Vendor-native
3,131 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
◈
Detections
50 shown of 3,131Trusted Path Bypass via Windows Directory Spoofing
Detects DLLs loading from a spoofed Windows directory path with an extra space (e.g "C:\Windows \System32") which can bypass Windows trusted path verification.
This technique tricks Windows into treating the path as trusted, allowing malicious DLLs to load with high integrity privileges bypassing UAC.
Show query
ImageLoaded IN ("*:\\Windows \\System32\\*", "*:\\Windows \\SysWOW64\\*")UAC Bypass Abusing Winsat Path Parsing - File
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
Show query
TargetFilename="C:\\Users\\*" TargetFilename IN ("*\\AppData\\Local\\Temp\\system32\\winsat.exe", "*\\AppData\\Local\\Temp\\system32\\winmm.dll")UAC Bypass Abusing Winsat Path Parsing - Process
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
Show query
IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288") ParentImage="*\\AppData\\Local\\Temp\\system32\\winsat.exe" ParentCommandLine="*C:\\Windows \\system32\\winsat.exe*"UAC Bypass Abusing Winsat Path Parsing - Registry
Detects the pattern of UAC Bypass using a path parsing issue in winsat.exe (UACMe 52)
Show query
TargetObject="*\\Root\\InventoryApplicationFile\\winsat.exe|*" TargetObject="*\\LowerCaseLongPath" Details="c:\\users\\*" Details="*\\appdata\\local\\temp\\system32\\winsat.exe"
UAC Bypass Tools Using ComputerDefaults
Detects tools such as UACMe used to bypass UAC with computerdefaults.exe (UACMe 59)
Show query
IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288") Image="C:\\Windows\\System32\\ComputerDefaults.exe" NOT (ParentImage IN ("*:\\Windows\\System32*", "*:\\Program Files*"))UAC Bypass Using .NET Code Profiler on MMC
Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39)
Show query
TargetFilename="C:\\Users\\*" TargetFilename="*\\AppData\\Local\\Temp\\pe386.dll"
UAC Bypass Using ChangePK and SLUI
Detects an UAC bypass that uses changepk.exe and slui.exe (UACMe 61)
Show query
Image="*\\changepk.exe" ParentImage="*\\slui.exe" IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288")UAC Bypass Using Consent and Comctl32 - File
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
Show query
TargetFilename="C:\\Windows\\System32\\consent.exe.@*" TargetFilename="*\\comctl32.dll"
UAC Bypass Using Consent and Comctl32 - Process
Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22)
Show query
ParentImage="*\\consent.exe" Image="*\\werfault.exe" IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288")UAC Bypass Using Disk Cleanup
Detects the pattern of UAC Bypass using scheduled tasks and variable expansion of cleanmgr.exe (UACMe 34)
Show query
CommandLine="*\"\\system32\\cleanmgr.exe /autoclean /d C:" ParentCommandLine="C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule" IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288")UAC Bypass Using DismHost
Detects the pattern of UAC Bypass using DismHost DLL hijacking (UACMe 63)
Show query
ParentImage="*C:\\Users\\*" ParentImage="*\\AppData\\Local\\Temp\\*" ParentImage="*\\DismHost.exe*" IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288")
Splunk
Converted
SPL
high
UAC Bypass Using Event Viewer RecentViews
Detects the pattern of UAC Bypass using Event Viewer RecentViews
Show query
CommandLine IN ("*\\Event Viewer\\RecentViews*", "*\\EventV~1\\RecentViews*") CommandLine="*>*"
Splunk
Converted
SPL
high
UAC Bypass Using EventVwr
Detects the pattern of a UAC bypass using Windows Event Viewer
Show query
TargetFilename IN ("*\\Microsoft\\Event Viewer\\RecentViews", "*\\Microsoft\\EventV~1\\RecentViews") NOT (Image IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*"))UAC Bypass Using IDiagnostic Profile
Detects the "IDiagnosticProfileUAC" UAC bypass technique
Show query
ParentImage="*\\DllHost.exe" ParentCommandLine="* /Processid:{12C21EA7-2EB8-4B55-9249-AC243DA8C666}*" IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288")UAC Bypass Using IDiagnostic Profile - File
Detects the creation of a file by "dllhost.exe" in System32 directory part of "IDiagnosticProfileUAC" UAC bypass technique
Show query
Image="*\\DllHost.exe" TargetFilename="C:\\Windows\\System32\\*" TargetFilename="*.dll"
UAC Bypass Using IEInstal - File
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
Show query
Image="C:\\Program Files\\Internet Explorer\\IEInstal.exe" TargetFilename="C:\\Users\\*" TargetFilename="*\\AppData\\Local\\Temp\\*" TargetFilename="*consent.exe"
UAC Bypass Using IEInstal - Process
Detects the pattern of UAC Bypass using IEInstal.exe (UACMe 64)
Show query
IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288") ParentImage="*\\ieinstal.exe" Image="*\\AppData\\Local\\Temp\\*" Image="*consent.exe"UAC Bypass Using Iscsicpl - ImageLoad
Detects the "iscsicpl.exe" UAC bypass technique that leverages a DLL Search Order hijacking technique to load a custom DLL's from temp or a any user controlled location in the users %PATH%
