Tool

Splunk

12,786 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

50 shown of 12,786
Elastic Converted Lucene high T1190 ↗
DNS Query to External Service Interaction Domains
Detects suspicious DNS queries to external service interaction domains often used for out-of-band interactions after successful RCE
(query:(*.burpcollaborator.net OR *.canarytokens.com OR *.ceye.io OR *.ddns.1443.eu.org OR *.ddns.bypass.eu.org OR *.ddns.xn\-\-gg8h.eu.org OR *.digimg.store OR *.dns.su18.org OR *.dnshook.site OR *.dnslog.cn OR *.dnslog.ink OR *.instances.httpworkbench.com OR *.interact.sh OR *.log.dnslog.pp.ua OR *.log.dnslog.qzz.io OR *.log.dnslogs.dpdns.org OR *.log.javaweb.org OR *.log.nat.cloudns.ph OR *.oast.fun OR *.oast.live OR *.oast.me OR *.oast.online OR *.oast.pro OR *.oast.site OR *.oastify.com OR *.p8.lol OR *.requestbin.net)) AND (NOT query:*polling.oastify.com*)
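Added example (not part of this catalog or of the rule's upstream source): the suffix check behind the OAST rule above, written in Python and run over a few constructed DNS log lines. The domain list is the rule's own; the log format, host name and queried names are made up for the example. It makes two details of the wildcard query explicit: `*.oastify.com` needs a label in front of the suffix, so the bare apex and look-alikes such as `evil-dnslog.cn` do not match, and any name containing `polling.oastify.com` is excluded because that is the name the Burp Suite Collaborator client itself resolves while polling for interactions.

```python
# Callback/OAST apex domains taken from the rule's wildcard list above
# (the Lucene form escapes the hyphens in xn--gg8h; the real label is xn--gg8h).
OAST_SUFFIXES = (
    "burpcollaborator.net", "canarytokens.com", "ceye.io",
    "ddns.1443.eu.org", "ddns.bypass.eu.org", "ddns.xn--gg8h.eu.org",
    "digimg.store", "dns.su18.org", "dnshook.site", "dnslog.cn", "dnslog.ink",
    "instances.httpworkbench.com", "interact.sh", "log.dnslog.pp.ua",
    "log.dnslog.qzz.io", "log.dnslogs.dpdns.org", "log.javaweb.org",
    "log.nat.cloudns.ph", "oast.fun", "oast.live", "oast.me", "oast.online",
    "oast.pro", "oast.site", "oastify.com", "p8.lol", "requestbin.net",
)

# Name the Burp Suite Collaborator client resolves while polling for results;
# the rule excludes it so a tester's own workstation does not alert all day.
POLLING_EXCLUSION = "polling.oastify.com"


def is_oast_query(qname: str) -> bool:
    """Apply the rule's logic to one queried name.

    The wildcard '*.<suffix>' needs a label in front of the suffix, so this
    uses endswith('.' + suffix) rather than a substring test: the apex itself
    and look-alikes like 'evil-dnslog.cn' stay silent. Names are lower-cased
    and a trailing dot stripped, which is how resolvers normalise them; in the
    Lucene rule case handling depends on the field's mapping.
    """
    name = qname.rstrip(".").lower()
    if POLLING_EXCLUSION in name:
        return False
    return any(name.endswith("." + suffix) for suffix in OAST_SUFFIXES)


# Constructed DNS log (format, host and names made up for this example).
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z web01 query=x7k2q.oast.fun type=A
2024-05-01T10:00:02Z web01 query=polling.oastify.com type=A
2024-05-01T10:00:03Z web01 query=evil-dnslog.cn type=A
2024-05-01T10:00:04Z web01 query=cdn.example.com type=A
2024-05-01T10:00:05Z web01 query=abcd.efgh.burpcollaborator.net type=A
2024-05-01T10:00:06Z web01 query=oastify.com type=A
"""


def scan_dns_log(text: str) -> list:
    """Return the queried names in a key=value DNS log that trip the rule."""
    hits = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        qname = fields.get("query", "")
        if is_oast_query(qname):
            hits.append(qname)
    return hits


if __name__ == "__main__":
    for qname in scan_dns_log(SAMPLE_DNS_LOG):
        print("OAST callback query:", qname)
```

A hit from a server (rather than a tester's laptop) shortly after an inbound HTTP request is a strong out-of-band exploitation signal. The list is a snapshot: OAST providers add and rotate domains, so it needs refreshing along with the rule.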
Elastic Converted EQL high T1574.001 ↗
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
any where EventID in (150, 770, 771)
Elastic Converted ES|QL high T1574.001 ↗
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
from * metadata _id, _index, _version | where EventID in (150, 770, 771)
Elastic Converted Lucene high T1574.001 ↗
DNS Server Error Failed Loading the ServerLevelPluginDLL
Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
EventID:(150 OR 770 OR 771)
Elastic Converted EQL high T1071.004 ↗
DNS TXT Answer with Possible Execution Strings
Detects strings used in command execution in DNS TXT Answer
any where record_type:"TXT" and (answer like~ ("*IEX*", "*Invoke-Expression*", "*cmd.exe*"))
Elastic Converted ES|QL high T1071.004 ↗
DNS TXT Answer with Possible Execution Strings
Detects strings used in command execution in DNS TXT Answer
from * metadata _id, _index, _version | where record_type=="TXT" and (answer like "*IEX*" or answer like "*Invoke-Expression*" or answer like "*cmd.exe*")
Elastic Converted Lucene high T1071.004 ↗
DNS TXT Answer with Possible Execution Strings
Detects strings used in command execution in DNS TXT Answer
record_type:TXT AND (answer:(*IEX* OR *Invoke\-Expression* OR *cmd.exe*))
Elastic Converted EQL high T1552.004 ↗
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
any where (TargetFilename like~ ("*ntds_capi_*", "*ntds_legacy_*", "*ntds_unknown_*")) and (TargetFilename like~ ("*.cer", "*.key", "*.pfx", "*.pvk"))
Elastic Converted ES|QL high T1552.004 ↗
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
from * metadata _id, _index, _version | where (TargetFilename like "*ntds_capi_*" or TargetFilename like "*ntds_legacy_*" or TargetFilename like "*ntds_unknown_*") and (ends_with(TargetFilename, ".cer") or ends_with(TargetFilename, ".key") or ends_with(TargetFilename, ".pfx") or ends_with(TargetFilename, ".pvk"))
Elastic Converted Lucene high T1552.004 ↗
DPAPI Backup Keys And Certificate Export Activity IOC
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
(TargetFilename:(*ntds_capi_* OR *ntds_legacy_* OR *ntds_unknown_*)) AND (TargetFilename:(*.cer OR *.key OR *.pfx OR *.pvk))
Elastic Converted EQL high T1003.004 ↗
DPAPI Domain Backup Key Extraction
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
any where EventID:4662 and ObjectType:"SecretObject" and AccessMask:"0x2" and ObjectName:"*BCKUPKEY*"
Elastic Converted ES|QL high T1003.004 ↗
DPAPI Domain Backup Key Extraction
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
from * metadata _id, _index, _version | where EventID==4662 and ObjectType=="SecretObject" and AccessMask=="0x2" and ObjectName like "*BCKUPKEY*"
Elastic Converted Lucene high T1003.004 ↗
DPAPI Domain Backup Key Extraction
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers
EventID:4662 AND ObjectType:SecretObject AND AccessMask:0x2 AND ObjectName:*BCKUPKEY*
Elastic Converted EQL high
DPRK Threat Actor - C2 Communication DNS Indicators
Detects DNS queries for C2 domains used by DPRK threat actors.
any where QueryName like~ ("connection.lockscreen.kro.kr", "updating.dothome.co.kr")
Elastic Converted ES|QL high
DPRK Threat Actor - C2 Communication DNS Indicators
Detects DNS queries for C2 domains used by DPRK threat actors.
from * metadata _id, _index, _version | where QueryName in ("connection.lockscreen.kro.kr", "updating.dothome.co.kr")
Elastic Converted Lucene high
DPRK Threat Actor - C2 Communication DNS Indicators
Detects DNS queries for C2 domains used by DPRK threat actors.
QueryName:(connection.lockscreen.kro.kr OR updating.dothome.co.kr)
Elastic Converted EQL high T1059.001 ↗
DSInternals Suspicious PowerShell Cmdlets
Detects execution and usage of the DSInternals PowerShell module, which can be used for activity that might be considered suspicious, such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory, including FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. This variant matches the process command line.
any where CommandLine like~ ("*Add-ADDBSidHistory*", "*Add-ADNgcKey*", "*Add-ADReplNgcKey*", "*ConvertFrom-ADManagedPasswordBlob*", "*ConvertFrom-GPPrefPassword*", "*ConvertFrom-ManagedPasswordBlob*", "*ConvertFrom-UnattendXmlPassword*", "*ConvertFrom-UnicodePassword*", "*ConvertTo-AADHash*", "*ConvertTo-GPPrefPassword*", "*ConvertTo-KerberosKey*", "*ConvertTo-LMHash*", "*ConvertTo-MsoPasswordHash*", "*ConvertTo-NTHash*", "*ConvertTo-OrgIdHash*", "*ConvertTo-UnicodePassword*", "*Disable-ADDBAccount*", "*Enable-ADDBAccount*", "*Get-ADDBAccount*", "*Get-ADDBBackupKey*", "*Get-ADDBDomainController*", "*Get-ADDBGroupManagedServiceAccount*", "*Get-ADDBKdsRootKey*", "*Get-ADDBSchemaAttribute*", "*Get-ADDBServiceAccount*", "*Get-ADDefaultPasswordPolicy*", "*Get-ADKeyCredential*", "*Get-ADPasswordPolicy*", "*Get-ADReplAccount*", "*Get-ADReplBackupKey*", "*Get-ADReplicationAccount*", "*Get-ADSIAccount*", "*Get-AzureADUserEx*", "*Get-BootKey*", "*Get-KeyCredential*", "*Get-LsaBackupKey*", "*Get-LsaPolicy*", "*Get-SamPasswordPolicy*", "*Get-SysKey*", "*Get-SystemKey*", "*New-ADDBRestoreFromMediaScript*", "*New-ADKeyCredential*", "*New-ADNgcKey*", "*New-NTHashSet*", "*Remove-ADDBObject*", "*Save-DPAPIBlob*", "*Set-ADAccountPasswordHash*", "*Set-ADDBAccountPassword*", "*Set-ADDBBootKey*", "*Set-ADDBDomainController*", "*Set-ADDBPrimaryGroup*", "*Set-ADDBSysKey*", "*Set-AzureADUserEx*", "*Set-LsaPolicy*", "*Set-SamAccountPasswordHash*", "*Set-WinUserPasswordHash*", "*Test-ADDBPasswordQuality*", "*Test-ADPasswordQuality*", "*Test-ADReplPasswordQuality*", "*Test-PasswordQuality*", "*Unlock-ADDBAccount*", "*Write-ADNgcKey*", "*Write-ADReplNgcKey*")
Elastic Converted ES|QL high T1059.001 ↗
DSInternals Suspicious PowerShell Cmdlets
Detects execution and usage of the DSInternals PowerShell module, which can be used for activity that might be considered suspicious, such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory, including FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. This variant matches the process command line.
from * metadata _id, _index, _version | where CommandLine like "*Add-ADDBSidHistory*" or CommandLine like "*Add-ADNgcKey*" or CommandLine like "*Add-ADReplNgcKey*" or CommandLine like "*ConvertFrom-ADManagedPasswordBlob*" or CommandLine like "*ConvertFrom-GPPrefPassword*" or CommandLine like "*ConvertFrom-ManagedPasswordBlob*" or CommandLine like "*ConvertFrom-UnattendXmlPassword*" or CommandLine like "*ConvertFrom-UnicodePassword*" or CommandLine like "*ConvertTo-AADHash*" or CommandLine like "*ConvertTo-GPPrefPassword*" or CommandLine like "*ConvertTo-KerberosKey*" or CommandLine like "*ConvertTo-LMHash*" or CommandLine like "*ConvertTo-MsoPasswordHash*" or CommandLine like "*ConvertTo-NTHash*" or CommandLine like "*ConvertTo-OrgIdHash*" or CommandLine like "*ConvertTo-UnicodePassword*" or CommandLine like "*Disable-ADDBAccount*" or CommandLine like "*Enable-ADDBAccount*" or CommandLine like "*Get-ADDBAccount*" or CommandLine like "*Get-ADDBBackupKey*" or CommandLine like "*Get-ADDBDomainController*" or CommandLine like "*Get-ADDBGroupManagedServiceAccount*" or CommandLine like "*Get-ADDBKdsRootKey*" or CommandLine like "*Get-ADDBSchemaAttribute*" or CommandLine like "*Get-ADDBServiceAccount*" or CommandLine like "*Get-ADDefaultPasswordPolicy*" or CommandLine like "*Get-ADKeyCredential*" or CommandLine like "*Get-ADPasswordPolicy*" or CommandLine like "*Get-ADReplAccount*" or CommandLine like "*Get-ADReplBackupKey*" or CommandLine like "*Get-ADReplicationAccount*" or CommandLine like "*Get-ADSIAccount*" or CommandLine like "*Get-AzureADUserEx*" or CommandLine like "*Get-BootKey*" or CommandLine like "*Get-KeyCredential*" or CommandLine like "*Get-LsaBackupKey*" or CommandLine like "*Get-LsaPolicy*" or CommandLine like "*Get-SamPasswordPolicy*" or CommandLine like "*Get-SysKey*" or CommandLine like "*Get-SystemKey*" or CommandLine like "*New-ADDBRestoreFromMediaScript*" or CommandLine like "*New-ADKeyCredential*" or CommandLine like "*New-ADNgcKey*" or CommandLine 
like "*New-NTHashSet*" or CommandLine like "*Remove-ADDBObject*" or CommandLine like "*Save-DPAPIBlob*" or CommandLine like "*Set-ADAccountPasswordHash*" or CommandLine like "*Set-ADDBAccountPassword*" or CommandLine like "*Set-ADDBBootKey*" or CommandLine like "*Set-ADDBDomainController*" or CommandLine like "*Set-ADDBPrimaryGroup*" or CommandLine like "*Set-ADDBSysKey*" or CommandLine like "*Set-AzureADUserEx*" or CommandLine like "*Set-LsaPolicy*" or CommandLine like "*Set-SamAccountPasswordHash*" or CommandLine like "*Set-WinUserPasswordHash*" or CommandLine like "*Test-ADDBPasswordQuality*" or CommandLine like "*Test-ADPasswordQuality*" or CommandLine like "*Test-ADReplPasswordQuality*" or CommandLine like "*Test-PasswordQuality*" or CommandLine like "*Unlock-ADDBAccount*" or CommandLine like "*Write-ADNgcKey*" or CommandLine like "*Write-ADReplNgcKey*"
Elastic Converted Lucene high T1059.001 ↗
DSInternals Suspicious PowerShell Cmdlets
Detects execution and usage of the DSInternals PowerShell module, which can be used for activity that might be considered suspicious, such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory, including FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. This variant matches the process command line.
CommandLine:(*Add\-ADDBSidHistory* OR *Add\-ADNgcKey* OR *Add\-ADReplNgcKey* OR *ConvertFrom\-ADManagedPasswordBlob* OR *ConvertFrom\-GPPrefPassword* OR *ConvertFrom\-ManagedPasswordBlob* OR *ConvertFrom\-UnattendXmlPassword* OR *ConvertFrom\-UnicodePassword* OR *ConvertTo\-AADHash* OR *ConvertTo\-GPPrefPassword* OR *ConvertTo\-KerberosKey* OR *ConvertTo\-LMHash* OR *ConvertTo\-MsoPasswordHash* OR *ConvertTo\-NTHash* OR *ConvertTo\-OrgIdHash* OR *ConvertTo\-UnicodePassword* OR *Disable\-ADDBAccount* OR *Enable\-ADDBAccount* OR *Get\-ADDBAccount* OR *Get\-ADDBBackupKey* OR *Get\-ADDBDomainController* OR *Get\-ADDBGroupManagedServiceAccount* OR *Get\-ADDBKdsRootKey* OR *Get\-ADDBSchemaAttribute* OR *Get\-ADDBServiceAccount* OR *Get\-ADDefaultPasswordPolicy* OR *Get\-ADKeyCredential* OR *Get\-ADPasswordPolicy* OR *Get\-ADReplAccount* OR *Get\-ADReplBackupKey* OR *Get\-ADReplicationAccount* OR *Get\-ADSIAccount* OR *Get\-AzureADUserEx* OR *Get\-BootKey* OR *Get\-KeyCredential* OR *Get\-LsaBackupKey* OR *Get\-LsaPolicy* OR *Get\-SamPasswordPolicy* OR *Get\-SysKey* OR *Get\-SystemKey* OR *New\-ADDBRestoreFromMediaScript* OR *New\-ADKeyCredential* OR *New\-ADNgcKey* OR *New\-NTHashSet* OR *Remove\-ADDBObject* OR *Save\-DPAPIBlob* OR *Set\-ADAccountPasswordHash* OR *Set\-ADDBAccountPassword* OR *Set\-ADDBBootKey* OR *Set\-ADDBDomainController* OR *Set\-ADDBPrimaryGroup* OR *Set\-ADDBSysKey* OR *Set\-AzureADUserEx* OR *Set\-LsaPolicy* OR *Set\-SamAccountPasswordHash* OR *Set\-WinUserPasswordHash* OR *Test\-ADDBPasswordQuality* OR *Test\-ADPasswordQuality* OR *Test\-ADReplPasswordQuality* OR *Test\-PasswordQuality* OR *Unlock\-ADDBAccount* OR *Write\-ADNgcKey* OR *Write\-ADReplNgcKey*)
Elastic Converted EQL high T1059.001 ↗
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Detects execution and usage of the DSInternals PowerShell module, which can be used for activity that might be considered suspicious, such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory, including FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. This variant matches PowerShell script block logging (ScriptBlockText) rather than the process command line, so it also catches cmdlets invoked from within a script.
any where ScriptBlockText like~ ("*Add-ADDBSidHistory*", "*Add-ADNgcKey*", "*Add-ADReplNgcKey*", "*ConvertFrom-ADManagedPasswordBlob*", "*ConvertFrom-GPPrefPassword*", "*ConvertFrom-ManagedPasswordBlob*", "*ConvertFrom-UnattendXmlPassword*", "*ConvertFrom-UnicodePassword*", "*ConvertTo-AADHash*", "*ConvertTo-GPPrefPassword*", "*ConvertTo-KerberosKey*", "*ConvertTo-LMHash*", "*ConvertTo-MsoPasswordHash*", "*ConvertTo-NTHash*", "*ConvertTo-OrgIdHash*", "*ConvertTo-UnicodePassword*", "*Disable-ADDBAccount*", "*Enable-ADDBAccount*", "*Get-ADDBAccount*", "*Get-ADDBBackupKey*", "*Get-ADDBDomainController*", "*Get-ADDBGroupManagedServiceAccount*", "*Get-ADDBKdsRootKey*", "*Get-ADDBSchemaAttribute*", "*Get-ADDBServiceAccount*", "*Get-ADDefaultPasswordPolicy*", "*Get-ADKeyCredential*", "*Get-ADPasswordPolicy*", "*Get-ADReplAccount*", "*Get-ADReplBackupKey*", "*Get-ADReplicationAccount*", "*Get-ADSIAccount*", "*Get-AzureADUserEx*", "*Get-BootKey*", "*Get-KeyCredential*", "*Get-LsaBackupKey*", "*Get-LsaPolicy*", "*Get-SamPasswordPolicy*", "*Get-SysKey*", "*Get-SystemKey*", "*New-ADDBRestoreFromMediaScript*", "*New-ADKeyCredential*", "*New-ADNgcKey*", "*New-NTHashSet*", "*Remove-ADDBObject*", "*Save-DPAPIBlob*", "*Set-ADAccountPasswordHash*", "*Set-ADDBAccountPassword*", "*Set-ADDBBootKey*", "*Set-ADDBDomainController*", "*Set-ADDBPrimaryGroup*", "*Set-ADDBSysKey*", "*Set-AzureADUserEx*", "*Set-LsaPolicy*", "*Set-SamAccountPasswordHash*", "*Set-WinUserPasswordHash*", "*Test-ADDBPasswordQuality*", "*Test-ADPasswordQuality*", "*Test-ADReplPasswordQuality*", "*Test-PasswordQuality*", "*Unlock-ADDBAccount*", "*Write-ADNgcKey*", "*Write-ADReplNgcKey*")
Elastic Converted ES|QL high T1059.001 ↗
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Detects execution and usage of the DSInternals PowerShell module, which can be used for activity that might be considered suspicious, such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory, including FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. This variant matches PowerShell script block logging (ScriptBlockText) rather than the process command line, so it also catches cmdlets invoked from within a script.
from * metadata _id, _index, _version | where ScriptBlockText like "*Add-ADDBSidHistory*" or ScriptBlockText like "*Add-ADNgcKey*" or ScriptBlockText like "*Add-ADReplNgcKey*" or ScriptBlockText like "*ConvertFrom-ADManagedPasswordBlob*" or ScriptBlockText like "*ConvertFrom-GPPrefPassword*" or ScriptBlockText like "*ConvertFrom-ManagedPasswordBlob*" or ScriptBlockText like "*ConvertFrom-UnattendXmlPassword*" or ScriptBlockText like "*ConvertFrom-UnicodePassword*" or ScriptBlockText like "*ConvertTo-AADHash*" or ScriptBlockText like "*ConvertTo-GPPrefPassword*" or ScriptBlockText like "*ConvertTo-KerberosKey*" or ScriptBlockText like "*ConvertTo-LMHash*" or ScriptBlockText like "*ConvertTo-MsoPasswordHash*" or ScriptBlockText like "*ConvertTo-NTHash*" or ScriptBlockText like "*ConvertTo-OrgIdHash*" or ScriptBlockText like "*ConvertTo-UnicodePassword*" or ScriptBlockText like "*Disable-ADDBAccount*" or ScriptBlockText like "*Enable-ADDBAccount*" or ScriptBlockText like "*Get-ADDBAccount*" or ScriptBlockText like "*Get-ADDBBackupKey*" or ScriptBlockText like "*Get-ADDBDomainController*" or ScriptBlockText like "*Get-ADDBGroupManagedServiceAccount*" or ScriptBlockText like "*Get-ADDBKdsRootKey*" or ScriptBlockText like "*Get-ADDBSchemaAttribute*" or ScriptBlockText like "*Get-ADDBServiceAccount*" or ScriptBlockText like "*Get-ADDefaultPasswordPolicy*" or ScriptBlockText like "*Get-ADKeyCredential*" or ScriptBlockText like "*Get-ADPasswordPolicy*" or ScriptBlockText like "*Get-ADReplAccount*" or ScriptBlockText like "*Get-ADReplBackupKey*" or ScriptBlockText like "*Get-ADReplicationAccount*" or ScriptBlockText like "*Get-ADSIAccount*" or ScriptBlockText like "*Get-AzureADUserEx*" or ScriptBlockText like "*Get-BootKey*" or ScriptBlockText like "*Get-KeyCredential*" or ScriptBlockText like "*Get-LsaBackupKey*" or ScriptBlockText like "*Get-LsaPolicy*" or ScriptBlockText like "*Get-SamPasswordPolicy*" or ScriptBlockText like "*Get-SysKey*" or ScriptBlockText like 
"*Get-SystemKey*" or ScriptBlockText like "*New-ADDBRestoreFromMediaScript*" or ScriptBlockText like "*New-ADKeyCredential*" or ScriptBlockText like "*New-ADNgcKey*" or ScriptBlockText like "*New-NTHashSet*" or ScriptBlockText like "*Remove-ADDBObject*" or ScriptBlockText like "*Save-DPAPIBlob*" or ScriptBlockText like "*Set-ADAccountPasswordHash*" or ScriptBlockText like "*Set-ADDBAccountPassword*" or ScriptBlockText like "*Set-ADDBBootKey*" or ScriptBlockText like "*Set-ADDBDomainController*" or ScriptBlockText like "*Set-ADDBPrimaryGroup*" or ScriptBlockText like "*Set-ADDBSysKey*" or ScriptBlockText like "*Set-AzureADUserEx*" or ScriptBlockText like "*Set-LsaPolicy*" or ScriptBlockText like "*Set-SamAccountPasswordHash*" or ScriptBlockText like "*Set-WinUserPasswordHash*" or ScriptBlockText like "*Test-ADDBPasswordQuality*" or ScriptBlockText like "*Test-ADPasswordQuality*" or ScriptBlockText like "*Test-ADReplPasswordQuality*" or ScriptBlockText like "*Test-PasswordQuality*" or ScriptBlockText like "*Unlock-ADDBAccount*" or ScriptBlockText like "*Write-ADNgcKey*" or ScriptBlockText like "*Write-ADReplNgcKey*"
Elastic Converted Lucene high T1059.001 ↗
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Detects execution and usage of the DSInternals PowerShell module, which can be used for activity that might be considered suspicious, such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory, including FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. This variant matches PowerShell script block logging (ScriptBlockText) rather than the process command line, so it also catches cmdlets invoked from within a script.
ScriptBlockText:(*Add\-ADDBSidHistory* OR *Add\-ADNgcKey* OR *Add\-ADReplNgcKey* OR *ConvertFrom\-ADManagedPasswordBlob* OR *ConvertFrom\-GPPrefPassword* OR *ConvertFrom\-ManagedPasswordBlob* OR *ConvertFrom\-UnattendXmlPassword* OR *ConvertFrom\-UnicodePassword* OR *ConvertTo\-AADHash* OR *ConvertTo\-GPPrefPassword* OR *ConvertTo\-KerberosKey* OR *ConvertTo\-LMHash* OR *ConvertTo\-MsoPasswordHash* OR *ConvertTo\-NTHash* OR *ConvertTo\-OrgIdHash* OR *ConvertTo\-UnicodePassword* OR *Disable\-ADDBAccount* OR *Enable\-ADDBAccount* OR *Get\-ADDBAccount* OR *Get\-ADDBBackupKey* OR *Get\-ADDBDomainController* OR *Get\-ADDBGroupManagedServiceAccount* OR *Get\-ADDBKdsRootKey* OR *Get\-ADDBSchemaAttribute* OR *Get\-ADDBServiceAccount* OR *Get\-ADDefaultPasswordPolicy* OR *Get\-ADKeyCredential* OR *Get\-ADPasswordPolicy* OR *Get\-ADReplAccount* OR *Get\-ADReplBackupKey* OR *Get\-ADReplicationAccount* OR *Get\-ADSIAccount* OR *Get\-AzureADUserEx* OR *Get\-BootKey* OR *Get\-KeyCredential* OR *Get\-LsaBackupKey* OR *Get\-LsaPolicy* OR *Get\-SamPasswordPolicy* OR *Get\-SysKey* OR *Get\-SystemKey* OR *New\-ADDBRestoreFromMediaScript* OR *New\-ADKeyCredential* OR *New\-ADNgcKey* OR *New\-NTHashSet* OR *Remove\-ADDBObject* OR *Save\-DPAPIBlob* OR *Set\-ADAccountPasswordHash* OR *Set\-ADDBAccountPassword* OR *Set\-ADDBBootKey* OR *Set\-ADDBDomainController* OR *Set\-ADDBPrimaryGroup* OR *Set\-ADDBSysKey* OR *Set\-AzureADUserEx* OR *Set\-LsaPolicy* OR *Set\-SamAccountPasswordHash* OR *Set\-WinUserPasswordHash* OR *Test\-ADDBPasswordQuality* OR *Test\-ADPasswordQuality* OR *Test\-ADReplPasswordQuality* OR *Test\-PasswordQuality* OR *Unlock\-ADDBAccount* OR *Write\-ADNgcKey* OR *Write\-ADReplNgcKey*)
Elastic Converted EQL high T1059 ↗
DarkGate - Autoit3.EXE Execution Parameters
Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.
any where ((Image:"*\\Autoit3.exe" or OriginalFileName:"AutoIt3.exe") and (ParentImage like~ ("*\\cmd.exe", "*\\KeyScramblerLogon.exe", "*\\msiexec.exe"))) and (not (Image like~ ("*:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe", "*:\\Program Files\\AutoIt3\\AutoIt3.exe")))
Elastic Converted ES|QL high T1059 ↗
DarkGate - Autoit3.EXE Execution Parameters
Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.
from * metadata _id, _index, _version | where (ends_with(Image, "\\Autoit3.exe") or OriginalFileName=="AutoIt3.exe") and (ends_with(ParentImage, "\\cmd.exe") or ends_with(ParentImage, "\\KeyScramblerLogon.exe") or ends_with(ParentImage, "\\msiexec.exe")) and not (ends_with(Image, ":\\Program Files (x86)\\AutoIt3\\AutoIt3.exe") or ends_with(Image, ":\\Program Files\\AutoIt3\\AutoIt3.exe"))
Elastic Converted Lucene high T1059 ↗
DarkGate - Autoit3.EXE Execution Parameters
Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate command-and-control server.
((Image:*\\Autoit3.exe OR OriginalFileName:AutoIt3.exe) AND (ParentImage:(*\\cmd.exe OR *\\KeyScramblerLogon.exe OR *\\msiexec.exe))) AND (NOT (Image:(*\:\\Program\ Files\ \(x86\)\\AutoIt3\\AutoIt3.exe OR *\:\\Program\ Files\\AutoIt3\\AutoIt3.exe)))
Elastic Converted EQL high T1136.001 ↗
DarkGate - User Created Via Net.EXE
Detects creation of a local user named "DarkGate" via the net.exe command; the rule also requires the string "SafeMode" on the same command line, as seen in the DarkGate infection chain.
any where (Image like~ ("*\\net.exe", "*\\net1.exe")) and (CommandLine:"*user*" and CommandLine:"*add*" and CommandLine:"*DarkGate*" and CommandLine:"*SafeMode*")
Elastic Converted ES|QL high T1136.001 ↗
DarkGate - User Created Via Net.EXE
Detects creation of a local user named "DarkGate" via the net.exe command; the rule also requires the string "SafeMode" on the same command line, as seen in the DarkGate infection chain.
from * metadata _id, _index, _version | where (ends_with(Image, "\\net.exe") or ends_with(Image, "\\net1.exe")) and CommandLine like "*user*" and CommandLine like "*add*" and CommandLine like "*DarkGate*" and CommandLine like "*SafeMode*"
Elastic Converted Lucene high T1136.001 ↗
DarkGate - User Created Via Net.EXE
Detects creation of a local user named "DarkGate" via the net.exe command; the rule also requires the string "SafeMode" on the same command line, as seen in the DarkGate infection chain.
(Image:(*\\net.exe OR *\\net1.exe)) AND (CommandLine:*user* AND CommandLine:*add* AND CommandLine:*DarkGate* AND CommandLine:*SafeMode*)
Decoded Payload Piped to Interpreter Detected via Defend for Containers
This rule detects the execution of a base64 decoded payload to an interpreter inside a container. Attackers may use this technique to execute malicious code, while attempting to evade detection.
Elastic Converted EQL high
Default Cobalt Strike Certificate
Detects the presence of the default Cobalt Strike Team Server certificate (serial 8BB00EE) in HTTPS traffic.
any where certificate.serial:"8BB00EE"
Elastic Converted ES|QL high
Default Cobalt Strike Certificate
Detects the presence of the default Cobalt Strike Team Server certificate (serial 8BB00EE) in HTTPS traffic.
from * metadata _id, _index, _version | where certificate.serial=="8BB00EE"
Elastic Converted Lucene high
Default Cobalt Strike Certificate
Detects the presence of the default Cobalt Strike Team Server certificate (serial 8BB00EE) in HTTPS traffic.
certificate.serial:8BB00EE
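Added example (not from this catalog or from Cobalt Strike's documentation): normalising a logged certificate serial before comparing it with the default Team Server serial that the three rule variants above key on. The rules compare the string `8BB00EE`, which is the hexadecimal form of 146473198. ECS asks for `x509.serial_number` to be upper-case hex without colons, but other sources write an even-length hex string with a leading zero, colon-separated octets or the decimal integer (which product emits which form is an assumption here, not something the rule states). Comparing the integer value sidesteps the spelling question. The sample records are constructed.

```python
import re

# 0x8BB00EE == 146473198, the serial of the certificate that ships with the
# Cobalt Strike Team Server (the value the rules above match as a string).
COBALT_STRIKE_DEFAULT_SERIAL = 0x8BB00EE


def serial_to_int(value, decimal: bool = False) -> int:
    """Parse a certificate serial as written by a log source into an int.

    decimal=False: hexadecimal, tolerating an 0x prefix, colon- or
                   space-separated octets, leading zeros and either case
                   ("8BB00EE", "08bb00ee", "0x08BB00EE", "08:BB:00:EE").
    decimal=True:  a base-10 integer string ("146473198").
    The caller has to know which form its source emits: a digits-only
    serial such as "1234" is valid in both bases and cannot be guessed.
    """
    if isinstance(value, int):
        return value
    text = value.strip()
    if decimal:
        if not text.isdigit():
            raise ValueError(f"not a decimal serial: {value!r}")
        return int(text, 10)
    text = re.sub(r"^0x|[:\s]", "", text, flags=re.IGNORECASE)
    if not re.fullmatch(r"[0-9A-Fa-f]+", text):
        raise ValueError(f"not a hexadecimal serial: {value!r}")
    return int(text, 16)


def is_cobalt_strike_default_cert(serial, decimal: bool = False) -> bool:
    """True when the serial equals the Team Server default, however spelled."""
    return serial_to_int(serial, decimal) == COBALT_STRIKE_DEFAULT_SERIAL


def ecs_serial(value, decimal: bool = False) -> str:
    """Render a serial the way ECS recommends for x509.serial_number
    (upper-case hex, no colons), which is also what the Lucene rule compares."""
    return format(serial_to_int(value, decimal), "X")


# Constructed records: the same certificate as four hypothetical sources
# might log it, plus one whose serial differs in the last nibble.
SAMPLE_TLS_RECORDS = [
    {"src": "ecs",     "serial": "8BB00EE",     "decimal": False},
    {"src": "padded",  "serial": "08BB00EE",    "decimal": False},
    {"src": "colons",  "serial": "08:bb:00:ee", "decimal": False},
    {"src": "decimal", "serial": "146473198",   "decimal": True},
    {"src": "other",   "serial": "8BB00EF",     "decimal": False},
]


def scan_tls_records(records) -> list:
    """Return the 'src' of every record carrying the default serial."""
    return [r["src"] for r in records
            if is_cobalt_strike_default_cert(r["serial"], r["decimal"])]


if __name__ == "__main__":
    print("default Cobalt Strike certificate seen from:",
          scan_tls_records(SAMPLE_TLS_RECORDS))
```

The string compare in the rules is correct for a pipeline that already normalises to the ECS form; if the serial field is fed by a source that pads or colon-separates, either normalise at ingest with `ecs_serial` or compare the integer as above. Operators who replace the default certificate are not caught by this indicator at all.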
Elastic Original KQL high T1071, T1071.001, T1573 ↗
Default Cobalt Strike Team Server Certificate
This rule detects the use of the default Cobalt Strike Team Server TLS certificate. Cobalt Strike is software for Adversary Simulations and Red Team Operations which are security assessments that replicate the tactics and techniques of an advanced adversary in a network. Modifications to the Packetbeat configuration can be made to include MD5 and SHA256 hashing algorithms (the default is SHA1). See the References section for additional information on module configuration.
Elastic Converted EQL high T1547.010 ↗
Default RDP Port Changed to Non Standard Port
Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
any where TargetObject:"*\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber" and (not Details:"DWORD (0x00000d3d)")
Elastic Converted ES|QL high T1547.010 ↗
Default RDP Port Changed to Non Standard Port
Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
from * metadata _id, _index, _version | where ends_with(TargetObject, "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\PortNumber") and not Details=="DWORD (0x00000d3d)"
Elastic Converted Lucene high T1547.010 ↗
Default RDP Port Changed to Non Standard Port
Detects changes to the default RDP port. Remote desktop is a common feature in operating systems. It allows a user to log into a remote system using an interactive session with a graphical user interface. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
TargetObject:*\\Control\\Terminal\ Server\\WinStations\\RDP\-Tcp\\PortNumber AND (NOT Details:DWORD\ \(0x00000d3d\))
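Added example (not part of this catalog): the same check in Python over constructed Sysmon Event ID 13 (registry value set) records, with the new port decoded from Sysmon's `DWORD (0x...)` rendering so the alert says where RDP moved to rather than only "not 0xd3d". Field names follow Sysmon; the events themselves are made up.

```python
import re

# Suffix of the value the rule targets, lower-cased for comparison. The rule's
# leading "*\Control\..." wildcard covers both CurrentControlSet and
# ControlSet00N spellings of the key.
RDP_PORT_VALUE_SUFFIX = "\\control\\terminal server\\winstations\\rdp-tcp\\portnumber"
DEFAULT_RDP_PORT = 3389  # rendered by Sysmon as "DWORD (0x00000d3d)"


def parse_dword_details(details: str):
    """Sysmon Event ID 13 renders REG_DWORD data as 'DWORD (0x00000d3d)'.
    Return the integer, or None when Details is not in that form."""
    m = re.fullmatch(r"DWORD \((0x[0-9a-fA-F]{1,8})\)", details.strip())
    return int(m.group(1), 16) if m else None


def check_rdp_port_change(event: dict):
    """Apply the rule to one registry-set event and decode the new port.

    Returns None when the event is not a write to RDP-Tcp\\PortNumber or the
    value written is the default; otherwise (port, message), with port=None
    when the data was not a DWORD (the rule still fires in that case, since it
    only excludes the exact default string).
    """
    target = event.get("TargetObject", "").lower()
    if not target.endswith(RDP_PORT_VALUE_SUFFIX):
        return None
    details = event.get("Details", "")
    port = parse_dword_details(details)
    if port == DEFAULT_RDP_PORT:
        return None
    if port is None:
        return None, f"non-DWORD data written to PortNumber: {details!r}"
    return port, f"RDP listener port changed from {DEFAULT_RDP_PORT} to {port}"


def scan_registry_events(events) -> list:
    """Return the (port, message) results for every event that trips the rule."""
    results = []
    for event in events:
        hit = check_rdp_port_change(event)
        if hit is not None:
            results.append(hit)
    return results


# Constructed Sysmon Event ID 13 records (hostnames, hives and values made up).
_KEY = "\\Control\\Terminal Server\\WinStations\\RDP-Tcp\\"
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet" + _KEY + "PortNumber",
     "Details": "DWORD (0x00000d3d)"},                      # default, no alert
    {"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet" + _KEY + "PortNumber",
     "Details": "DWORD (0x0000d431)"},                      # moved to 54321
    {"EventID": 13, "TargetObject": "HKLM\\System\\ControlSet001" + _KEY + "PortNumber",
     "Details": "DWORD (0x00000016)"},                      # moved to 22 (looks like SSH)
    {"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet" + _KEY + "fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},                      # other value, ignored
    {"EventID": 13, "TargetObject": "HKLM\\System\\CurrentControlSet" + _KEY + "PortNumber",
     "Details": "Binary Data"},                             # odd type, still flagged
]


if __name__ == "__main__":
    for port, message in scan_registry_events(SAMPLE_EVENTS):
        print(message)
```

Sysmon only emits Event ID 13 for this key when its configuration contains a RegistryEvent rule covering `Terminal Server\WinStations`; without that, the rule never has anything to match. Moving the port to 22 or 443, as in the constructed events, is the common reason for the change, since it hides the listener from a scanner that only expects RDP on 3389.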
Elastic Original KQL high T1078, T1078.002, T1098 ↗
Delegated Managed Service Account Modification by an Unusual User
Detects modifications to the msDS-ManagedAccountPrecededByLink attribute of a delegated managed service account by an unusual subject account. Attackers can abuse this attribute to inherit a target account's permissions and further elevate privileges.
Elastic Converted EQL high T1528 ↗
Delegated Permissions Granted For All Users
Detects when highly privileged delegated permissions are granted on behalf of all users
any where properties.message:"Add delegated permission grant"
Elastic Converted ES|QL high T1528 ↗
Delegated Permissions Granted For All Users
Detects when highly privileged delegated permissions are granted on behalf of all users
from * metadata _id, _index, _version | where properties.message=="Add delegated permission grant"
Elastic Converted Lucene high T1528 ↗
Delegated Permissions Granted For All Users
Detects when highly privileged delegated permissions are granted on behalf of all users
properties.message:Add\ delegated\ permission\ grant
Elastic Converted EQL high T1489 ↗
Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
any where Image:"*\\schtasks.exe" and (CommandLine:"* /delete *" and CommandLine:"*/tn \**" and CommandLine:"* /f*")
Elastic Converted ES|QL high T1489 ↗
Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
from * metadata _id, _index, _version | where ends_with(Image, "\\schtasks.exe") and CommandLine like "* /delete *" and CommandLine like "*/tn \**" and CommandLine like "* /f*"
Elastic Converted Lucene high T1489 ↗
Delete All Scheduled Tasks
Detects the usage of schtasks with the delete flag and the asterisk symbol to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
Image:*\\schtasks.exe AND (CommandLine:*\ \/delete\ * AND CommandLine:*\/tn\ \** AND CommandLine:*\ \/f*)
Elastic Converted EQL high T1489 ↗
Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
any where (Image:"*\\schtasks.exe" or OriginalFileName:"schtasks.exe") and CommandLine like~ ("*-delete*", "*/delete*", "*–delete*", "*—delete*", "*―delete*") and (CommandLine like~ ("*\\Windows\\BitLocker*", "*\\Windows\\ExploitGuard*", "*\\Windows\\SystemRestore\\SR*", "*\\Windows\\UpdateOrchestrator\\*", "*\\Windows\\Windows Defender\\*", "*\\Windows\\WindowsBackup\\*", "*\\Windows\\WindowsUpdate\\*"))
Elastic Converted ES|QL high T1489 ↗
Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
from * metadata _id, _index, _version | where (ends_with(Image, "\\schtasks.exe") or OriginalFileName=="schtasks.exe") and (CommandLine like "*-delete*" or CommandLine like "*/delete*" or CommandLine like "*–delete*" or CommandLine like "*—delete*" or CommandLine like "*―delete*") and (CommandLine like "*\\Windows\\BitLocker*" or CommandLine like "*\\Windows\\ExploitGuard*" or CommandLine like "*\\Windows\\SystemRestore\\SR*" or CommandLine like "*\\Windows\\UpdateOrchestrator\\*" or CommandLine like "*\\Windows\\Windows Defender\\*" or CommandLine like "*\\Windows\\WindowsBackup\\*" or CommandLine like "*\\Windows\\WindowsUpdate\\*")
Elastic Converted Lucene high T1489 ↗
Delete Important Scheduled Task
Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
(Image:*\\schtasks.exe OR OriginalFileName:schtasks.exe) AND CommandLine:(*\-delete* OR *\/delete* OR *–delete* OR *—delete* OR *―delete*) AND (CommandLine:(*\\Windows\\BitLocker* OR *\\Windows\\ExploitGuard* OR *\\Windows\\SystemRestore\\SR* OR *\\Windows\\UpdateOrchestrator\\* OR *\\Windows\\Windows\ Defender\\* OR *\\Windows\\WindowsBackup\\* OR *\\Windows\\WindowsUpdate\\*))
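Added example (not part of this catalog): the rule above lists five spellings of the delete switch (`-delete`, `/delete` and the en dash, em dash and horizontal bar forms, which is what Sigma's `windash` modifier expands to). Windows converts a Unicode command line to the ANSI code page for non-Unicode executables, and that best-fit conversion maps U+2013, U+2014 and U+2015 to a plain hyphen, so `–delete` can work as a switch where a pattern that only watches for `-delete` stays silent. The Python below folds those switch characters before matching and checks the protected task folders the rule names, over constructed process-creation events (Sysmon field names; the events are made up).

```python
# Switch characters the rule enumerates. The Unicode dashes are folded because
# best-fit ANSI conversion turns them into '-' for non-Unicode programs, so an
# attacker can type them and still get the switch behaviour.
SWITCH_CHARS = {"/": "-", "\u2013": "-", "\u2014": "-", "\u2015": "-"}

# Task folders from the rule: tasks that keep backup, recovery and security
# features running, whose deletion precedes destructive activity.
PROTECTED_TASK_PATHS = (
    "\\Windows\\BitLocker",
    "\\Windows\\ExploitGuard",
    "\\Windows\\SystemRestore\\SR",
    "\\Windows\\UpdateOrchestrator\\",
    "\\Windows\\Windows Defender\\",
    "\\Windows\\WindowsBackup\\",
    "\\Windows\\WindowsUpdate\\",
)


def normalize_switches(cmdline: str) -> str:
    """Map every switch-character variant to '-' so one pattern covers
    '-delete', '/delete' and the Unicode-dash forms. It is applied to the
    whole string, so a '/' inside a quoted argument is folded too; that is
    harmless here because task paths are written with backslashes."""
    return "".join(SWITCH_CHARS.get(ch, ch) for ch in cmdline)


def is_protected_task_deletion(event: dict) -> bool:
    """Rule logic: schtasks (matched by image path or by OriginalFileName, so
    a renamed copy still counts), a delete switch, and a protected task path."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    if not (image.endswith("\\schtasks.exe") or original == "schtasks.exe"):
        return False
    cmd = normalize_switches(event.get("CommandLine", "")).lower()
    if "-delete" not in cmd:
        return False
    return any(path.lower() in cmd for path in PROTECTED_TASK_PATHS)


def scan_process_events(events) -> list:
    """Return the indexes of the events that trip the rule."""
    return [i for i, event in enumerate(events) if is_protected_task_deletion(event)]


# Constructed Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": 'schtasks /Delete /TN "\\Microsoft\\Windows\\Windows Defender\\Windows Defender Scheduled Scan" /F'},
    # renamed binary plus en-dash switches: only OriginalFileName and the folding catch it
    {"Image": "C:\\Users\\Public\\s.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": 'schtasks \u2013delete \u2013tn "\\Microsoft\\Windows\\SystemRestore\\SR" \u2013f'},
    # deleting a task outside the protected folders is not in scope
    {"Image": "C:\\Windows\\System32\\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": 'schtasks /Delete /TN "\\MyApp\\Nightly Cleanup" /F'},
    # querying a protected task is not a deletion
    {"Image": "C:\\Windows\\System32\\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": 'schtasks /Query /TN "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start"'},
]


if __name__ == "__main__":
    for i in scan_process_events(SAMPLE_EVENTS):
        print("protected scheduled task deleted:", SAMPLE_EVENTS[i]["CommandLine"])
```

The folding is the reason to prefer normalising the command line at ingest over growing the pattern list in every rule: each new switch spelling then needs one change rather than one per rule.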
Elastic Converted EQL high T1490 ↗
Delete Volume Shadow Copies Via WMI With PowerShell
Detects deletion of Volume Shadow Copies using operating system utilities invoked from PowerShell (Get-WmiObject on Win32_ShadowCopy followed by Delete() or Remove-WmiObject).
any where (Data:"*Get-WmiObject*" and Data:"*Win32_ShadowCopy*") and (Data like~ ("*Delete()*", "*Remove-WmiObject*"))
Elastic Converted ES|QL high T1490 ↗
Delete Volume Shadow Copies Via WMI With PowerShell
Detects deletion of Volume Shadow Copies using operating system utilities invoked from PowerShell (Get-WmiObject on Win32_ShadowCopy followed by Delete() or Remove-WmiObject).
from * metadata _id, _index, _version | where Data like "*Get-WmiObject*" and Data like "*Win32_ShadowCopy*" and (Data like "*Delete()*" or Data like "*Remove-WmiObject*")
Elastic Converted Lucene high T1490 ↗
Delete Volume Shadow Copies Via WMI With PowerShell
Detects deletion of Volume Shadow Copies using operating system utilities invoked from PowerShell (Get-WmiObject on Win32_ShadowCopy followed by Delete() or Remove-WmiObject).
(Data:*Get\-WmiObject* AND Data:*Win32_ShadowCopy*) AND (Data:(*Delete\(\)* OR *Remove\-WmiObject*))
Elastic Converted EQL high T1490 ↗
Deletion of Volume Shadow Copies via WMI with PowerShell
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
any where (CommandLine like~ ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*")) and CommandLine:"*Win32_ShadowCopy*" and (CommandLine like~ ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*"))
Showing 1251-1300 of 12,786