12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.
A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Show query
from * metadata _id, _index, _version | where `cs-uri-query` like "*/SAAS/t/_/;/*"
CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.
A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Show query
cs-uri-query:*\/SAAS\/t\/_\/;\/*
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
Show query
any where ((ParentImage:"*/java" and ParentCommandLine:"*confluence*") and (Image like~ ("*/bash", "*/curl", "*/echo", "*/wget"))) and (not CommandLine:"*ulimit -u*")
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
Show query
from * metadata _id, _index, _version | where ends_with(ParentImage, "/java") and ParentCommandLine like "*confluence*" and (ends_with(Image, "/bash") or ends_with(Image, "/curl") or ends_with(Image, "/echo") or ends_with(Image, "/wget")) and not CommandLine like "*ulimit -u*"
CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
Show query
((ParentImage:*\/java AND ParentCommandLine:*confluence*) AND (Image:(*\/bash OR *\/curl OR *\/echo OR *\/wget))) AND (NOT CommandLine:*ulimit\ \-u*)
Elastic · Converted · EQL · high
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
Show query
any where Image:"*\\WinRAR.exe" and TargetFilename:"*\\AppData\\Local\\Temp\\Rar$*" and TargetFilename regex~ "\.[a-zA-Z0-9]{1,4} \."
Elastic · Converted · ES|QL · high
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
Show query
from * metadata _id, _index, _version | where ends_with(Image, "\\WinRAR.exe") and TargetFilename like "*\\AppData\\Local\\Temp\\Rar$*" and TargetFilename rlike "\\.[a-zA-Z0-9]{1,4} \\."
Elastic · Converted · Lucene · high
CVE-2023-38331 Exploitation Attempt - Suspicious Double Extension File
Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
Show query
Image:*\\WinRAR.exe AND TargetFilename:*\\AppData\\Local\\Temp\\Rar$* AND TargetFilename:/\.[a-zA-Z0-9]{1,4} \./
CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
Show query
any where ParentImage:"*\\WinRAR.exe" and CommandLine:"*\\AppData\\Local\\Temp\\Rar$*" and CommandLine regex~ "\.[a-zA-Z0-9]{1,4} \." and ((Image like~ ("*\\cmd.exe", "*\\cscript.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe")) or (OriginalFileName like~ ("Cmd.Exe", "cscript.exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe")))
CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
Show query
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\WinRAR.exe") and CommandLine like "*\\AppData\\Local\\Temp\\Rar$*" and CommandLine rlike "\\.[a-zA-Z0-9]{1,4} \\." and (ends_with(Image, "\\cmd.exe") or ends_with(Image, "\\cscript.exe") or ends_with(Image, "\\powershell.exe") or ends_with(Image, "\\pwsh.exe") or ends_with(Image, "\\wscript.exe") or OriginalFileName in ("Cmd.Exe", "cscript.exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe"))
CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process
Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
Show query
ParentImage:*\\WinRAR.exe AND CommandLine:*\\AppData\\Local\\Temp\\Rar$* AND CommandLine:/\.[a-zA-Z0-9]{1,4} \./ AND ((Image:(*\\cmd.exe OR *\\cscript.exe OR *\\powershell.exe OR *\\pwsh.exe OR *\\wscript.exe)) OR (OriginalFileName:(Cmd.Exe OR cscript.exe OR PowerShell.EXE OR pwsh.dll OR wscript.exe)))
CVE-2023-46747 Exploitation Activity - Proxy
Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.
Show query
any where (cs-method:"POST" and c-uri:"*/mgmt/tm/util/bash*") and (("2f746d75692f436f6e74726f6c2f666f726d" and "666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a7370") or ("/tmui/Control/form" and "form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp"))
CVE-2023-46747 Exploitation Activity - Proxy
Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.
Show query
(cs-method:POST AND c-uri:*\/mgmt\/tm\/util\/bash*) AND ((*2f746d75692f436f6e74726f6c2f666f726d* AND *666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a7370*) OR (*\/tmui\/Control\/form* AND *form_page\=%2ftmui%2fsystem%2fuser%2fcreate.jsp*))
CVE-2023-46747 Exploitation Activity - Webserver
Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.
