Vendor-native
3,131 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Suspicious User Agent
Detects suspicious malformed user agent strings in proxy logs.
"c-useragent" IN ("user-agent*", "Mozilla/3.0 *", "Mozilla/2.0 *", "Mozilla/1.0 *", "Mozilla *", " Mozilla/*", "Mozila/*", "Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol*") OR "c-useragent" IN ("* (compatible;MSIE *", "*.0;Windows NT *", "*loader*") OR "c-useragent" IN ("_", "CertUtil URL Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)", "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0", "HTTPS", "Erbium-UA-4ce7c27cb4be9d32e333bf032c88235a", "x", "xxx") NOT ("c-useragent"="Mozilla/3.0 * Acrobat *" OR "cs-host" IN ("*.acrobat.com", "*.adobe.com", "*.adobe.io"))
Suspicious Velociraptor Child Process
Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.
ParentImage="*\\Velociraptor.exe" (CommandLine="*code.exe*" CommandLine="*tunnel*" CommandLine="*--accept-server-license-terms*") OR (CommandLine="*msiexec*" CommandLine="*/i*" CommandLine="*http*") OR (Image IN ("*\\powershell.exe", "*\\powershell_ise.exe", "*\\pwsh.exe") CommandLine IN ("*Invoke-WebRequest *", "*IWR *", "*.DownloadFile*", "*.DownloadString*"))
Suspicious Volume Shadow Copy VSS_PS.dll Load
Detects the image load of vss_ps.dll by uncommon executables. This DLL is used by the Volume Shadow Copy Service (VSS) to manage shadow copies of files and volumes.
It is often abused by attackers to delete or manipulate shadow copies, which can hinder forensic investigations and data recovery efforts.
The fact that it is loaded by processes that are not typically associated with VSS operations can indicate suspicious activity.
ImageLoaded="*\\vss_ps.dll" NOT ((Image="C:\\Windows\\*" Image IN ("*\\clussvc.exe", "*\\dismhost.exe", "*\\dllhost.exe", "*\\inetsrv\\appcmd.exe", "*\\inetsrv\\iissetup.exe", "*\\msiexec.exe", "*\\rundll32.exe", "*\\searchindexer.exe", "*\\srtasks.exe", "*\\svchost.exe", "*\\System32\\SystemPropertiesAdvanced.exe", "*\\taskhostw.exe", "*\\thor.exe", "*\\thor64.exe", "*\\tiworker.exe", "*\\vssvc.exe", "*\\vssadmin.exe", "*\\WmiPrvSE.exe", "*\\wsmprovhost.exe")) OR (CommandLine="C:\\$WinREAgent\\Scratch\\*" CommandLine="*\\dismhost.exe {*") OR NOT Image=*) NOT (Image IN ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*"))
Suspicious Volume Shadow Copy Vssapi.dll Load
Detects the image load of the VSS DLL vssapi.dll by uncommon executables.
ImageLoaded="*\\vssapi.dll" NOT (Image IN ("C:\\Windows\\explorer.exe", "C:\\Windows\\ImmersiveControlPanel\\SystemSettings.exe") OR Image IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\Temp\\{*", "C:\\Windows\\WinSxS\\*") OR Image IN ("C:\\Program Files\\*", "C:\\Program Files (x86)\\*") OR NOT Image=*) NOT (Image="C:\\ProgramData\\Package Cache\\*" OR (Image="*\\temp\\is-*" Image="*\\avira_system_speedup.tmp*"))
Suspicious WMIC Execution Via Office Process
Detects an Office application calling WMIC to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).
ParentImage IN ("*\\WINWORD.EXE", "*\\EXCEL.EXE", "*\\POWERPNT.exe", "*\\MSPUB.exe", "*\\VISIO.exe", "*\\MSACCESS.EXE", "*\\EQNEDT32.EXE", "*\\ONENOTE.EXE", "*\\wordpad.exe", "*\\wordview.exe") Image="*\\wbem\\WMIC.exe" OR OriginalFileName="wmic.exe" CommandLine="*process*" CommandLine="*create*" CommandLine="*call*" CommandLine IN ("*regsvr32*", "*rundll32*", "*msiexec*", "*mshta*", "*verclsid*", "*wscript*", "*cscript*")
Suspicious WebDav Client Execution Via Rundll32.EXE
Detects "svchost.exe" spawning "rundll32.exe" with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or of the use of WebDav to launch code hosted on a WebDav server, or potentially a sign of exploitation of CVE-2023-23397.
