Tool: Splunk
12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections (50 shown of 12,786)
Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
from * metadata _id, _index, _version | where ends_with(TargetImage, "\\lsass.exe") and CallTrace like "*_ctypes.pyd+*" and CallTrace like "*:\\Windows\\System32\\KERNELBASE.dll+*" and CallTrace like "*:\\Windows\\SYSTEM32\\ntdll.dll+*" and (CallTrace like "*python27.dll+*" or CallTrace like "*python3*.dll+*") and GrantedAccess=="0x1FFFFF"
Credential Dumping Activity By Python Based Tool
Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.
TargetImage:*\\lsass.exe AND (CallTrace:*_ctypes.pyd\+* AND CallTrace:*\:\\Windows\\System32\\KERNELBASE.dll\+* AND CallTrace:*\:\\Windows\\SYSTEM32\\ntdll.dll\+*) AND (CallTrace:(*python27.dll\+* OR *python3*.dll\+*)) AND GrantedAccess:0x1FFFFF
Credential Dumping Attempt Via Svchost
Detects when a process tries to access the memory of svchost to potentially dump credentials.
any where (TargetImage:"*\\svchost.exe" and GrantedAccess:"0x143a") and (not (SourceImage like~ ("*\\services.exe", "*\\msiexec.exe")))
Credential Dumping Attempt Via Svchost
Detects when a process tries to access the memory of svchost to potentially dump credentials.
from * metadata _id, _index, _version | where ends_with(TargetImage, "\\svchost.exe") and GrantedAccess=="0x143a" and not (ends_with(SourceImage, "\\services.exe") or ends_with(SourceImage, "\\msiexec.exe"))
Credential Dumping Attempt Via Svchost
Detects when a process tries to access the memory of svchost to potentially dump credentials.
(TargetImage:*\\svchost.exe AND GrantedAccess:0x143a) AND (NOT (SourceImage:(*\\services.exe OR *\\msiexec.exe)))
Credential Dumping Attempt Via WerFault
Detects an LSASS process memory dump by Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr, based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll, on Windows 10, Server 2016 and later.
any where SourceImage:"*\\WerFault.exe" and TargetImage:"*\\lsass.exe" and GrantedAccess:"0x1FFFFF"
Credential Dumping Attempt Via WerFault
Detects an LSASS process memory dump by Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr, based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll, on Windows 10, Server 2016 and later.
from * metadata _id, _index, _version | where ends_with(SourceImage, "\\WerFault.exe") and ends_with(TargetImage, "\\lsass.exe") and GrantedAccess=="0x1FFFFF"
Credential Dumping Attempt Via WerFault
Detects an LSASS process memory dump by Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr, based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll, on Windows 10, Server 2016 and later.
SourceImage:*\\WerFault.exe AND TargetImage:*\\lsass.exe AND GrantedAccess:0x1FFFFF
Credential Dumping Tools Service Execution - Security
Detects execution of well-known credential dumping tools via service execution events.
any where EventID:4697 and (ServiceFileName like~ ("*cachedump*", "*dumpsvc*", "*fgexec*", "*gsecdump*", "*mimidrv*", "*pwdump*", "*servpw*"))
Credential Dumping Tools Service Execution - Security
Detects execution of well-known credential dumping tools via service execution events.
from * metadata _id, _index, _version | where EventID==4697 and (ServiceFileName like "*cachedump*" or ServiceFileName like "*dumpsvc*" or ServiceFileName like "*fgexec*" or ServiceFileName like "*gsecdump*" or ServiceFileName like "*mimidrv*" or ServiceFileName like "*pwdump*" or ServiceFileName like "*servpw*")
Credential Dumping Tools Service Execution - Security
Detects execution of well-known credential dumping tools via service execution events.
