12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Changes To PIM Settings
Detects when changes are made to PIM roles
any where properties.message:"Update role setting in PIM"
Changes To PIM Settings
Detects when changes are made to PIM roles
from * metadata _id, _index, _version | where properties.message=="Update role setting in PIM"
Changes To PIM Settings
Detects when changes are made to PIM roles
properties.message:Update\ role\ setting\ in\ PIM
Changes to Device Registration Policy
Monitor and alert for changes to the device registration policy.
any where Category:"Policy" and ActivityDisplayName:"Set device registration policies"
Changes to Device Registration Policy
Monitor and alert for changes to the device registration policy.
from * metadata _id, _index, _version | where Category=="Policy" and ActivityDisplayName=="Set device registration policies"
Changes to Device Registration Policy
Monitor and alert for changes to the device registration policy.
Category:Policy AND ActivityDisplayName:Set\ device\ registration\ policies
Chopper Webshell Process Pattern
Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells
any where (Image:"*\\w3wp.exe" or ParentImage:"*\\w3wp.exe") and (CommandLine like~ ("*&ipconfig&echo*", "*&quser&echo*", "*&whoami&echo*", "*&c:&echo*", "*&cd&echo*", "*&dir&echo*", "*&echo [E]*", "*&echo [S]*"))
Chopper Webshell Process Pattern
Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells
from * metadata _id, _index, _version | where (ends_with(Image, "\\w3wp.exe") or ends_with(ParentImage, "\\w3wp.exe")) and (CommandLine like "*&ipconfig&echo*" or CommandLine like "*&quser&echo*" or CommandLine like "*&whoami&echo*" or CommandLine like "*&c:&echo*" or CommandLine like "*&cd&echo*" or CommandLine like "*&dir&echo*" or CommandLine like "*&echo [E]*" or CommandLine like "*&echo [S]*")
Chopper Webshell Process Pattern
Detects patterns found in process executions caused by China Chopper-like tiny (ASPX) webshells
(Image:*\\w3wp.exe OR ParentImage:*\\w3wp.exe) AND (CommandLine:(*\&ipconfig\&echo* OR *\&quser\&echo* OR *\&whoami\&echo* OR *\&c\:\&echo* OR *\&cd\&echo* OR *\&dir\&echo* OR *\&echo\ \[E\]* OR *\&echo\ \[S\]*))
ChromeLoader Malware Execution
Detects execution of ChromeLoader malware via a registered scheduled task
any where ParentImage:"*\\powershell.exe" and ParentCommandLine:"*-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB*" and CommandLine:"*--load-extension=\"*\\Appdata\\local\\chrome\"*" and Image:"*\\chrome.exe"
ChromeLoader Malware Execution
Detects execution of ChromeLoader malware via a registered scheduled task
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\powershell.exe") and ParentCommandLine like "*-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB*" and CommandLine like "*--load-extension=\"*\\Appdata\\local\\chrome\"*" and ends_with(Image, "\\chrome.exe")
ChromeLoader Malware Execution
Detects execution of ChromeLoader malware via a registered scheduled task
ParentImage:*\\powershell.exe AND ParentCommandLine:*\-ExecutionPolicy\ Bypass\ \-WindowStyle\ Hidden\ \-E\ JAB* AND CommandLine:*\-\-load\-extension\=\"*\\Appdata\\local\\chrome\"* AND Image:*\\chrome.exe
Elastic · Converted · EQL · high
Chromium Browser Headless Execution To Mockbin Like Site
Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
any where (Image like~ ("*\\brave.exe", "*\\chrome.exe", "*\\msedge.exe", "*\\opera.exe", "*\\vivaldi.exe")) and CommandLine:"*--headless*" and (CommandLine like~ ("*://run.mocky*", "*://mockbin*"))
Elastic · Converted · ES|QL · high
Chromium Browser Headless Execution To Mockbin Like Site
Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
from * metadata _id, _index, _version | where (ends_with(Image, "\\brave.exe") or ends_with(Image, "\\chrome.exe") or ends_with(Image, "\\msedge.exe") or ends_with(Image, "\\opera.exe") or ends_with(Image, "\\vivaldi.exe")) and CommandLine like "*--headless*" and (CommandLine like "*://run.mocky*" or CommandLine like "*://mockbin*")
Elastic · Converted · Lucene · high
Chromium Browser Headless Execution To Mockbin Like Site
Detects the execution of a Chromium based browser process with the "headless" flag and a URL pointing to the mockbin.org service (which can be used to exfiltrate data).