ParentImage="*\\svchost.exe" ParentCommandLine="*-s WebClient*" Image="*\\rundll32.exe" CommandLine="*C:\\windows\\system32\\davclnt.dll,DavSetCookie*" NOT (CommandLine IN ("*://10.*", "*://192.168.*", "*://172.16.*", "*://172.17.*", "*://172.18.*", "*://172.19.*", "*://172.20.*", "*://172.21.*", "*://172.22.*", "*://172.23.*", "*://172.24.*", "*://172.25.*", "*://172.26.*", "*://172.27.*", "*://172.28.*", "*://172.29.*", "*://172.30.*", "*://172.31.*", "*://127.*", "*://169.254.*"))
| regex CommandLine="://\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"
Suspicious Windows ANONYMOUS LOGON Local Account Created
Detects the creation of suspicious accounts whose names resemble ANONYMOUS LOGON, for example by using additional spaces. Created as a covering detection for the exclusion of Logon Type 3 events from ANONYMOUS LOGON accounts.
EventID=4720 SamAccountName="*ANONYMOUS*" SamAccountName="*LOGON*"
Suspicious Windows Defender Registry Key Tampering Via Reg.EXE
Detects the usage of "reg.exe" to tamper with different Windows Defender registry keys in order to disable important features related to protection and detection.
Image="*\\reg.exe" OR OriginalFileName="reg.exe" CommandLine IN ("*SOFTWARE\\Microsoft\\Windows Defender\\*", "*SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center*", "*SOFTWARE\\Policies\\Microsoft\\Windows Defender\\*") (CommandLine="* add *" CommandLine="*d 0*" CommandLine IN ("*DisallowExploitProtectionOverride*", "*EnableControlledFolderAccess*", "*MpEnablePus*", "*PUAProtection*", "*SpynetReporting*", "*SubmitSamplesConsent*", "*TamperProtection*")) OR (CommandLine="* add *" CommandLine="*d 1*" CommandLine IN ("*DisableAccess*", "*DisableAntiSpyware*", "*DisableAntiSpywareRealtimeProtection*", "*DisableAntiVirus*", "*DisableAntiVirusSignatures*", "*DisableArchiveScanning*", "*DisableBehaviorMonitoring*", "*DisableBlockAtFirstSeen*", "*DisableCloudProtection*", "*DisableConfig*", "*DisableEnhancedNotifications*", "*DisableIntrusionPreventionSystem*", "*DisableIOAVProtection*", "*DisableNetworkProtection*", "*DisableOnAccessProtection*", "*DisablePrivacyMode*", "*DisableRealtimeMonitoring*", "*DisableRoutinelyTakingAction*", "*DisableScanOnRealtimeEnable*", "*DisableScriptScanning*", "*DisableSecurityCenter*", "*Notification_Suppress*", "*SignatureDisableUpdateOnStartupWithoutEngine*"))
Suspicious Windows Service Tampering
Detects the usage of binaries such as 'net', 'sc' or 'powershell' to stop, pause, disable or delete critical or important Windows services such as AV, backup, etc. This has been seen in some ransomware scripts.
