Detections
Deletion of Volume Shadow Copies via WMI with PowerShell
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
from * metadata _id, _index, _version | where (CommandLine like "*Get-WmiObject*" or CommandLine like "*gwmi*" or CommandLine like "*Get-CimInstance*" or CommandLine like "*gcim*") and CommandLine like "*Win32_ShadowCopy*" and (CommandLine like "*.Delete()*" or CommandLine like "*Remove-WmiObject*" or CommandLine like "*rwmi*" or CommandLine like "*Remove-CimInstance*" or CommandLine like "*rcim*")
Deletion of Volume Shadow Copies via WMI with PowerShell
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
(CommandLine:(*Get\-WmiObject* OR *gwmi* OR *Get\-CimInstance* OR *gcim*)) AND CommandLine:*Win32_ShadowCopy* AND (CommandLine:(*.Delete\(\)* OR *Remove\-WmiObject* OR *rwmi* OR *Remove\-CimInstance* OR *rcim*))
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
any where (ScriptBlockText like~ ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*")) and ScriptBlockText:"*Win32_ShadowCopy*" and (ScriptBlockText like~ ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*"))
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
from * metadata _id, _index, _version | where (ScriptBlockText like "*Get-WmiObject*" or ScriptBlockText like "*gwmi*" or ScriptBlockText like "*Get-CimInstance*" or ScriptBlockText like "*gcim*") and ScriptBlockText like "*Win32_ShadowCopy*" and (ScriptBlockText like "*.Delete()*" or ScriptBlockText like "*Remove-WmiObject*" or ScriptBlockText like "*rwmi*" or ScriptBlockText like "*Remove-CimInstance*" or ScriptBlockText like "*rcim*")
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
(ScriptBlockText:(*Get\-WmiObject* OR *gwmi* OR *Get\-CimInstance* OR *gcim*)) AND ScriptBlockText:*Win32_ShadowCopy* AND (ScriptBlockText:(*.Delete\(\)* OR *Remove\-WmiObject* OR *rwmi* OR *Remove\-CimInstance* OR *rcim*))
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications that deny critical trustees access to a service. This can be used to hide services or make them unstoppable.
any where (Image:"*\\sc.exe" or OriginalFileName:"sc.exe") and (CommandLine:"*sdset*" and CommandLine:"*D;*") and (CommandLine like~ ("*;IU*", "*;SU*", "*;BA*", "*;SY*", "*;WD*"))
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications that deny critical trustees access to a service. This can be used to hide services or make them unstoppable.
from * metadata _id, _index, _version | where (ends_with(Image, "\\sc.exe") or OriginalFileName=="sc.exe") and CommandLine like "*sdset*" and CommandLine like "*D;*" and (CommandLine like "*;IU*" or CommandLine like "*;SU*" or CommandLine like "*;BA*" or CommandLine like "*;SY*" or CommandLine like "*;WD*")
Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
Detects suspicious DACL modifications that deny critical trustees access to a service. This can be used to hide services or make them unstoppable.
(Image:*\\sc.exe OR OriginalFileName:sc.exe) AND (CommandLine:*sdset* AND CommandLine:*D;*) AND (CommandLine:(*;IU* OR *;SU* OR *;BA* OR *;SY* OR *;WD*))
Deprecated - AWS Root Login Without MFA
Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best
practices indicate that the root user should be protected by MFA.
Deprecated - Agent Spoofing - Mismatched Agent ID
Detects events that have a mismatch on the expected event agent ID. The status "agent_id_mismatch/mismatch" occurs when
the expected agent ID associated with the API key does not match the actual agent ID in an event. This could indicate
attempts to spoof events in order to masquerade actual activity to evade detection.
Deprecated - EggShell Backdoor Execution
Identifies the execution of an EggShell Backdoor. EggShell is a known post-exploitation tool for macOS and Linux.
Deprecated - Potential DNS Tunneling via Iodine
Iodine is a tool for tunneling Internet Protocol version 4 (IPv4) traffic over the DNS protocol to circumvent firewalls,
network security groups, and network access lists while evading detection.
Deprecated - Potential Password Spraying of Microsoft 365 User Accounts
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30
minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to
obtain unauthorized access to user accounts.
