12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Commvault QOperation Path Traversal Webshell Drop (CVE-2025-57790)
Detects the use of qoperation.exe with the -file argument to write a JSP file to the webroot, indicating a webshell drop. This is a post-authentication step corresponding to CVE-2025-57790.
Query (EQL):
any where CommandLine:"*qoperation*" and CommandLine:"*exec*" and CommandLine:"* -af *" and CommandLine:"*.xml *" and CommandLine:"*\\Apache\\webapps\\ROOT\\*" and CommandLine:"*.jsp*"
Query (ES|QL):
from * metadata _id, _index, _version | where CommandLine like "*qoperation*" and CommandLine like "*exec*" and CommandLine like "* -af *" and CommandLine like "*.xml *" and CommandLine like "*\\Apache\\webapps\\ROOT\\*" and CommandLine like "*.jsp*"
Query (Lucene):
CommandLine:*qoperation* AND CommandLine:*exec* AND CommandLine:*\ \-af\ * AND CommandLine:*.xml\ * AND CommandLine:*\\Apache\\webapps\\ROOT\\* AND CommandLine:*.jsp*
Conhost Spawned By Suspicious Parent Process
Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.
Conhost.exe CommandLine Path Traversal
Detects the use of path traversal in the conhost.exe command line, indicating possible command/argument confusion or hijacking.
Query (EQL):
any where ParentCommandLine:"*conhost*" and CommandLine:"*/../../*"
Query (ES|QL):
from * metadata _id, _index, _version | where ParentCommandLine like "*conhost*" and CommandLine like "*/../../*"
Query (Lucene):
ParentCommandLine:*conhost* AND CommandLine:*\/..\/..\/*
Conti NTDS Exfiltration Command
Detects a command used by Conti to exfiltrate NTDS.
Query (EQL):
any where CommandLine:"*7za.exe*" and CommandLine:"*\\C$\\temp\\log.zip*"
Query (ES|QL):
from * metadata _id, _index, _version | where CommandLine like "*7za.exe*" and CommandLine like "*\\C$\\temp\\log.zip*"
Query (Lucene):
CommandLine:*7za.exe* AND CommandLine:*\\C$\\temp\\log.zip*
Conti Volume Shadow Listing
Detects a command used by Conti to find volume shadow backups.
Query (EQL):
any where CommandLine:"*vssadmin list shadows*" and CommandLine:"*log.txt*"
Query (ES|QL):
from * metadata _id, _index, _version | where CommandLine like "*vssadmin list shadows*" and CommandLine like "*log.txt*"
Query (Lucene):
CommandLine:*vssadmin\ list\ shadows* AND CommandLine:*log.txt*
Control Panel Items
Detects the malicious use of a control panel item.
Query (EQL):
any where ((Image:"*\\reg.exe" or OriginalFileName:"reg.exe") and (CommandLine:"*add*" and CommandLine:"*CurrentVersion\\Control Panel\\CPLs*")) or (CommandLine:"*.cpl" and (not ((CommandLine like~ ("*\\System32\\*", "*%System%*", "*|C:\\Windows\\system32|*")) or (CommandLine:"*regsvr32 *" and CommandLine:"* /s *" and CommandLine:"*igfxCPL.cpl*"))))
Query (ES|QL):
from * metadata _id, _index, _version | where (ends_with(Image, "\\reg.exe") or OriginalFileName=="reg.exe") and CommandLine like "*add*" and CommandLine like "*CurrentVersion\\Control Panel\\CPLs*" or ends_with(CommandLine, ".cpl") and not (CommandLine like "*\\System32\\*" or CommandLine like "*%System%*" or CommandLine like "*|C:\\Windows\\system32|*" or CommandLine like "*regsvr32 *" and CommandLine like "* /s *" and CommandLine like "*igfxCPL.cpl*")
Query (Lucene):
((Image:*\\reg.exe OR OriginalFileName:reg.exe) AND (CommandLine:*add* AND CommandLine:*CurrentVersion\\Control\ Panel\\CPLs*)) OR (CommandLine:*.cpl AND (NOT ((CommandLine:(*\\System32\\* OR *%System%* OR *\|C\:\\Windows\\system32\|*)) OR (CommandLine:*regsvr32\ * AND CommandLine:*\ \/s\ * AND CommandLine:*igfxCPL.cpl*))))
Control Panel Process with Unusual Arguments
Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value. Adversaries may abuse control.exe to proxy execution of malicious code.