OriginalFileName IN ("net.exe", "net1.exe", "PowerShell_ISE.EXE", "PowerShell.EXE", "psservice.exe", "pwsh.dll", "sc.exe", "wmic.exe") OR Image IN ("*\\net.exe", "*\\net1.exe", "*\\PowerShell_ISE.EXE", "*\\powershell.exe", "*\\PsService.exe", "*\\PsService64.exe", "*\\pwsh.exe", "*\\sc.exe", "*\\wmic.exe") CommandLine IN ("* delete *", "*.delete()*", "* pause *", "* stop *", "*Stop-Service *", "*Remove-Service *") OR (CommandLine="*config*" CommandLine="*start=disabled*") CommandLine IN ("*143Svc*", "*Acronis VSS Provider*", "*AcronisAgent*", "*AcrSch2Svc*", "*AdobeARMservice*", "*AHS Service*", "*Antivirus*", "*Apache4*", "*ARSM*", "*aswBcc*", "*AteraAgent*", "*Avast Business Console Client Antivirus Service*", "*avast! Antivirus*", "*AVG Antivirus*", "*avgAdminClient*", "*AvgAdminServer*", "*AVP1*", "*BackupExec*", "*bedbg*", "*BITS*", "*BrokerInfrastructure*", "*CASLicenceServer*", "*CASWebServer*", "*Client Agent 7.60*", "*Core Browsing Protection*", "*Core Mail Protection*", "*Core Scanning Server*", "*DCAgent*", "*dwmrcs*", "*EhttpSr*", "*ekrn*", "*Enterprise Client Service*", "*epag*", "*EPIntegrationService*", "*EPProtectedService*", "*EPRedline*", "*EPSecurityService*", "*EPUpdateService*", "*EraserSvc11710*", "*EsgShKernel*", "*ESHASRV*", "*FA_Scheduler*", "*FirebirdGuardianDefaultInstance*", "*FirebirdServerDefaultInstance*", "*FontCache3.0.0.0*", "*HealthTLService*", "*hmpalertsvc*", "*HMS*", "*HostControllerService*", "*hvdsvc*", "*IAStorDataMgrSvc*", "*IBMHPS*", "*ibmspsvc*", "*IISAdmin*", "*IMANSVC*", "*IMAP4Svc*", "*instance2*", "*KAVFS*", "*KAVFSGT*", "*kavfsslp*", "*KeyIso*", "*klbackupdisk*", "*klbackupflt*", "*klflt*", "*klhk*", "*KLIF*", "*klim6*", "*klkbdflt*", "*klmouflt*", "*klnagent*", "*klpd*", "*kltap*", "*KSDE1.0.0*", "*LogProcessorService*", "*M8EndpointAgent*", "*macmnsvc*", "*masvc*", "*MBAMService*", "*MBCloudEA*", "*MBEndpointAgent*", "*McAfeeDLPAgentService*", "*McAfeeEngineService*", "*MCAFEEEVENTPARSERSRV*", "*McAfeeFramework*", 
"*MCAFEETOMCATSRV530*", "*McShield*", "*McTaskManager*", "*mfefire*", "*mfemms*", "*mfevto*", "*mfevtp*", "*mfewc*", "*MMS*", "*mozyprobackup*", "*mpssvc*", "*MSComplianceAudit*", "*MSDTC*", "*MsDtsServer*", "*MSExchange*", "*msftesq1SPROO*", "*msftesql$PROD*", "*msftesql$SQLEXPRESS*", "*MSOLAP$SQL_2008*", "*MSOLAP$SYSTEM_BGC*", "*MSOLAP$TPS*", "*MSOLAP$TPSAMA*", "*MSOLAPSTPS*", "*MSOLAPSTPSAMA*", "*mssecflt*", "*MSSQ!I.SPROFXENGAGEMEHT*", "*MSSQ0SHAREPOINT*", "*MSSQ0SOPHOS*", "*MSSQL*", "*MSSQLFDLauncher$*", "*MySQL*", "*NanoServiceMain*", "*NetMsmqActivator*", "*NetPipeActivator*", "*netprofm*", "*NetTcpActivator*", "*NetTcpPortSharing*", "*ntrtscan*", "*nvspwmi*", "*ofcservice*", "*Online Protection System*", "*OracleClientCache80*", "*OracleDBConsole*", "*OracleMTSRecoveryService*", "*OracleOraDb11g_home1*", "*OracleService*", "*OracleVssWriter*", "*osppsvc*", "*PandaAetherAgent*", "*PccNTUpd*", "*PDVFSService*", "*POP3Svc*", "*postgresql-x64-9.4*", "*POVFSService*", "*PSUAService*", "*Quick Update Service*", "*RepairService*", "*ReportServer*", "*ReportServer$*", "*RESvc*", "*RpcEptMapper*", "*sacsvr*", "*SamSs*", "*SAVAdminService*", "*SAVService*", "*ScSecSvc*", "*SDRSVC*", "*SearchExchangeTracing*", "*sense*", "*SentinelAgent*", "*SentinelHelperService*", "*SepMasterService*", "*ShMonitor*", "*Smcinst*", "*SmcService*", "*SMTPSvc*", "*SNAC*", "*SntpService*", "*Sophos*", "*SQ1SafeOLRService*", "*SQL