(Image:(*\\brave.exe OR *\\chrome.exe OR *\\msedge.exe OR *\\opera.exe OR *\\vivaldi.exe)) AND CommandLine:*\-\-headless* AND (CommandLine:(*\:\/\/run.mocky* OR *\:\/\/mockbin*))
Chroot Execution in Container Context on Linux
Detects chroot execution on Linux when the process appears to run in a container-oriented context: the process title
matches runc init, the entry leader is a container workload, or the parent process is runc. Chroot from inside a
container can pivot to an alternate root filesystem and is a common step in container breakout attempts when combined
with sensitive host mounts.
Cisco ASA Exploitation Activity - Proxy
Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.
any where cs-method:"GET" and (cs-uri-stem like~ ("/+CSCOU+/MacTunnelStart.jar", "/+CSCOL+/csvrloader64.cab", "/+CSCOL+/csvrloader.jar"))
Cisco ASA Exploitation Activity - Proxy
Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.
from * metadata _id, _index, _version | where `cs-method`=="GET" and (`cs-uri-stem` in ("/+CSCOU+/MacTunnelStart.jar", "/+CSCOL+/csvrloader64.cab", "/+CSCOL+/csvrloader.jar"))
Cisco ASA Exploitation Activity - Proxy
Detects suspicious requests to Cisco ASA WebVpn via proxy logs associated with CVE-2025-20333 and CVE-2025-20362 exploitation.
cs-method:GET AND (cs-uri-stem:(\/\+CSCOU\+\/MacTunnelStart.jar OR \/\+CSCOL\+\/csvrloader64.cab OR \/\+CSCOL\+\/csvrloader.jar))
Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)
any where (cs-uri-query like~ ("*+CSCOT+/translation-table*", "*+CSCOT+/oem-customization*")) and (cs-uri-query like~ ("*&textdomain=/*", "*&textdomain=%*", "*&name=/*", "*&name=%*")) and sc-status:200
Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)
from * metadata _id, _index, _version | where (`cs-uri-query` like "*+CSCOT+/translation-table*" or `cs-uri-query` like "*+CSCOT+/oem-customization*") and (`cs-uri-query` like "*&textdomain=/*" or `cs-uri-query` like "*&textdomain=%*" or `cs-uri-query` like "*&name=/*" or `cs-uri-query` like "*&name=%*") and `sc-status`==200
Cisco ASA FTD Exploit CVE-2020-3452
Detects exploitation attempts on Cisco ASA FTD systems exploiting CVE-2020-3452 with a status code of 200 (successful exploitation)
(cs-uri-query:(*\+CSCOT\+\/translation\-table* OR *\+CSCOT\+\/oem\-customization*)) AND (cs-uri-query:(*\&textdomain\=\/* OR *\&textdomain\=%* OR *\&name\=\/* OR *\&name\=%*)) AND sc-status:200
Cisco Clear Logs
Detects clearing of command history on a network OS, a technique used for defense evasion
any where "clear logging" or "clear archive"
Cisco Clear Logs
Detects clearing of command history on a network OS, a technique used for defense evasion
*clear\ logging* OR *clear\ archive*
Cisco Crypto Commands
Shows when private keys are exported from the device or when new certificates are installed
any where "crypto pki export" or "crypto pki import" or "crypto pki trustpoint"
Cisco Crypto Commands
Shows when private keys are exported from the device or when new certificates are installed
*crypto\ pki\ export* OR *crypto\ pki\ import* OR *crypto\ pki\ trustpoint*
Cisco Disabling Logging
Detects logging being turned off locally or remotely
any where "no logging" or "no aaa new-model"
Cisco Disabling Logging
Detects logging being turned off locally or remotely
*no\ logging* OR *no\ aaa\ new\-model*
Cisco Local Accounts
Finds local accounts being created or modified, as well as remote authentication configurations
any where "username" or "aaa"
Cisco Local Accounts
Finds local accounts being created or modified, as well as remote authentication configurations
*username* OR *aaa*
Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
any where ScriptBlockText:"*Clear-History*" or ((ScriptBlockText like~ ("*Remove-Item*", "*rm*")) and (ScriptBlockText like~ ("*ConsoleHost_history.txt*", "*(Get-PSReadlineOption).HistorySavePath*")))
Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
from * metadata _id, _index, _version | where ScriptBlockText like "*Clear-History*" or (ScriptBlockText like "*Remove-Item*" or ScriptBlockText like "*rm*") and (ScriptBlockText like "*ConsoleHost_history.txt*" or ScriptBlockText like "*(Get-PSReadlineOption).HistorySavePath*")
Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
ScriptBlockText:*Clear\-History* OR ((ScriptBlockText:(*Remove\-Item* OR *rm*)) AND (ScriptBlockText:(*ConsoleHost_history.txt* OR *\(Get\-PSReadlineOption\).HistorySavePath*)))
Cmd.EXE Missing Space Characters Execution Anomaly
Detects Windows command lines that are missing a space before or after the /c flag when running a command via cmd.exe.
