Vendor-native
3,131 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Suspicious PsExec Execution - Zeek
Detects execution of PsExec or PAExec with a renamed service name. This rule helps filter out noise when PsExec is used for legitimate purposes, or when an attacker uses a PsExec client other than the Sysinternals one.
path="*\\*" path="*\\IPC$*" name IN ("*-stdin", "*-stdout", "*-stderr") NOT name="PSEXESVC*"
Suspicious RDP Redirect Using TSCON
Detects a suspicious RDP session redirect using tscon.exe
CommandLine="* /dest:rdp-tcp#*"
Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
Detects execution of the built-in script located in "C:\Windows\System32\gatherNetworkInfo.vbs", which can be used to gather information about the target machine.
CommandLine="*gatherNetworkInfo.vbs*" NOT (Image IN ("*\\cscript.exe", "*\\wscript.exe"))
Suspicious Redirection to Local Admin Share
Detects a suspicious output redirection to the local admin share. This technique is often found in malicious scripts or hacktool stagers.
CommandLine="*>*" CommandLine IN ("*\\\\127.0.0.1\\admin$\\*", "*\\\\localhost\\admin$\\*")
Suspicious Reg Add BitLocker
Detects suspicious addition to BitLocker related registry keys via the reg.exe utility
CommandLine="*REG*" CommandLine="*ADD*" CommandLine="*\\SOFTWARE\\Policies\\Microsoft\\FVE*" CommandLine="*/v*" CommandLine="*/f*" CommandLine IN ("*EnableBDEWithNoTPM*", "*UseAdvancedStartup*", "*UseTPM*", "*UseTPMKey*", "*UseTPMKeyPIN*", "*RecoveryKeyMessageSource*", "*UseTPMPIN*", "*RecoveryKeyMessage*")
Suspicious Registry Modification From ADS Via Regini.EXE
Detects the import of an alternate data stream with regini.exe, which can be used to modify registry keys.
Image="*\\regini.exe" OR OriginalFileName="REGINI.EXE" | regex CommandLine=":[^ \\\\]"
Suspicious Regsvr32 Execution From Remote Share
Detects regsvr32.exe executing a DLL hosted on a remote share.
Image="*\\regsvr32.exe" OR OriginalFileName="\\REGSVR32.EXE" CommandLine="* \\\\*"
Suspicious Remote Child Process From Outlook
Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
ParentImage="*\\outlook.exe" Image="\\\\*"
Suspicious Renamed Comsvcs DLL Loaded By Rundll32
Detects rundll32 loading a renamed comsvcs.dll to dump process memory
Image="*\\rundll32.exe" Hashes IN ("*IMPHASH=eed93054cb555f3de70eaa9787f32ebb*", "*IMPHASH=5e0dbdec1fce52daae251a110b4f309d*", "*IMPHASH=eadbccbb324829acb5f2bbe87e5549a8*", "*IMPHASH=407ca0f7b523319d758a40d7c0193699*", "*IMPHASH=281d618f4e6271e527e6386ea6f748de*") NOT ImageLoaded="*\\comsvcs.dll"
Suspicious Response File Execution Via Odbcconf.EXE
Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
Image="*\\odbcconf.exe" OR OriginalFileName="odbcconf.exe" CommandLine="* -f *" OR CommandLine="* /f *" OR CommandLine="* –f *" OR CommandLine="* —f *" OR CommandLine="* ―f *" NOT (CommandLine="*.rsp*" OR (ParentImage="C:\\Windows\\System32\\runonce.exe" Image="C:\\Windows\\System32\\odbcconf.exe" CommandLine="*.exe /E /F \"C:\\WINDOWS\\system32\\odbcconf.tmp\"*"))
Suspicious Reverse Shell Command Line
Detects suspicious shell commands or program code that may be executed or passed on the command line to establish a reverse shell.