Backups*", "*SQL Server*", "*SQLAgent*", "*SQLANYs_Sage_FAS_Fixed_Assets*", "*SQLBrowser*", "*SQLsafe*", "*SQLSERVERAGENT*", "*SQLTELEMETRY*", "*SQLWriter*", "*SSISTELEMETRY130*", "*SstpSvc*", "*storflt*", "*svcGenericHost*", "*swc_service*", "*swi_filter*", "*swi_service*", "*swi_update*", "*Symantec*", "*sysmon*", "*TeamViewer*", "*Telemetryserver*", "*ThreatLockerService*", "*TMBMServer*", "*TmCCSF*", "*TmFilter*", "*TMiCRCScanService*", "*tmlisten*", "*TMLWCSService*", "*TmPfw*", "*TmPreFilter*", "*TmProxy*", "*TMSmartRelayService*", "*tmusa*", "*Tomcat*", 
"*Trend Micro Deep Security Manager*", "*TrueKey*", "*UFNet*", "*UI0Detect*", "*UniFi*", "*UTODetect*", "*vds*", "*Veeam*", "*VeeamDeploySvc*", "*Veritas System Recovery*", "*vmic*", "*VMTools*", "*vmvss*", "*VSApiNt*", "*VSS*", "*W3Svc*", "*wbengine*", "*WdNisSvc*", "*WeanClOudSve*", "*Weems JY*", "*WinDefend*", "*wmms*", "*wozyprobackup*", "*WPFFontCache_v0400*", "*WRSVC*", "*wsbexchange*", "*WSearch*", "*wscsvc*", "*Zoolz 2 Service*")
Suspicious Windows Strings In URI
Detects suspicious Windows strings in a URI, which could indicate possible exfiltration or webshell communication.
"cs-uri-query" IN ("*=C:/Users*", "*=C:/Program%20Files*", "*=C:/Windows*", "*=C%3A%5CUsers*", "*=C%3A%5CProgram%20Files*", "*=C%3A%5CWindows*")
Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
Detects the execution of the "logman" utility in order to disable or delete Windows trace sessions.
Image="*\\logman.exe" OR OriginalFileName="Logman.exe" CommandLine IN ("*stop *", "*delete *") CommandLine IN ("*Circular Kernel Context Logger*", "*EventLog-*", "*SYSMON TRACE*", "*SysmonDnsEtwSession*")
Suspicious Windows Update Agent Empty Cmdline
Detects suspicious Windows Update Agent activity in which the command line of a wuauclt.exe process does not contain any flags.
Image="*\\Wuauclt.exe" OR OriginalFileName="Wuauclt.exe" CommandLine IN ("*Wuauclt", "*Wuauclt.exe")
Suspicious WmiPrvSE Child Process
Detects suspicious and uncommon child processes of WmiPrvSE.
ParentImage="*\\wbem\\WmiPrvSE.exe" Image IN ("*\\certutil.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\msiexec.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\verclsid.exe", "*\\wscript.exe") OR (Image="*\\cmd.exe" CommandLine IN ("*cscript*", "*mshta*", "*powershell*", "*pwsh*", "*regsvr32*", "*rundll32*", "*wscript*")) NOT (Image="*\\WerFault.exe" OR Image="*\\WmiPrvSE.exe" OR (Image="*\\msiexec.exe" CommandLine="*/i *"))
Symlink Etc Passwd
Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd.
"ln -s -f /etc/passwd" OR "ln -s /etc/passwd"
SysKey Registry Keys Access
Detects handle requests and access operations to the specific registry keys used to calculate the SysKey.
EventID IN (4656, 4663) ObjectType="key" ObjectName IN ("*lsa\\JD", "*lsa\\GBG", "*lsa\\Skew1", "*lsa\\Data")
Sysinternals PsSuspend Suspicious Execution
Detects suspicious execution of Sysinternals PsSuspend, where the utility is used to suspend critical processes such as AV or EDR to bypass defenses.
OriginalFileName="pssuspend.exe" OR Image IN ("*\\pssuspend.exe", "*\\pssuspend64.exe") CommandLine="*msmpeng.exe*"
Syslog Clearing or Removal Via System Utilities
Detects specific commands commonly used to remove or empty the syslog, a technique often used by attackers to hide their tracks.