This could be a sign of obfuscation or of a fat-finger problem (a typo by the developer).
any where ((CommandLine like~ ("*cmd.exe/c*", "*\\cmd/c*", "*\"cmd/c*", "*cmd.exe/k*", "*\\cmd/k*", "*\"cmd/k*", "*cmd.exe/r*", "*\\cmd/r*", "*\"cmd/r*")) or (CommandLine like~ ("*/cwhoami*", "*/cpowershell*", "*/cschtasks*", "*/cbitsadmin*", "*/ccertutil*", "*/kwhoami*", "*/kpowershell*", "*/kschtasks*", "*/kbitsadmin*", "*/kcertutil*")) or (CommandLine like~ ("*cmd.exe /c*", "*cmd /c*", "*cmd.exe /k*", "*cmd /k*", "*cmd.exe /r*", "*cmd /r*"))) and (not ((CommandLine like~ ("*cmd.exe /c *", "*cmd /c *", "*cmd.exe /k *", "*cmd /k *", "*cmd.exe /r *", "*cmd /r *")) or (CommandLine like~ ("*AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules*", "*cmd.exe/c .", "cmd.exe /c", "cmd /c"))))
Cmd.EXE Missing Space Characters Execution Anomaly
Detects Windows command lines that are missing a space before or after the /c flag when running a command via cmd.exe.
This could be a sign of obfuscation or of a fat-finger problem (a typo by the developer).
from * metadata _id, _index, _version | where (CommandLine like "*cmd.exe/c*" or CommandLine like "*\\cmd/c*" or CommandLine like "*\"cmd/c*" or CommandLine like "*cmd.exe/k*" or CommandLine like "*\\cmd/k*" or CommandLine like "*\"cmd/k*" or CommandLine like "*cmd.exe/r*" or CommandLine like "*\\cmd/r*" or CommandLine like "*\"cmd/r*" or CommandLine like "*/cwhoami*" or CommandLine like "*/cpowershell*" or CommandLine like "*/cschtasks*" or CommandLine like "*/cbitsadmin*" or CommandLine like "*/ccertutil*" or CommandLine like "*/kwhoami*" or CommandLine like "*/kpowershell*" or CommandLine like "*/kschtasks*" or CommandLine like "*/kbitsadmin*" or CommandLine like "*/kcertutil*" or CommandLine like "*cmd.exe /c*" or CommandLine like "*cmd /c*" or CommandLine like "*cmd.exe /k*" or CommandLine like "*cmd /k*" or CommandLine like "*cmd.exe /r*" or CommandLine like "*cmd /r*") and not (CommandLine like "*cmd.exe /c *" or CommandLine like "*cmd /c *" or CommandLine like "*cmd.exe /k *" or CommandLine like "*cmd /k *" or CommandLine like "*cmd.exe /r *" or CommandLine like "*cmd /r *" or CommandLine like "*AppData\\Local\\Programs\\Microsoft VS Code\\resources\\app\\node_modules*" or ends_with(CommandLine, "cmd.exe/c .") or CommandLine=="cmd.exe /c" or CommandLine=="cmd /c")
Cmd.EXE Missing Space Characters Execution Anomaly
Detects Windows command lines that are missing a space before or after the /c flag when running a command via cmd.exe.
This could be a sign of obfuscation or of a fat-finger problem (a typo by the developer).
((CommandLine:(*cmd.exe\/c* OR *\\cmd\/c* OR *\"cmd\/c* OR *cmd.exe\/k* OR *\\cmd\/k* OR *\"cmd\/k* OR *cmd.exe\/r* OR *\\cmd\/r* OR *\"cmd\/r*)) OR (CommandLine:(*\/cwhoami* OR *\/cpowershell* OR *\/cschtasks* OR *\/cbitsadmin* OR *\/ccertutil* OR *\/kwhoami* OR *\/kpowershell* OR *\/kschtasks* OR *\/kbitsadmin* OR *\/kcertutil*)) OR (CommandLine:(*cmd.exe\ \/c* OR *cmd\ \/c* OR *cmd.exe\ \/k* OR *cmd\ \/k* OR *cmd.exe\ \/r* OR *cmd\ \/r*))) AND (NOT ((CommandLine:(*cmd.exe\ \/c\ * OR *cmd\ \/c\ * OR *cmd.exe\ \/k\ * OR *cmd\ \/k\ * OR *cmd.exe\ \/r\ * OR *cmd\ \/r\ *)) OR (CommandLine:(*AppData\\Local\\Programs\\Microsoft\ VS\ Code\\resources\\app\\node_modules* OR *cmd.exe\/c\ . OR cmd.exe\ \/c OR cmd\ \/c))))
Cobalt Strike Command and Control Beacon
Cobalt Strike is a threat emulation platform commonly modified and used by adversaries to conduct network attack and
exploitation campaigns. This rule detects a network activity algorithm leveraged by Cobalt Strike implant beacons for
command and control.
