3,131 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Suspicious LNK Command-Line Padding with Whitespace Characters
Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
This rule flags suspicious use of such padding observed in real-world attacks.
ParentImage="*\\explorer.exe"
| rex field=CommandLine "(?<CommandLineMatch>\\n\\n\\n\\n\\n\\n)"
| eval CommandLineCondition=if(isnotnull(CommandLineMatch), "true", "false")
| search OR ParentCommandLine="*.lnk*" CommandLine IN ("* *", "*\\u0009*", "*\\u000A*", "*\\u0011*", "*\\u0012*", "*\\u0013*", "*\\u000B*", "*\\u000C*", "*\\u000D*") OR CommandLineCondition="true"
Suspicious LSASS Access Via MalSecLogon
Detects suspicious access to LSASS handle via a call trace to "seclogon.dll" with a suspicious access right.
TargetImage="*\\lsass.exe" SourceImage="*\\svchost.exe" GrantedAccess="0x14c0" CallTrace="*seclogon.dll*"
Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location
Detects loading of dbgcore.dll or dbghelp.dll from uncommon locations such as user directories.
These DLLs contain the MiniDumpWriteDump function, which can be abused for credential dumping purposes or in some cases for evading EDR/AV detection by suspending processes.
Image IN ("*:\\Perflogs\\*", "*:\\Temp\\*", "*:\\Users\\Public\\*", "*\\$Recycle.Bin\\*", "*\\Contacts\\*", "*\\Documents\\*", "*\\Favorites\\*", "*\\Favourites\\*", "*\\inetpub\\wwwroot\\*", "*\\Music\\*", "*\\Pictures\\*", "*\\Start Menu\\Programs\\Startup\\*", "*\\Users\\Default\\*", "*\\Videos\\*") ImageLoaded IN ("*\\dbgcore.dll", "*\\dbghelp.dll")
Suspicious MSDT Parent Process
Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
ParentImage IN ("*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\schtasks.exe", "*\\wmic.exe", "*\\wscript.exe", "*\\wsl.exe") Image="*\\msdt.exe" OR OriginalFileName="msdt.exe"
Suspicious MSExchangeMailboxReplication ASPX Write
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation
Image="*\\MSExchangeMailboxReplication.exe" TargetFilename IN ("*.aspx", "*.asp")
Suspicious MSHTA Child Process
Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
ParentImage="*\\mshta.exe" Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\reg.exe", "*\\regsvr32.exe", "*\\bitsadmin.exe") OR OriginalFileName IN ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe", "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe")
Suspicious Manipulation Of Default Accounts Via Net.EXE
Detects suspicious manipulation of default accounts such as 'administrator' and 'guest', for example enabling or disabling the account or changing its password.
Image IN ("*\\net.exe", "*\\net1.exe") OR OriginalFileName IN ("net.exe", "net1.exe") CommandLine="* user *" CommandLine IN ("* Järjestelmänvalvoja *", "* Rendszergazda *", "* Администратор *", "* Administrateur *", "* Administrador *", "* Administratör *", "* Administrator *", "* guest *", "* DefaultAccount *", "* \"Järjestelmänvalvoja\" *", "* \"Rendszergazda\" *", "* \"Администратор\" *", "* \"Administrateur\" *", "* \"Administrador\" *", "* \"Administratör\" *", "* \"Administrator\" *", "* \"guest\" *", "* \"DefaultAccount\" *", "* 'Järjestelmänvalvoja' *", "* 'Rendszergazda' *", "* 'Администратор' *", "* 'Administrateur' *", "* 'Administrador' *", "* 'Administratör' *", "* 'Administrator' *", "* 'guest' *", "* 'DefaultAccount' *") NOT (CommandLine="*guest*" CommandLine="*/active no*")
Suspicious Microsoft Office Child Process
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.)
ParentImage IN ("*\\EQNEDT32.EXE", "*\\EXCEL.EXE", "*\\MSACCESS.EXE", "*\\MSPUB.exe", "*\\ONENOTE.EXE", "*\\POWERPNT.exe", "*\\VISIO.exe", "*\\WINWORD.EXE", "*\\wordpad.exe", "*\\wordview.exe") OriginalFileName IN ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe") OR Image IN ("*\\AppVLP.exe", "*\\bash.exe", "*\\bitsadmin.exe", "*\\certoc.exe", "*\\certutil.exe", "*\\cmd.exe", "*\\cmstp.exe", "*\\control.exe", "*\\cscript.exe", "*\\curl.exe", "*\\forfiles.exe", "*\\hh.exe", "*\\ieexec.exe", "*\\installutil.exe", "*\\javaw.exe", "*\\mftrace.exe", "*\\Microsoft.Workflow.Compiler.exe", "*\\msbuild.exe", "*\\msdt.exe", "*\\mshta.exe", "*\\msidb.exe", "*\\msiexec.exe", "*\\msxsl.exe", "*\\odbcconf.exe", "*\\pcalua.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regasm.exe", "*\\regsvcs.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\schtasks.exe", "*\\scrcons.exe", "*\\scriptrunner.exe", "*\\sh.exe", "*\\svchost.exe", "*\\verclsid.exe", "*\\wmic.exe", "*\\workfolders.exe", "*\\wscript.exe") OR Image IN ("*\\AppData\\*", "*\\Users\\Public\\*", "*\\ProgramData\\*", "*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\System32\\Tasks\\*")
Suspicious Microsoft Office Child Process - MacOS
Detects suspicious child processes spawning from Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution.