(CommandLine="*/var/log/syslog*" (Image="*/rm" CommandLine IN ("* -r *", "* -f *", "* -rf *", "*/var/log/syslog*")) OR Image="*/unlink" OR Image="*/mv" OR (Image="*/truncate" CommandLine="*0 *" CommandLine="*/var/log/syslog*" CommandLine IN ("*-s *", "*-c *", "*--size*")) OR (Image="*/ln" CommandLine="*/dev/null *" CommandLine="*/var/log/syslog*" CommandLine IN ("*-sf *", "*-sfn *", "*-sfT *")) OR (Image="*/cp" CommandLine="*/dev/null*") OR (Image="*/shred" CommandLine="*-u *")) OR CommandLine IN ("* > /var/log/syslog*", "* >/var/log/syslog*", "* >| /var/log/syslog*", "*: > /var/log/syslog*", "*:> /var/log/syslog*", "*:>/var/log/syslog*", "*>|/var/log/syslog*") OR CommandLine IN ("*journalctl --vacuum*", "*journalctl --rotate*")
Sysmon Application Crashed
Detects an application popup reporting a failure of the Sysmon service.
Provider_Name="Application Popup" EventID=26 Caption IN ("sysmon64.exe - Application Error", "sysmon.exe - Application Error")
Splunk · Converted · SPL · high
Sysmon Blocked Executable
Triggers on any Sysmon "FileBlockExecutable" event, which indicates a violation of the configured block policy.
EventID=27
Splunk · Converted · SPL · high
Sysmon Blocked File Shredding
Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
EventID=28
Sysmon Channel Reference Deletion
Detects potential threat actor tampering with the Sysmon manifest, which eventually disables Sysmon logging.
(EventID=4657 ObjectName IN ("*WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}*", "*WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational*") ObjectValueName="Enabled" NewValue=0) OR (EventID=4663 ObjectName IN ("*WINEVT\\Publishers\\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}*", "*WINEVT\\Channels\\Microsoft-Windows-Sysmon/Operational*") AccessMask="0x10000")
Sysmon Configuration Error
Detects, based on Sysmon error messages, when an adversary is trying to hide their actions from Sysmon logging.
Description IN ("*Failed to open service configuration with error*", "*Failed to connect to the driver to update configuration*") NOT ((Description="*Failed to open service configuration with error*" Description="*Last error: The media is write protected.*") OR Description IN ("*Failed to open service configuration with error 19*", "*Failed to open service configuration with error 93*"))
Sysmon Configuration Modification
Detects when an attacker tries to hide from Sysmon by disabling or stopping it.
State="Stopped" OR "Sysmon config state changed" NOT State="Started"
Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
Detects usage of "findstr" with the argument "385201", which could indicate discovery of an installed Sysinternals Sysmon service via its default driver altitude (even if the service name has been changed).
Image IN ("*\\find.exe", "*\\findstr.exe") OR OriginalFileName IN ("FIND.EXE", "FINDSTR.EXE") CommandLine="* 385201*"
Sysmon Driver Altitude Change
Detects changes in Sysmon driver altitude value.
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
TargetObject="*\\Services\\*" TargetObject="*\\Instances\\Sysmon Instance\\Altitude"
Sysmon Driver Unloaded Via Fltmc.EXE
Detects the possible unloading of the Sysmon filter driver via fltmc.exe.
Image="*\\fltMC.exe" OR OriginalFileName="fltMC.exe" CommandLine="*unload*" CommandLine="*sysmon*"
System Control Panel Item Loaded From Uncommon Location
Detects image load events of system control panel items (.cpl) from uncommon or non-system locations that may indicate DLL sideloading or other abuse techniques.
