVersion\\Ports*" and (Details like "*.bat*" or Details like "*.com*" or Details like "*.dll*" or Details like "*.exe*" or Details like "*.ps1*" or Details like "*.vbe*" or Details like "*.vbs*" or Details like "*C:*")
Elastic Converted Lucene high T1112 ↗
CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
Detects changes to the "Ports" registry key with data that includes a Windows path or a file with a suspicious extension. This could be an attempt to exploit CVE-2020-1048 - a Windows Print Spooler elevation of privilege vulnerability.
Query:
TargetObject:*\\Microsoft\\Windows\ NT\\CurrentVersion\\Ports* AND (Details:(*.bat* OR *.com* OR *.dll* OR *.exe* OR *.ps1* OR *.vbe* OR *.vbs* OR *C\:*))
Elastic Converted EQL high T1190 ↗
CVE-2021-21972 VSphere Exploitation
Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
Query:
any where `cs-method`:"POST" and `cs-uri-query`:"/ui/vropspluginui/rest/services/uploadova"
Elastic Converted ES|QL high T1190 ↗
CVE-2021-21972 VSphere Exploitation
Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
Query:
from * metadata _id, _index, _version | where `cs-method`=="POST" and `cs-uri-query`=="/ui/vropspluginui/rest/services/uploadova"
Elastic Converted Lucene high T1190 ↗
CVE-2021-21972 VSphere Exploitation
Detects the exploitation of VSphere Remote Code Execution vulnerability as described in CVE-2021-21972
Query:
cs-method:POST AND cs-uri-query:\/ui\/vropspluginui\/rest\/services\/uploadova
Elastic Converted EQL high T1190 ↗
CVE-2021-21978 Exploitation Attempt
Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
Query:
any where `cs-method`:"POST" and (`cs-uri-query`:"*logupload*" and `cs-uri-query`:"*logMetaData*" and `cs-uri-query`:"*wsgi_log_upload.py*")
Elastic Converted ES|QL high T1190 ↗
CVE-2021-21978 Exploitation Attempt
Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
Query:
from * metadata _id, _index, _version | where `cs-method`=="POST" and `cs-uri-query` like "*logupload*" and `cs-uri-query` like "*logMetaData*" and `cs-uri-query` like "*wsgi_log_upload.py*"
Elastic Converted Lucene high T1190 ↗
CVE-2021-21978 Exploitation Attempt
Detects the exploitation of the VMware View Planner vulnerability described in CVE-2021-21978
Query:
cs-method:POST AND (cs-uri-query:*logupload* AND cs-uri-query:*logMetaData* AND cs-uri-query:*wsgi_log_upload.py*)
Elastic Converted EQL high T1203 ↗
CVE-2021-26858 Exchange Exploitation
Detects possible successful exploitation of the vulnerability described in CVE-2021-26858 by looking for the creation of non-standard files on disk by Exchange Server's Unified Messaging service, which could indicate dropped web shells or other malicious content
Query:
any where Image:"*UMWorkerProcess.exe" and (not (TargetFilename like~ ("*CacheCleanup.bin", "*.txt", "*.LOG", "*.cfg", "*cleanup.bin")))
Elastic Converted ES|QL high T1203 ↗
CVE-2021-26858 Exchange Exploitation
Detects possible successful exploitation of the vulnerability described in CVE-2021-26858 by looking for the creation of non-standard files on disk by Exchange Server's Unified Messaging service, which could indicate dropped web shells or other malicious content
Query:
from * metadata _id, _index, _version | where ends_with(Image, "UMWorkerProcess.exe") and not (ends_with(TargetFilename, "CacheCleanup.bin") or ends_with(TargetFilename, ".txt") or ends_with(TargetFilename, ".LOG") or ends_with(TargetFilename, ".cfg") or ends_with(TargetFilename, "cleanup.bin"))
Elastic Converted Lucene high T1203 ↗
CVE-2021-26858 Exchange Exploitation
Detects possible successful exploitation of the vulnerability described in CVE-2021-26858 by looking for the creation of non-standard files on disk by Exchange Server's Unified Messaging service, which could indicate dropped web shells or other malicious content
Query:
