Tool
Splunk
12,781 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 12,781
HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper that dumps the lsass process memory.
any where TargetFilename:"*dumpert.dmp"
HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper that dumps the lsass process memory.
from * metadata _id, _index, _version | where ends_with(TargetFilename, "dumpert.dmp")
HackTool - Dumpert Process Dumper Default File
Detects the creation of the default dump file used by the Outflank Dumpert tool, a process dumper that dumps the lsass process memory.
TargetFilename:*dumpert.dmp
HackTool - Dumpert Process Dumper Execution
Detects the use of the Dumpert process dumper, which dumps the lsass.exe process memory.
any where Hashes:"*MD5=09D278F9DE118EF09163C6140255C690*" or CommandLine:"*Dumpert.dll*"
HackTool - Dumpert Process Dumper Execution
Detects the use of the Dumpert process dumper, which dumps the lsass.exe process memory.
from * metadata _id, _index, _version | where Hashes like "*MD5=09D278F9DE118EF09163C6140255C690*" or CommandLine like "*Dumpert.dll*"
HackTool - Dumpert Process Dumper Execution
Detects the use of the Dumpert process dumper, which dumps the lsass.exe process memory.
Hashes:*MD5\=09D278F9DE118EF09163C6140255C690* OR CommandLine:*Dumpert.dll*
HackTool - Empire PowerShell UAC Bypass
Detects some Empire PowerShell UAC bypass methods.
any where CommandLine like~ ("* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*", "* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*")
HackTool - Empire PowerShell UAC Bypass
Detects some Empire PowerShell UAC bypass methods.
from * metadata _id, _index, _version | where CommandLine like "* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*" or CommandLine like "* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*"
HackTool - Empire PowerShell UAC Bypass
Detects some Empire PowerShell UAC bypass methods.
CommandLine:(*\ \-NoP\ \-NonI\ \-w\ Hidden\ \-c\ $x\=$\(\(gp\ HKCU\:Software\\Microsoft\\Windows\ Update\).Update\)* OR *\ \-NoP\ \-NonI\ \-c\ $x\=$\(\(gp\ HKCU\:Software\\Microsoft\\Windows\ Update\).Update\);*)
HackTool - F-Secure C3 Load by Rundll32
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
any where CommandLine:"*rundll32.exe*" and CommandLine:"*.dll*" and CommandLine:"*StartNodeRelay*"
HackTool - F-Secure C3 Load by Rundll32
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
from * metadata _id, _index, _version | where CommandLine like "*rundll32.exe*" and CommandLine like "*.dll*" and CommandLine like "*StartNodeRelay*"
HackTool - F-Secure C3 Load by Rundll32
F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
CommandLine:*rundll32.exe* AND CommandLine:*.dll* AND CommandLine:*StartNodeRelay*
HackTool - Inveigh Execution
Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool.
any where Image:"*\\Inveigh.exe" or (OriginalFileName like~ ("\\Inveigh.exe", "\\Inveigh.dll")) or Description:"Inveigh" or (CommandLine like~ ("* -SpooferIP*", "* -ReplyToIPs *", "* -ReplyToDomains *", "* -ReplyToMACs *", "* -SnifferIP*"))
HackTool - Inveigh Execution
Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool.
from * metadata _id, _index, _version | where ends_with(Image, "\\Inveigh.exe") or OriginalFileName in ("\\Inveigh.exe", "\\Inveigh.dll") or Description=="Inveigh" or CommandLine like "* -SpooferIP*" or CommandLine like "* -ReplyToIPs *" or CommandLine like "* -ReplyToDomains *" or CommandLine like "* -ReplyToMACs *" or CommandLine like "* -SnifferIP*"
HackTool - Inveigh Execution
Detects the use of Inveigh, a cross-platform .NET IPv4/IPv6 machine-in-the-middle tool.