Show query
Image="C:\\Windows\\SysWOW64\\iscsicpl.exe" ImageLoaded="*\\iscsiexe.dll" NOT (ImageLoaded="*C:\\Windows\\*" ImageLoaded="*iscsiexe.dll*")
UAC Bypass Using MSConfig Token Modification - File
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
Show query
TargetFilename="C:\\Users\\*" TargetFilename="*\\AppData\\Local\\Temp\\pkgmgr.exe"
UAC Bypass Using MSConfig Token Modification - Process
Detects the pattern of UAC Bypass using a msconfig GUI hack (UACMe 55)
Show query
IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288") ParentImage="*\\AppData\\Local\\Temp\\pkgmgr.exe" CommandLine="\"C:\\Windows\\system32\\msconfig.exe\" -5"UAC Bypass Using NTFS Reparse Point - File
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
Show query
TargetFilename="C:\\Users\\*" TargetFilename="*\\AppData\\Local\\Temp\\api-ms-win-core-kernel32-legacy-l1.DLL"
UAC Bypass Using NTFS Reparse Point - Process
Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
Show query
(CommandLine="\"C:\\Windows\\system32\\wusa.exe\" /quiet C:\\Users\\*" CommandLine="*\\AppData\\Local\\Temp\\update.msu" IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288")) OR (ParentCommandLine="\"C:\\Windows\\system32\\dism.exe\" /online /quiet /norestart /add-package /packagepath:\"C:\\Windows\\system32\\pe386\" /ignorecheck" IntegrityLevel IN ("High", "System") CommandLine="*C:\\Users\\*" CommandLine="*\\AppData\\Local\\Temp\\*" CommandLine="*\\dismhost.exe {*" Image="*\\DismHost.exe")UAC Bypass Using PkgMgr and DISM
Detects the pattern of UAC Bypass using pkgmgr.exe and dism.exe (UACMe 23)
Show query
ParentImage="*\\pkgmgr.exe" Image="*\\dism.exe" IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288")UAC Bypass Using WOW64 Logger DLL Hijack
Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)
Show query
SourceImage="*:\\Windows\\SysWOW64\\*" GrantedAccess="0x1fffff" CallTrace="UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000)|*"
UAC Bypass Using Windows Media Player - File
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Show query
(TargetFilename="C:\\Users\\*" TargetFilename="*\\AppData\\Local\\Temp\\OskSupport.dll") OR (Image="C:\\Windows\\system32\\DllHost.exe" TargetFilename="C:\\Program Files\\Windows Media Player\\osk.exe")
UAC Bypass Using Windows Media Player - Process
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Show query
Image="C:\\Program Files\\Windows Media Player\\osk.exe" OR (Image="C:\\Windows\\System32\\cmd.exe" ParentCommandLine="\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s") IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288")UAC Bypass Using Windows Media Player - Registry
Detects the pattern of UAC Bypass using Windows Media Player osksupport.dll (UACMe 32)
Show query
TargetObject="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Store\\C:\\Program Files\\Windows Media Player\\osk.exe" Details="Binary Data"
UAC Bypass Via Wsreset
Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry.
Show query
TargetObject="*\\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\\Shell\\open\\command"
UAC Bypass WSReset
Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
Show query
Image="*\\wsreset.exe" IntegrityLevel IN ("High", "System", "S-1-16-16384", "S-1-16-12288")UAC Bypass With Fake DLL
Attempts to load dismcore.dll after dropping it
Show query
Image="*\\dism.exe" ImageLoaded="*\\dismcore.dll" NOT ImageLoaded="C:\\Windows\\System32\\Dism\\dismcore.dll"
UAC Bypass via Event Viewer
Detects UAC bypass method using Windows event viewer
Show query
TargetObject="*\\mscfile\\shell\\open\\command"
UAC Bypass via ICMLuaUtil
Detects the pattern of UAC Bypass using ICMLuaUtil Elevated COM interface
Show query
ParentImage="*\\dllhost.exe" ParentCommandLine IN ("*/Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*", "*/Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}*") NOT (Image="*\\WerFault.exe" OR OriginalFileName="WerFault.exe")UAC Bypass via Sdclt
Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
Show query
TargetObject="*Software\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand"
| rex field=Details "(?<DetailsMatch>-1[0-9]{3}\\\\Software\\\\Classes\\\\)"
| eval DetailsCondition=if(isnotnull(DetailsMatch), "true", "false")
| search OR (TargetObject="*Software\\Classes\\Folder\\shell\\open\\command\\SymbolicLinkValue" DetailsCondition="true")UEFI Persistence Via Wpbbin - FileCreation
Detects creation of a file named "wpbbin" in the "%systemroot%\system32\" directory. Which could be indicative of UEFI based persistence method
Show query
TargetFilename="C:\\Windows\\System32\\wpbbin.exe"
UEFI Persistence Via Wpbbin - ProcessCreation
Detects execution of the binary "wpbbin" which is used as part of the UEFI based persistence method described in the reference section
Show query
Image="C:\\Windows\\System32\\wpbbin.exe"
Uncommon Child Process Of Setres.EXE
Detects uncommon child process of Setres.EXE.
