Deployable detection rules
4,399 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
◈
Detections
50 shown of 4,399Potential Remote Credential Access via Registry
Identifies remote access to the registry to potentially dump credential data from the Security Account Manager (SAM)
registry hive in preparation for credential access and privileges elevation.
Show query
file where host.os.type == "windows" and
event.action == "creation" and process.name : "svchost.exe" and
file.Ext.header_bytes : "72656766*" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and file.size >= 30000 and
file.path : ("?:\\Windows\\system32\\*.tmp", "?:\\WINDOWS\\Temp\\*.tmp")
Potential Remote Desktop Shadowing Activity
Identifies the modification of the Remote Desktop Protocol (RDP) Shadow registry or the execution of processes
indicative of an active RDP shadowing session. An adversary may abuse the RDP Shadowing feature to spy on or control
other users active RDP sessions.
Show query
/* Identifies the modification of RDP Shadow registry or
the execution of processes indicative of active shadow RDP session */
any where host.os.type == "windows" and
(
(event.category == "registry" and event.type == "change" and
registry.value : "Shadow" and
registry.path : (
"*\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow"
) and
registry.data.strings : ("1", "0x00000001", "2", "0x00000002", "3", "0x00000003", "4", "0x00000004")
) or
(event.category == "process" and event.type == "start" and
(
(process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or
(?process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*")
)
)
)
Potential Remote Desktop Tunneling Detected
Identifies potential use of an SSH utility to establish RDP over an SSH Tunnel. This can be used by attackers to enable
routing of network packets that would otherwise not reach their intended destination.
Show query
process where host.os.type == "windows" and event.type == "start" and
/* RDP port with SSH local or reverse port-forwarding flags */
process.args : "*:3389" and process.args : ("-L", "-R")
Potential Remote Install via MsiExec
Identifies attempts to install a file from a remote server using MsiExec. Adversaries may abuse Windows Installers
for initial access and delivery of malware.
Show query
process where host.os.type == "windows" and event.type == "start" and
process.name : "msiexec.exe" and process.args : ("-i*", "/i*", "-p*", "/p*") and
process.command_line : ("*http:*", "*https:*") and
process.args : ("/qn", "-qn", "-q", "/q", "/quiet") and
process.parent.name : (
"sihost.exe", "explorer.exe", "cmd.exe", "wscript.exe", "mshta.exe",
"powershell.exe", "wmiprvse.exe", "pcalua.exe", "forfiles.exe", "conhost.exe"
) and
not process.command_line : (
"*--set-server=*", "*UPGRADEADD=*" , "*--url=*", "*USESERVERCONFIG=*", "*RCTENTERPRISESERVER=*",
"*app.ninjarmm.com*", "*zoom.us/client*", "*SUPPORTSERVERSTSURI=*", "*START_URL=*", "*AUTOCONFIG=*",
"*awscli.amazonaws.com*", "*/i \"C:*", "*/i C:\\*"
)
Potential Reverse Shell
This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This
activity consists of a parent-child relationship where a network event is followed by the creation of a shell process.
An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
Show query
sequence by host.id with maxspan=5s
[network where event.type == "start" and host.os.type == "linux" and
event.action in ("connection_attempted", "connection_accepted") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and destination.ip != null and
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")] by process.entity_id
[process where event.type == "start" and host.os.type == "linux" and event.action in ("exec", "fork") and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
(process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*")
)] by process.parent.entity_id
Potential Reverse Shell Activity via Terminal
Identifies the execution of a shell process with suspicious arguments which may be indicative of reverse shell activity.
Show query
process where event.type in ("start", "process_started") and
process.name in ("sh", "bash", "zsh", "dash", "zmodload") and
process.args : ("*/dev/tcp/*", "*/dev/udp/*", "*zsh/net/tcp*", "*zsh/net/udp*") and
/* noisy FPs */
not (process.parent.name : "timeout" and process.executable : "/var/lib/docker/overlay*") and
not process.command_line : (
"*/dev/tcp/sirh_db/*", "*/dev/tcp/remoteiot.com/*", "*dev/tcp/elk.stag.one/*", "*dev/tcp/kafka/*",
"*/dev/tcp/$0/$1*", "*/dev/tcp/127.*", "*/dev/udp/127.*", "*/dev/tcp/localhost/*", "*/dev/tcp/itom-vault/*") and
not process.parent.command_line : "runc init"
Potential Reverse Shell via Background Process
Monitors for the execution of background processes with process arguments capable of opening a socket in the /dev/tcp
channel. This may indicate the creation of a backdoor reverse connection, and should be investigated further.