Show query
any where (cs-method:"POST" and cs-uri-stem:"*/mgmt/tm/util/bash*") and (("2f746d75692f436f6e74726f6c2f666f726d" and "666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a7370") or ("/tmui/Control/form" and "form_page=%2ftmui%2fsystem%2fuser%2fcreate.jsp"))
CVE-2023-46747 Exploitation Activity - Webserver
Detects exploitation activity of CVE-2023-46747, an unauthenticated remote code execution vulnerability in F5 BIG-IP.
Show query
(cs-method:POST AND cs-uri-stem:*\/mgmt\/tm\/util\/bash*) AND ((*2f746d75692f436f6e74726f6c2f666f726d* AND *666f726d5f706167653d253266746d756925326673797374656d253266757365722532666372656174652e6a7370*) OR (*\/tmui\/Control\/form* AND *form_page\=%2ftmui%2fsystem%2fuser%2fcreate.jsp*))
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via proxy logs by looking for a very long Host header string.
Show query
any where cs-method:"GET" and cs-uri:"*/oauth/idp/.well-known/openid-configuration*" and cs-host regex~ ".{150}"
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via proxy logs by looking for a very long Host header string.
Show query
from * metadata _id, _index, _version | where `cs-method`=="GET" and `cs-uri` like "*/oauth/idp/.well-known/openid-configuration*" and `cs-host` rlike ".{150}"
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Proxy
Detects exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via proxy logs by looking for a very long Host header string.
Show query
cs-method:GET AND cs-uri:*\/oauth\/idp\/.well\-known\/openid\-configuration* AND cs-host:/.{150}/
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via webserver logs by looking for a very long Host header string.
Show query
any where cs-method:"GET" and cs-uri-stem:"*/oauth/idp/.well-known/openid-configuration*" and cs-host regex~ ".{150}"
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via webserver logs by looking for a very long Host header string.
Show query
from * metadata _id, _index, _version | where `cs-method`=="GET" and `cs-uri-stem` like "*/oauth/idp/.well-known/openid-configuration*" and `cs-host` rlike ".{150}"
CVE-2023-4966 Exploitation Attempt - Citrix ADC Sensitive Information Disclosure - Webserver
Detects exploitation attempt of CVE-2023-4966, a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability, via webserver logs by looking for a very long Host header string.
Show query
cs-method:GET AND cs-uri-stem:*\/oauth\/idp\/.well\-known\/openid\-configuration* AND cs-host:/.{150}/
Elastic · Converted · EQL · high
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
Detects potential exploitation of CVE-2024-1709, an unauthenticated command injection in Progress Kemp LoadMaster.
It looks for GET requests to the '/access/set' API with the parameters 'param=enableapi' and 'value=1', combined with an "Authorization" header whose base64-encoded value contains an uncommon character.
Show query
any where (cs-method:"GET" and (cs-uri-stem:"*/access/set*" and cs-uri-stem:"*param=enableapi*" and cs-uri-stem:"*value=1*")) and ("Basic Jz" or "Basic c7" or "Basic nO" or "Basic ';")
Elastic · Converted · Lucene · high
CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
Detects potential exploitation of CVE-2024-1709, an unauthenticated command injection in Progress Kemp LoadMaster.
It looks for GET requests to the '/access/set' API with the parameters 'param=enableapi' and 'value=1', combined with an "Authorization" header whose base64-encoded value contains an uncommon character.
Show query
(cs-method:GET AND (cs-uri-stem:*\/access\/set* AND cs-uri-stem:*param\=enableapi* AND cs-uri-stem:*value\=1*)) AND (*Basic\ Jz* OR *Basic\ c7* OR *Basic\ nO* OR *Basic\ ';*)
CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
Show query
any where Provider_Name:"Application Error" and EventID:1000 and (Data:"*lsass.exe*" and Data:"*WLDAP32.dll*")
CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
Show query
from * metadata _id, _index, _version | where Provider_Name=="Application Error" and EventID==1000 and Data like "*lsass.exe*" and Data like "*WLDAP32.dll*"
CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
Show query
Provider_Name:Application\ Error AND EventID:1000 AND (Data:*lsass.exe* AND Data:*WLDAP32.dll*)
CVE-2024-50623 Exploitation Attempt - Cleo
Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned by the Cleo software suite with a suspicious PowerShell command line.