ParentImage IN ("*Microsoft Word*", "*Microsoft Excel*", "*Microsoft PowerPoint*", "*Microsoft OneNote*") Image IN ("*/bash", "*/curl", "*/dash", "*/fish", "*/osacompile", "*/osascript", "*/sh", "*/zsh", "*/python", "*/python3", "*/wget")
Suspicious Microsoft OneNote Child Process
Detects suspicious child processes of the Microsoft OneNote application. This may indicate an attempt to execute malicious embedded objects from a .one file.
ParentImage="*\\onenote.exe" OriginalFileName IN ("bitsadmin.exe", "CertOC.exe", "CertUtil.exe", "Cmd.Exe", "CMSTP.EXE", "cscript.exe", "curl.exe", "HH.exe", "IEExec.exe", "InstallUtil.exe", "javaw.exe", "Microsoft.Workflow.Compiler.exe", "msdt.exe", "MSHTA.EXE", "msiexec.exe", "Msxsl.exe", "odbcconf.exe", "pcalua.exe", "PowerShell.EXE", "RegAsm.exe", "RegSvcs.exe", "REGSVR32.exe", "RUNDLL32.exe", "schtasks.exe", "ScriptRunner.exe", "wmic.exe", "WorkFolders.exe", "wscript.exe") OR Image IN ("*\\AppVLP.exe", "*\\bash.exe", "*\\bitsadmin.exe", "*\\certoc.exe", "*\\certutil.exe", "*\\cmd.exe", "*\\cmstp.exe", "*\\control.exe", "*\\cscript.exe", "*\\curl.exe", "*\\forfiles.exe", "*\\hh.exe", "*\\ieexec.exe", "*\\installutil.exe", "*\\javaw.exe", "*\\mftrace.exe", "*\\Microsoft.Workflow.Compiler.exe", "*\\msbuild.exe", "*\\msdt.exe", "*\\mshta.exe", "*\\msidb.exe", "*\\msiexec.exe", "*\\msxsl.exe", "*\\odbcconf.exe", "*\\pcalua.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regasm.exe", "*\\regsvcs.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\schtasks.exe", "*\\scrcons.exe", "*\\scriptrunner.exe", "*\\sh.exe", "*\\svchost.exe", "*\\verclsid.exe", "*\\wmic.exe", "*\\workfolders.exe", "*\\wscript.exe") OR (Image="*\\explorer.exe" CommandLine IN ("*.hta*", "*.vb*", "*.wsh*", "*.js*", "*.ps*", "*.scr*", "*.pif*", "*.bat*", "*.cmd*")) OR Image IN ("*\\AppData\\*", "*\\Users\\Public\\*", "*\\ProgramData\\*", "*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\System32\\Tasks\\*") NOT ((Image="*\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe" CommandLine="*-Embedding") OR (Image="*\\AppData\\Local\\Microsoft\\OneDrive\\*" Image="*\\FileCoAuth.exe" CommandLine="*-Embedding"))
Suspicious Modification Of Scheduled Tasks
Detects when an attacker tries to modify an already existing scheduled task to run from a suspicious location.
Attackers can create an innocuous-looking task in order to avoid detection at creation time, since task creation is usually what is monitored most closely.
Instead, they modify the task after creation to include their malicious payload.
Image="*\\schtasks.exe" CommandLine="* /Change *" CommandLine="* /TN *" CommandLine IN ("*\\AppData\\Local\\Temp*", "*\\AppData\\Roaming\\*", "*\\Users\\Public\\*", "*\\WINDOWS\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Temporary Internet*", "*C:\\ProgramData\\*", "*C:\\Perflogs\\*", "*%ProgramData%*", "*%appdata%*", "*%comspec%*", "*%localappdata%*") CommandLine IN ("*regsvr32*", "*rundll32*", "*cmd /c *", "*cmd /k *", "*cmd /r *", "*cmd.exe /c *", "*cmd.exe /k *", "*cmd.exe /r *", "*powershell*", "*mshta*", "*wscript*", "*cscript*", "*certutil*", "*bitsadmin*", "*bash.exe*", "*bash *", "*scrcons*", "*wmic *", "*wmic.exe*", "*forfiles*", "*scriptrunner*", "*hh.exe*", "*hh *")
Suspicious Mshta.EXE Execution Patterns
Detects suspicious mshta process execution patterns
(Image="*\\mshta.exe" OR OriginalFileName="MSHTA.EXE" ParentImage IN ("*\\cmd.exe", "*\\cscript.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") CommandLine IN ("*\\AppData\\Local\\*", "*C:\\ProgramData\\*", "*C:\\Users\\Public\\*", "*C:\\Windows\\Temp\\*")) OR (Image="*\\mshta.exe" OR OriginalFileName="MSHTA.EXE" NOT (Image IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*") OR CommandLine IN ("*.htm*", "*.hta*") OR CommandLine IN ("*mshta.exe", "*mshta")))
Suspicious Mstsc.EXE Execution With Local RDP File
Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.