CobaltStrike Load by Rundll32
Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
any where (Image:"*\\rundll32.exe" or OriginalFileName:"RUNDLL32.EXE" or (CommandLine like~ ("*rundll32.exe*", "*rundll32 *"))) and (CommandLine:"*.dll*" and (CommandLine like~ ("* StartW", "*,StartW")))
CobaltStrike Load by Rundll32
Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
from * metadata _id, _index, _version | where (ends_with(Image, "\\rundll32.exe") or OriginalFileName=="RUNDLL32.EXE" or CommandLine like "*rundll32.exe*" or CommandLine like "*rundll32 *") and CommandLine like "*.dll*" and (ends_with(CommandLine, " StartW") or ends_with(CommandLine, ",StartW"))
CobaltStrike Load by Rundll32
Rundll32 can be used by Cobalt Strike with the StartW function to load DLLs from the command line.
(Image:*\\rundll32.exe OR OriginalFileName:RUNDLL32.EXE OR (CommandLine:(*rundll32.exe* OR *rundll32\ *))) AND (CommandLine:*.dll* AND (CommandLine:(*\ StartW OR *,StartW)))
CobaltStrike Named Pipe Patterns
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
any where (((PipeName like~ ("\\DserNamePipe*", "\\f4c3*", "\\f53f*", "\\fullduplex_*", "\\mojo.5688.8052.183894939787088877*", "\\mojo.5688.8052.35780273329370473*", "\\MsFteWds*", "\\msrpc_*", "\\mypipe-f*", "\\mypipe-h*", "\\ntsvcs*", "\\PGMessagePipe*", "\\rpc_*", "\\scerpc*", "\\SearchTextHarvester*", "\\spoolss*", "\\win_svc*", "\\win\\msrpc_*", "\\windows.update.manager*", "\\wkssvc*")) or (PipeName like~ ("\\demoagent_11", "\\demoagent_22"))) or (PipeName:"\\Winsock2\\CatalogChangeListener-*" and PipeName:"*-0,")) and (not (PipeName like~ ("\\wkssvc", "\\spoolss", "\\scerpc", "\\ntsvcs", "\\SearchTextHarvester", "\\PGMessagePipe", "\\MsFteWds"))) and (not ((Image like~ ("*:\\Program Files\\Websense\\*", "*:\\Program Files (x86)\\Websense\\*")) and (PipeName like~ ("\\DserNamePipeR*", "\\DserNamePipeW*"))))
CobaltStrike Named Pipe Patterns
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
from * metadata _id, _index, _version | where (starts_with(PipeName, "\\DserNamePipe") or starts_with(PipeName, "\\f4c3") or starts_with(PipeName, "\\f53f") or starts_with(PipeName, "\\fullduplex_") or starts_with(PipeName, "\\mojo.5688.8052.183894939787088877") or starts_with(PipeName, "\\mojo.5688.8052.35780273329370473") or starts_with(PipeName, "\\MsFteWds") or starts_with(PipeName, "\\msrpc_") or starts_with(PipeName, "\\mypipe-f") or starts_with(PipeName, "\\mypipe-h") or starts_with(PipeName, "\\ntsvcs") or starts_with(PipeName, "\\PGMessagePipe") or starts_with(PipeName, "\\rpc_") or starts_with(PipeName, "\\scerpc") or starts_with(PipeName, "\\SearchTextHarvester") or starts_with(PipeName, "\\spoolss") or starts_with(PipeName, "\\win_svc") or starts_with(PipeName, "\\win\\msrpc_") or starts_with(PipeName, "\\windows.update.manager") or starts_with(PipeName, "\\wkssvc") or PipeName in ("\\demoagent_11", "\\demoagent_22") or starts_with(PipeName, "\\Winsock2\\CatalogChangeListener-") and ends_with(PipeName, "-0,")) and not (PipeName in ("\\wkssvc", "\\spoolss", "\\scerpc", "\\ntsvcs", "\\SearchTextHarvester", "\\PGMessagePipe", "\\MsFteWds")) and not ((Image like "*:\\Program Files\\Websense\\*" or Image like "*:\\Program Files (x86)\\Websense\\*") and (starts_with(PipeName, "\\DserNamePipeR") or starts_with(PipeName, "\\DserNamePipeW")))
CobaltStrike Named Pipe Patterns
Detects the creation of a named pipe with a pattern found in CobaltStrike malleable C2 profiles