Image:*\\Inveigh.exe OR (OriginalFileName:(\\Inveigh.exe OR \\Inveigh.dll)) OR Description:Inveigh OR (CommandLine:(*\ \-SpooferIP* OR *\ \-ReplyToIPs\ * OR *\ \-ReplyToDomains\ * OR *\ \-ReplyToMACs\ * OR *\ \-SnifferIP*))
HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts.
any where TargetFilename like~ ("*\\Inveigh-Log.txt", "*\\Inveigh-Cleartext.txt", "*\\Inveigh-NTLMv1Users.txt", "*\\Inveigh-NTLMv2Users.txt", "*\\Inveigh-NTLMv1.txt", "*\\Inveigh-NTLMv2.txt", "*\\Inveigh-FormInput.txt", "*\\Inveigh.dll", "*\\Inveigh.exe", "*\\Inveigh.ps1", "*\\Inveigh-Relay.ps1")
HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts.
from * metadata _id, _index, _version | where ends_with(TargetFilename, "\\Inveigh-Log.txt") or ends_with(TargetFilename, "\\Inveigh-Cleartext.txt") or ends_with(TargetFilename, "\\Inveigh-NTLMv1Users.txt") or ends_with(TargetFilename, "\\Inveigh-NTLMv2Users.txt") or ends_with(TargetFilename, "\\Inveigh-NTLMv1.txt") or ends_with(TargetFilename, "\\Inveigh-NTLMv2.txt") or ends_with(TargetFilename, "\\Inveigh-FormInput.txt") or ends_with(TargetFilename, "\\Inveigh.dll") or ends_with(TargetFilename, "\\Inveigh.exe") or ends_with(TargetFilename, "\\Inveigh.ps1") or ends_with(TargetFilename, "\\Inveigh-Relay.ps1")
HackTool - Inveigh Execution Artefacts
Detects the presence and execution of Inveigh via dropped artefacts.
TargetFilename:(*\\Inveigh\-Log.txt OR *\\Inveigh\-Cleartext.txt OR *\\Inveigh\-NTLMv1Users.txt OR *\\Inveigh\-NTLMv2Users.txt OR *\\Inveigh\-NTLMv1.txt OR *\\Inveigh\-NTLMv2.txt OR *\\Inveigh\-FormInput.txt OR *\\Inveigh.dll OR *\\Inveigh.exe OR *\\Inveigh.ps1 OR *\\Inveigh\-Relay.ps1)
HackTool - Koh Default Named Pipe
Detects creation of the default named pipes used by the Koh tool.
any where PipeName like~ ("*\\imposecost*", "*\\imposingcost*")
HackTool - Koh Default Named Pipe
Detects creation of the default named pipes used by the Koh tool.
from * metadata _id, _index, _version | where PipeName like "*\\imposecost*" or PipeName like "*\\imposingcost*"
HackTool - Koh Default Named Pipe
Detects creation of the default named pipes used by the Koh tool.
PipeName:(*\\imposecost* OR *\\imposingcost*)
HackTool - Mimikatz Kirbi File Creation
Detects the creation of files produced by mimikatz, such as ".kirbi" tickets and "mimilsa.log".
any where TargetFilename like~ ("*.kirbi", "*mimilsa.log")
HackTool - Mimikatz Kirbi File Creation
Detects the creation of files produced by mimikatz, such as ".kirbi" tickets and "mimilsa.log".
from * metadata _id, _index, _version | where ends_with(TargetFilename, ".kirbi") or ends_with(TargetFilename, "mimilsa.log")
HackTool - Mimikatz Kirbi File Creation
Detects the creation of files produced by mimikatz, such as ".kirbi" tickets and "mimilsa.log".
TargetFilename:(*.kirbi OR *mimilsa.log)
HackTool - PurpleSharp Execution
Detects the execution of the PurpleSharp adversary simulation tool.
any where (Image:"*\\purplesharp*" or OriginalFileName:"PurpleSharp.exe") or (CommandLine like~ ("*xyz123456.exe*", "*PurpleSharp*"))
HackTool - PurpleSharp Execution
Detects the execution of the PurpleSharp adversary simulation tool.
from * metadata _id, _index, _version | where Image like "*\\purplesharp*" or OriginalFileName=="PurpleSharp.exe" or CommandLine like "*xyz123456.exe*" or CommandLine like "*PurpleSharp*"
HackTool - PurpleSharp Execution
Detects the execution of the PurpleSharp adversary simulation tool.