"BEGIN {s = \"/inet/tcp/0/" OR "bash -i >& /dev/tcp/" OR "bash -i >& /dev/udp/" OR "sh -i >$ /dev/udp/" OR "sh -i >$ /dev/tcp/" OR "&& while read line 0<&5; do" OR "/bin/bash -c exec 5<>/dev/tcp/" OR "/bin/bash -c exec 5<>/dev/udp/" OR "nc -e /bin/sh " OR "/bin/sh | nc" OR "rm -f backpipe; mknod /tmp/backpipe p && nc " OR ";socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i))))" OR ";STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;" OR "/bin/sh -i <&3 >&3 2>&3" OR "uname -a; w; id; /bin/bash -i" OR "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};" OR ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');" OR ".to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)" OR ";while(cmd=c.gets);IO.popen(cmd,\"r\"){|io|c.print" OR "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:" OR "rm -f /tmp/p; mknod /tmp/p p &&" OR " | /bin/bash | telnet " OR ",echo=0,raw tcp-listen:" OR "nc -lvvp " OR "xterm -display 1"
Suspicious Run Key from Download
Detects suspicious Run keys created by software located in the Downloads folder or in temporary Outlook/Internet Explorer directories.
Image IN ("*\\AppData\\Local\\Packages\\Microsoft.Outlook_*", "*\\AppData\\Local\\Microsoft\\Olk\\Attachments\\*", "*\\Downloads\\*", "*\\Temporary Internet Files\\Content.Outlook\\*", "*\\Local Settings\\Temporary Internet Files\\*") TargetObject IN ("*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*", "*\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run*", "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run*")
Suspicious Rundll32 Activity Invoking Sys File
Detects a suspicious rundll32-related process based on a command line that includes a *.sys file, as seen being used by UNC2452.
CommandLine="*rundll32.exe*" CommandLine IN ("*.sys,*", "*.sys *")
Suspicious Rundll32 Execution With Image Extension
Detects the execution of Rundll32.exe with DLL files masquerading as image files
Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.exe" CommandLine IN ("*.bmp*", "*.cr2*", "*.eps*", "*.gif*", "*.ico*", "*.jpeg*", "*.jpg*", "*.nef*", "*.orf*", "*.png*", "*.raw*", "*.sr2*", "*.tif*", "*.tiff*")
Suspicious Rundll32 Invoking Inline VBScript
Detects a suspicious rundll32-related process based on a command line that invokes inline VBScript, as seen being used by UNC2452.
CommandLine="*rundll32.exe*" CommandLine="*Execute*" CommandLine="*RegRead*" CommandLine="*window.close*"
Suspicious SQL Error Messages
Detects SQL error messages that indicate probing for an injection attack
"quoted string not properly terminated" OR "You have an error in your SQL syntax" OR "Unclosed quotation mark" OR "near \"*\": syntax error" OR "SELECTs to the left and right of UNION do not have the same number of result columns"
Suspicious SYSTEM User Process Creation
Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
| rex field=CommandLine "(?<CommandLineMatch>net\\s+user\\s+)"
| eval CommandLineCondition=if(isnotnull(CommandLineMatch), "true", "false")
| search IntegrityLevel IN ("System", "S-1-16-16384") User IN ("*AUTHORI*", "*AUTORI*") Image IN ("*\\calc.exe", "*\\cscript.exe", "*\\forfiles.exe", "*\\hh.exe", "*\\mshta.exe", "*\\ping.exe", "*\\wscript.exe") OR CommandLineCondition="true" OR CommandLine IN ("* -NoP *", "* -W Hidden *", "* -decode *", "* /decode *", "* /urlcache *", "* -urlcache *", "* -e* JAB*", "* -e* SUVYI*", "* -e* SQBFAFgA*", "* -e* aWV4I*", "* -e* IAB*", "* -e* PAA*", "* -e* aQBlAHgA*", "*vssadmin delete shadows*", "*reg SAVE HKLM*", "* -ma *", "*Microsoft\\Windows\\CurrentVersion\\Run*", "*.downloadstring(*", "*.downloadfile(*", "* /ticket:*", "*dpapi::*", "*event::clear*", "*event::drop*", "*id::modify*", "*kerberos::*", "*lsadump::*", "*misc::*", "*privilege::*", "*rpc::*", "*sekurlsa::*", "*sid::*", "*token::*", "*vault::cred*", "*vault::list*", "* p::d *", "*;iex(*", "*MiniDump*") NOT ((CommandLine="*ping*" CommandLine="*127.0.0.1*" CommandLine="* -n *") OR (Image="*\\PING.EXE" ParentCommandLine="*\\DismFoDInstall.cmd*") OR ParentImage="*:\\Packages\\Plugins\\Microsoft.GuestConfiguration.ConfigurationforWindows\\*" OR (ParentImage IN ("*:\\Program Files (x86)\\Java\\*", "*:\\Program Files\\Java\\*") ParentImage="*\\bin\\javaws.exe" Image IN ("*:\\Program Files (x86)\\Java\\*", "*:\\Program Files\\Java\\*") Image="*\\bin\\jp2launcher.exe" CommandLine="* -ma *"))
Suspicious Scheduled Task Creation
Detects suspicious scheduled task creation events based on attributes such as paths, command line flags, etc.
