Tool
Splunk
12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 12,786
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (a service restart is required before the DLL is loaded)
Show query
any where TargetObject like~ ("*\\Services\\DHCPServer\\Parameters\\CalloutDlls", "*\\Services\\DHCPServer\\Parameters\\CalloutEnabled")
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (a service restart is required before the DLL is loaded)
Show query
from * metadata _id, _index, _version | where ends_with(TargetObject, "\\Services\\DHCPServer\\Parameters\\CalloutDlls") or ends_with(TargetObject, "\\Services\\DHCPServer\\Parameters\\CalloutEnabled")
DHCP Callout DLL Installation
Detects the installation of a Callout DLL via the CalloutDlls and CalloutEnabled parameters in the registry, which can be used to execute code in the context of the DHCP server (a service restart is required before the DLL is loaded)
Show query
TargetObject:(*\\Services\\DHCPServer\\Parameters\\CalloutDlls OR *\\Services\\DHCPServer\\Parameters\\CalloutEnabled)
DHCP Server Error Failed Loading the CallOut DLL
Detects a DHCP server error indicating that the Callout DLL specified in the registry could not be loaded
Show query
any where (EventID like~ (1031, 1032, 1034)) and Provider_Name:"Microsoft-Windows-DHCP-Server"
DHCP Server Error Failed Loading the CallOut DLL
Detects a DHCP server error indicating that the Callout DLL specified in the registry could not be loaded
Show query
from * metadata _id, _index, _version | where (EventID in (1031, 1032, 1034)) and Provider_Name=="Microsoft-Windows-DHCP-Server"
DHCP Server Error Failed Loading the CallOut DLL
Detects a DHCP server error indicating that the Callout DLL specified in the registry could not be loaded
Show query
(EventID:(1031 OR 1032 OR 1034)) AND Provider_Name:Microsoft\-Windows\-DHCP\-Server
DHCP Server Loaded the CallOut DLL
Detects a DHCP server event indicating that the Callout DLL specified in the registry was loaded
Show query
any where EventID:1033 and Provider_Name:"Microsoft-Windows-DHCP-Server"
DHCP Server Loaded the CallOut DLL
Detects a DHCP server event indicating that the Callout DLL specified in the registry was loaded
Show query
from * metadata _id, _index, _version | where EventID==1033 and Provider_Name=="Microsoft-Windows-DHCP-Server"
DHCP Server Loaded the CallOut DLL
Detects a DHCP server event indicating that the Callout DLL specified in the registry was loaded
Show query
EventID:1033 AND Provider_Name:Microsoft\-Windows\-DHCP\-Server
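The three DHCP rules above fire on separate events: first a registry write to CalloutDlls or CalloutEnabled, then, once the DHCP service has been restarted, a Microsoft-Windows-DHCP-Server event 1033 (DLL loaded) or 1031/1032/1034 (load failed). The following Python is an added example, not part of this catalog or of the rules' own project, that correlates the two stages per host. It assumes events arrive as dicts carrying the field names used in the queries above (Sysmon Event ID 13 for the registry write, with the written data in Details); the sample events are constructed.

```python
"""Two-stage check for DHCP Callout DLL persistence (added example).

Stage 1: a registry value write to CalloutDlls / CalloutEnabled under the
DHCP server's Parameters key (Sysmon Event ID 13, "registry value set").
Stage 2: after the service restart, Microsoft-Windows-DHCP-Server logs
1033 (DLL loaded) or 1031/1032/1034 (DLL failed to load).
"""
from collections import defaultdict

# Suffixes the "DHCP Callout DLL Installation" rule matches (leading wildcard).
CALLOUT_VALUE_SUFFIXES = (
    r"\Services\DHCPServer\Parameters\CalloutDlls",
    r"\Services\DHCPServer\Parameters\CalloutEnabled",
)
DHCP_PROVIDER = "Microsoft-Windows-DHCP-Server"
DHCP_LOAD_FAILED = {1031, 1032, 1034}
DHCP_LOAD_OK = 1033
SYSMON_REG_VALUE_SET = 13


def is_callout_registration(ev):
    """True for a registry value write whose TargetObject ends in one of the
    callout values (case-insensitive, as registry paths are)."""
    target = ev.get("TargetObject", "").lower()
    return ev.get("EventID") == SYSMON_REG_VALUE_SET and any(
        target.endswith(s.lower()) for s in CALLOUT_VALUE_SUFFIXES)


def dhcp_load_outcome(ev):
    """'loaded', 'load_failed' or None for a DHCP-Server service event."""
    if ev.get("Provider_Name") != DHCP_PROVIDER:
        return None
    if ev.get("EventID") == DHCP_LOAD_OK:
        return "loaded"
    if ev.get("EventID") in DHCP_LOAD_FAILED:
        return "load_failed"
    return None


def correlate(events):
    """Group callout registrations per host and attach the DHCP service's
    later verdict. Events are assumed to be in chronological order. A service
    event on a host with no prior registration is not reported here; the two
    DHCP-Server rules above still alert on it independently."""
    findings = defaultdict(lambda: {"registrations": [], "outcome": None})
    for ev in events:
        host = ev.get("Computer", "?")
        if is_callout_registration(ev):
            findings[host]["registrations"].append({
                "value": ev["TargetObject"].rsplit("\\", 1)[-1],
                "data": ev.get("Details"),
                "writer": ev.get("Image"),
            })
            continue
        outcome = dhcp_load_outcome(ev)
        if outcome and host in findings:
            findings[host]["outcome"] = outcome
    return dict(findings)


# Constructed sample: dhcp01 registers a DLL that the service then loads,
# dhcp02 registers one that fails to load, dhcp03 only touches an unrelated
# DHCP parameter and must not be reported.
SAMPLE_EVENTS = [
    {"Computer": "dhcp01", "EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters\CalloutDlls",
     "Details": r"C:\ProgramData\dhcpcb.dll"},
    {"Computer": "dhcp01", "EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters\CalloutEnabled",
     "Details": "DWORD (0x00000001)"},
    {"Computer": "dhcp01", "EventID": 1033, "Provider_Name": DHCP_PROVIDER},
    {"Computer": "dhcp02", "EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters\CalloutDlls",
     "Details": r"C:\Users\Public\cb.dll"},
    {"Computer": "dhcp02", "EventID": 1031, "Provider_Name": DHCP_PROVIDER},
    {"Computer": "dhcp03", "EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DHCPServer\Parameters\DatabasePath",
     "Details": r"C:\Windows\System32\dhcp"},
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding["outcome"], [r["value"] for r in finding["registrations"]])
```

The writer (Image) and the written DLL path (Details) are kept in each finding because they are what an analyst needs first: a DLL path outside C:\Windows\System32 written by something other than the DHCP management tooling is the strongest signal, and a later 1031/1032/1034 on the same host means the attempt was made but the DLL did not load.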
DLL Load via LSASS
Detects a method of loading a DLL into the LSASS process via the undocumented DirectoryServiceExtPt and LsaDbExtPt registry values under the NTDS service key
Show query
any where (TargetObject like~ ("*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*", "*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*")) and (not (Image:"C:\\Windows\\system32\\lsass.exe" and (Details like~ ("%%systemroot%%\\system32\\ntdsa.dll", "%%systemroot%%\\system32\\lsadb.dll"))))
DLL Load via LSASS
Detects a method of loading a DLL into the LSASS process via the undocumented DirectoryServiceExtPt and LsaDbExtPt registry values under the NTDS service key
Show query
from * metadata _id, _index, _version | where (TargetObject like "*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt*" or TargetObject like "*\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*") and not (Image=="C:\\Windows\\system32\\lsass.exe" and (Details in ("%%systemroot%%\\system32\\ntdsa.dll", "%%systemroot%%\\system32\\lsadb.dll")))
DLL Load via LSASS
Detects a method of loading a DLL into the LSASS process via the undocumented DirectoryServiceExtPt and LsaDbExtPt registry values under the NTDS service key
Show query
(TargetObject:(*\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt* OR *\\CurrentControlSet\\Services\\NTDS\\LsaDbExtPt*)) AND (NOT (Image:C\:\\Windows\\system32\\lsass.exe AND (Details:(%%systemroot%%\\system32\\ntdsa.dll OR %%systemroot%%\\system32\\lsadb.dll))))
DLL Loaded From Suspicious Location Via Cmstp.EXE
Detects cmstp.exe loading .dll or .ocx files from suspicious locations such as PerfLogs, ProgramData, user profiles, Windows\Temp and C:\Temp
Show query
any where Image:"*\\cmstp.exe" and (ImageLoaded like~ ("*\\PerfLogs\\*", "*\\ProgramData\\*", "*\\Users\\*", "*\\Windows\\Temp\\*", "*C:\\Temp\\*")) and (ImageLoaded like~ ("*.dll", "*.ocx"))
DLL Loaded From Suspicious Location Via Cmstp.EXE
Detects cmstp.exe loading .dll or .ocx files from suspicious locations such as PerfLogs, ProgramData, user profiles, Windows\Temp and C:\Temp
Show query
from * metadata _id, _index, _version | where ends_with(Image, "\\cmstp.exe") and (ImageLoaded like "*\\PerfLogs\\*" or ImageLoaded like "*\\ProgramData\\*" or ImageLoaded like "*\\Users\\*" or ImageLoaded like "*\\Windows\\Temp\\*" or ImageLoaded like "*C:\\Temp\\*") and (ends_with(ImageLoaded, ".dll") or ends_with(ImageLoaded, ".ocx"))
DLL Loaded From Suspicious Location Via Cmstp.EXE
Detects cmstp.exe loading .dll or .ocx files from suspicious locations such as PerfLogs, ProgramData, user profiles, Windows\Temp and C:\Temp
Show query
Image:*\\cmstp.exe AND (ImageLoaded:(*\\PerfLogs\\* OR *\\ProgramData\\* OR *\\Users\\* OR *\\Windows\\Temp\\* OR *C\:\\Temp\\*)) AND (ImageLoaded:(*.dll OR *.ocx))
DLL Search Order Hijacking Via Additional Space in Path
Detects the creation of a DLL under a folder structure that mimics a Windows system folder (Windows, Program Files, Program Files (x86))
but whose name carries an additional trailing space, a trick used to subvert the DLL load search order and perform a "DLL Search Order Hijacking" attack
Show query
any where (TargetFilename like~ ("C:\\Windows \\*", "C:\\Program Files \\*", "C:\\Program Files (x86) \\*")) and TargetFilename:"*.dll"
DLL Search Order Hijacking Via Additional Space in Path
Detects the creation of a DLL under a folder structure that mimics a Windows system folder (Windows, Program Files, Program Files (x86))
but whose name carries an additional trailing space, a trick used to subvert the DLL load search order and perform a "DLL Search Order Hijacking" attack
Show query
from * metadata _id, _index, _version | where (starts_with(TargetFilename, "C:\\Windows \\") or starts_with(TargetFilename, "C:\\Program Files \\") or starts_with(TargetFilename, "C:\\Program Files (x86) \\")) and ends_with(TargetFilename, ".dll")
DLL Search Order Hijacking Via Additional Space in Path
Detects the creation of a DLL under a folder structure that mimics a Windows system folder (Windows, Program Files, Program Files (x86))
but whose name carries an additional trailing space, a trick used to subvert the DLL load search order and perform a "DLL Search Order Hijacking" attack
Show query
(TargetFilename:(C\:\\Windows\ \\* OR C\:\\Program\ Files\ \\* OR C\:\\Program\ Files\ \(x86\)\ \\*)) AND TargetFilename:*.dll
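The trailing-space trick above relies on "C:\Windows \System32" (with the space) being a directory distinct from "C:\Windows\System32" while looking almost identical in logs. The following Python is an added example, not part of this catalog, that applies the rule's logic to Sysmon Event ID 11 (file create) records and additionally reports which genuine path each dropped DLL shadows, which is the first thing to check during triage. Field names follow the queries above, the sample records are constructed, and the prefix comparison is case-insensitive because Windows paths are; a case-sensitive prefix test would miss a logged "c:\windows \" variant.

```python
"""Flag DLLs written into look-alike system directories whose name ends in a
space, e.g. "C:\\Windows \\System32\\x.dll" (added example, not catalog code).

Ordinary Win32 path handling strips a trailing space from a path component,
so such directories are rare and usually created deliberately (for instance
through a "\\?\" path), which is what makes the pattern a useful signal.
"""

# Roots the rule matches; note the space before the trailing backslash.
SPOOFED_ROOTS = (
    "C:\\Windows \\",
    "C:\\Program Files \\",
    "C:\\Program Files (x86) \\",
)
SYSMON_FILE_CREATE = 11


def spoofed_root(path):
    """Return the spoofed root that `path` starts with, or None.
    Case-insensitive, matching Windows path semantics."""
    low = path.lower()
    for root in SPOOFED_ROOTS:
        if low.startswith(root.lower()):
            return root
    return None


def genuine_counterpart(path, root):
    """The real path the dropped file shadows: same path with the extra space
    removed from the root, e.g. 'C:\\Windows \\' -> 'C:\\Windows\\'."""
    real_root = root[:-2] + "\\"
    return real_root + path[len(root):]


def scan_file_creates(events):
    """Apply the rule to file-create events; one hit per matching DLL."""
    hits = []
    for ev in events:
        if ev.get("EventID") != SYSMON_FILE_CREATE:
            continue
        path = ev.get("TargetFilename", "")
        root = spoofed_root(path)
        if root is None or not path.lower().endswith(".dll"):
            continue
        hits.append({
            "path": path,
            "shadows": genuine_counterpart(path, root),
            "writer": ev.get("Image"),
        })
    return hits


# Constructed sample events (simplified Sysmon Event ID 11 layout).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "TargetFilename": "C:\\Windows \\System32\\version.dll"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": "C:\\Windows\\System32\\version.dll"},   # genuine directory
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\tool.exe",
     "TargetFilename": "c:\\program files (x86) \\Common Files\\msvcr100.DLL"},
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\tool.exe",
     "TargetFilename": "C:\\Windows \\System32\\readme.txt"},    # not a DLL
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\tool.exe",
     "TargetFilename": "C:\\Windows \\System32\\other.dll"},     # not a file-create event
]

if __name__ == "__main__":
    for hit in scan_file_creates(SAMPLE_EVENTS):
        print(f'{hit["writer"]} wrote {hit["path"]} (shadows {hit["shadows"]})')
```

Reporting the shadowed path makes the follow-up concrete: compare the dropped file against the genuine DLL at that path, and look for a process whose search path or working directory would make the spoofed root win.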
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI.dll". One known example is the "DeviceEnroller" binary, which tries to load this DLL when run with the "PhoneDeepLink" flag.
Adversaries can drop their own renamed DLL under this name and execute it via DeviceEnroller.exe using this parameter
Show query
any where ImageLoaded:"*\\ShellChromeAPI.dll"
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI.dll". One known example is the "DeviceEnroller" binary, which tries to load this DLL when run with the "PhoneDeepLink" flag.
Adversaries can drop their own renamed DLL under this name and execute it via DeviceEnroller.exe using this parameter
Show query
from * metadata _id, _index, _version | where ends_with(ImageLoaded, "\\ShellChromeAPI.dll")
DLL Sideloading Of ShellChromeAPI.DLL
Detects processes loading the non-existent DLL "ShellChromeAPI.dll". One known example is the "DeviceEnroller" binary, which tries to load this DLL when run with the "PhoneDeepLink" flag.
Adversaries can drop their own renamed DLL under this name and execute it via DeviceEnroller.exe using this parameter
Show query
ImageLoaded:*\\ShellChromeAPI.dll
DLL Sideloading by VMware Xfer Utility
Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a directory other than its default install location, which may be an attempt to sideload an arbitrary DLL
Show query
any where Image:"*\\VMwareXferlogs.exe" and (not Image:"C:\\Program Files\\VMware\\*")
DLL Sideloading by VMware Xfer Utility
Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a directory other than its default install location, which may be an attempt to sideload an arbitrary DLL
Show query
from * metadata _id, _index, _version | where ends_with(Image, "\\VMwareXferlogs.exe") and not starts_with(Image, "C:\\Program Files\\VMware\\")
DLL Sideloading by VMware Xfer Utility
Detects execution of the VMware Xfer utility (VMwareXferlogs.exe) from a directory other than its default install location, which may be an attempt to sideload an arbitrary DLL
Show query
Image:*\\VMwareXferlogs.exe AND (NOT Image:C\:\\Program\ Files\\VMware\\*)
DNS Exfiltration and Tunneling Tools Execution
Detects execution of well-known DNS exfiltration and tunneling tools (iodine, dnscat2)
Show query
any where Image like~ ("*\\iodine.exe", "*\\dnscat2*")
DNS Exfiltration and Tunneling Tools Execution
Detects execution of well-known DNS exfiltration and tunneling tools (iodine, dnscat2)
Show query
from * metadata _id, _index, _version | where ends_with(Image, "\\iodine.exe") or Image like "*\\dnscat2*"
DNS Exfiltration and Tunneling Tools Execution
Detects execution of well-known DNS exfiltration and tunneling tools (iodine, dnscat2)
Show query
Image:(*\\iodine.exe OR *\\dnscat2*)
DNS HybridConnectionManager Service Bus
Detects Azure Hybrid Connection Manager services querying the Azure service bus service
Show query
any where QueryName:"*servicebus.windows.net*" and Image:"*HybridConnectionManager*"
DNS HybridConnectionManager Service Bus
Detects Azure Hybrid Connection Manager services querying the Azure service bus service
Show query
from * metadata _id, _index, _version | where QueryName like "*servicebus.windows.net*" and Image like "*HybridConnectionManager*"
DNS HybridConnectionManager Service Bus
Detects Azure Hybrid Connection Manager services querying the Azure service bus service
Show query
QueryName:*servicebus.windows.net* AND Image:*HybridConnectionManager*
DNS Query To Katz Stealer Domains
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is malware known to be used for stealing sensitive information from compromised systems.
In enterprise environments, DNS queries to these domains may indicate malicious activity or compromise.
Show query
any where QueryName like~ ("*katz-panel.com*", "*katz-stealer.com*", "*katzstealer.com*", "*twist2katz.com*")
DNS Query To Katz Stealer Domains
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is malware known to be used for stealing sensitive information from compromised systems.
In enterprise environments, DNS queries to these domains may indicate malicious activity or compromise.
Show query
from * metadata _id, _index, _version | where QueryName like "*katz-panel.com*" or QueryName like "*katz-stealer.com*" or QueryName like "*katzstealer.com*" or QueryName like "*twist2katz.com*"
DNS Query To Katz Stealer Domains
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is malware known to be used for stealing sensitive information from compromised systems.
In enterprise environments, DNS queries to these domains may indicate malicious activity or compromise.
Show query
QueryName:(*katz\-panel.com* OR *katz\-stealer.com* OR *katzstealer.com* OR *twist2katz.com*)
DNS Query To Katz Stealer Domains - Network
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is malware known to be used for stealing sensitive information from compromised systems.
In enterprise environments, DNS queries to these domains may indicate malicious activity or compromise.
Show query
any where query like~ ("*katz-panel.com*", "*katz-stealer.com*", "*katzstealer.com*", "*twist2katz.com*")
DNS Query To Katz Stealer Domains - Network
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is malware known to be used for stealing sensitive information from compromised systems.
In enterprise environments, DNS queries to these domains may indicate malicious activity or compromise.
Show query
from * metadata _id, _index, _version | where query like "*katz-panel.com*" or query like "*katz-stealer.com*" or query like "*katzstealer.com*" or query like "*twist2katz.com*"
DNS Query To Katz Stealer Domains - Network
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is malware known to be used for stealing sensitive information from compromised systems.
In enterprise environments, DNS queries to these domains may indicate malicious activity or compromise.
Show query
query:(*katz\-panel.com* OR *katz\-stealer.com* OR *katzstealer.com* OR *twist2katz.com*)
DNS Query Tor .Onion Address - Sysmon
Detects DNS queries for ".onion" addresses or for known Tor2Web gateway domains that proxy clearnet requests into the Tor network
Show query
any where QueryName like~ ("*.hiddenservice.net", "*.onion.ca", "*.onion.cab", "*.onion.casa", "*.onion.city", "*.onion.direct", "*.onion.dog", "*.onion.glass", "*.onion.gq", "*.onion.ink", "*.onion.it", "*.onion.link", "*.onion.lt", "*.onion.lu", "*.onion.nu", "*.onion.pet", "*.onion.plus", "*.onion.rip", "*.onion.sh", "*.onion.to", "*.onion.top", "*.onion", "*.s1.tor-gateways.de", "*.s2.tor-gateways.de", "*.s3.tor-gateways.de", "*.s4.tor-gateways.de", "*.s5.tor-gateways.de", "*.t2w.pw", "*.tor2web.ae.org", "*.tor2web.blutmagie.de", "*.tor2web.com", "*.tor2web.fi", "*.tor2web.io", "*.tor2web.org", "*.tor2web.xyz", "*.torlink.co")
DNS Query Tor .Onion Address - Sysmon
Detects DNS queries for ".onion" addresses or for known Tor2Web gateway domains that proxy clearnet requests into the Tor network
Show query
from * metadata _id, _index, _version | where ends_with(QueryName, ".hiddenservice.net") or ends_with(QueryName, ".onion.ca") or ends_with(QueryName, ".onion.cab") or ends_with(QueryName, ".onion.casa") or ends_with(QueryName, ".onion.city") or ends_with(QueryName, ".onion.direct") or ends_with(QueryName, ".onion.dog") or ends_with(QueryName, ".onion.glass") or ends_with(QueryName, ".onion.gq") or ends_with(QueryName, ".onion.ink") or ends_with(QueryName, ".onion.it") or ends_with(QueryName, ".onion.link") or ends_with(QueryName, ".onion.lt") or ends_with(QueryName, ".onion.lu") or ends_with(QueryName, ".onion.nu") or ends_with(QueryName, ".onion.pet") or ends_with(QueryName, ".onion.plus") or ends_with(QueryName, ".onion.rip") or ends_with(QueryName, ".onion.sh") or ends_with(QueryName, ".onion.to") or ends_with(QueryName, ".onion.top") or ends_with(QueryName, ".onion") or ends_with(QueryName, ".s1.tor-gateways.de") or ends_with(QueryName, ".s2.tor-gateways.de") or ends_with(QueryName, ".s3.tor-gateways.de") or ends_with(QueryName, ".s4.tor-gateways.de") or ends_with(QueryName, ".s5.tor-gateways.de") or ends_with(QueryName, ".t2w.pw") or ends_with(QueryName, ".tor2web.ae.org") or ends_with(QueryName, ".tor2web.blutmagie.de") or ends_with(QueryName, ".tor2web.com") or ends_with(QueryName, ".tor2web.fi") or ends_with(QueryName, ".tor2web.io") or ends_with(QueryName, ".tor2web.org") or ends_with(QueryName, ".tor2web.xyz") or ends_with(QueryName, ".torlink.co")
DNS Query Tor .Onion Address - Sysmon
Detects DNS queries for ".onion" addresses or for known Tor2Web gateway domains that proxy clearnet requests into the Tor network
Show query
QueryName:(*.hiddenservice.net OR *.onion.ca OR *.onion.cab OR *.onion.casa OR *.onion.city OR *.onion.direct OR *.onion.dog OR *.onion.glass OR *.onion.gq OR *.onion.ink OR *.onion.it OR *.onion.link OR *.onion.lt OR *.onion.lu OR *.onion.nu OR *.onion.pet OR *.onion.plus OR *.onion.rip OR *.onion.sh OR *.onion.to OR *.onion.top OR *.onion OR *.s1.tor\-gateways.de OR *.s2.tor\-gateways.de OR *.s3.tor\-gateways.de OR *.s4.tor\-gateways.de OR *.s5.tor\-gateways.de OR *.t2w.pw OR *.tor2web.ae.org OR *.tor2web.blutmagie.de OR *.tor2web.com OR *.tor2web.fi OR *.tor2web.io OR *.tor2web.org OR *.tor2web.xyz OR *.torlink.co)
DNS Query by Finger Utility
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
Show query
any where Image:"*\\finger.exe"
DNS Query by Finger Utility
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
Show query
from * metadata _id, _index, _version | where ends_with(Image, "\\finger.exe")
DNS Query by Finger Utility
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
Show query
Image:*\\finger.exe
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
Show query
any where EventID:3008 and QueryName:"*.anonfiles.com*"
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
Show query
from * metadata _id, _index, _version | where EventID==3008 and QueryName like "*.anonfiles.com*"
DNS Query for Anonfiles.com Domain - DNS Client
Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
Show query
EventID:3008 AND QueryName:*.anonfiles.com*
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
Show query
any where QueryName:"*.anonfiles.com*"
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
Show query
from * metadata _id, _index, _version | where QueryName like "*.anonfiles.com*"
DNS Query for Anonfiles.com Domain - Sysmon
Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
Show query
QueryName:*.anonfiles.com*
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
Show query
any where (query like~ ("*.burpcollaborator.net", "*.canarytokens.com", "*.ceye.io", "*.ddns.1443.eu.org", "*.ddns.bypass.eu.org", "*.ddns.xn--gg8h.eu.org", "*.digimg.store", "*.dns.su18.org", "*.dnshook.site", "*.dnslog.cn", "*.dnslog.ink", "*.instances.httpworkbench.com", "*.interact.sh", "*.log.dnslog.pp.ua", "*.log.dnslog.qzz.io", "*.log.dnslogs.dpdns.org", "*.log.javaweb.org", "*.log.nat.cloudns.ph", "*.oast.fun", "*.oast.live", "*.oast.me", "*.oast.online", "*.oast.pro", "*.oast.site", "*.oastify.com", "*.p8.lol", "*.requestbin.net")) and (not query:"*polling.oastify.com*")
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
Show query
from * metadata _id, _index, _version | where (ends_with(query, ".burpcollaborator.net") or ends_with(query, ".canarytokens.com") or ends_with(query, ".ceye.io") or ends_with(query, ".ddns.1443.eu.org") or ends_with(query, ".ddns.bypass.eu.org") or ends_with(query, ".ddns.xn--gg8h.eu.org") or ends_with(query, ".digimg.store") or ends_with(query, ".dns.su18.org") or ends_with(query, ".dnshook.site") or ends_with(query, ".dnslog.cn") or ends_with(query, ".dnslog.ink") or ends_with(query, ".instances.httpworkbench.com") or ends_with(query, ".interact.sh") or ends_with(query, ".log.dnslog.pp.ua") or ends_with(query, ".log.dnslog.qzz.io") or ends_with(query, ".log.dnslogs.dpdns.org") or ends_with(query, ".log.javaweb.org") or ends_with(query, ".log.nat.cloudns.ph") or ends_with(query, ".oast.fun") or ends_with(query, ".oast.live") or ends_with(query, ".oast.me") or ends_with(query, ".oast.online") or ends_with(query, ".oast.pro") or ends_with(query, ".oast.site") or ends_with(query, ".oastify.com") or ends_with(query, ".p8.lol") or ends_with(query, ".requestbin.net")) and not query like "*polling.oastify.com*"
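The DNS rules above use two different wildcard shapes: a suffix pattern ("*.oast.fun", "*.onion") that matches a whole trailing label sequence, and a substring pattern ("*.anonfiles.com*", "*katz-panel.com*") that matches anywhere in the name. The following Python is an added example, not part of this catalog, that applies abbreviated copies of those lists to Sysmon Event ID 22 (DNS query) records, including the "polling.oastify.com" exclusion of the external-service-interaction rule. Field names follow the queries above; the domain lists are shortened from the rules, and the sample records are constructed.

```python
"""Classify DNS query names against suffix and substring domain lists in the
style of the DNS rules above (added example, not catalog code)."""

# Suffix patterns ("*.example" in the queries). The leading dot keeps the
# match label-aware: "notoast.fun" does not end with ".oast.fun".
SUFFIX_RULES = {
    "tor_onion_gateway": (".onion", ".onion.to", ".onion.link",
                          ".tor2web.org", ".t2w.pw"),
    "external_service_interaction": (".burpcollaborator.net", ".interact.sh",
                                     ".oast.fun", ".oastify.com", ".dnslog.cn"),
}
# Substring patterns ("*example*" in the queries). Note that "*.anonfiles.com*"
# requires the leading dot, so a bare "anonfiles.com" lookup is not matched.
SUBSTRING_RULES = {
    "katz_stealer": ("katz-panel.com", "katz-stealer.com",
                     "katzstealer.com", "twist2katz.com"),
    "anonfiles": (".anonfiles.com",),
}
# Per-rule substrings that suppress a match (the rule's "not query:..." clause).
EXCLUSIONS = {"external_service_interaction": ("polling.oastify.com",)}
SYSMON_DNS_QUERY = 22


def classify_query(qname):
    """Return the names of the rules a single query name matches, in a fixed
    order, after applying each rule's exclusions."""
    name = qname.rstrip(".").lower()      # resolvers may log a trailing dot
    matched = [rule for rule, suffixes in SUFFIX_RULES.items()
               if any(name.endswith(s) for s in suffixes)]
    matched += [rule for rule, subs in SUBSTRING_RULES.items()
                if any(s in name for s in subs)]
    return [rule for rule in matched
            if not any(x in name for x in EXCLUSIONS.get(rule, ()))]


def scan_dns_events(events):
    """Run classify_query over Sysmon DNS query events. Returns one
    (host, image, query, rules) tuple per event that matched a rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") != SYSMON_DNS_QUERY:
            continue
        rules = classify_query(ev.get("QueryName", ""))
        if rules:
            hits.append((ev.get("Computer"), ev.get("Image"),
                         ev["QueryName"], rules))
    return hits


# Constructed sample events (simplified Sysmon Event ID 22 layout).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "exampleonionaddr.onion.to"},
    {"Computer": "ws02", "EventID": 22, "Image": r"C:\Windows\System32\cmd.exe",
     "QueryName": "a1b2c3.oast.fun."},
    {"Computer": "ws02", "EventID": 22, "Image": r"C:\Users\Public\burp.exe",
     "QueryName": "polling.oastify.com"},              # suppressed by the exclusion
    {"Computer": "ws03", "EventID": 22, "Image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "QueryName": "api.katz-panel.com"},
    {"Computer": "ws03", "EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "cdn-101.anonfiles.com"},
    {"Computer": "ws04", "EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "www.microsoft.com"},                # benign, no match
]

if __name__ == "__main__":
    for host, image, query, rules in scan_dns_events(SAMPLE_EVENTS):
        print(host, image, query, ",".join(rules))
```

Keeping the Image alongside the query is what separates the cases in practice: a Tor2Web lookup from a browser and the same lookup from cmd.exe or an executable under a user profile deserve very different responses, and the external-service-interaction domains are expected from a tester's Burp client but not from a web server's worker process.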
Showing 1201-1250 of 12,786