Image="*\\mstsc.exe" OR OriginalFileName="mstsc.exe" CommandLine IN ("*.rdp", "*.rdp\"") CommandLine IN ("*:\\Users\\Public\\*", "*:\\Windows\\System32\\spool\\drivers\\color*", "*:\\Windows\\System32\\Tasks_Migrated *", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*:\\Windows\\Tracing\\*", "*\\AppData\\Local\\Temp\\*", "*\\Downloads\\*")
Suspicious NTLM Authentication on the Printer Spooler Service
Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service
Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine="*C:\\windows\\system32\\davclnt.dll,DavSetCookie*" CommandLine="*http*" CommandLine IN ("*spoolss*", "*srvsvc*", "*/print/pipe/*")
Suspicious Named Error
Detects suspicious DNS error messages that indicate a fatal or suspicious error that could be caused by exploitation attempts
" dropping source port zero packet from " OR " denied AXFR from " OR " exiting (due to fatal error)"
Splunk · Converted · SPL · high
Suspicious Network Connection Binary No CommandLine
Detects suspicious network connections made by a well-known Windows binary run with no command line parameters
Initiated="true" Image IN ("*\\regsvr32.exe", "*\\rundll32.exe", "*\\dllhost.exe") CommandLine IN ("*\\regsvr32.exe", "*\\rundll32.exe", "*\\dllhost.exe") NOT (CommandLine="" OR NOT CommandLine=*)
Suspicious New Service Creation
Detects creation of a new service via "sc" command or the powershell "new-service" cmdlet with suspicious binary paths
(Image="*\\sc.exe" CommandLine="*create*" CommandLine="*binPath=*") OR (CommandLine="*New-Service*" CommandLine="*-BinaryPathName*") CommandLine IN ("*powershell*", "*mshta*", "*wscript*", "*cscript*", "*svchost*", "*dllhost*", "*cmd *", "*cmd.exe /c*", "*cmd.exe /k*", "*cmd.exe /r*", "*rundll32*", "*C:\\Users\\Public*", "*\\Downloads\\*", "*\\Desktop\\*", "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "*C:\\Windows\\TEMP\\*", "*\\AppData\\Local\\Temp*")
Splunk · Converted · SPL · high
Suspicious Nohup Execution
Detects execution of binaries located in potentially suspicious locations via "nohup"
Image="*/nohup" CommandLine="*/tmp/*"
Splunk · Converted · SPL · high
Suspicious Obfuscated PowerShell Code
Detects suspicious UTF-16 and Base64-encoded, often obfuscated, PowerShell code frequently used in command lines
CommandLine IN ("*IAAtAGIAeABvAHIAIAAwAHgA*", "*AALQBiAHgAbwByACAAMAB4A*", "*gAC0AYgB4AG8AcgAgADAAeA*", "*AC4ASQBuAHYAbwBrAGUAKAApACAAfAAg*", "*AuAEkAbgB2AG8AawBlACgAKQAgAHwAI*", "*ALgBJAG4AdgBvAGsAZQAoACkAIAB8AC*", "*AHsAMQB9AHsAMAB9ACIAIAAtAGYAI*", "*B7ADEAfQB7ADAAfQAiACAALQBmAC*", "*AewAxAH0AewAwAH0AIgAgAC0AZgAg*", "*AHsAMAB9AHsAMwB9ACIAIAAtAGYAI*", "*B7ADAAfQB7ADMAfQAiACAALQBmAC*", "*AewAwAH0AewAzAH0AIgAgAC0AZgAg*", "*AHsAMgB9AHsAMAB9ACIAIAAtAGYAI*", "*B7ADIAfQB7ADAAfQAiACAALQBmAC*", "*AewAyAH0AewAwAH0AIgAgAC0AZgAg*", "*AHsAMQB9AHsAMAB9ACcAIAAtAGYAI*", "*B7ADEAfQB7ADAAfQAnACAALQBmAC*", "*AewAxAH0AewAwAH0AJwAgAC0AZgAg*", "*AHsAMAB9AHsAMwB9ACcAIAAtAGYAI*", "*B7ADAAfQB7ADMAfQAnACAALQBmAC*", "*AewAwAH0AewAzAH0AJwAgAC0AZgAg*", "*AHsAMgB9AHsAMAB9ACcAIAAtAGYAI*", "*B7ADIAfQB7ADAAfQAnACAALQBmAC*", "*AewAyAH0AewAwAH0AJwAgAC0AZgAg*")
Suspicious Outlook Child Process
Detects a suspicious process spawning from an Outlook process.