Elastic · Converted · high
Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE
Detects use of the cmd.exe builtin copy command to copy files with the ".dmp"/".dump" extension from a remote share.
Query (EQL):
any where (Image:"*\\cmd.exe" or OriginalFileName:"Cmd.Exe") and ((CommandLine:"*copy *" and CommandLine:"* \\\\*") and (CommandLine like~ ("*.dmp*", "*.dump*", "*.hdmp*")))
Query (ES|QL):
from * metadata _id, _index, _version | where (ends_with(Image, "\\cmd.exe") or OriginalFileName=="Cmd.Exe") and CommandLine like "*copy *" and CommandLine like "* \\\\*" and (CommandLine like "*.dmp*" or CommandLine like "*.dump*" or CommandLine like "*.hdmp*")
Query (Lucene):
(Image:*\\cmd.exe OR OriginalFileName:Cmd.Exe) AND ((CommandLine:*copy\ * AND CommandLine:*\ \\\\*) AND (CommandLine:(*.dmp* OR *.dump* OR *.hdmp*)))
Copy From VolumeShadowCopy Via Cmd.EXE
Detects the execution of the builtin "copy" command that targets a shadow copy (sometimes used to copy registry hives that are in use).
Query (EQL):
any where CommandLine:"*copy *" and CommandLine:"*\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*"
Query (ES|QL):
from * metadata _id, _index, _version | where CommandLine like "*copy *" and CommandLine like "*\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*"
Query (Lucene):
CommandLine:*copy\ * AND CommandLine:*\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy*
Copy Passwd Or Shadow From TMP Path
Detects when the file "passwd" or "shadow" is copied from a /tmp path.
Query (EQL):
any where Image:"*/cp" and CommandLine:"*/tmp/*" and (CommandLine like~ ("*passwd*", "*shadow*"))
Query (ES|QL):
from * metadata _id, _index, _version | where ends_with(Image, "/cp") and CommandLine like "*/tmp/*" and (CommandLine like "*passwd*" or CommandLine like "*shadow*")
Query (Lucene):
Image:*\/cp AND CommandLine:*\/tmp\/* AND (CommandLine:(*passwd* OR *shadow*))
Copying Sensitive Files with Credential Data
Detects copying of files with well-known filenames (sensitive files containing credential data).
Query (EQL):
any where ((Image:"*\\esentutl.exe" or OriginalFileName:"\\esentutl.exe") and (CommandLine like~ ("*vss*") or CommandLine like~ ("* -m *", "* /m *", "* –m *", "* —m *", "* ―m *") or CommandLine like~ ("* -y *", "* /y *", "* –y *", "* —y *", "* ―y *"))) or (CommandLine like~ ("*\\config\\RegBack\\sam*", "*\\config\\RegBack\\security*", "*\\config\\RegBack\\system*", "*\\config\\sam*", "*\\config\\security*", "*\\config\\system *", "*\\repair\\sam*", "*\\repair\\security*", "*\\repair\\system*", "*\\windows\\ntds\\ntds.dit*"))
Query (ES|QL):
from * metadata _id, _index, _version | where (ends_with(Image, "\\esentutl.exe") or OriginalFileName=="\\esentutl.exe") and (CommandLine like "*vss*" or CommandLine like "* -m *" or CommandLine like "* /m *" or CommandLine like "* –m *" or CommandLine like "* —m *" or CommandLine like "* ―m *" or CommandLine like "* -y *" or CommandLine like "* /y *" or CommandLine like "* –y *" or CommandLine like "* —y *" or CommandLine like "* ―y *") or CommandLine like "*\\config\\RegBack\\sam*" or CommandLine like "*\\config\\RegBack\\security*" or CommandLine like "*\\config\\RegBack\\system*" or CommandLine like "*\\config\\sam*" or CommandLine like "*\\config\\security*" or CommandLine like "*\\config\\system *" or CommandLine like "*\\repair\\sam*" or CommandLine like "*\\repair\\security*" or CommandLine like "*\\repair\\system*" or CommandLine like "*\\windows\\ntds\\ntds.dit*"
Query (Lucene):