Setres.EXE is a Windows server only process and tool that can be used to set the screen resolution.
It can potentially be abused in order to launch any arbitrary file with a name containing the word "choice" from the current execution path.
Show query
ParentImage="*\\setres.exe" Image="*\\choice*" NOT (Image IN ("*C:\\Windows\\System32\\choice.exe", "*C:\\Windows\\SysWOW64\\choice.exe"))Uncommon Extension In Keyboard Layout IME File Registry Value
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.
Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path.
IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
Show query
TargetObject="*\\Control\\Keyboard Layouts\\*" TargetObject="*Ime File*" NOT Details="*.ime"
Uncommon File Created In Office Startup Folder
Detects the creation of a file with an uncommon extension in an Office application startup folder
Show query
(TargetFilename="*\\Microsoft\\Word\\STARTUP*" OR (TargetFilename="*\\Office*" TargetFilename="*\\Program Files*" TargetFilename="*\\STARTUP*") NOT (TargetFilename IN ("*.docb", "*.docm", "*.docx", "*.dotm", "*.mdb", "*.mdw", "*.pdf", "*.wll", "*.wwl"))) OR (TargetFilename="*\\Microsoft\\Excel\\XLSTART*" OR (TargetFilename="*\\Office*" TargetFilename="*\\Program Files*" TargetFilename="*\\XLSTART*") NOT (TargetFilename IN ("*.xll", "*.xls", "*.xlsm", "*.xlsx", "*.xlt", "*.xltm", "*.xlw"))) NOT ((Image="*:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*" Image="*\\OfficeClickToRun.exe") OR (Image IN ("*:\\Program Files\\Microsoft Office\\*", "*:\\Program Files (x86)\\Microsoft Office\\*") Image IN ("*\\winword.exe", "*\\excel.exe")))Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
Show query
Image="*\\gup.exe" NOT (TargetFilename IN ("C:\\Program Files\\Notepad++\\*", "C:\\Program Files (x86)\\Notepad++\\*") OR (TargetFilename="C:\\Users\\*" TargetFilename="*\\AppData\\Local\\Temp\\*" TargetFilename="*npp.*" TargetFilename="*.Installer.*" TargetFilename="*.exe*") OR (TargetFilename="C:\\Users\\*" TargetFilename="*\\AppData\\Local\\Temp\\*" TargetFilename="*.zip*") OR TargetFilename="C:\\$Recycle.Bin\\S-1-5-21*" OR TargetFilename IN ("*\\plugins\\JsonTools\\testfiles\\*", "*\\Notepad++\\plugins\\ComparePlugin\\*") OR (TargetFilename="*npp.*" TargetFilename="*.portable.*" TargetFilename="*\\plugins\\*"))
Splunk
Converted
SPL
high
Uncommon File Creation By Mysql Daemon Process
Detects the creation of files with scripting or executable extensions by Mysql daemon.
Which could be an indicator of "User Defined Functions" abuse to download malware.
Show query
Image IN ("*\\mysqld.exe", "*\\mysqld-nt.exe") TargetFilename IN ("*.bat", "*.dat", "*.dll", "*.exe", "*.ps1", "*.psm1", "*.vbe", "*.vbs")
Splunk
Converted
SPL
high
Uncommon FileSystem Load Attempt By Format.com
Detects the execution of format.com with an uncommon filesystem selection that could indicate a defense evasion activity in which "format.com" is used to load malicious DLL files or other programs.
Show query
Image="*\\format.com" CommandLine="*/fs:*" NOT (CommandLine IN ("*/fs:exFAT*", "*/fs:FAT*", "*/fs:NTFS*", "*/fs:ReFS*", "*/fs:UDF*"))Uncommon Microsoft Office Trusted Location Added
Detects changes to registry keys related to "Trusted Location" of Microsoft Office where the path is set to something uncommon. Attackers might add additional trusted locations to avoid macro security restrictions.