ImageLoaded IN ("*\\appwiz.cpl", "*\\bthprops.cpl", "*\\hdwwiz.cpl") NOT (ImageLoaded IN ("C:\\Windows\\Prefetch\\*", "C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\WinSxS\\*"))
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
Image IN ("*\\atbroker.exe", "*\\audiodg.exe", "*\\bcdedit.exe", "*\\bitsadmin.exe", "*\\certreq.exe", "*\\certutil.exe", "*\\cmstp.exe", "*\\conhost.exe", "*\\consent.exe", "*\\cscript.exe", "*\\csrss.exe", "*\\dashost.exe", "*\\defrag.exe", "*\\dfrgui.exe", "*\\dism.exe", "*\\dllhost.exe", "*\\dllhst3g.exe", "*\\dwm.exe", "*\\eventvwr.exe", "*\\fsquirt.exe", "*\\finger.exe", "*\\logonui.exe", "*\\LsaIso.exe", "*\\lsass.exe", "*\\lsm.exe", "*\\msiexec.exe", "*\\ntoskrnl.exe", "*\\powershell_ise.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\runonce.exe", "*\\RuntimeBroker.exe", "*\\schtasks.exe", "*\\services.exe", "*\\sihost.exe", "*\\smartscreen.exe", "*\\smss.exe", "*\\spoolsv.exe", "*\\svchost.exe", "*\\taskhost.exe", "*\\taskhostw.exe", "*\\Taskmgr.exe", "*\\userinit.exe", "*\\werfault.exe", "*\\werfaultsecure.exe", "*\\wininit.exe", "*\\winlogon.exe", "*\\winver.exe", "*\\wlanext.exe", "*\\wscript.exe", "*\\wsl.exe", "*\\wsmprovhost.exe") NOT (Image IN ("C:\\$WINDOWS.~BT\\*", "C:\\$WinREAgent\\*", "C:\\Windows\\SoftwareDistribution\\*", "C:\\Windows\\System32\\*", "C:\\Windows\\SystemTemp\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Windows\\uus\\*", "C:\\Windows\\WinSxS\\*") OR (Image IN ("*C:\\Program Files\\PowerShell\\7\\*", "*C:\\Program Files\\PowerShell\\7-preview\\*", "*C:\\Program Files\\WindowsApps\\Microsoft.PowerShellPreview*", "*\\AppData\\Local\\Microsoft\\WindowsApps\\Microsoft.PowerShellPreview*") Image="*\\pwsh.exe") OR (Image IN ("C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.WindowsSubsystemForLinux*", "C:\\Program Files\\WSL\\*") Image="*\\wsl.exe") OR (Image="C:\\Users\\'*" Image="*\\AppData\\Local\\Microsoft\\WindowsApps\\*" Image="*\\wsl.exe")) NOT Image="*\\SystemRoot\\System32\\*"
System Restore Registry Modification via CommandLine
Detects system restore registry modification via command line, which can be used by adversaries to disable system restore on the computer.
Image IN ("*\\powershell.exe", "*\\pwsh.exe", "*\\reg.exe") OR OriginalFileName IN ("powershell.exe", "pwsh.dll", "reg.exe") CommandLine IN ("* add *", "*Set-ItemProperty*", "*New-ItemProperty*") CommandLine IN ("*\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore*", "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore*") CommandLine IN ("*DisableConfig*", "*DisableSR*")
T1047 Wmiprvse Wbemcomn DLL Hijack
Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
EventID=5145 RelativeTargetName="*\\wbem\\wbemcomn.dll" NOT SubjectUserName="*$"
Tamper Windows Defender - PSClassic
Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Data="*Set-MpPreference*" Data IN ("*-dbaf $true*", "*-dbaf 1*", "*-dbm $true*", "*-dbm 1*", "*-dips $true*", "*-dips 1*", "*-DisableArchiveScanning $true*", "*-DisableArchiveScanning 1*", "*-DisableBehaviorMonitoring $true*", "*-DisableBehaviorMonitoring 1*", "*-DisableBlockAtFirstSeen $true*", "*-DisableBlockAtFirstSeen 1*", "*-DisableCatchupFullScan $true*", "*-DisableCatchupFullScan 1*", "*-DisableCatchupQuickScan $true*", "*-DisableCatchupQuickScan 1*", "*-DisableIntrusionPreventionSystem $true*", "*-DisableIntrusionPreventionSystem 1*", "*-DisableIOAVProtection $true*", "*-DisableIOAVProtection 