((Image:*\\esentutl.exe OR OriginalFileName:\\esentutl.exe) AND (CommandLine:(*vss*) OR CommandLine:(*\ \-m\ * OR *\ \/m\ * OR *\ –m\ * OR *\ —m\ * OR *\ ―m\ *) OR CommandLine:(*\ \-y\ * OR *\ \/y\ * OR *\ –y\ * OR *\ —y\ * OR *\ ―y\ *))) OR (CommandLine:(*\\config\\RegBack\\sam* OR *\\config\\RegBack\\security* OR *\\config\\RegBack\\system* OR *\\config\\sam* OR *\\config\\security* OR *\\config\\system\ * OR *\\repair\\sam* OR *\\repair\\security* OR *\\repair\\system* OR *\\windows\\ntds\\ntds.dit*))
Elastic · Original · ESQL · high
Correlated Alerts on Similar User Identities
This rule correlates alerts from multiple integrations and event categories that involve different user.name values which may represent the same real-world identity. It uses an LLM-based similarity analysis to evaluate whether multiple user identifiers (e.g. naming variations, formats, aliases, or domain differences) likely belong to the same person.
Create Volume Shadow Copy with Powershell
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information.
Query (EQL):
any where ScriptBlockText:"*Win32_ShadowCopy*" and ScriptBlockText:"*).Create(*" and ScriptBlockText:"*ClientAccessible*"
Query (ES|QL):
from * metadata _id, _index, _version | where ScriptBlockText like "*Win32_ShadowCopy*" and ScriptBlockText like "*).Create(*" and ScriptBlockText like "*ClientAccessible*"
Query (Lucene):
ScriptBlockText:*Win32_ShadowCopy* AND ScriptBlockText:*\).Create\(* AND ScriptBlockText:*ClientAccessible*
CreateDump Process Dump
Detects use of the createdump.exe LOLBIN utility to dump process memory.
Query (EQL):
any where (Image:"*\\createdump.exe" or OriginalFileName:"FX_VER_INTERNALNAME_STR") and (CommandLine like~ ("* -u *", "* --full *", "* -f *", "* --name *", "*.dmp *"))
Query (ES|QL):
from * metadata _id, _index, _version | where (ends_with(Image, "\\createdump.exe") or OriginalFileName=="FX_VER_INTERNALNAME_STR") and (CommandLine like "* -u *" or CommandLine like "* --full *" or CommandLine like "* -f *" or CommandLine like "* --name *" or CommandLine like "*.dmp *")
Query (Lucene):
(Image:*\\createdump.exe OR OriginalFileName:FX_VER_INTERNALNAME_STR) AND (CommandLine:(*\ \-u\ * OR *\ \-\-full\ * OR *\ \-f\ * OR *\ \-\-name\ * OR *.dmp\ *))
Creation Exe for Service with Unquoted Path
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
Query (EQL):
any where TargetFilename:"C:\\program.exe"
Query (ES|QL):
from * metadata _id, _index, _version | where TargetFilename=="C:\\program.exe"
Query (Lucene):
TargetFilename:C\:\\program.exe
Creation of a Hidden Local User Account
Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.
Creation of a Local Hidden User Account by Registry
Sysmon registry detection of a local hidden user account.
Query (EQL):
any where TargetObject:"*\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*" and TargetObject:"*$\\(Default)" and Image:"*\\lsass.exe"
Query (ES|QL):
from * metadata _id, _index, _version | where TargetObject like "*\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*" and ends_with(TargetObject, "$\\(Default)") and ends_with(Image, "\\lsass.exe")
Query (Lucene):
TargetObject:*\\SAM\\SAM\\Domains\\Account\\Users\\Names\\* AND TargetObject:*$\\\(Default\) AND Image:*\\lsass.exe
Creation or Modification of Domain Backup DPAPI private key
Identifies the creation or modification of Domain Backup private keys. Adversaries may extract the Data Protection API (DPAPI) domain backup key from a Domain Controller (DC) to be able to decrypt any domain user master key file.