EventID=4698 TaskContent IN ("*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Users\\Public\\*", "*\\WINDOWS\\Temp\\*", "*C:\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Temporary Internet*", "*C:\\ProgramData\\*", "*C:\\Perflogs\\*") TaskContent IN ("*regsvr32*", "*rundll32*", "*cmd.exe</Command>*", "*cmd</Command>*", "*<Arguments>/c *", "*<Arguments>/k *", "*<Arguments>/r *", "*powershell*", "*pwsh*", "*mshta*", "*wscript*", "*cscript*", "*certutil*", "*bitsadmin*", "*bash.exe*", "*bash *", "*scrcons*", "*wmic *", "*wmic.exe*", "*forfiles*", "*scriptrunner*", "*hh.exe*")
Suspicious Scheduled Task Creation Involving Temp Folder
Detects the creation of scheduled tasks that involve a temporary folder and run only once.
Image="*\\schtasks.exe" CommandLine="* /create *" CommandLine="* /sc once *" CommandLine="*\\Temp\\*"
Suspicious Scheduled Task Update
Detects scheduled task update events that contain suspicious keywords.
EventID=4702 TaskContentNew IN ("*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*", "*\\Users\\Public\\*", "*\\WINDOWS\\Temp\\*", "*C:\\Temp\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\Temporary Internet*", "*C:\\ProgramData\\*", "*C:\\Perflogs\\*") TaskContentNew IN ("*regsvr32*", "*rundll32*", "*cmd.exe</Command>*", "*cmd</Command>*", "*<Arguments>/c *", "*<Arguments>/k *", "*<Arguments>/r *", "*powershell*", "*pwsh*", "*mshta*", "*wscript*", "*cscript*", "*certutil*", "*bitsadmin*", "*bash.exe*", "*bash *", "*scrcons*", "*wmic *", "*wmic.exe*", "*forfiles*", "*scriptrunner*", "*hh.exe*")
Suspicious Scheduled Task Write to System32 Tasks
Detects the creation of tasks from processes executed from suspicious locations
TargetFilename="*\\Windows\\System32\\Tasks*" Image IN ("*\\AppData\\*", "*C:\\PerfLogs*", "*\\Windows\\System32\\config\\systemprofile*")
Suspicious Schtasks Execution AppData Folder
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
Image="*\\schtasks.exe" CommandLine="*/Create*" CommandLine="*/RU*" CommandLine="*/TR*" CommandLine="*C:\\Users\\*" CommandLine="*\\AppData\\Local\\*" CommandLine IN ("*NT AUT*", "* SYSTEM *") NOT (ParentImage="*\\AppData\\Local\\Temp\\*" ParentImage="*TeamViewer_.exe*" Image="*\\schtasks.exe" CommandLine="*/TN TVInstallRestore*")
Suspicious Schtasks Schedule Types
Detects scheduled task creation or modification with a suspicious schedule type.
Image="*\\schtasks.exe" OR OriginalFileName="schtasks.exe" CommandLine IN ("* ONLOGON *", "* ONSTART *", "* ONCE *", "* ONIDLE *") NOT (CommandLine IN ("*NT AUT*", "* SYSTEM*", "*HIGHEST*"))
Suspicious Scripting in a WMI Consumer
Detects suspicious commands related to scripting or PowerShell in WMI event consumers.