EventID:4697 AND (ServiceFileName:(*cachedump* OR *dumpsvc* OR *fgexec* OR *gsecdump* OR *mimidrv* OR *pwdump* OR *servpw*))
Credential Dumping Tools Service Execution - System
Detects execution of well-known credential dumping tools via service execution events.
any where Provider_Name:"Service Control Manager" and EventID:7045 and (ImagePath like~ ("*cachedump*", "*dumpsvc*", "*fgexec*", "*gsecdump*", "*mimidrv*", "*pwdump*", "*servpw*"))
Credential Dumping Tools Service Execution - System
Detects execution of well-known credential dumping tools via service execution events.
from * metadata _id, _index, _version | where Provider_Name=="Service Control Manager" and EventID==7045 and (ImagePath like "*cachedump*" or ImagePath like "*dumpsvc*" or ImagePath like "*fgexec*" or ImagePath like "*gsecdump*" or ImagePath like "*mimidrv*" or ImagePath like "*pwdump*" or ImagePath like "*servpw*")
Credential Dumping Tools Service Execution - System
Detects execution of well-known credential dumping tools via service execution events.
Provider_Name:Service\ Control\ Manager AND EventID:7045 AND (ImagePath:(*cachedump* OR *dumpsvc* OR *fgexec* OR *gsecdump* OR *mimidrv* OR *pwdump* OR *servpw*))
Credential Manipulation - Detected - Elastic Endgame
Elastic Endgame detected Credential Manipulation. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Credentials In Files
Detects attempts to extract passwords with grep and LaZagne.
any where (Image:"*/grep" and CommandLine:"*password*") or CommandLine:"*laZagne*"
Credentials In Files
Detects attempts to extract passwords with grep and LaZagne.
from * metadata _id, _index, _version | where ends_with(Image, "/grep") and CommandLine like "*password*" or CommandLine like "*laZagne*"
Credentials In Files
Detects attempts to extract passwords with grep and LaZagne.
(Image:*\/grep AND CommandLine:*password*) OR CommandLine:*laZagne*
Credentials In Files - Linux
Detects attempts to extract passwords with grep.
any where type:"EXECVE" and ("grep" and "password")
Credentials In Files - Linux
Detects attempts to extract passwords with grep.
type:EXECVE AND (*grep* AND *password*)
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW provider indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive that has not been recognized in the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
any where EventID:16 and Provider_Name:"Microsoft-Windows-Kernel-General" and (HiveName like~ ("*\\Temp\\SAM*", "*\\Temp\\SECURITY*"))
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW provider indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive that has not been recognized in the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
from * metadata _id, _index, _version | where EventID==16 and Provider_Name=="Microsoft-Windows-Kernel-General" and (HiveName like "*\\Temp\\SAM*" or HiveName like "*\\Temp\\SECURITY*")
Critical Hive In Suspicious Location Access Bits Cleared
Detects events from the Kernel-General ETW provider indicating that the access bits of a hive with a system-like hive name located in the temp directory have been reset. This occurs when an application tries to access a hive that has not been recognized in the last 7 days (by default). Registry hive dumping utilities such as QuarksPwDump were seen emitting this behavior.
EventID:16 AND Provider_Name:Microsoft\-Windows\-Kernel\-General AND (HiveName:(*\\Temp\\SAM* OR *\\Temp\\SECURITY*))
Cross Site Scripting Strings
Detects XSS attempts injected via GET requests in access logs
any where cs-method:"GET" and ("=<script>" or "=%3Cscript%3E" or "=%253Cscript%253E" or "<iframe " or "%3Ciframe " or "<svg " or "%3Csvg " or "document.cookie" or "document.domain" or " onerror=" or " onresize=" or " onload=\"" or "onmouseover=" or "${alert" or "javascript:alert" or "javascript%3Aalert") and (not sc-status:404)
Cross Site Scripting Strings
Detects XSS attempts injected via GET requests in access logs
cs-method:GET AND (*\=\<script\>* OR *\=%3Cscript%3E* OR *\=%253Cscript%253E* OR *\<iframe\ * OR *%3Ciframe\ * OR *\<svg\ * OR *%3Csvg\ * OR *document.cookie* OR *document.domain* OR *\ onerror\=* OR *\ onresize\=* OR *\ onload\=\"* OR *onmouseover\=* OR *$\{alert* OR *javascript\:alert* OR *javascript%3Aalert*) AND (NOT sc-status:404)
Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
any where c-useragent like~ ("XMRig *", "ccminer*")
Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
from * metadata _id, _index, _version | where starts_with(`c-useragent`, "XMRig ") or starts_with(`c-useragent`, "ccminer")
Crypto Miner User Agent
Detects suspicious user agent strings used by crypto miners in proxy logs
c-useragent:(XMRig\ * OR ccminer*)
Csc.EXE Execution From Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
any where (Image:"*\\csc.exe" or OriginalFileName:"csc.exe") and ((ParentImage like~ ("*\\cscript.exe", "*\\excel.exe", "*\\mshta.exe", "*\\onenote.exe", "*\\outlook.exe", "*\\powerpnt.exe", "*\\winword.exe", "*\\wscript.exe")) or ((ParentImage like~ ("*\\powershell.exe", "*\\pwsh.exe")) and (ParentCommandLine like~ ("*-Encoded *", "*FromBase64String*"))) or (ParentCommandLine regex~ "(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$" or (ParentCommandLine like~ ("*:\\PerfLogs\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\Temporary Internet*")) or (ParentCommandLine:"*:\\Users\\*" and ParentCommandLine:"*\\Favorites\\*") or (ParentCommandLine:"*:\\Users\\*" and ParentCommandLine:"*\\Favourites\\*") or (ParentCommandLine:"*:\\Users\\*" and ParentCommandLine:"*\\Contacts\\*") or (ParentCommandLine:"*:\\Users\\*" and ParentCommandLine:"*\\Pictures\\*"))) and (not ((ParentImage like~ ("C:\\Program Files (x86)\\*", "C:\\Program Files\\*")) or ParentImage:"C:\\Windows\\System32\\sdiagnhost.exe" or ParentImage:"C:\\Windows\\System32\\inetsrv\\w3wp.exe")) and (not (ParentImage:"C:\\ProgramData\\chocolatey\\choco.exe" or ParentCommandLine:"*\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection*" or (ParentCommandLine like~ ("*JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw*", "*cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA*", "*nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA*"))))
Csc.EXE Execution From Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
from * metadata _id, _index, _version | where (ends_with(Image, "\\csc.exe") or OriginalFileName=="csc.exe") and (ends_with(ParentImage, "\\cscript.exe") or ends_with(ParentImage, "\\excel.exe") or ends_with(ParentImage, "\\mshta.exe") or ends_with(ParentImage, "\\onenote.exe") or ends_with(ParentImage, "\\outlook.exe") or ends_with(ParentImage, "\\powerpnt.exe") or ends_with(ParentImage, "\\winword.exe") or ends_with(ParentImage, "\\wscript.exe") or (ends_with(ParentImage, "\\powershell.exe") or ends_with(ParentImage, "\\pwsh.exe")) and (ParentCommandLine like "*-Encoded *" or ParentCommandLine like "*FromBase64String*") or ParentCommandLine rlike "(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\\\[Aa]pp[Dd]ata\\\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\\\[^\\\\]{1,256}$" or ParentCommandLine like "*:\\PerfLogs\\*" or ParentCommandLine like "*:\\Users\\Public\\*" or ParentCommandLine like "*:\\Windows\\Temp\\*" or ParentCommandLine like "*\\Temporary Internet*" or ParentCommandLine like "*:\\Users\\*" and ParentCommandLine like "*\\Favorites\\*" or ParentCommandLine like "*:\\Users\\*" and ParentCommandLine like "*\\Favourites\\*" or ParentCommandLine like "*:\\Users\\*" and ParentCommandLine like "*\\Contacts\\*" or ParentCommandLine like "*:\\Users\\*" and ParentCommandLine like "*\\Pictures\\*") and not (starts_with(ParentImage, "C:\\Program Files (x86)\\") or starts_with(ParentImage, "C:\\Program Files\\") or ParentImage=="C:\\Windows\\System32\\sdiagnhost.exe" or ParentImage=="C:\\Windows\\System32\\inetsrv\\w3wp.exe") and not (ParentImage=="C:\\ProgramData\\chocolatey\\choco.exe" or ParentCommandLine like "*\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection*" or ParentCommandLine like "*JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw*" or ParentCommandLine like "*cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA*" or ParentCommandLine like "*nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA*")
Csc.EXE Execution From Potentially Suspicious Parent
Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.
