12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Code Injection by ld.so Preload
Detects the ld.so preload persistence file. See `man ld.so` for more information.
Show query
*\/etc\/ld.so.preload*
CodeIntegrity - Blocked Driver Load With Revoked Certificate
Detects blocked load attempts of revoked drivers
Show query
any where EventID:3023
CodeIntegrity - Blocked Driver Load With Revoked Certificate
Detects blocked load attempts of revoked drivers
Show query
from * metadata _id, _index, _version | where EventID==3023
CodeIntegrity - Blocked Driver Load With Revoked Certificate
Detects blocked load attempts of revoked drivers
Show query
EventID:3023
Elastic
Converted
EQL
high
CodeIntegrity - Blocked Image Load With Revoked Certificate
Detects blocked image load events with revoked certificates by code integrity.
Show query
any where EventID:3036
Elastic
Converted
ES|QL
high
CodeIntegrity - Blocked Image Load With Revoked Certificate
Detects blocked image load events with revoked certificates by code integrity.
Show query
from * metadata _id, _index, _version | where EventID==3036
Elastic
Converted
Lucene
high
CodeIntegrity - Blocked Image Load With Revoked Certificate
Detects blocked image load events with revoked certificates by code integrity.
Show query
EventID:3036
CodeIntegrity - Blocked Image/Driver Load For Policy Violation
Detects blocked load events that did not meet the Authenticode signing level requirements or violated the code integrity policy.
Show query
any where EventID:3077
CodeIntegrity - Blocked Image/Driver Load For Policy Violation
Detects blocked load events that did not meet the Authenticode signing level requirements or violated the code integrity policy.
Show query
from * metadata _id, _index, _version | where EventID==3077
CodeIntegrity - Blocked Image/Driver Load For Policy Violation
Detects blocked load events that did not meet the Authenticode signing level requirements or violated the code integrity policy.
Show query
EventID:3077
Elastic
Converted
EQL
high
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
Detects block events for files that are disallowed by code integrity for protected processes
Show query
any where EventID:3104
Elastic
Converted
ES|QL
high
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
Detects block events for files that are disallowed by code integrity for protected processes
Show query
from * metadata _id, _index, _version | where EventID==3104
Elastic
Converted
Lucene
high
CodeIntegrity - Disallowed File For Protected Processes Has Been Blocked
Detects block events for files that are disallowed by code integrity for protected processes
Show query
EventID:3104
Elastic
Converted
EQL
high
CodeIntegrity - Revoked Image Loaded
Detects image load events with revoked certificates by code integrity.
Show query
any where EventID like~ (3032, 3035)
Elastic
Converted
ES|QL
high
CodeIntegrity - Revoked Image Loaded
Detects image load events with revoked certificates by code integrity.
Show query
from * metadata _id, _index, _version | where EventID in (3032, 3035)
Elastic
Converted
Lucene
high
CodeIntegrity - Revoked Image Loaded
Detects image load events with revoked certificates by code integrity.
Show query
EventID:(3032 OR 3035)
Elastic
Converted
EQL
high
CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver
Show query
any where EventID like~ (3021, 3022)
Elastic
Converted
ES|QL
high
CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver
Show query
from * metadata _id, _index, _version | where EventID in (3021, 3022)
Elastic
Converted
Lucene
high
CodeIntegrity - Revoked Kernel Driver Loaded
Detects the load of a revoked kernel driver
Show query
EventID:(3021 OR 3022)
Elastic
Converted
EQL
high
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
Detects loaded kernel modules that did not meet the WHQL signing requirements.
Show query
any where (EventID like~ (3082, 3083)) and (not (FileNameBuffer like~ ("system32\\drivers\\vsock.sys", "System32\\drivers\\vmci.sys")))
Elastic
Converted
ES|QL
high
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
Detects loaded kernel modules that did not meet the WHQL signing requirements.
Show query
from * metadata _id, _index, _version | where (EventID in (3082, 3083)) and not (FileNameBuffer in ("system32\\drivers\\vsock.sys", "System32\\drivers\\vmci.sys"))
Elastic
Converted
Lucene
high
CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
Detects loaded kernel modules that did not meet the WHQL signing requirements.