Show query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2") and
process.name in ("setsid", "nohup") and process.args : "*/dev/tcp/*0>&1*" and
process.parent.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")
Potential Reverse Shell via Child
This detection rule identifies suspicious network traffic patterns associated with TCP reverse shell activity. This
activity consists of a network event that is followed by the creation of a shell process with suspicious command line
arguments. An attacker may establish a Linux TCP reverse shell to gain remote access to a target system.
Show query
sequence by host.id, process.entity_id with maxspan=5s
[network where event.type == "start" and host.os.type == "linux" and
event.action in ("connection_attempted", "connection_accepted") and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "socat") and destination.ip != null and
not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
[process where event.type == "start" and host.os.type == "linux" and event.action == "exec" and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and (
(process.args : ("-i", "-l")) or (process.parent.name == "socat" and process.parent.args : "*exec*")
)]
Potential Reverse Shell via Suspicious Binary
This detection rule detects the creation of a shell through a chain consisting of the execution of a suspicious binary
(located in a commonly abused location or executed manually) followed by a network event and ending with a shell being
spawned. Stageless reverse tcp shells display this behaviour. Attackers may spawn reverse shells to establish
persistence onto a target system.
Show query
sequence by host.id, process.entity_id with maxspan=1s
[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.executable : (
"./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
"/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*",
"/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local"
) and
process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not
process.name : ("curl", "wget", "ping", "apt", "dpkg", "yum", "rpm", "dnf", "dockerd") ]
[ network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
process.executable : (
"./*", "/tmp/*", "/var/tmp/*", "/var/www/*", "/dev/shm/*", "/etc/init.d/*", "/etc/rc*.d/*",
"/etc/crontab", "/etc/cron.*", "/etc/update-motd.d/*", "/usr/lib/update-notifier/*",
"/boot/*", "/srv/*", "/run/*", "/root/*", "/etc/rc.local"
) and destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" ]
[ process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
process.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
process.parent.name : ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") ]
Potential Reverse Shell via Suspicious Child Process
This detection rule detects the creation of a shell through a suspicious process chain. Any reverse shells spawned by
the specified utilities that are initialized from a single process followed by a network connection attempt will be
captured through this rule. Attackers may spawn reverse shells to establish persistence onto a target system.
Show query
sequence by host.id, process.entity_id with maxspan=1s
[process where host.os.type == "linux" and event.type == "start" and event.action in ("exec", "fork") and (
(process.name : "python*" and process.args : "-c" and process.args : (
"*import*pty*spawn*", "*import*subprocess*call*"
)) or
(process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : (
"*exec*", "*system*"
)) or
(process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : (
"*TCPSocket.new*", "*TCPSocket.open*"
)) or
(process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : (
"*io.popen*", "*os.execute*"
)) or
(process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or
(process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
(process.name : ("nc", "ncat", "netcat") and process.args == "-e" and process.args_count >= 3 and
not process.args == "-z")
) and process.parent.name : (
"bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "python*", "php*", "perl", "ruby", "lua*",
"nc", "netcat", "ncat", "awk", "gawk", "mawk", "nawk")]
[network where host.os.type == "linux" and event.type == "start" and event.action in ("connection_attempted", "connection_accepted") and
process.name : ("python*", "php*", "perl", "ruby", "lua*", "nc", "netcat", "ncat", "awk", "gawk", "mawk", "nawk") and
destination.ip != null and not cidrmatch(destination.ip, "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "::1")]
Potential Root Effective Shell from Non-Standard Path via Auditd
Identifies process execution events where the effective user is root while the real user is not, the process arguments
include the privileged shell flag commonly associated with setuid-capable shells, and the executable path is outside
standard system binary directories. That combination is consistent with abuse of setuid shells or similar helpers
copied or linked into writable locations, a pattern used to regain a root context after local exploitation.
Show query
host.os.type:linux and event.category:process and event.action:(exec or executed) and user.id:(* and not 0) and process.executable:(* and not (/bin/* or /nix/store/*/bin/sudo or /run/wrappers/wrappers*/sudo or /sbin/* or /usr/bin/* or /usr/sbin/*)) and user.effective.id:0 and process.args:-p
Elastic
EQL
high
T1059, T1059.001, T1059.003, T1059.004, T1059.006, T1059.007, T1203, T1190, T1505, T1505.003 ↗
Potential SAP NetWeaver Exploitation
Identifies suspicious processes spawned from the SAP NetWeaver application. This may indicate an attempt to execute commands via webshell.