Cred Dump Tools Dropped Files
Detects creation of files with well-known filenames (parts of credential dump software, or files produced by them).
Query (EQL):
any where (TargetFilename like~ ("*\\fgdump-log*", "*\\kirbi*", "*\\pwdump*", "*\\pwhashes*", "*\\wce_ccache*", "*\\wce_krbtkts*")) or (TargetFilename like~ ("*\\cachedump.exe", "*\\cachedump64.exe", "*\\DumpExt.dll", "*\\DumpSvc.exe", "*\\Dumpy.exe", "*\\fgexec.exe", "*\\lsremora.dll", "*\\lsremora64.dll", "*\\NTDS.out", "*\\procdump.exe", "*\\procdump64.exe", "*\\procdump64a.exe", "*\\pstgdump.exe", "*\\pwdump.exe", "*\\SAM.out", "*\\SECURITY.out", "*\\servpw.exe", "*\\servpw64.exe", "*\\SYSTEM.out", "*\\test.pwd", "*\\wceaux.dll"))
Query (ES|QL):
from * metadata _id, _index, _version | where TargetFilename like "*\\fgdump-log*" or TargetFilename like "*\\kirbi*" or TargetFilename like "*\\pwdump*" or TargetFilename like "*\\pwhashes*" or TargetFilename like "*\\wce_ccache*" or TargetFilename like "*\\wce_krbtkts*" or ends_with(TargetFilename, "\\cachedump.exe") or ends_with(TargetFilename, "\\cachedump64.exe") or ends_with(TargetFilename, "\\DumpExt.dll") or ends_with(TargetFilename, "\\DumpSvc.exe") or ends_with(TargetFilename, "\\Dumpy.exe") or ends_with(TargetFilename, "\\fgexec.exe") or ends_with(TargetFilename, "\\lsremora.dll") or ends_with(TargetFilename, "\\lsremora64.dll") or ends_with(TargetFilename, "\\NTDS.out") or ends_with(TargetFilename, "\\procdump.exe") or ends_with(TargetFilename, "\\procdump64.exe") or ends_with(TargetFilename, "\\procdump64a.exe") or ends_with(TargetFilename, "\\pstgdump.exe") or ends_with(TargetFilename, "\\pwdump.exe") or ends_with(TargetFilename, "\\SAM.out") or ends_with(TargetFilename, "\\SECURITY.out") or ends_with(TargetFilename, "\\servpw.exe") or ends_with(TargetFilename, "\\servpw64.exe") or ends_with(TargetFilename, "\\SYSTEM.out") or ends_with(TargetFilename, "\\test.pwd") or ends_with(TargetFilename, "\\wceaux.dll")
Query (Lucene):
(TargetFilename:(*\\fgdump\-log* OR *\\kirbi* OR *\\pwdump* OR *\\pwhashes* OR *\\wce_ccache* OR *\\wce_krbtkts*)) OR (TargetFilename:(*\\cachedump.exe OR *\\cachedump64.exe OR *\\DumpExt.dll OR *\\DumpSvc.exe OR *\\Dumpy.exe OR *\\fgexec.exe OR *\\lsremora.dll OR *\\lsremora64.dll OR *\\NTDS.out OR *\\procdump.exe OR *\\procdump64.exe OR *\\procdump64a.exe OR *\\pstgdump.exe OR *\\pwdump.exe OR *\\SAM.out OR *\\SECURITY.out OR *\\servpw.exe OR *\\servpw64.exe OR *\\SYSTEM.out OR *\\test.pwd OR *\\wceaux.dll))
Credential Acquisition via Registry Hive Dumping
Identifies attempts to export a registry hive which may contain credentials using the Windows reg.exe tool.
Credential Dumping - Detected - Elastic Endgame
Elastic Endgame detected Credential Dumping. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
Query (EQL):
any where TargetImage:"*\\lsass.exe" and (CallTrace:"*_ctypes.pyd+*" and CallTrace:"*:\\Windows\\System32\\KERNELBASE.dll+*" and CallTrace:"*:\\Windows\\SYSTEM32\\ntdll.dll+*") and (CallTrace like~ ("*python27.dll+*", "*python3*.dll+*")) and GrantedAccess:"0x1FFFFF"