(Image:*\\purplesharp* OR OriginalFileName:PurpleSharp.exe) OR (CommandLine:(*xyz123456.exe* OR *PurpleSharp*))
HackTool - QuarksPwDump Dump File
Detects a dump file written by the QuarksPwDump password dumper.
any where TargetFilename:"*\\AppData\\Local\\Temp\\SAM-*" and TargetFilename:"*.dmp*"
HackTool - QuarksPwDump Dump File
Detects a dump file written by the QuarksPwDump password dumper.
from * metadata _id, _index, _version | where TargetFilename like "*\\AppData\\Local\\Temp\\SAM-*" and TargetFilename like "*.dmp*"
HackTool - QuarksPwDump Dump File
Detects a dump file written by the QuarksPwDump password dumper.
TargetFilename:*\\AppData\\Local\\Temp\\SAM\-* AND TargetFilename:*.dmp*
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information or command line parameters.
any where Image:"*\\Rubeus.exe" or OriginalFileName:"Rubeus.exe" or Description:"Rubeus" or (CommandLine like~ ("*asreproast *", "*dump /service:krbtgt *", "*dump /luid:0x*", "*kerberoast *", "*createnetonly /program:*", "*ptt /ticket:*", "*/impersonateuser:*", "*renew /ticket:*", "*asktgt /user:*", "*harvest /interval:*", "*s4u /user:*", "*s4u /ticket:*", "*hash /password:*", "*golden /aes256:*", "*silver /user:*"))
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information or command line parameters.
from * metadata _id, _index, _version | where ends_with(Image, "\\Rubeus.exe") or OriginalFileName=="Rubeus.exe" or Description=="Rubeus" or CommandLine like "*asreproast *" or CommandLine like "*dump /service:krbtgt *" or CommandLine like "*dump /luid:0x*" or CommandLine like "*kerberoast *" or CommandLine like "*createnetonly /program:*" or CommandLine like "*ptt /ticket:*" or CommandLine like "*/impersonateuser:*" or CommandLine like "*renew /ticket:*" or CommandLine like "*asktgt /user:*" or CommandLine like "*harvest /interval:*" or CommandLine like "*s4u /user:*" or CommandLine like "*s4u /ticket:*" or CommandLine like "*hash /password:*" or CommandLine like "*golden /aes256:*" or CommandLine like "*silver /user:*"
HackTool - Rubeus Execution
Detects the execution of the hacktool Rubeus via PE information or command line parameters.
Image:*\\Rubeus.exe OR OriginalFileName:Rubeus.exe OR Description:Rubeus OR (CommandLine:(*asreproast\ * OR *dump\ \/service\:krbtgt\ * OR *dump\ \/luid\:0x* OR *kerberoast\ * OR *createnetonly\ \/program\:* OR *ptt\ \/ticket\:* OR *\/impersonateuser\:* OR *renew\ \/ticket\:* OR *asktgt\ \/user\:* OR *harvest\ \/interval\:* OR *s4u\ \/user\:* OR *s4u\ \/ticket\:* OR *hash\ \/password\:* OR *golden\ \/aes256\:* OR *silver\ \/user\:*))
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and its default image name.
any where Image:"*\\SafetyKatz.exe" or OriginalFileName:"SafetyKatz.exe" or Description:"SafetyKatz"
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and its default image name.
from * metadata _id, _index, _version | where ends_with(Image, "\\SafetyKatz.exe") or OriginalFileName=="SafetyKatz.exe" or Description=="SafetyKatz"
HackTool - SafetyKatz Execution
Detects the execution of the hacktool SafetyKatz via PE information and its default image name.
Image:*\\SafetyKatz.exe OR OriginalFileName:SafetyKatz.exe OR Description:SafetyKatz
HackTool - SecurityXploded Execution
Detects the execution of SecurityXploded tools.
any where Company:"SecurityXploded" or Image:"*PasswordDump.exe" or OriginalFileName:"*PasswordDump.exe"
HackTool - SecurityXploded Execution
Detects the execution of SecurityXploded tools.
from * metadata _id, _index, _version | where Company=="SecurityXploded" or ends_with(Image, "PasswordDump.exe") or ends_with(OriginalFileName, "PasswordDump.exe")
HackTool - SecurityXploded Execution
Detects the execution of SecurityXploded tools.