Deprecated - SSH Connection Established Inside A Running Container
This rule detects an incoming SSH connection established inside a running container. Running an ssh daemon inside a
container should be avoided and monitored closely if necessary. If an attacker gains valid credentials they can use it
to gain initial access or establish persistence within a compromised environment.
Deprecated - SSH Process Launched From Inside A Container
This rule detects an SSH or SSHD process executed from inside a container. This includes both the client ssh binary and
server ssh daemon process. SSH usage inside a container should be avoided and monitored closely when necessary. With
valid credentials an attacker may move laterally to other containers or to the underlying host through container
breakout. They may also use valid SSH credentials as a persistence mechanism.
Deprecated - SUNBURST Command and Control Activity
The malware known as SUNBURST targets the SolarWinds Orion business software for command and control. This rule detects
post-exploitation command and control activity of the SUNBURST backdoor.
Deprecated - Sudo Heap-Based Buffer Overflow Attempt
Identifies the attempted use of a heap-based buffer overflow vulnerability for the Sudo binary in Unix-like systems
(CVE-2021-3156). Successful exploitation allows an unprivileged user to escalate to the root user.
Elastic · Original · ESQL · high
Detection Alert on a Process Exhibiting CPU Spike
This rule correlates security alerts with processes exhibiting unusually high CPU utilization on the same host and process
ID within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit
payload execution, or abuse of system resources following initial compromise.
Devcon Execution Disabling VMware VMCI Device
Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
any where (Image:"*\\devcon.exe" or OriginalFileName:"DevCon.exe") and CommandLine:"* disable *" and (CommandLine like~ ("*15AD&DEV_0740*", "*VMWVMCIHOSTDEV*"))
Devcon Execution Disabling VMware VMCI Device
Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
from * metadata _id, _index, _version | where (ends_with(Image, "\\devcon.exe") or OriginalFileName=="DevCon.exe") and CommandLine like "* disable *" and (CommandLine like "*15AD&DEV_0740*" or CommandLine like "*VMWVMCIHOSTDEV*")
Devcon Execution Disabling VMware VMCI Device
Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
(Image:*\\devcon.exe OR OriginalFileName:DevCon.exe) AND CommandLine:*\ disable\ * AND (CommandLine:(*15AD\&DEV_0740* OR *VMWVMCIHOSTDEV*))
Elastic · Converted · EQL · high
Devil Bait Potential C2 Communication Traffic
Detects potential C2 communication related to Devil Bait malware
any where cs-method:"GET" and (cs-uri:"*/cross.php?op=*" and cs-uri:"*&dt=*" and cs-uri:"*&uid=*")
Elastic · Converted · ES|QL · high
Devil Bait Potential C2 Communication Traffic
Detects potential C2 communication related to Devil Bait malware
from * metadata _id, _index, _version | where `cs-method`=="GET" and `cs-uri` like "*/cross.php?op=*" and `cs-uri` like "*&dt=*" and `cs-uri` like "*&uid=*"
Elastic · Converted · Lucene · high
Devil Bait Potential C2 Communication Traffic
Detects potential C2 communication related to Devil Bait malware
cs-method:GET AND (cs-uri:*\/cross.php?op\=* AND cs-uri:*\&dt\=* AND cs-uri:*\&uid\=*)
Devtoolslauncher.exe Executes Specified Binary
Devtoolslauncher.exe executes another binary.
any where Image:"*\\devtoolslauncher.exe" and CommandLine:"*LaunchForDeploy*"
Devtoolslauncher.exe Executes Specified Binary
Devtoolslauncher.exe executes another binary.
from * metadata _id, _index, _version | where ends_with(Image, "\\devtoolslauncher.exe") and CommandLine like "*LaunchForDeploy*"
Devtoolslauncher.exe Executes Specified Binary
Devtoolslauncher.exe executes another binary.