ParentImage="*\\OUTLOOK.EXE" Image IN ("*\\AppVLP.exe", "*\\bash.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\forfiles.exe", "*\\hh.exe", "*\\mftrace.exe", "*\\msbuild.exe", "*\\msdt.exe", "*\\mshta.exe", "*\\msiexec.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\schtasks.exe", "*\\scrcons.exe", "*\\scriptrunner.exe", "*\\sh.exe", "*\\svchost.exe", "*\\wmic.exe", "*\\wscript.exe")
Suspicious Outlook Macro Created
Detects the creation of a macro file for Outlook.
TargetFilename="*\\Microsoft\\Outlook\\VbaProject.OTM" NOT Image="*\\outlook.exe"
Suspicious Parent Double Extension File Execution
Detects execution of suspicious double-extension files in ParentCommandLine
ParentImage IN ("*.doc.lnk", "*.docx.lnk", "*.xls.lnk", "*.xlsx.lnk", "*.ppt.lnk", "*.pptx.lnk", "*.rtf.lnk", "*.pdf.lnk", "*.txt.lnk", "*.doc.js", "*.docx.js", "*.xls.js", "*.xlsx.js", "*.ppt.js", "*.pptx.js", "*.rtf.js", "*.pdf.js", "*.txt.js") OR ParentCommandLine IN ("*.doc.lnk*", "*.docx.lnk*", "*.xls.lnk*", "*.xlsx.lnk*", "*.ppt.lnk*", "*.pptx.lnk*", "*.rtf.lnk*", "*.pdf.lnk*", "*.txt.lnk*", "*.doc.js*", "*.docx.js*", "*.xls.js*", "*.xlsx.js*", "*.ppt.js*", "*.pptx.js*", "*.rtf.js*", "*.pdf.js*", "*.txt.js*")
Suspicious Path In Keyboard Layout IME File Registry Value
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
TargetObject="*\\Control\\Keyboard Layouts\\*" TargetObject="*Ime File*" Details IN ("*:\\Perflogs\\*", "*:\\Users\\Public\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Temporary Internet*") OR (Details="*:\\Users\\*" Details="*\\Favorites\\*") OR (Details="*:\\Users\\*" Details="*\\Favourites\\*") OR (Details="*:\\Users\\*" Details="*\\Contacts\\*")
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a script located in a potentially suspicious location to run on a specific VM state change
Image="*\\VMwareToolBoxCmd.exe" OR OriginalFileName="toolbox-cmd.exe" CommandLine="* script *" CommandLine="* set *" CommandLine IN ("*:\\PerfLogs\\*", "*:\\Temp\\*", "*:\\Windows\\System32\\Tasks\\*", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*\\AppData\\Local\\Temp*")
Suspicious Ping/Del Command Combination
Detects a method often used by ransomware, which combines "ping" to wait a couple of seconds and then "del" to delete the file in question. It is used, for example, to hide the file responsible for the initial infection.
CommandLine="* -n *" OR CommandLine="* /n *" OR CommandLine="* –n *" OR CommandLine="* —n *" OR CommandLine="* ―n *" CommandLine="*Nul*" CommandLine="* -f *" OR CommandLine="* /f *" OR CommandLine="* –f *" OR CommandLine="* —f *" OR CommandLine="* ―f *" OR CommandLine="* -q *" OR CommandLine="* /q *" OR CommandLine="* –q *" OR CommandLine="* —q *" OR CommandLine="* ―q *" CommandLine="*ping*" CommandLine="*del *"
Suspicious Plink Port Forwarding
Detects suspicious Plink tunnel port forwarding to a local port
Description="Command-line SSH, Telnet, and Rlogin client" CommandLine="* -R *"
Suspicious PowerShell Download and Execute Pattern
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend matches the strings case-insensitively)
CommandLine IN ("*IEX ((New-Object Net.WebClient).DownloadString*", "*IEX (New-Object Net.WebClient).DownloadString*", "*IEX((New-Object Net.WebClient).DownloadString*", "*IEX(New-Object Net.WebClient).DownloadString*", "* -command (New-Object System.Net.WebClient).DownloadFile(*", "* -c (New-Object System.Net.WebClient).DownloadFile(*")
Suspicious PowerShell Encoded Command Patterns
Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains
Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell.Exe", "pwsh.dll") CommandLine IN ("* -e *", "* -en *", "* -enc *", "* -enco*") CommandLine IN ("* JAB*", "* SUVYI*", "* SQBFAFgA*", "* aWV4I*", "* IAB*", "* PAA*", "* aQBlAHgA*") NOT (ParentImage IN ("*C:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\*", "*\\gc_worker.exe*"))
Suspicious PowerShell IEX Execution Patterns
Detects suspicious ways to run Invoke-Expression using the IEX alias
(Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine IN ("* | iex;*", "* | iex *", "* | iex}*", "* | IEX ;*", "* | IEX -Error*", "* | IEX (new*", "*);IEX *") CommandLine IN ("*::FromBase64String*", "*.GetString([System.Convert]::*")) OR CommandLine IN ("*)|iex;$*", "*);iex($*", "*);iex $*", "* | IEX | *", "* | iex\\\"*")
Suspicious PowerShell Invocations - Generic
Detects suspicious PowerShell invocation command parameters
ScriptBlockText IN ("* -enc *", "* -EncodedCommand *", "* -ec *") ScriptBlockText IN ("* -w hidden *", "* -window hidden *", "* -windowstyle hidden *", "* -w 1 *") ScriptBlockText IN ("* -noni *", "* -noninteractive *")
Suspicious PowerShell Invocations - Generic - PowerShell Module
Detects suspicious PowerShell invocation command parameters
ContextInfo IN ("* -enc *", "* -EncodedCommand *", "* -ec *") ContextInfo IN ("* -w hidden *", "* -window hidden *", "* -windowstyle hidden *", "* -w 1 *") ContextInfo IN ("* -noni *", "* -noninteractive *")
Suspicious PowerShell Invocations - Specific
Detects suspicious PowerShell invocation command parameters
(ScriptBlockText="*-nop*" ScriptBlockText="* -w *" ScriptBlockText="*hidden*" ScriptBlockText="* -c *" ScriptBlockText="*[Convert]::FromBase64String*") OR (ScriptBlockText="* -w *" ScriptBlockText="*hidden*" ScriptBlockText="*-noni*" ScriptBlockText="*-nop*" ScriptBlockText="* -c *" ScriptBlockText="*iex*" ScriptBlockText="*New-Object*") OR (ScriptBlockText="* -w *" ScriptBlockText="*hidden*" ScriptBlockText="*-ep*" ScriptBlockText="*bypass*" ScriptBlockText="*-Enc*") OR (ScriptBlockText="*powershell*" ScriptBlockText="*reg*" ScriptBlockText="*add*" ScriptBlockText IN ("*\\software\\microsoft\\windows\\currentversion\\run*", "*\\software\\wow6432node\\microsoft\\windows\\currentversion\\run*", "*\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run*")) OR (ScriptBlockText="*bypass*" ScriptBlockText="*-noprofile*" ScriptBlockText="*-windowstyle*" ScriptBlockText="*hidden*" ScriptBlockText="*new-object*" ScriptBlockText="*system.net.webclient*" ScriptBlockText="*.download*") OR (ScriptBlockText="*iex*" ScriptBlockText="*New-Object*" ScriptBlockText="*Net.WebClient*" ScriptBlockText="*.Download*") NOT (ScriptBlockText IN ("*(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1*", "*(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')*", "*Write-ChocolateyWarning*"))
Suspicious PowerShell Invocations - Specific - PowerShell Module
Detects suspicious PowerShell invocation command parameters
(ContextInfo="*-nop*" ContextInfo="* -w *" ContextInfo="*hidden*" ContextInfo="* -c *" ContextInfo="*[Convert]::FromBase64String*") OR (ContextInfo="* -w *" ContextInfo="*hidden*" ContextInfo="*-noni*" ContextInfo="*-nop*" ContextInfo="* -c *" ContextInfo="*iex*" ContextInfo="*New-Object*") OR (ContextInfo="* -w *" ContextInfo="*hidden*" ContextInfo="*-ep*" ContextInfo="*bypass*" ContextInfo="*-Enc*") OR (ContextInfo="*powershell*" ContextInfo="*reg*" ContextInfo="*add*" ContextInfo IN ("*\\software\\microsoft\\windows\\currentversion\\run*", "*\\software\\wow6432node\\microsoft\\windows\\currentversion\\run*", "*\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run*")) OR (ContextInfo="*bypass*" ContextInfo="*-noprofile*" ContextInfo="*-windowstyle*" ContextInfo="*hidden*" ContextInfo="*new-object*" ContextInfo="*system.net.webclient*" ContextInfo="*.download*") OR (ContextInfo="*iex*" ContextInfo="*New-Object*" ContextInfo="*Net.WebClient*" ContextInfo="*.Download*") NOT (ContextInfo IN ("*(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1*", "*Write-ChocolateyWarning*"))
Suspicious PowerShell Parameter Substring
Detects suspicious PowerShell invocation with a parameter substring