Show query
TargetObject="*Security\\Trusted Locations\\Location*" TargetObject="*\\Path" NOT ((Image="*:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\*" Image="*\\OfficeClickToRun.exe") OR Image IN ("*:\\Program Files\\Microsoft Office\\*", "*:\\Program Files (x86)\\Microsoft Office\\*")) NOT (Details IN ("*%APPDATA%\\Microsoft\\Templates*", "*%%APPDATA%%\\Microsoft\\Templates*", "*%APPDATA%\\Microsoft\\Word\\Startup*", "*%%APPDATA%%\\Microsoft\\Word\\Startup*", "*:\\Program Files (x86)\\Microsoft Office\\root\\Templates\\*", "*:\\Program Files\\Microsoft Office (x86)\\Templates*", "*:\\Program Files\\Microsoft Office\\root\\Templates\\*", "*:\\Program Files\\Microsoft Office\\Templates\\*"))Uncommon Network Connection Initiated By Certutil.EXE
Detects a network connection initiated by the certutil.exe utility.
Attackers can abuse the utility in order to download malware or additional payloads.
Show query
Image="*\\certutil.exe" Initiated="true" DestinationPort IN (80, 135, 443, 445)
Uncommon One Time Only Scheduled Task At 00:00
Detects scheduled task creation events that include suspicious actions, and is run once at 00:00
Show query
Image="*\\schtasks.exe*" OR OriginalFileName="schtasks.exe" CommandLine IN ("*wscript*", "*vbscript*", "*cscript*", "*wmic *", "*wmic.exe*", "*regsvr32.exe*", "*powershell*", "*\\AppData\\*") CommandLine="*once*" CommandLine="*00:00*"Uncommon Svchost Command Line Parameter
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
Show query
Image="*\\svchost.exe"
| rex field=CommandLine "(?<CommandLineMatch>-k\\s\\w{1,64}(?:\\s?(?:-p|-s))?)"
| eval CommandLineCondition=if(isnotnull(CommandLineMatch), "true", "false")
| search NOT (CommandLineCondition="true" OR CommandLine="" OR NOT CommandLine=*) NOT ((ParentImage="*\\MsMpEng.exe" CommandLine="*svchost.exe*") OR (ParentImage="*\\MRT.exe" CommandLine="svchost.exe"))Uncommon Userinit Child Process
Detects uncommon "userinit.exe" child processes, which could be a sign of uncommon shells or login scripts used for persistence.
Show query
ParentImage="*\\userinit.exe" NOT Image="*:\\WINDOWS\\explorer.exe" NOT (CommandLine IN ("*netlogon.bat*", "*UsrLogon.cmd*") OR CommandLine="PowerShell.exe" OR Image IN ("*:\\Windows\\System32\\proquota.exe", "*:\\Windows\\SysWOW64\\proquota.exe") OR Image IN ("*:\\Program Files (x86)\\Citrix\\HDX\\bin\\cmstart.exe", "*:\\Program Files (x86)\\Citrix\\HDX\\bin\\icast.exe", "*:\\Program Files (x86)\\Citrix\\System32\\icast.exe", "*:\\Program Files\\Citrix\\HDX\\bin\\cmstart.exe", "*:\\Program Files\\Citrix\\HDX\\bin\\icast.exe", "*:\\Program Files\\Citrix\\System32\\icast.exe") OR NOT Image=*)Unfamiliar Sign-In Properties
Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
Show query
riskEventType="unfamiliarFeatures"
Uninstall Crowdstrike Falcon Sensor
Adversaries may disable security tools to avoid possible detection of their tools and activities by uninstalling Crowdstrike Falcon
Show query
CommandLine="*\\WindowsSensor.exe*" CommandLine="* /uninstall*" CommandLine="* /quiet*"
Uninstall Sysinternals Sysmon
Detects the removal of Sysmon, which could be a potential attempt at defense evasion
Show query
Image IN ("*\\Sysmon64.exe", "*\\Sysmon.exe") OR Description="System activity monitor" CommandLine="*-u*" OR CommandLine="*/u*" OR CommandLine="*–u*" OR CommandLine="*—u*" OR CommandLine="*―u*"Unsigned Binary Loaded From Suspicious Location
Detects Code Integrity (CI) engine blocking processes from loading unsigned DLLs residing in suspicious locations
Show query
EventID IN (11, 12) ImageName IN ("*\\Users\\Public\\*", "*\\PerfLogs\\*", "*\\Desktop\\*", "*\\Downloads\\*", "*\\AppData\\Local\\Temp\\*", "*C:\\Windows\\TEMP\\*")Showing 1351-1400 of 3,131