Show query
any where ParentImage:"*\\javaw.exe" and (ParentCommandLine like~ ("*Harmony*", "*lexicom*", "*VersaLex*", "*VLTrader*")) and Image:"*\\cmd.exe" and (CommandLine like~ ("*powershell*", "* -enc *", "* -EncodedCommand*", "*.Download*"))
CVE-2024-50623 Exploitation Attempt - Cleo
Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned by the Cleo software suite with a suspicious PowerShell command line.
Show query
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\javaw.exe") and (ParentCommandLine like "*Harmony*" or ParentCommandLine like "*lexicom*" or ParentCommandLine like "*VersaLex*" or ParentCommandLine like "*VLTrader*") and ends_with(Image, "\\cmd.exe") and (CommandLine like "*powershell*" or CommandLine like "* -enc *" or CommandLine like "* -EncodedCommand*" or CommandLine like "*.Download*")
CVE-2024-50623 Exploitation Attempt - Cleo
Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned by the Cleo software suite with a suspicious PowerShell command line.
Show query
ParentImage:*\\javaw.exe AND (ParentCommandLine:(*Harmony* OR *lexicom* OR *VersaLex* OR *VLTrader*)) AND Image:*\\cmd.exe AND (CommandLine:(*powershell* OR *\ \-enc\ * OR *\ \-EncodedCommand* OR *.Download*))
Elastic · Converted · EQL · high
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
Show query
any where (Image:"*\\wusa.exe" and CommandLine:"*/extract:*") and (CommandLine like~ ("*:\\PerfLogs\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\Appdata\\Local\\Temp\\*"))
Elastic · Converted · ES|QL · high
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
Show query
from * metadata _id, _index, _version | where ends_with(Image, "\\wusa.exe") and CommandLine like "*/extract:*" and (CommandLine like "*:\\PerfLogs\\*" or CommandLine like "*:\\Users\\Public\\*" or CommandLine like "*:\\Windows\\Temp\\*" or CommandLine like "*\\Appdata\\Local\\Temp\\*")
Elastic · Converted · Lucene · high
Cab File Extraction Via Wusa.EXE From Potentially Suspicious Paths
Detects the execution of the "wusa.exe" (Windows Update Standalone Installer) utility to extract ".cab" files using the "/extract" argument from potentially suspicious paths.
Show query
(Image:*\\wusa.exe AND CommandLine:*\/extract\:*) AND (CommandLine:(*\:\\PerfLogs\\* OR *\:\\Users\\Public\\* OR *\:\\Windows\\Temp\\* OR *\\Appdata\\Local\\Temp\\*))
Capsh Shell Invocation - Linux
Detects the use of the "capsh" utility to invoke a shell.
Show query
any where Image:"*/capsh" and CommandLine:"* --"
Capsh Shell Invocation - Linux
Detects the use of the "capsh" utility to invoke a shell.
Show query
from * metadata _id, _index, _version | where ends_with(Image, "/capsh") and ends_with(CommandLine, " --")
Capsh Shell Invocation - Linux
Detects the use of the "capsh" utility to invoke a shell.
Show query
Image:*\/capsh AND CommandLine:*\ \-\-
Chafer Malware URL Pattern
Detects HTTP request used by Chafer malware to receive data from its C2.
Show query
any where c-uri:"*/asp.asp\?ui=*"
Chafer Malware URL Pattern
Detects HTTP request used by Chafer malware to receive data from its C2.
Show query
from * metadata _id, _index, _version | where `c-uri` like "*/asp.asp\?ui=*"
Chafer Malware URL Pattern
Detects HTTP request used by Chafer malware to receive data from its C2.
Show query
c-uri:*\/asp.asp\?ui\=*
Change Default File Association To Executable Via Assoc
Detects when a program changes the default file association of any extension to an executable.