Show query
process where event.type == "start" and host.os.type in ("linux", "windows") and
process.name : ("sh",
"bash",
"dash",
"ksh",
"tcsh",
"zsh",
"curl",
"perl*",
"python*",
"ruby*",
"php*",
"wget",
"cmd.exe",
"powershell.exe",
"rundll32.exe",
"msbuild.exe",
"curl.exe",
"certutil.exe") and
(
process.working_directory : ("/*/sap.com*/servlet_jsp/irj/*", "*\\sap.com*\\servlet_jsp\\irj\\*") or
process.command_line : ("*/sap.com*/servlet_jsp/irj/*", "*\\sap.com*\\servlet_jsp\\irj\\*") or
process.parent.command_line : ("*/sap.com*/servlet_jsp/irj/*", "*\\sap.com*\\servlet_jsp\\irj\\*")
)
Potential SAP NetWeaver WebShell Creation
Identifies suspicious Java file creation in the IRJ directory of the SAP NetWeaver application. This may indicate an attempt to deploy a webshell.
Show query
file where host.os.type in ("linux", "windows") and event.action == "creation" and
file.extension : ("jsp", "java", "class") and
file.path : ("/*/sap.com/*/servlet_jsp/irj/root/*",
"/*/sap.com/*/servlet_jsp/irj/work/*",
"?:\\*\\sap.com\\*\\servlet_jsp\\irj\\root\\*",
"?:\\*\\sap.com\\*\\servlet_jsp\\irj\\work\\*")
Potential SSH Brute Force Detected on Privileged Account
Identifies multiple consecutive login failures targeting a root user account from the same source address and within a
short time interval. Adversaries will often brute force login attempts on privileged accounts with a common or known
password, in an attempt to gain privileged access to systems.
Show query
sequence by host.id, source.ip with maxspan=10s
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and
source.ip != "::" and user.name : ("*root*" , "*admin*")] with runs=3
Potential SharpRDP Behavior
Identifies potential behavior of SharpRDP, which is a tool that can be used to perform authenticated command execution
against a remote target via Remote Desktop Protocol (RDP) for the purposes of lateral movement.
Show query
/* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */
sequence by host.id with maxspan=1m
[network where host.os.type == "windows" and event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
network.direction : ("incoming", "ingress") and network.transport == "tcp" and
source.ip != "127.0.0.1" and source.ip != "::1"
]
[registry where host.os.type == "windows" and event.type == "change" and process.name : "explorer.exe" and
registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and
registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*")
]
[process where host.os.type == "windows" and event.type == "start" and
(process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
not process.name : "conhost.exe"
]
Potential Successful SSH Brute Force Attack
Identifies multiple SSH login failures followed by a successful one from the same source address. Adversaries can
attempt to login into multiple users with a common or known password to gain access to accounts.
Show query
sequence by host.id, source.ip, user.name with maxspan=15s
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "failure" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ] with runs=25
[authentication where host.os.type == "linux" and event.action in ("ssh_login", "user_login") and
event.outcome == "success" and source.ip != null and source.ip != "0.0.0.0" and source.ip != "::" ]
Potential Sudo Privilege Escalation via CVE-2019-14287
This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate
privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID
that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u
representing the root user. This exploit may work for sudo versions prior to v1.28.
Show query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "sudo" and process.args == "-u#-1"
Potential System Tampering via File Modification
Identifies attempts to delete or modify critical files used during the boot process to prevent the system from booting.
This may indicate a destructive attack behavior.
Show query
file where host.os.type == "windows" and event.type in ("change", "deletion") and
file.name : ("winload.exe", "winload.efi", "ntoskrnl.exe", "bootmgr") and
file.path : ("?:\\Windows\\*", "\\Device\\HarddiskVolume*\\Windows\\*") and
not process.executable : (
"?:\\Windows\\System32\\poqexec.exe",
"?:\\Windows\\System32\\wbengine.exe",
"?:\\Windows\\WinSxS\\???64_microsoft-windows-servicingstack_*\\tiworker.exe"
) and
not file.path : (
"?:\\Windows\\WinSxS\\Temp\\InFlight\\*",
"?:\\Windows\\SoftwareDistribution\\Download*",
"?:\\Windows\\WinSxS\\amd64_microsoft-windows*",
"?:\\Windows\\SystemTemp\\*",
"?:\\Windows\\Temp\\????????.???\\*",
"?:\\Windows\\Temp\\*\\amd64_microsoft-windows-*",
"\\Device\\HarddiskVolume*\\Windows\\SoftwareDistribution\\Download*",
"?:\\Windows\\Temp\\BootImages\\{*}\\mount\\Windows\\*"
)
Potential THC Tool Downloaded
Identifies processes that are capable of downloading files with command line arguments containing URLs to SSH-IT's
autonomous SSH worm. This worm intercepts outgoing SSH connections every time a user uses ssh.