(((PipeName:(\\DserNamePipe* OR \\f4c3* OR \\f53f* OR \\fullduplex_* OR \\mojo.5688.8052.183894939787088877* OR \\mojo.5688.8052.35780273329370473* OR \\MsFteWds* OR \\msrpc_* OR \\mypipe\-f* OR \\mypipe\-h* OR \\ntsvcs* OR \\PGMessagePipe* OR \\rpc_* OR \\scerpc* OR \\SearchTextHarvester* OR \\spoolss* OR \\win_svc* OR \\win\\msrpc_* OR \\windows.update.manager* OR \\wkssvc*)) OR (PipeName:(\\demoagent_11 OR \\demoagent_22))) OR (PipeName:\\Winsock2\\CatalogChangeListener\-* AND PipeName:*\-0,)) AND (NOT (PipeName:(\\wkssvc OR \\spoolss OR \\scerpc OR \\ntsvcs OR \\SearchTextHarvester OR \\PGMessagePipe OR \\MsFteWds))) AND (NOT ((Image:(*\:\\Program\ Files\\Websense\\* OR *\:\\Program\ Files\ \(x86\)\\Websense\\*)) AND (PipeName:(\\DserNamePipeR* OR \\DserNamePipeW*))))
CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
any where EventID:4697 and ((ServiceFileName:"*ADMIN$*" and ServiceFileName:"*.exe*") or (ServiceFileName:"*%COMSPEC%*" and ServiceFileName:"*start*" and ServiceFileName:"*powershell*") or ServiceFileName:"*powershell -nop -w hidden -encodedcommand*" or ServiceFileName like~ ("*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*", "*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*", "*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*"))
CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
from * metadata _id, _index, _version | where EventID==4697 and (ServiceFileName like "*ADMIN$*" and ServiceFileName like "*.exe*" or ServiceFileName like "*%COMSPEC%*" and ServiceFileName like "*start*" and ServiceFileName like "*powershell*" or ServiceFileName like "*powershell -nop -w hidden -encodedcommand*" or ServiceFileName like "*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO*" or ServiceFileName like "*lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT*" or ServiceFileName like "*JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*")
CobaltStrike Service Installations - Security
Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or performs lateral movement
EventID:4697 AND ((ServiceFileName:*ADMIN$* AND ServiceFileName:*.exe*) OR (ServiceFileName:*%COMSPEC%* AND ServiceFileName:*start* AND ServiceFileName:*powershell*) OR ServiceFileName:*powershell\ \-nop\ \-w\ hidden\ \-encodedcommand* OR ServiceFileName:(*SUVYIChOZXctT2JqZWN0IE5ldC5XZWJjbGllbnQpLkRvd25sb2FkU3RyaW5nKCdodHRwOi8vMTI3LjAuMC4xO* OR *lFWCAoTmV3LU9iamVjdCBOZXQuV2ViY2xpZW50KS5Eb3dubG9hZFN0cmluZygnaHR0cDovLzEyNy4wLjAuMT* OR *JRVggKE5ldy1PYmplY3QgTmV0LldlYmNsaWVudCkuRG93bmxvYWRTdHJpbmcoJ2h0dHA6Ly8xMjcuMC4wLjE6*))
Code Executed Via Office Add-in XLL File
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Office add-ins can be used to add functionality to Office programs.
any where ScriptBlockText:"*new-object *" and ScriptBlockText:"*-ComObject *" and ScriptBlockText:"*.application*" and ScriptBlockText:"*.RegisterXLL*"
Code Executed Via Office Add-in XLL File
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Office add-ins can be used to add functionality to Office programs.
from * metadata _id, _index, _version | where ScriptBlockText like "*new-object *" and ScriptBlockText like "*-ComObject *" and ScriptBlockText like "*.application*" and ScriptBlockText like "*.RegisterXLL*"
Code Executed Via Office Add-in XLL File
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Office add-ins can be used to add functionality to Office programs.
ScriptBlockText:*new\-object\ * AND ScriptBlockText:*\-ComObject\ * AND ScriptBlockText:*.application* AND ScriptBlockText:*.RegisterXLL*
Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See `man ld.so` for more information.
any where "/etc/ld.so.preload"