1*", "*-DisableRealtimeMonitoring $true*", "*-DisableRealtimeMonitoring 1*", "*-DisableRemovableDriveScanning $true*", "*-DisableRemovableDriveScanning 1*", "*-DisableScanningMappedNetworkDrivesForFullScan $true*", "*-DisableScanningMappedNetworkDrivesForFullScan 1*", "*-DisableScanningNetworkFiles $true*", "*-DisableScanningNetworkFiles 1*", "*-DisableScriptScanning $true*", "*-DisableScriptScanning 1*", "*-MAPSReporting $false*", "*-MAPSReporting 0*", "*-drdsc $true*", "*-drdsc 1*", "*-drtm $true*", "*-drtm 1*", "*-dscrptsc $true*", "*-dscrptsc 1*", "*-dsmndf $true*", "*-dsmndf 1*", "*-dsnf $true*", "*-dsnf 1*", "*-dss $true*", "*-dss 1*") OR Data IN ("*HighThreatDefaultAction Allow*", "*htdefac Allow*", "*LowThreatDefaultAction Allow*", "*ltdefac Allow*", "*ModerateThreatDefaultAction Allow*", "*mtdefac Allow*", "*SevereThreatDefaultAction Allow*", "*stdefac Allow*")
Tamper Windows Defender - ScriptBlockLogging
Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
(ScriptBlockText="*Set-MpPreference*" ScriptBlockText IN ("*-dbaf $true*", "*-dbaf 1*", "*-dbm $true*", "*-dbm 1*", "*-dips $true*", "*-dips 1*", "*-DisableArchiveScanning $true*", "*-DisableArchiveScanning 1*", "*-DisableBehaviorMonitoring $true*", "*-DisableBehaviorMonitoring 1*", "*-DisableBlockAtFirstSeen $true*", "*-DisableBlockAtFirstSeen 1*", "*-DisableCatchupFullScan $true*", "*-DisableCatchupFullScan 1*", "*-DisableCatchupQuickScan $true*", "*-DisableCatchupQuickScan 1*", "*-DisableIntrusionPreventionSystem $true*", "*-DisableIntrusionPreventionSystem 1*", "*-DisableIOAVProtection $true*", "*-DisableIOAVProtection 1*", "*-DisableRealtimeMonitoring $true*", "*-DisableRealtimeMonitoring 1*", "*-DisableRemovableDriveScanning $true*", "*-DisableRemovableDriveScanning 1*", "*-DisableScanningMappedNetworkDrivesForFullScan $true*", "*-DisableScanningMappedNetworkDrivesForFullScan 1*", "*-DisableScanningNetworkFiles $true*", "*-DisableScanningNetworkFiles 1*", "*-DisableScriptScanning $true*", "*-DisableScriptScanning 1*", "*-MAPSReporting $false*", "*-MAPSReporting 0*", "*-drdsc $true*", "*-drdsc 1*", "*-drtm $true*", "*-drtm 1*", "*-dscrptsc $true*", "*-dscrptsc 1*", "*-dsmndf $true*", "*-dsmndf 1*", "*-dsnf $true*", "*-dsnf 1*", "*-dss $true*", "*-dss 1*")) OR (ScriptBlockText="*Set-MpPreference*" ScriptBlockText IN ("*HighThreatDefaultAction Allow*", "*htdefac Allow*", "*LowThreatDefaultAction Allow*", "*ltdefac Allow*", "*ModerateThreatDefaultAction Allow*", "*mtdefac Allow*", "*SevereThreatDefaultAction Allow*", "*stdefac Allow*"))
Tamper Windows Defender Remove-MpPreference
Detects attempts to remove Windows Defender configurations using the 'Remove-MpPreference' cmdlet.
CommandLine="*Remove-MpPreference*" CommandLine IN ("*-ControlledFolderAccessProtectedFolders *", "*-AttackSurfaceReductionRules_Ids *", "*-AttackSurfaceReductionRules_Actions *", "*-CheckForSignaturesBeforeRunningScan *")
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
Detects attempts to remove Windows Defender configuration using the 'Remove-MpPreference' cmdlet, as seen in PowerShell script block logging.
ScriptBlockText="*Remove-MpPreference*" ScriptBlockText IN ("*-ControlledFolderAccessProtectedFolders *", "*-AttackSurfaceReductionRules_Ids *", "*-AttackSurfaceReductionRules_Actions *", "*-CheckForSignaturesBeforeRunningScan *")
Tamper With Sophos AV Registry Keys
Detects attempts to tamper with Sophos AV functionality via registry key modification.