(Destination="*new-object*" Destination="*net.webclient*" Destination="*.downloadstring*") OR (Destination="*new-object*" Destination="*net.webclient*" Destination="*.downloadfile*") OR Destination IN ("* iex(*", "* -nop *", "* -noprofile *", "* -decode *", "* -enc *", "*WScript.Shell*", "*System.Security.Cryptography.FromBase64Transform*")
Suspicious Serv-U Process Pattern
Detects a suspicious process pattern which could be a sign of an exploited Serv-U service
ParentImage="*\\Serv-U.exe" Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\schtasks.exe", "*\\regsvr32.exe", "*\\wmic.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\msiexec.exe", "*\\forfiles.exe", "*\\scriptrunner.exe")
Suspicious Service Binary Directory
Detects a service binary running in a suspicious directory
Image IN ("*\\Users\\Public\\*", "*\\$Recycle.bin*", "*\\Users\\All Users\\*", "*\\Users\\Default\\*", "*\\Users\\Contacts\\*", "*\\Users\\Searches\\*", "*C:\\Perflogs\\*", "*\\config\\systemprofile\\*", "*\\Windows\\Fonts\\*", "*\\Windows\\IME\\*", "*\\Windows\\addins\\*") ParentImage IN ("*\\services.exe", "*\\svchost.exe")
Suspicious Service DACL Modification Via Set-Service Cmdlet
Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available with PowerShell 7), which can be used to hide services or make them unstoppable.
Image="*\\pwsh.exe" OR OriginalFileName="pwsh.dll" CommandLine IN ("*-SecurityDescriptorSddl *", "*-sd *") CommandLine="*Set-Service *" CommandLine="*D;;*" CommandLine IN ("*;;;IU*", "*;;;SU*", "*;;;BA*", "*;;;SY*", "*;;;WD*")
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
Detects usage of the "Set-Service" PowerShell cmdlet to configure a new security descriptor that allows a service to be hidden from other utilities such as "sc.exe" or "Get-Service" (works only in PowerShell 7).
ScriptBlockText IN ("*-SecurityDescriptorSddl *", "*-sd *") ScriptBlockText="*Set-Service *" ScriptBlockText="*D;;*" ScriptBlockText IN ("*;;;IU*", "*;;;SU*", "*;;;BA*", "*;;;SY*", "*;;;WD*")
Suspicious Service Installation
Detects suspicious service installation commands
Provider_Name="Service Control Manager" EventID=7045 ImagePath IN ("* -nop *", "* -sta *", "* -w hidden *", "*:\\Temp\\*", "*.downloadfile(*", "*.downloadstring(*", "*\\ADMIN$\\*", "*\\Perflogs\\*", "*&&*")
Suspicious Service Installation Script
Detects suspicious service installation scripts
Provider_Name="Service Control Manager" EventID=7045 ImagePath="* -c *" OR ImagePath="* /c *" OR ImagePath="* –c *" OR ImagePath="* —c *" OR ImagePath="* ―c *" OR ImagePath="* -r *" OR ImagePath="* /r *" OR ImagePath="* –r *" OR ImagePath="* —r *" OR ImagePath="* ―r *" OR ImagePath="* -k *" OR ImagePath="* /k *" OR ImagePath="* –k *" OR ImagePath="* —k *" OR ImagePath="* ―k *" ImagePath IN ("*cscript*", "*mshta*", "*powershell*", "*pwsh*", "*regsvr32*", "*rundll32*", "*wscript*")
Suspicious Service Path Modification
Detects service path modification via the "sc" binary to a suspicious command or path
Image="*\\sc.exe" CommandLine="*config*" CommandLine="*binPath*" CommandLine IN ("*powershell*", "*cmd *", "*mshta*", "*wscript*", "*cscript*", "*rundll32*", "*svchost*", "*dllhost*", "*cmd.exe /c*", "*cmd.exe /k*", "*cmd.exe /r*", "*cmd /c*", "*cmd /k*", "*cmd /r*", "*C:\\Users\\Public*", "*\\Downloads\\*", "*\\Desktop\\*", "*\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", "*C:\\Windows\\TEMP\\*", "*\\AppData\\Local\\Temp*")
Suspicious ShellExec_RunDLL Call Via Ordinal
Detects suspicious call to the "ShellExec_RunDLL" exported function of SHELL32.DLL through the ordinal number to launch other commands.
Adversaries might use only the ordinal number in order to bypass existing detections that alert on usage of ShellExec_RunDLL in the command line.