Company:SecurityXploded OR Image:*PasswordDump.exe OR OriginalFileName:*PasswordDump.exe
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation.
any where Image:"*\\SharpUp.exe" or Description:"SharpUp" or (CommandLine like~ ("*HijackablePaths*", "*UnquotedServicePath*", "*ProcessDLLHijack*", "*ModifiableServiceBinaries*", "*ModifiableScheduledTask*", "*DomainGPPPassword*", "*CachedGPPPassword*"))
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation.
from * metadata _id, _index, _version | where ends_with(Image, "\\SharpUp.exe") or Description=="SharpUp" or CommandLine like "*HijackablePaths*" or CommandLine like "*UnquotedServicePath*" or CommandLine like "*ProcessDLLHijack*" or CommandLine like "*ModifiableServiceBinaries*" or CommandLine like "*ModifiableScheduledTask*" or CommandLine like "*DomainGPPPassword*" or CommandLine like "*CachedGPPPassword*"
HackTool - SharpUp PrivEsc Tool Execution
Detects the use of SharpUp, a tool for local privilege escalation.
Image:*\\SharpUp.exe OR Description:SharpUp OR (CommandLine:(*HijackablePaths* OR *UnquotedServicePath* OR *ProcessDLLHijack* OR *ModifiableServiceBinaries* OR *ModifiableScheduledTask* OR *DomainGPPPassword* OR *CachedGPPPassword*))
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants.
any where CommandLine:"*-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*"
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants.
from * metadata _id, _index, _version | where CommandLine like "*-NoExit -Command [Console]::OutputEncoding=[Text.UTF8Encoding]::UTF8*"
HackTool - Sliver C2 Implant Activity Pattern
Detects process activity patterns as seen being used by Sliver C2 framework implants.
CommandLine:*\-NoExit\ \-Command\ \[Console\]\:\:OutputEncoding\=\[Text.UTF8Encoding\]\:\:UTF8*
HackTool - SysmonEOP Execution
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120.
any where Image:"*\\SysmonEOP.exe" or (Hashes like~ ("*IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5*", "*IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC*"))
HackTool - SysmonEOP Execution
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120.
from * metadata _id, _index, _version | where ends_with(Image, "\\SysmonEOP.exe") or Hashes like "*IMPHASH=22F4089EB8ABA31E1BB162C6D9BF72E5*" or Hashes like "*IMPHASH=5123FA4C4384D431CD0D893EEB49BBEC*"
HackTool - SysmonEOP Execution
Detects the execution of the PoC that can be used to exploit Sysmon CVE-2022-41120.
Image:*\\SysmonEOP.exe OR (Hashes:(*IMPHASH\=22F4089EB8ABA31E1BB162C6D9BF72E5* OR *IMPHASH\=5123FA4C4384D431CD0D893EEB49BBEC*))
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
It is often used by threat actors for credential dumping and lateral movement within compromised networks.
any where (Image like~ ("*\\WCE.exe", "*\\WCE64.exe")) or (Hashes like~ ("*IMPHASH=136F0A8572C058A96436C82E541E4C41*", "*IMPHASH=589657C64DDE88533186C39F82FA1F50*", "*IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF*", "*IMPHASH=7D490037BF450877E6D0287BDCFF8D2E*", "*IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED*", "*IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F*", "*IMPHASH=BA434A7A729EEC20E136CA4C32D6C740*", "*IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8*", "*IMPHASH=E96A73C7BF33A464C510EDE582318BF2*"))
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
It is often used by threat actors for credential dumping and lateral movement within compromised networks.
from * metadata _id, _index, _version | where ends_with(Image, "\\WCE.exe") or ends_with(Image, "\\WCE64.exe") or Hashes like "*IMPHASH=136F0A8572C058A96436C82E541E4C41*" or Hashes like "*IMPHASH=589657C64DDE88533186C39F82FA1F50*" or Hashes like "*IMPHASH=6BFE09EFCB4FFDE061EBDBAFC4DB84CF*" or Hashes like "*IMPHASH=7D490037BF450877E6D0287BDCFF8D2E*" or Hashes like "*IMPHASH=8AB93B061287C79F3088C5BC7E7D97ED*" or Hashes like "*IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F*" or Hashes like "*IMPHASH=BA434A7A729EEC20E136CA4C32D6C740*" or Hashes like "*IMPHASH=BD1D1547DA13C0FCB6C15E86217D5EB8*" or Hashes like "*IMPHASH=E96A73C7BF33A464C510EDE582318BF2*"