Image:*\\devtoolslauncher.exe AND CommandLine:*LaunchForDeploy*
Dfsvc.EXE Initiated Network Connection Over Uncommon Port
Detects an initiated network connection over uncommon ports from "dfsvc.exe", a utility used to handle ClickOnce applications.
any where (Image:"*:\\Windows\\Microsoft.NET\\*" and Image:"*\\dfsvc.exe" and Initiated:"true") and (not (DestinationPort like~ (80, 443))) and (not (DestinationIsIpv6:"true" and DestinationPort:53))
Dfsvc.EXE Initiated Network Connection Over Uncommon Port
Detects an initiated network connection over uncommon ports from "dfsvc.exe", a utility used to handle ClickOnce applications.
from * metadata _id, _index, _version | where Image like "*:\\Windows\\Microsoft.NET\\*" and ends_with(Image, "\\dfsvc.exe") and Initiated=="true" and not (DestinationPort in (80, 443)) and not (DestinationIsIpv6=="true" and DestinationPort==53)
Dfsvc.EXE Initiated Network Connection Over Uncommon Port
Detects an initiated network connection over uncommon ports from "dfsvc.exe", a utility used to handle ClickOnce applications.
(Image:*\:\\Windows\\Microsoft.NET\\* AND Image:*\\dfsvc.exe AND Initiated:true) AND (NOT (DestinationPort:(80 OR 443))) AND (NOT (DestinationIsIpv6:true AND DestinationPort:53))
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
Detects the CVE-2022-30190 (Follina) and DogWalk vulnerabilities, both of which exploit the msdt.exe binary to load the "sdiageng.dll" library.
any where Image:"*\\msdt.exe" and ImageLoaded:"*\\sdiageng.dll"
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
Detects the CVE-2022-30190 (Follina) and DogWalk vulnerabilities, both of which exploit the msdt.exe binary to load the "sdiageng.dll" library.
from * metadata _id, _index, _version | where ends_with(Image, "\\msdt.exe") and ends_with(ImageLoaded, "\\sdiageng.dll")
Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
Detects the CVE-2022-30190 (Follina) and DogWalk vulnerabilities, both of which exploit the msdt.exe binary to load the "sdiageng.dll" library.
Image:*\\msdt.exe AND ImageLoaded:*\\sdiageng.dll
Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
any where (Image:"*:\\ProgramData\\clip.exe" and ImageLoaded:"*:\\ProgramData\\Version.dll") or (Image:"*:\\ProgramData\\wsmprovhost.exe" and ImageLoaded:"*:\\ProgramData\\DSROLE.dll")
Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
from * metadata _id, _index, _version | where ends_with(Image, ":\\ProgramData\\clip.exe") and ends_with(ImageLoaded, ":\\ProgramData\\Version.dll") or ends_with(Image, ":\\ProgramData\\wsmprovhost.exe") and ends_with(ImageLoaded, ":\\ProgramData\\DSROLE.dll")
Diamond Sleet APT DLL Sideloading Indicators
Detects DLL sideloading activity seen used by Diamond Sleet APT
(Image:*\:\\ProgramData\\clip.exe AND ImageLoaded:*\:\\ProgramData\\Version.dll) OR (Image:*\:\\ProgramData\\wsmprovhost.exe AND ImageLoaded:*\:\\ProgramData\\DSROLE.dll)
Elastic · Converted · EQL · high
Diamond Sleet APT DNS Communication Indicators
Detects DNS queries related to Diamond Sleet APT activity
any where QueryName like~ ("*3dkit.org*", "*dersmarketim.com*", "*galerielamy.com*", "*olidhealth.com*")
Elastic · Converted · ES|QL · high
Diamond Sleet APT DNS Communication Indicators
Detects DNS queries related to Diamond Sleet APT activity
from * metadata _id, _index, _version | where QueryName like "*3dkit.org*" or QueryName like "*dersmarketim.com*" or QueryName like "*galerielamy.com*" or QueryName like "*olidhealth.com*"
Elastic · Converted · Lucene · high
Diamond Sleet APT DNS Communication Indicators
Detects DNS queries related to Diamond Sleet APT activity
QueryName:(*3dkit.org* OR *dersmarketim.com* OR *galerielamy.com* OR *olidhealth.com*)
Elastic · Converted · EQL · high
Diamond Sleet APT File Creation Indicators
Detects file creation activity that is related to Diamond Sleet APT activity
any where TargetFilename like~ ("*:\\ProgramData\\4800-84DC-063A6A41C5C", "*:\\ProgramData\\clip.exe", "*:\\ProgramData\\DSROLE.dll", "*:\\ProgramData\\Forest64.exe", "*:\\ProgramData\\readme.md", "*:\\ProgramData\\Version.dll", "*:\\ProgramData\\wsmprovhost.exe")
Elastic · Converted · ES|QL · high