ParentCommandLine="*SHELL32.DLL*" ParentCommandLine IN ("*#568*", "*#570*", "*#572*", "*#576*") ParentCommandLine IN ("*comspec*", "*iex*", "*Invoke-*", "*msiexec*", "*odbcconf*", "*regsvr32*") OR ParentCommandLine IN ("*\\Desktop\\*", "*\\ProgramData\\*", "*\\Temp\\*", "*\\Users\\Public\\*") OR Image IN ("*\\bash.exe", "*\\bitsadmin.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\curl.exe", "*\\mshta.exe", "*\\msiexec.exe", "*\\msxsl.exe", "*\\odbcconf.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\schtasks.exe", "*\\wmic.exe", "*\\wscript.exe")
Splunk · Converted · SPL · high
Suspicious Shells Spawn by Java Utility Keytool
Detects a suspicious shell spawned from the Java keytool utility process (e.g. ADSelfService Plus exploitation).
ParentImage="*\\keytool.exe" Image IN ("*\\cmd.exe", "*\\sh.exe", "*\\bash.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\schtasks.exe", "*\\certutil.exe", "*\\whoami.exe", "*\\bitsadmin.exe", "*\\wscript.exe", "*\\cscript.exe", "*\\scrcons.exe", "*\\regsvr32.exe", "*\\hh.exe", "*\\wmic.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\forfiles.exe", "*\\scriptrunner.exe", "*\\mftrace.exe", "*\\AppVLP.exe", "*\\systeminfo.exe", "*\\reg.exe", "*\\query.exe")
Suspicious Shim Database Patching Activity
Detects installation of new shim databases that try to patch sections of known processes for potential process injection or persistence.
TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\*" TargetObject IN ("*\\csrss.exe", "*\\dllhost.exe", "*\\explorer.exe", "*\\RuntimeBroker.exe", "*\\services.exe", "*\\sihost.exe", "*\\svchost.exe", "*\\taskhostw.exe", "*\\winlogon.exe", "*\\WmiPrvSe.exe")
Suspicious SignIns From A Non Registered Device
Detects risky authentication from a non-AD-registered device without MFA being required.
Status="Success" AuthenticationRequirement="singleFactorAuthentication" RiskState="atRisk" DeviceDetail.trusttype="" OR NOT DeviceDetail.trusttype=*
Suspicious Space Characters in RunMRU Registry Path - ClickFix
Detects the occurrence of numerous space characters in RunMRU registry paths, which may indicate execution via phishing lures using ClickFix techniques to hide malicious commands in the Windows Run dialog box from the naked eye.
TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*" Details="*#*" Details IN ("* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *")
Suspicious Space Characters in TypedPaths Registry Path - FileFix
Detects the occurrence of numerous space characters in TypedPaths registry paths, which may indicate execution via phishing lures using file-fix techniques to hide malicious commands.
TargetObject="*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths\\url1" Details="*#*" Details IN ("* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *", "* *")
Suspicious Speech Runtime Binary Child Process
Detects suspicious Speech Runtime Binary Execution by monitoring its child processes.
Child processes spawned by SpeechRuntime.exe could indicate an attempt for lateral movement via COM & DCOM hijacking.
ParentImage="*\\SpeechRuntime.exe"
Suspicious Splwow64 Without Params
Detects suspicious Splwow64.exe process without any command line parameters
Image="*\\splwow64.exe" CommandLine="*splwow64.exe"
Suspicious Spool Service Child Process
Detects suspicious print spool service (spoolsv.exe) child processes.
ParentImage="*\\spoolsv.exe" IntegrityLevel IN ("System", "S-1-16-16384") Image IN ("*\\gpupdate.exe", "*\\whoami.exe", "*\\nltest.exe", "*\\taskkill.exe", "*\\wmic.exe", "*\\taskmgr.exe", "*\\sc.exe", "*\\findstr.exe", "*\\curl.exe", "*\\wget.exe", "*\\certutil.exe", "*\\bitsadmin.exe", "*\\accesschk.exe", "*\\wevtutil.exe", "*\\bcdedit.exe", "*\\fsutil.exe", "*\\cipher.exe", "*\\schtasks.exe", "*\\write.exe", "*\\wuauclt.exe", "*\\systeminfo.exe", "*\\reg.exe", "*\\query.exe") OR (Image IN ("*\\net.exe", "*\\net1.exe") NOT CommandLine="*start*") OR (Image="*\\cmd.exe" NOT (CommandLine IN ("*.spl*", "*route add*", "*program files*"))) OR (Image="*\\netsh.exe" NOT (CommandLine IN ("*add portopening*", "*rule name*"))) OR (Image IN ("*\\powershell.exe", "*\\pwsh.exe") NOT CommandLine="*.spl*") OR (Image="*\\rundll32.exe" OR OriginalFileName="RUNDLL32.EXE" CommandLine="*rundll32.exe")
Suspicious Startup Folder Persistence
Detects the creation of potentially malicious script and executable files in Windows startup folders, which is a common persistence technique used by threat actors.