Image IN ("*\\powershell.exe", "*\\pwsh.exe") CommandLine IN ("* -windowstyle h *", "* -windowstyl h*", "* -windowsty h*", "* -windowst h*", "* -windows h*", "* -windo h*", "* -wind h*", "* -win h*", "* -wi h*", "* -win h *", "* -win hi *", "* -win hid *", "* -win hidd *", "* -win hidde *", "* -NoPr *", "* -NoPro *", "* -NoProf *", "* -NoProfi *", "* -NoProfil *", "* -nonin *", "* -nonint *", "* -noninte *", "* -noninter *", "* -nonintera *", "* -noninterac *", "* -noninteract *", "* -noninteracti *", "* -noninteractiv *", "* -ec *", "* -encodedComman *", "* -encodedComma *", "* -encodedComm *", "* -encodedCom *", "* -encodedCo *", "* -encodedC *", "* -encoded *", "* -encode *", "* -encod *", "* -enco *", "* -en *", "* -executionpolic *", "* -executionpoli *", "* -executionpol *", "* -executionpo *", "* -executionp *", "* -execution bypass*", "* -executio bypass*", "* -executi bypass*", "* -execut bypass*", "* -execu bypass*", "* -exec bypass*", "* -exe bypass*", "* -ex bypass*", "* -ep bypass*", "* /windowstyle h *", "* /windowstyl h*", "* /windowsty h*", "* /windowst h*", "* /windows h*", "* /windo h*", "* /wind h*", "* /win h*", "* /wi h*", "* /win h *", "* /win hi *", "* /win hid *", "* /win hidd *", "* /win hidde *", "* /NoPr *", "* /NoPro *", "* /NoProf *", "* /NoProfi *", "* /NoProfil *", "* /nonin *", "* /nonint *", "* /noninte *", "* /noninter *", "* /nonintera *", "* /noninterac *", "* /noninteract *", "* /noninteracti *", "* /noninteractiv *", "* /ec *", "* /encodedComman *", "* /encodedComma *", "* /encodedComm *", "* /encodedCom *", "* /encodedCo *", "* /encodedC *", "* /encoded *", "* /encode *", "* /encod *", "* /enco *", "* /en *", "* /executionpolic *", "* /executionpoli *", "* /executionpol *", "* /executionpo *", "* /executionp *", "* /execution bypass*", "* /executio bypass*", "* /executi bypass*", "* /execut bypass*", "* /execu bypass*", "* /exec bypass*", "* /exe bypass*", "* /ex bypass*", "* /ep bypass*")
Suspicious PowerShell Parent Process
Detects suspicious or uncommon parent processes of PowerShell
ParentImage="*tomcat*" OR ParentImage IN ("*\\amigo.exe", "*\\browser.exe", "*\\chrome.exe", "*\\firefox.exe", "*\\httpd.exe", "*\\iexplore.exe", "*\\jbosssvc.exe", "*\\microsoftedge.exe", "*\\microsoftedgecp.exe", "*\\MicrosoftEdgeSH.exe", "*\\mshta.exe", "*\\nginx.exe", "*\\outlook.exe", "*\\php-cgi.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\safari.exe", "*\\services.exe", "*\\sqlagent.exe", "*\\sqlserver.exe", "*\\sqlservr.exe", "*\\vivaldi.exe", "*\\w3wp.exe") Image IN ("*\\powershell.exe", "*\\pwsh.exe") OR CommandLine IN ("*/c powershell*", "*/c pwsh*") OR Description="Windows PowerShell" OR Product="PowerShell Core 6" OR OriginalFileName IN ("PowerShell.EXE", "pwsh.dll")
Suspicious Printer Driver Empty Manufacturer
Detects a suspicious printer driver installation with an empty Manufacturer value
TargetObject="*\\Control\\Print\\Environments\\Windows x64\\Drivers*" TargetObject="*\\Manufacturer*" Details="(Empty)" NOT (TargetObject="*\\CutePDF Writer v4.0\\*" OR TargetObject IN ("*\\VNC Printer (PS)\\*", "*\\VNC Printer (UD)\\*") OR TargetObject="*\\Version-3\\PDF24\\*")
Suspicious Process Access of MsMpEng by WerFaultSecure - EDR-Freeze
Detects process access events where WerFaultSecure accesses MsMpEng.exe with dbgcore.dll or dbghelp.dll in the call trace, indicating potential EDR freeze techniques.
This technique leverages WerFaultSecure.exe running as a Protected Process Light (PPL) with WinTCB protection level to call MiniDumpWriteDump and suspend EDR/AV processes, allowing malicious activity to execute undetected during the suspension period.
SourceImage="*\\WerFaultSecure.exe" TargetImage="*\\MsMpEng.exe" CallTrace IN ("*\\dbgcore.dll*", "*\\dbghelp.dll*")
Suspicious Process Access to LSASS with Dbgcore/Dbghelp DLLs
Detects suspicious process access to LSASS.exe from processes located in uncommon locations with dbgcore.dll or dbghelp.dll in the call trace.
These DLLs contain functions like MiniDumpWriteDump that can be abused for credential dumping purposes. While modern tools like Mimikatz have moved to using ntdll.dll, dbgcore.dll and dbghelp.dll are still used by basic credential dumping utilities and legacy tools for LSASS memory access and process suspension techniques.