(Image:*\\csc.exe OR OriginalFileName:csc.exe) AND ((ParentImage:(*\\cscript.exe OR *\\excel.exe OR *\\mshta.exe OR *\\onenote.exe OR *\\outlook.exe OR *\\powerpnt.exe OR *\\winword.exe OR *\\wscript.exe)) OR ((ParentImage:(*\\powershell.exe OR *\\pwsh.exe)) AND (ParentCommandLine:(*\-Encoded\ * OR *FromBase64String*))) OR (ParentCommandLine:/(?:[Pp]rogram[Dd]ata|%(?:[Ll]ocal)?[Aa]pp[Dd]ata%|\\[Aa]pp[Dd]ata\\(?:[Ll]ocal(?:[Ll]ow)?|[Rr]oaming))\\[^\\]{1,256}$/ OR (ParentCommandLine:(*\:\\PerfLogs\\* OR *\:\\Users\\Public\\* OR *\:\\Windows\\Temp\\* OR *\\Temporary\ Internet*)) OR (ParentCommandLine:*\:\\Users\\* AND ParentCommandLine:*\\Favorites\\*) OR (ParentCommandLine:*\:\\Users\\* AND ParentCommandLine:*\\Favourites\\*) OR (ParentCommandLine:*\:\\Users\\* AND ParentCommandLine:*\\Contacts\\*) OR (ParentCommandLine:*\:\\Users\\* AND ParentCommandLine:*\\Pictures\\*))) AND (NOT ((ParentImage:(C\:\\Program\ Files\ \(x86\)\\* OR C\:\\Program\ Files\\*)) OR ParentImage:C\:\\Windows\\System32\\sdiagnhost.exe OR ParentImage:C\:\\Windows\\System32\\inetsrv\\w3wp.exe)) AND (NOT (ParentImage:C\:\\ProgramData\\chocolatey\\choco.exe OR ParentCommandLine:*\\ProgramData\\Microsoft\\Windows\ Defender\ Advanced\ Threat\ Protection* OR (ParentCommandLine:(*JwB7ACIAZgBhAGkAbABlAGQAIgA6AHQAcgB1AGUALAAiAG0AcwBnACIAOgAiAEEAbgBzAGkAYgBsAGUAIAByAGUAcQB1AGkAcgBlAHMAIABQAG8AdwBlAHIAUwBoAGUAbABsACAAdgAzAC4AMAAgAG8AcgAgAG4AZQB3AGUAcgAiAH0AJw* OR *cAewAiAGYAYQBpAGwAZQBkACIAOgB0AHIAdQBlACwAIgBtAHMAZwAiADoAIgBBAG4AcwBpAGIAbABlACAAcgBlAHEAdQBpAHIAZQBzACAAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAMwAuADAAIABvAHIAIABuAGUAdwBlAHIAIgB9ACcA* OR *nAHsAIgBmAGEAaQBsAGUAZAAiADoAdAByAHUAZQAsACIAbQBzAGcAIgA6ACIAQQBuAHMAaQBiAGwAZQAgAHIAZQBxAHUAaQByAGUAcwAgAFAAbwB3AGUAcgBTAGgAZQBsAGwAIAB2ADMALgAwACAAbwByACAAbgBlAHcAZQByACIAfQAnA*))))
Cscript/Wscript Uncommon Script Extension Execution
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
any where ((OriginalFileName like~ ("wscript.exe", "cscript.exe")) or (Image like~ ("*\\wscript.exe", "*\\cscript.exe"))) and (CommandLine like~ ("*.csv*", "*.dat*", "*.doc*", "*.gif*", "*.jpeg*", "*.jpg*", "*.png*", "*.ppt*", "*.txt*", "*.xls*", "*.xml*"))
Cscript/Wscript Uncommon Script Extension Execution
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
from * metadata _id, _index, _version | where (OriginalFileName in ("wscript.exe", "cscript.exe") or ends_with(Image, "\\wscript.exe") or ends_with(Image, "\\cscript.exe")) and (CommandLine like "*.csv*" or CommandLine like "*.dat*" or CommandLine like "*.doc*" or CommandLine like "*.gif*" or CommandLine like "*.jpeg*" or CommandLine like "*.jpg*" or CommandLine like "*.png*" or CommandLine like "*.ppt*" or CommandLine like "*.txt*" or CommandLine like "*.xls*" or CommandLine like "*.xml*")
Cscript/Wscript Uncommon Script Extension Execution
Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
((OriginalFileName:(wscript.exe OR cscript.exe)) OR (Image:(*\\wscript.exe OR *\\cscript.exe))) AND (CommandLine:(*.csv* OR *.dat* OR *.doc* OR *.gif* OR *.jpeg* OR *.jpg* OR *.png* OR *.ppt* OR *.txt* OR *.xls* OR *.xml*))
Cupsd or Foomatic-rip Shell Execution
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the foomatic-rip parent process. These flaws impact components like cups-browsed, libcupsfilters, libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is initiated.