These files (.ps1, .vbs, .js, .bat, etc.) are automatically executed when a user logs in, making the Startup folder an attractive target for attackers.
This technique is frequently observed in malvertising campaigns and malware distribution where attackers attempt to maintain long-term access to compromised systems.
TargetFilename="*\\Windows\\Start Menu\\Programs\\Startup\\*" TargetFilename IN ("*.bat", "*.cmd", "*.dll", "*.hta", "*.jar", "*.js", "*.jse", "*.msi", "*.ps1", "*.psd1", "*.psm1", "*.scr", "*.url", "*.vba", "*.vbe", "*.vbs", "*.wsf")
Suspicious Svchost Process Access
Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
TargetImage="*:\\Windows\\System32\\svchost.exe" GrantedAccess="0x1F3FFF" CallTrace="*UNKNOWN*" NOT (SourceImage="*:\\Program Files\\Microsoft Visual Studio\\*" SourceImage="*\\MSBuild\\Current\\Bin\\MSBuild.exe" CallTrace IN ("*Microsoft.Build.ni.dll*", "*System.ni.dll*"))
Suspicious TSCON Start as SYSTEM
Detects a tscon.exe start as LOCAL SYSTEM
User IN ("*AUTHORI*", "*AUTORI*") Image="*\\tscon.exe"
Suspicious Teams Application Related ObjectAccess Event
Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
EventID=4663 ObjectName IN ("*\\Microsoft\\Teams\\Cookies*", "*\\Microsoft\\Teams\\Local Storage\\leveldb*") NOT ProcessName="*\\Microsoft\\Teams\\current\\Teams.exe*"
Suspicious UltraVNC Execution
Detects a suspicious UltraVNC command line flag combination that indicates an automatic reconnect upon execution, e.g. at startup (as seen being used by the Gamaredon threat group).
CommandLine="*-autoreconnect *" CommandLine="*-connect *" CommandLine="*-id:*"
Suspicious Uninstall of Windows Defender Feature via PowerShell
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
Image IN ("*\\powershell_ise.exe", "*\\powershell.exe", "*\\pwsh.exe") OR OriginalFileName IN ("PowerShell_ISE.EXE", "PowerShell.EXE", "pwsh.dll") CommandLine IN ("*Uninstall-WindowsFeature*", "*Remove-WindowsFeature*") CommandLine="*Windows-Defender*"
Suspicious Unsigned Dbghelp/Dbgcore DLL Loaded
Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
Tools like Process Hacker and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
As an example, the SILENTTRINITY C2 framework has a module that leverages this API to dump the contents of lsass.exe and transfer it over the network back to the attacker's machine.
ImageLoaded IN ("*\\dbghelp.dll", "*\\dbgcore.dll") Signed="false"
Suspicious Unsigned Thor Scanner Execution
Detects loading and execution of an unsigned THOR scanner binary.
Image IN ("*\\thor.exe", "*\\thor64.exe") ImageLoaded IN ("*\\thor.exe", "*\\thor64.exe") NOT (Signed="true" SignatureStatus="valid" Signature="Nextron Systems GmbH")
Splunk · Converted · SPL · high
Suspicious Usage Of ShellExec_RunDLL
Detects suspicious usage of the ShellExec_RunDLL function to launch other commands, as seen in the Raspberry Robin attack.
CommandLine="*ShellExec_RunDLL*" CommandLine IN ("*\\Desktop\\*", "*\\Temp\\*", "*\\Users\\Public\\*", "*comspec*", "*iex*", "*Invoke-*", "*msiexec*", "*odbcconf*", "*regsvr32*")
Suspicious Use of CSharp Interactive Console
Detects the execution of CSharp interactive console by PowerShell
Image="*\\csi.exe" ParentImage IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\powershell_ise.exe") OriginalFileName="csi.exe"
Showing 1251-1300 of 3,131