TargetImage="*\\lsass.exe" CallTrace IN ("*dbgcore.dll*", "*dbghelp.dll*") SourceImage IN ("*:\\Perflogs\\*", "*:\\Temp\\*", "*:\\Users\\Public\\*", "*\\$Recycle.Bin\\*", "*\\AppData\\Roaming\\*", "*\\Contacts\\*", "*\\Desktop\\*", "*\\Documents\\*", "*\\Downloads\\*", "*\\Favorites\\*", "*\\Favourites\\*", "*\\inetpub\\wwwroot\\*", "*\\Music\\*", "*\\Pictures\\*", "*\\Start Menu\\Programs\\Startup\\*", "*\\Users\\Default\\*", "*\\Videos\\*", "*\\Windows\\Temp\\*")
Suspicious Process By Web Server Process
Detects potentially suspicious processes being spawned by a web server process which could be the result of a successfully placed web shell or exploitation
ParentImage IN ("*\\caddy.exe", "*\\httpd.exe", "*\\nginx.exe", "*\\php-cgi.exe", "*\\php.exe", "*\\tomcat.exe", "*\\UMWorkerProcess.exe", "*\\w3wp.exe", "*\\ws_TomcatService.exe") OR (ParentImage IN ("*\\java.exe", "*\\javaw.exe") ParentImage IN ("*-tomcat-*", "*\\tomcat*")) OR (ParentImage IN ("*\\java.exe", "*\\javaw.exe") ParentCommandLine IN ("*CATALINA_HOME*", "*catalina.home*", "*catalina.jar*")) Image IN ("*\\arp.exe", "*\\at.exe", "*\\bash.exe", "*\\bitsadmin.exe", "*\\certutil.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\dsget.exe", "*\\hostname.exe", "*\\nbtstat.exe", "*\\net.exe", "*\\net1.exe", "*\\netdom.exe", "*\\netsh.exe", "*\\nltest.exe", "*\\ntdsutil.exe", "*\\powershell_ise.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\qprocess.exe", "*\\query.exe", "*\\qwinsta.exe", "*\\reg.exe", "*\\rundll32.exe", "*\\sc.exe", "*\\sh.exe", "*\\wmic.exe", "*\\wscript.exe", "*\\wusa.exe") NOT ((ParentImage="*\\java.exe" CommandLine="*Windows\\system32\\cmd.exe /c C:\\ManageEngine\\ADManager \"Plus\\ES\\bin\\elasticsearch.bat -Enode.name=RMP-NODE1 -pelasticsearch-pid.txt") OR (ParentImage="*\\java.exe" CommandLine="*sc query*" CommandLine="*ADManager Plus*"))
Suspicious Process Created Via Wmic.EXE
Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsvr32", etc.
CommandLine="*process *" CommandLine="*call *" CommandLine="*create *" CommandLine IN ("*rundll32*", "*bitsadmin*", "*regsvr32*", "*cmd.exe /c *", "*cmd.exe /k *", "*cmd.exe /r *", "*cmd /c *", "*cmd /k *", "*cmd /r *", "*powershell*", "*pwsh*", "*certutil*", "*cscript*", "*wscript*", "*mshta*", "*\\Users\\Public\\*", "*\\Windows\\Temp\\*", "*\\AppData\\Local\\*", "*%temp%*", "*%tmp%*", "*%ProgramData%*", "*%appdata%*", "*%comspec%*", "*%localappdata%*")
Splunk · Converted · SPL · high
Suspicious Process Execution From Fake Recycle.Bin Folder
Detects process execution from a fake recycle bin folder, often used to evade security solutions.
Image IN ("*RECYCLERS.BIN\\*", "*RECYCLER.BIN\\*")
Suspicious Process Masquerading As SvcHost.EXE
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
Image="*\\svchost.exe" NOT (Image IN ("C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\SysWOW64\\svchost.exe") OR OriginalFileName="svchost.exe")
Suspicious Process Parents
Detects suspicious parent processes that should not have any children or should only have a single possible child program
ParentImage IN ("*\\minesweeper.exe", "*\\winver.exe", "*\\bitsadmin.exe") OR (ParentImage IN ("*\\csrss.exe", "*\\certutil.exe", "*\\eventvwr.exe", "*\\calc.exe", "*\\notepad.exe") NOT (Image IN ("*\\WerFault.exe", "*\\wermgr.exe", "*\\conhost.exe", "*\\mmc.exe", "*\\win32calc.exe", "*\\notepad.exe") OR NOT Image=*))
Suspicious Process Patterns NTDS.DIT Exfil
Detects suspicious process patterns used in NTDS.DIT exfiltration
Image IN ("*\\NTDSDump.exe", "*\\NTDSDumpEx.exe") OR (CommandLine="*ntds.dit*" CommandLine="*system.hiv*") OR CommandLine="*NTDSgrab.ps1*" OR (CommandLine="*ac i ntds*" CommandLine="*create full*") OR (CommandLine="*/c copy *" CommandLine="*\\windows\\ntds\\ntds.dit*") OR (CommandLine="*activate instance ntds*" CommandLine="*create full*") OR (CommandLine="*powershell*" CommandLine="*ntds.dit*") OR (CommandLine="*ntds.dit*" ParentImage IN ("*\\apache*", "*\\tomcat*", "*\\AppData\\*", "*\\Temp\\*", "*\\Public\\*", "*\\PerfLogs\\*") OR Image IN ("*\\apache*", "*\\tomcat*", "*\\AppData\\*", "*\\Temp\\*", "*\\Public\\*", "*\\PerfLogs\\*"))