Show query
(EventID:(3082 OR 3083)) AND (NOT (FileNameBuffer:(system32\\drivers\\vsock.sys OR System32\\drivers\\vmci.sys)))
Elastic
Converted
EQL
high
CodeIntegrity - Unsigned Image Loaded
Detects an unsigned image loaded on the system
Show query
any where EventID:3037
Elastic
Converted
ES|QL
high
CodeIntegrity - Unsigned Image Loaded
Detects an unsigned image loaded on the system
Show query
from * metadata _id, _index, _version | where EventID==3037
Elastic
Converted
Lucene
high
CodeIntegrity - Unsigned Image Loaded
Detects an unsigned image loaded on the system
Show query
EventID:3037
Elastic
Converted
EQL
high
CodeIntegrity - Unsigned Kernel Module Loaded
Detects the presence of a loaded unsigned kernel module on the system.
Show query
any where EventID:3001
Elastic
Converted
ES|QL
high
CodeIntegrity - Unsigned Kernel Module Loaded
Detects the presence of a loaded unsigned kernel module on the system.
Show query
from * metadata _id, _index, _version | where EventID==3001
Elastic
Converted
Lucene
high
CodeIntegrity - Unsigned Kernel Module Loaded
Detects the presence of a loaded unsigned kernel module on the system.
Show query
EventID:3001
ComRAT Network Communication
Detects Turla ComRAT network communication.
Show query
any where c-uri:"*/index/index.php\?h=*"
ComRAT Network Communication
Detects Turla ComRAT network communication.
Show query
from * metadata _id, _index, _version | where `c-uri` like "*/index/index.php\?h=*"
ComRAT Network Communication
Detects Turla ComRAT network communication.
Show query
c-uri:*\/index\/index.php\?h\=*
Command Obfuscation via Unicode Modifier Letters
Identifies the presence of Unicode modifier letters in the process command_line. Adversaries sometimes replace ASCII
characters with visually similar Unicode modifier letters to evade simple string-based detections.
Command and Scripting Interpreter via Windows Scripts
Identifies PowerShell, PowerShell ISE, or Cmd execution spawned from Windows Script Host or MSHTA.
Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog
Show query
any where ("rm /var/log/syslog" or "rm -r /var/log/syslog" or "rm -f /var/log/syslog" or "rm -rf /var/log/syslog" or "mv /var/log/syslog" or " >/var/log/syslog" or " > /var/log/syslog") and (not "/syslog.")
Commands to Clear or Remove the Syslog - Builtin
Detects specific commands commonly used to remove or empty the syslog
Show query
(*rm\ \/var\/log\/syslog* OR *rm\ \-r\ \/var\/log\/syslog* OR *rm\ \-f\ \/var\/log\/syslog* OR *rm\ \-rf\ \/var\/log\/syslog* OR *mv\ \/var\/log\/syslog* OR *\ \>\/var\/log\/syslog* OR *\ \>\ \/var\/log\/syslog*) AND (NOT *\/syslog.*)
Communication To LocaltoNet Tunneling Service Initiated
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
Show query
any where (DestinationHostname like~ ("*.localto.net", "*.localtonet.com")) and Initiated:"true"
Communication To LocaltoNet Tunneling Service Initiated
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
Show query
from * metadata _id, _index, _version | where (ends_with(DestinationHostname, ".localto.net") or ends_with(DestinationHostname, ".localtonet.com")) and Initiated=="true"
Communication To LocaltoNet Tunneling Service Initiated
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
Show query
(DestinationHostname:(*.localto.net OR *.localtonet.com)) AND Initiated:true
Communication To LocaltoNet Tunneling Service Initiated - Linux
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
Show query
any where (DestinationHostname like~ ("*.localto.net", "*.localtonet.com")) and Initiated:"true"
Communication To LocaltoNet Tunneling Service Initiated - Linux
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
Show query
from * metadata _id, _index, _version | where (ends_with(DestinationHostname, ".localto.net") or ends_with(DestinationHostname, ".localtonet.com")) and Initiated=="true"
Communication To LocaltoNet Tunneling Service Initiated - Linux
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
Attackers have been seen to use this service for command-and-control activities to bypass MFA and perimeter controls.