Curl Download And Execute Combination
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
any where CommandLine like~ ("* -c *", "* /c *", "* –c *", "* —c *", "* ―c *") and (CommandLine:"*curl *" and CommandLine:"*http*" and CommandLine:"*-o*" and CommandLine:"*&*")
Curl Download And Execute Combination
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
from * metadata _id, _index, _version | where (CommandLine like "* -c *" or CommandLine like "* /c *" or CommandLine like "* –c *" or CommandLine like "* —c *" or CommandLine like "* ―c *") and CommandLine like "*curl *" and CommandLine like "*http*" and CommandLine like "*-o*" and CommandLine like "*&*"
Curl Download And Execute Combination
Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
CommandLine:(*\ \-c\ * OR *\ \/c\ * OR *\ –c\ * OR *\ —c\ * OR *\ ―c\ *) AND (CommandLine:*curl\ * AND CommandLine:*http* AND CommandLine:*\-o* AND CommandLine:*\&*)
Curl Execution via Shell Profile
Detects when curl is executed via a shell profile upon login. This indicates a curl command was added to the user's shell profile (like .zshrc or .bashrc) and is executed automatically at login, which could be used for persistence and payload delivery.
Custom File Open Handler Executes PowerShell
Detects the abuse of a custom file open handler to execute PowerShell.
any where TargetObject:"*shell\\open\\command\\*" and (Details:"*powershell*" and Details:"*-command*")
Custom File Open Handler Executes PowerShell
Detects the abuse of a custom file open handler to execute PowerShell.
from * metadata _id, _index, _version | where TargetObject like "*shell\\open\\command\\*" and Details like "*powershell*" and Details like "*-command*"
Custom File Open Handler Executes PowerShell
Detects the abuse of a custom file open handler to execute PowerShell.
TargetObject:*shell\\open\\command\\* AND (Details:*powershell* AND Details:*\-command*)
CyberArk Privileged Access Security Error
Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code.
CyberArk Privileged Access Security Recommended Monitor
Identifies the occurrence of a CyberArk Privileged Access Security (PAS) non-error level audit event which is recommended for monitoring by the vendor. The event.code correlates to the CyberArk Vault Audit Action Code.
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
any where (EventID:5145 and RelativeTargetName:"*\\Internet Explorer\\iertutil.dll") and (not SubjectUserName:"*$")
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
from * metadata _id, _index, _version | where EventID==5145 and ends_with(RelativeTargetName, "\\Internet Explorer\\iertutil.dll") and not ends_with(SubjectUserName, "$")
DCOM InternetExplorer.Application Iertutil DLL Hijack - Security
Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario.
(EventID:5145 AND RelativeTargetName:*\\Internet\ Explorer\\iertutil.dll) AND (NOT SubjectUserName:*$)
DEWMODE Webshell Access
Detects access to the DEWMODE webshell as described in the FireEye report.
any where (cs-uri-query:"*?dwn=*" and cs-uri-query:"*&fn=*" and cs-uri-query:"*.html?*") or (cs-uri-query:"*&dwn=*" and cs-uri-query:"*?fn=*" and cs-uri-query:"*.html?*")
DEWMODE Webshell Access
Detects access to the DEWMODE webshell as described in the FireEye report.
from * metadata _id, _index, _version | where `cs-uri-query` like "*?dwn=*" and `cs-uri-query` like "*&fn=*" and `cs-uri-query` like "*.html?*" or `cs-uri-query` like "*&dwn=*" and `cs-uri-query` like "*?fn=*" and `cs-uri-query` like "*.html?*"
DEWMODE Webshell Access
Detects access to the DEWMODE webshell as described in the FireEye report.
(cs-uri-query:*?dwn\=* AND cs-uri-query:*\&fn\=* AND cs-uri-query:*.html?*) OR (cs-uri-query:*\&dwn\=* AND cs-uri-query:*?fn\=* AND cs-uri-query:*.html?*)