Diamond Sleet APT File Creation Indicators
Detects file creation activity that is related to Diamond Sleet APT activity
from * metadata _id, _index, _version | where ends_with(TargetFilename, ":\\ProgramData\\4800-84DC-063A6A41C5C") or ends_with(TargetFilename, ":\\ProgramData\\clip.exe") or ends_with(TargetFilename, ":\\ProgramData\\DSROLE.dll") or ends_with(TargetFilename, ":\\ProgramData\\Forest64.exe") or ends_with(TargetFilename, ":\\ProgramData\\readme.md") or ends_with(TargetFilename, ":\\ProgramData\\Version.dll") or ends_with(TargetFilename, ":\\ProgramData\\wsmprovhost.exe")
Elastic · Converted · Lucene · high
Diamond Sleet APT File Creation Indicators
Detects file creation activity that is related to Diamond Sleet APT activity
TargetFilename:(*\:\\ProgramData\\4800\-84DC\-063A6A41C5C OR *\:\\ProgramData\\clip.exe OR *\:\\ProgramData\\DSROLE.dll OR *\:\\ProgramData\\Forest64.exe OR *\:\\ProgramData\\readme.md OR *\:\\ProgramData\\Version.dll OR *\:\\ProgramData\\wsmprovhost.exe)
Elastic · Converted · EQL · high
Diamond Sleet APT Process Activity Indicators
Detects process creation activity indicators related to Diamond Sleet APT
any where CommandLine:"* uTYNkfKxHiZrx3KJ*"
Elastic · Converted · ES|QL · high
Diamond Sleet APT Process Activity Indicators
Detects process creation activity indicators related to Diamond Sleet APT
from * metadata _id, _index, _version | where CommandLine like "* uTYNkfKxHiZrx3KJ*"
Elastic · Converted · Lucene · high
Diamond Sleet APT Process Activity Indicators
Detects process creation activity indicators related to Diamond Sleet APT
CommandLine:*\ uTYNkfKxHiZrx3KJ*
Diamond Sleet APT Scheduled Task Creation - Registry
Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability.
any where TargetObject:"*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\*" and TargetObject:"*Windows TeamCity Settings User Interface*"
Diamond Sleet APT Scheduled Task Creation - Registry
Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability.
from * metadata _id, _index, _version | where TargetObject like "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\*" and TargetObject like "*Windows TeamCity Settings User Interface*"
Diamond Sleet APT Scheduled Task Creation - Registry
Detects a registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of the TeamCity CVE-2023-42793 vulnerability.
TargetObject:*\\SOFTWARE\\Microsoft\\Windows\ NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\* AND TargetObject:*Windows\ TeamCity\ Settings\ User\ Interface*
Directory Service Restore Mode (DSRM) Registry Value Tampering
Detects changes to the "DsrmAdminLogonBehavior" registry value.
During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in in DSRM mode when the server boots to restore AD backups or to recover the server from a failure.
Attackers could abuse the DSRM account to maintain persistence and access to the organization's Active Directory.
If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
any where TargetObject:"*\\Control\\Lsa\\DsrmAdminLogonBehavior" and (not Details:"DWORD (0x00000000)")
Directory Service Restore Mode (DSRM) Registry Value Tampering
Detects changes to the "DsrmAdminLogonBehavior" registry value.
During a Domain Controller (DC) promotion, administrators create a Directory Services Restore Mode (DSRM) local administrator account with a password that rarely changes. The DSRM account is an “Administrator” account that logs in in DSRM mode when the server boots to restore AD backups or to recover the server from a failure.
Attackers could abuse the DSRM account to maintain persistence and access to the organization's Active Directory.
If the "DsrmAdminLogonBehavior" value is set to "0", the administrator account can only be used if the DC starts in DSRM.
If the "DsrmAdminLogonBehavior" value is set to "1", the administrator account can only be used if the local AD DS service is stopped.
If the "DsrmAdminLogonBehavior" value is set to "2", the administrator account can always be used.
from * metadata _id, _index, _version | where ends_with(TargetObject, "\\Control\\Lsa\\DsrmAdminLogonBehavior") and not Details=="DWORD (0x00000000)"