Show query
(DestinationHostname:(*.localto.net OR *.localtonet.com)) AND Initiated:true
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of data exfiltration by malicious actors
Show query
any where DestinationHostname like~ ("*tunnel.us.ngrok.com*", "*tunnel.eu.ngrok.com*", "*tunnel.ap.ngrok.com*", "*tunnel.au.ngrok.com*", "*tunnel.sa.ngrok.com*", "*tunnel.jp.ngrok.com*", "*tunnel.in.ngrok.com*")
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of data exfiltration by malicious actors
Show query
from * metadata _id, _index, _version | where DestinationHostname like "*tunnel.us.ngrok.com*" or DestinationHostname like "*tunnel.eu.ngrok.com*" or DestinationHostname like "*tunnel.ap.ngrok.com*" or DestinationHostname like "*tunnel.au.ngrok.com*" or DestinationHostname like "*tunnel.sa.ngrok.com*" or DestinationHostname like "*tunnel.jp.ngrok.com*" or DestinationHostname like "*tunnel.in.ngrok.com*"
Communication To Ngrok Tunneling Service - Linux
Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of data exfiltration by malicious actors
Show query
DestinationHostname:(*tunnel.us.ngrok.com* OR *tunnel.eu.ngrok.com* OR *tunnel.ap.ngrok.com* OR *tunnel.au.ngrok.com* OR *tunnel.sa.ngrok.com* OR *tunnel.jp.ngrok.com* OR *tunnel.in.ngrok.com*)
Communication To Ngrok Tunneling Service Initiated
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers have been seen using ngrok to store their second-stage payloads and malware.
While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional payload download.
Show query
any where DestinationHostname like~ ("*tunnel.us.ngrok.com*", "*tunnel.eu.ngrok.com*", "*tunnel.ap.ngrok.com*", "*tunnel.au.ngrok.com*", "*tunnel.sa.ngrok.com*", "*tunnel.jp.ngrok.com*", "*tunnel.in.ngrok.com*")
Communication To Ngrok Tunneling Service Initiated
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers have been seen using ngrok to store their second-stage payloads and malware.
While communication with such domains can be legitimate, it is often a sign of either data exfiltration by malicious actors or an additional payload download.
Show query
from * metadata _id, _index, _version | where DestinationHostname like "*tunnel.us.ngrok.com*" or DestinationHostname like "*tunnel.eu.ngrok.com*" or DestinationHostname like "*tunnel.ap.ngrok.com*" or DestinationHostname like "*tunnel.au.ngrok.com*" or DestinationHostname like "*tunnel.sa.ngrok.com*" or DestinationHostname like "*tunnel.jp.ngrok.com*" or DestinationHostname like "*tunnel.in.ngrok.com*"
Communication To Ngrok Tunneling Service Initiated
Detects an executable initiating a network connection to "ngrok" tunneling domains.
Attackers were seen using this "ngrok" in order to store their second stage payloads and malware.
While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download.
Show query
DestinationHostname:(*tunnel.us.ngrok.com* OR *tunnel.eu.ngrok.com* OR *tunnel.ap.ngrok.com* OR *tunnel.au.ngrok.com* OR *tunnel.sa.ngrok.com* OR *tunnel.jp.ngrok.com* OR *tunnel.in.ngrok.com*)
Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
Show query
any where CommandLine:"*qlogin*" and CommandLine:"* -cs *" and CommandLine:"* -localadmin*" and CommandLine:"* -clp *" and CommandLine:"*_localadmin__*"
Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
Show query
from * metadata _id, _index, _version | where CommandLine like "*qlogin*" and CommandLine like "* -cs *" and CommandLine like "* -localadmin*" and CommandLine like "* -clp *" and CommandLine like "*_localadmin__*"
Commvault QLogin Argument Injection Authentication Bypass (CVE-2025-57791)
Detects the use of argument injection in the Commvault qlogin command - potential exploitation for CVE-2025-57791.
An attacker can inject the `-localadmin` parameter via the password field to bypass authentication and gain a privileged token.
Show query
CommandLine:*qlogin* AND CommandLine:*\ \-cs\ * AND CommandLine:*\ \-localadmin* AND CommandLine:*\ \-clp\ * AND CommandLine:*_localadmin__*