Splunk · Converted · SPL · high
Suspicious Processes Spawned by Java.EXE
Detects suspicious processes spawned from a Java host process, which could be a sign of exploitation (e.g. Log4j)
ParentImage="*\\java.exe" Image IN ("*\\AppVLP.exe", "*\\bitsadmin.exe", "*\\certutil.exe", "*\\cscript.exe", "*\\curl.exe", "*\\forfiles.exe", "*\\hh.exe", "*\\mftrace.exe", "*\\mshta.exe", "*\\net.exe", "*\\net1.exe", "*\\query.exe", "*\\reg.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\schtasks.exe", "*\\scrcons.exe", "*\\scriptrunner.exe", "*\\sh.exe", "*\\systeminfo.exe", "*\\whoami.exe", "*\\wmic.exe", "*\\wscript.exe")
Suspicious Processes Spawned by WinRM
Detects suspicious processes, including shells, spawned from the WinRM host process
ParentImage="*\\wsmprovhost.exe" Image IN ("*\\cmd.exe", "*\\sh.exe", "*\\bash.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wsl.exe", "*\\schtasks.exe", "*\\certutil.exe", "*\\whoami.exe", "*\\bitsadmin.exe")
Suspicious Program Location Whitelisted In Firewall Via Netsh.EXE
Detects Netsh command execution that whitelists a program located in a suspicious location in the Windows Firewall
Image="*\\netsh.exe" OR OriginalFileName="netsh.exe" (CommandLine="*firewall*" CommandLine="*add*" CommandLine="*allowedprogram*") OR (CommandLine="*advfirewall*" CommandLine="*firewall*" CommandLine="*add*" CommandLine="*rule*" CommandLine="*action=allow*" CommandLine="*program=*") CommandLine IN ("*:\\$Recycle.bin\\*", "*:\\RECYCLER.BIN\\*", "*:\\RECYCLERS.BIN\\*", "*:\\SystemVolumeInformation\\*", "*:\\Temp\\*", "*:\\Users\\Default\\*", "*:\\Users\\Desktop\\*", "*:\\Users\\Public\\*", "*:\\Windows\\addins\\*", "*:\\Windows\\cursors\\*", "*:\\Windows\\debug\\*", "*:\\Windows\\drivers\\*", "*:\\Windows\\fonts\\*", "*:\\Windows\\help\\*", "*:\\Windows\\system32\\tasks\\*", "*:\\Windows\\Tasks\\*", "*:\\Windows\\Temp\\*", "*\\Downloads\\*", "*\\Local Settings\\Temporary Internet Files\\*", "*\\Temporary Internet Files\\Content.Outlook\\*", "*%Public%\\*", "*%TEMP%*", "*%TMP%*")
Suspicious Program Names
Detects suspicious patterns in program names or folders that are often found in malicious samples or hacktools
Image IN ("*\\CVE-202*", "*\\CVE202*") OR Image IN ("*\\poc.exe", "*\\artifact.exe", "*\\artifact64.exe", "*\\artifact_protected.exe", "*\\artifact32.exe", "*\\artifact32big.exe", "*obfuscated.exe", "*obfusc.exe", "*\\meterpreter") OR CommandLine IN ("*inject.ps1*", "*Invoke-CVE*", "*pupy.ps1*", "*payload.ps1*", "*beacon.ps1*", "*PowerView.ps1*", "*bypass.ps1*", "*obfuscated.ps1*", "*obfusc.ps1*", "*obfus.ps1*", "*obfs.ps1*", "*evil.ps1*", "*MiniDogz.ps1*", "*_enc.ps1*", "*\\shell.ps1*", "*\\rshell.ps1*", "*revshell.ps1*", "*\\av.ps1*", "*\\av_test.ps1*", "*adrecon.ps1*", "*mimikatz.ps1*", "*\\PowerUp_*", "*powerup.ps1*", "*\\Temp\\a.ps1*", "*\\Temp\\p.ps1*", "*\\Temp\\1.ps1*", "*Hound.ps1*", "*encode.ps1*", "*powercat.ps1*")
Suspicious Provlaunch.EXE Child Process
Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
ParentImage="*\\provlaunch.exe" Image IN ("*\\calc.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\notepad.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe") OR Image IN ("*:\\PerfLogs\\*", "*:\\Temp\\*", "*:\\Users\\Public\\*", "*\\AppData\\Temp\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*")
Suspicious PsExec Execution
Detects execution of PsExec or PAExec with a renamed service name. This rule helps to filter out the noise if PsExec is used for legitimate purposes or if an attacker uses a PsExec client other than the Sysinternals one.
EventID=5145 ShareName="\\\\\*\\IPC$" RelativeTargetName IN ("*-stdin", "*-stdout", "*-stderr") NOT RelativeTargetName="PSEXESVC*"
Showing 1201-1250 of 3,131