Image:*UMWorkerProcess.exe AND (NOT (TargetFilename:(*CacheCleanup.bin OR *.txt OR *.LOG OR *.cfg OR *cleanup.bin)))
Elastic Converted EQL high T1190 ↗
CVE-2021-41773 Exploitation Attempt
Detects exploitation of a flaw in path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
Query:
any where (`cs-uri-query` like~ ("*/cgi-bin/.%2e/*", "*/icons/.%2e/*", "*/cgi-bin/.%%32%65/*", "*/icons/.%%32%65/*", "*/cgi-bin/.%%%25%33*", "*/icons/.%%%25%33*")) and (`sc-status` in (200, 301))
Elastic Converted ES|QL high T1190 ↗
CVE-2021-41773 Exploitation Attempt
Detects exploitation of a flaw in path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
Query:
from * metadata _id, _index, _version | where (`cs-uri-query` like "*/cgi-bin/.%2e/*" or `cs-uri-query` like "*/icons/.%2e/*" or `cs-uri-query` like "*/cgi-bin/.%%32%65/*" or `cs-uri-query` like "*/icons/.%%32%65/*" or `cs-uri-query` like "*/cgi-bin/.%%%25%33*" or `cs-uri-query` like "*/icons/.%%%25%33*") and (`sc-status` in (200, 301))
Elastic Converted Lucene high T1190 ↗
CVE-2021-41773 Exploitation Attempt
Detects exploitation of a flaw in path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions.
Query:
(cs-uri-query:(*\/cgi\-bin\/.%2e\/* OR *\/icons\/.%2e\/* OR *\/cgi\-bin\/.%%32%65\/* OR *\/icons\/.%%32%65\/* OR *\/cgi\-bin\/.%%%25%33* OR *\/icons\/.%%%25%33*)) AND (sc-status:(200 OR 301))
Elastic Converted EQL high
CVE-2021-44077 POC Default Dropped File
Detects the creation of "msiexec.exe" in the "bin" directory of ManageEngine SupportCenter Plus, related to CVE-2021-44077, for which a public POC is available (see references section)
Query:
any where TargetFilename:"*\\ManageEngine\\SupportCenterPlus\\bin\\msiexec.exe"
Elastic Converted ES|QL high
CVE-2021-44077 POC Default Dropped File
Detects the creation of "msiexec.exe" in the "bin" directory of ManageEngine SupportCenter Plus, related to CVE-2021-44077, for which a public POC is available (see references section)
Query:
from * metadata _id, _index, _version | where ends_with(TargetFilename, "\\ManageEngine\\SupportCenterPlus\\bin\\msiexec.exe")
Elastic Converted Lucene high
CVE-2021-44077 POC Default Dropped File
Detects the creation of "msiexec.exe" in the "bin" directory of ManageEngine SupportCenter Plus, related to CVE-2021-44077, for which a public POC is available (see references section)
Query:
TargetFilename:*\\ManageEngine\\SupportCenterPlus\\bin\\msiexec.exe
Elastic Converted EQL high T1059.001 ↗
CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during local privilege escalation exploitation of CVE-2022-24527 in Microsoft Connected Cache
Query:
any where TargetFilename:"*WindowsPowerShell\\Modules\\webAdministration\\webAdministration.psm1" and (not (User like~ ("*AUTHORI*", "*AUTORI*")))
Elastic Converted ES|QL high T1059.001 ↗
CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during local privilege escalation exploitation of CVE-2022-24527 in Microsoft Connected Cache
Query:
from * metadata _id, _index, _version | where ends_with(TargetFilename, "WindowsPowerShell\\Modules\\webAdministration\\webAdministration.psm1") and not (User like "*AUTHORI*" or User like "*AUTORI*")
Elastic Converted Lucene high T1059.001 ↗
CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during local privilege escalation exploitation of CVE-2022-24527 in Microsoft Connected Cache
Query:
TargetFilename:*WindowsPowerShell\\Modules\\webAdministration\\webAdministration.psm1 AND (NOT (User:(*AUTHORI* OR *AUTORI*)))
Elastic Converted EQL high T1190 ↗
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
Detects the exploitation of the VMware Workspace ONE Access authentication bypass vulnerability described in CVE-2022-31656. VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Query:
any where `cs-uri-query`:"*/SAAS/t/_/;/*"
Showing 901-950 of 12,786