TargetObject IN ("*\\Sophos Endpoint Defense\\TamperProtection\\Config\\SAVEnabled*", "*\\Sophos Endpoint Defense\\TamperProtection\\Config\\SEDEnabled*", "*\\Sophos\\SAVService\\TamperProtection\\Enabled*") Details="DWORD (0x00000000)"
Taskkill Symantec Endpoint Protection
Detects one of the possible scenarios for disabling Symantec Endpoint Protection.
Symantec Endpoint Protection antivirus services incorrectly implement the protected service mechanism.
As a result, the NT AUTHORITY\SYSTEM user can execute the command taskkill /im ccSvcHst.exe /f several times, killing the process belonging to the service and thereby shutting the service down.
CommandLine="*taskkill*" CommandLine="* /F *" CommandLine="* /IM *" CommandLine="*ccSvcHst.exe*"
Taskmgr as LOCAL_SYSTEM
Detects the creation of a taskmgr.exe process in the context of LOCAL_SYSTEM.
User IN ("*AUTHORI*", "*AUTORI*") Image="*\\taskmgr.exe"
Tasks Folder Evasion
The Tasks folders in system32 and syswow64 are globally writable paths.
Adversaries can take advantage of this and load or influence any script host or any .NET application
in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta or eventvwr.
CommandLine IN ("*echo *", "*copy *", "*type *", "*file createnew*") CommandLine IN ("* C:\\Windows\\System32\\Tasks\\*", "* C:\\Windows\\SysWow64\\Tasks\\*")
Temporary Access Pass Added To An Account
Detects when a temporary access pass (TAP) is added to an account. TAPs added to privileged accounts should be investigated.
properties.message="Admin registered security info" Status="Admin registered temporary access pass method for user"
Terminal Server Client Connection History Cleared - Registry
Detects the deletion of registry keys containing the MSTSC connection history.
(EventType="DeleteValue" TargetObject="*\\Microsoft\\Terminal Server Client\\Default\\MRU*") OR (EventType="DeleteKey" TargetObject="*\\Microsoft\\Terminal Server Client\\Servers\\*")
Terminal Service Process Spawn
Detects a process spawned by the terminal service server process (this could be an indicator of exploitation of CVE-2019-0708).
ParentCommandLine="*\\svchost.exe*" ParentCommandLine="*termsvcs*" NOT (Image IN ("*\\rdpclip.exe", "*:\\Windows\\System32\\csrss.exe", "*:\\Windows\\System32\\wininit.exe", "*:\\Windows\\System32\\winlogon.exe") OR NOT Image=*)
Time Travel Debugging Utility Usage
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
ParentImage="*\\tttracer.exe"
Time Travel Debugging Utility Usage - Image
Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
ImageLoaded IN ("*\\ttdrecord.dll", "*\\ttdwriter.dll", "*\\ttdloader.dll")
Too Many Global Admins
Identifies an event where too many accounts are assigned the Global Administrator role.
riskEventType="tooManyGlobalAdminsAssignedToTenantAlertIncident"
Tor Client/Browser Execution
Detects the use of Tor or the Tor Browser to connect to onion routing networks.
Description="Tor Browser" OR Product="Tor Browser" OR Image IN ("*\\tor.exe", "*\\Tor Browser\\Browser\\firefox.exe")
Splunk · Converted · SPL · high
Triple Cross eBPF Rootkit Default LockFile
Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
TargetFilename="/tmp/rootlog"
Triple Cross eBPF Rootkit Default Persistence
Detects the creation of "ebpfbackdoor" files in both the "cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method.
TargetFilename="*ebpfbackdoor"
Splunk · Converted · SPL · high
Triple Cross eBPF Rootkit Execve Hijack
Detects execution of the file "execve_hijack", which is used by the Triple Cross rootkit as a way to elevate privileges.
Image="*/sudo" CommandLine="*execve_hijack*"
Triple Cross eBPF Rootkit Install Commands
Detects the default install commands of the Triple Cross eBPF rootkit, based on its "deployer.sh" script.
Image="*/sudo" CommandLine="* tc *" CommandLine="* enp0s3 *" CommandLine IN ("* qdisc *", "* filter *")
Trust Access Disable For VBApplications
Detects registry changes to Microsoft Office "AccessVBOM" to a value of "1" which disables trust access for VBA on the victim machine and lets attackers execute malicious macros without any Microsoft Office warnings.
TargetObject="*\\Security\\AccessVBOM" Details="DWORD (0x00000001)"
Showing 1301-1350 of 3,131