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Show query
any where ((Image:"*\\cmd.exe" or OriginalFileName:"Cmd.Exe") and (CommandLine:"*assoc *" and CommandLine:"*exefile*")) and (not CommandLine:"*.exe=exefile*")
Change Default File Association To Executable Via Assoc
Detects when a program changes the default file association of any extension to an executable.
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\cmd.exe") or OriginalFileName=="Cmd.Exe") and CommandLine like "*assoc *" and CommandLine like "*exefile*" and not CommandLine like "*.exe=exefile*"
Change Default File Association To Executable Via Assoc
Detects when a program changes the default file association of any extension to an executable.
When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.
Show query
((Image:*\\cmd.exe OR OriginalFileName:Cmd.Exe) AND (CommandLine:*assoc\ * AND CommandLine:*exefile*)) AND (NOT CommandLine:*.exe\=exefile*)
Change User Account Associated with the FAX Service
Detects a change of the user account associated with the FAX service, which could otherwise lead to privilege escalation.
Show query
any where TargetObject:"HKLM\\System\\CurrentControlSet\\Services\\Fax\\ObjectName" and (not Details:"*NetworkService*")
Change User Account Associated with the FAX Service
Detects a change of the user account associated with the FAX service, which could otherwise lead to privilege escalation.
Show query
from * metadata _id, _index, _version | where TargetObject=="HKLM\\System\\CurrentControlSet\\Services\\Fax\\ObjectName" and not Details like "*NetworkService*"
Change User Account Associated with the FAX Service
Detects a change of the user account associated with the FAX service, which could otherwise lead to privilege escalation.
Show query
TargetObject:HKLM\\System\\CurrentControlSet\\Services\\Fax\\ObjectName AND (NOT Details:*NetworkService*)
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
Show query
any where (TargetObject:"*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*" and TargetObject:"*\\ChannelAccess" and (Details like~ ("*(A;;0x1;;;LA)*", "*(A;;0x1;;;SY)*", "*(A;;0x5;;;BA)*"))) and (not (Image:"C:\\Windows\\servicing\\TrustedInstaller.exe" or (Image:"C:\\Windows\\WinSxS\\*" and Image:"*\\TiWorker.exe")))
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
Show query
from * metadata _id, _index, _version | where TargetObject like "*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\*" and ends_with(TargetObject, "\\ChannelAccess") and (Details like "*(A;;0x1;;;LA)*" or Details like "*(A;;0x1;;;SY)*" or Details like "*(A;;0x5;;;BA)*") and not (Image=="C:\\Windows\\servicing\\TrustedInstaller.exe" or starts_with(Image, "C:\\Windows\\WinSxS\\") and ends_with(Image, "\\TiWorker.exe"))
Change Winevt Channel Access Permission Via Registry
Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
Show query
(TargetObject:*\\Microsoft\\Windows\\CurrentVersion\\WINEVT\\Channels\\* AND TargetObject:*\\ChannelAccess AND (Details:(*\(A;;0x1;;;LA\)* OR *\(A;;0x1;;;SY\)* OR *\(A;;0x5;;;BA\)*))) AND (NOT (Image:C\:\\Windows\\servicing\\TrustedInstaller.exe OR (Image:C\:\\Windows\\WinSxS\\* AND Image:*\\TiWorker.exe)))
Change the Fax Dll
Detects possible persistence via a Fax DLL that is loaded when the service restarts.
Show query
any where (TargetObject:"*\\Software\\Microsoft\\Fax\\Device Providers\\*" and TargetObject:"*\\ImageName*") and (not Details:"%systemroot%\\system32\\fxst30.dll")
Change the Fax Dll
Detects possible persistence via a Fax DLL that is loaded when the service restarts.
Show query
from * metadata _id, _index, _version | where TargetObject like "*\\Software\\Microsoft\\Fax\\Device Providers\\*" and TargetObject like "*\\ImageName*" and not Details=="%systemroot%\\system32\\fxst30.dll"
Change the Fax Dll
Detects possible persistence via a Fax DLL that is loaded when the service restarts.
Show query
(TargetObject:*\\Software\\Microsoft\\Fax\\Device\ Providers\\* AND TargetObject:*\\ImageName*) AND (NOT Details:%systemroot%\\system32\\fxst30.dll)