Show query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name in ("curl", "wget") and process.args : (
"https://github.com/hackerschoice/*", "https://thc.org/*", "http://nossl.segfault.net/*", "https://gsocket.io/*"
)
Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation
Identifies successful exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2 file
upload functionality. This high-fidelity rule detects a specific attack sequence where a malicious multipart/form-data
POST request with WebKitFormBoundary is made to a Struts .action upload endpoint, immediately followed by the creation
of a JSP web shell file by a Java process in Tomcat's webapps directories. This correlated activity indicates active
exploitation resulting in remote code execution capability through unauthorized file upload and web shell deployment.
Show query
sequence by agent.id with maxspan=10s
[network where data_stream.dataset == "network_traffic.http" and
http.request.method == "POST" and
http.request.body.content like "*WebKitFormBoundary*" and
url.path like~ "*upload*.action"]
[file where data_stream.dataset == "endpoint.events.file" and
host.os.type == "linux" and
event.action == "creation" and
process.name == "java" and
file.extension == "jsp" and
file.path like "*/webapps/*" and
not file.path like "*/WEB-INF/*" and
not file.path like "*/META-INF/*"
]
Potential Widespread Malware Infection Across Multiple Hosts
This rule uses alert data to determine when a malware signature is triggered in multiple hosts. Analysts can use this to
prioritize triage and response, as this can potentially indicate a widespread malware infection.
Show query
from logs-endpoint.alerts-*
| where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null
| keep host.id, rule.name, event.code
| stats Esql.host_id_count_distinct = count_distinct(host.id) by rule.name, event.code
| where Esql.host_id_count_distinct >= 3
Potential cPanel WHM CRLF Authentication Bypass (CVE-2026-41940)
Identifies the network signature of CVE-2026-41940, a pre-auth root-level authentication bypass in cPanel and WebHost
Manager (WHM) caused by a CRLF injection in the session writer. The exploit-inherent shape on the wire is a `GET /`
request to a cPanel/WHM admin port (typically TCP/2087, 2086, 2083, 2082, 2095, 2096) carrying an
`Authorization: Basic` header whose base64-decoded value contains CRLF-injected session fields, which causes cpsrvd
to respond with a 3xx redirect whose `Location` header leaks a `/cpsessNNNNNNNNNN` token granting the attacker a
privileged session. This is the network-layer equivalent of the cPanel `access_log` artifact identified by Unfold and
watchTowr as the first bulletproof detection for this CVE: a `GET /` recorded with `auth_method=b` (HTTP Basic).
Legitimate access to `GET /` on a WHM admin port returns 200 with the login screen and never includes HTTP Basic
credentials, so this combination is not produced by normal use.
Show query
(
(
(data_stream.dataset:network_traffic.http OR (event.category:network_traffic AND network.protocol:http)) AND
http.response.status_code:[300 TO 399] AND
http.request.headers.authorization:Basic* AND
http.response.headers.location:\/cpsess*
)
OR
(
data_stream.dataset:zeek.http AND
zeek.http.client_header_names:AUTHORIZATION AND
zeek.http.server_header_names:LOCATION
)
) AND
http.request.method:GET AND
url.path:"/" AND
destination.port:(2087 OR 2086 OR 2083 OR 2082 OR 2095 OR 2096)
Potential privilege escalation via CVE-2022-38028
Identifies a potential privilege escalation attempt via CVE-2022-38028 through modification of the protected Print to PDF
MPDW constraints script.
Show query
file where host.os.type == "windows" and event.type != "deletion" and
file.name : "MPDW-constraints.js" and
file.path : (
"?:\\*\\Windows\\system32\\DriverStore\\FileRepository\\*\\MPDW-constraints.js",
"?:\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js",
"\\Device\\HarddiskVolume*\\*\\Windows\\system32\\DriverStore\\FileRepository\\*\\MPDW-constraints.js",
"\\Device\\HarddiskVolume*\\*\\Windows\\WinSxS\\amd64_microsoft-windows-printing-printtopdf_*\\MPDW-constraints.js"
) and
not process.executable : (
"?:\\$WINDOWS.~BT\\Sources\\SetupHost.exe",
"?:\\Windows\\System32\\taskhostw.exe"
) and
not file.path : (
"?:\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js",
"\\Device\\HarddiskVolume*\\$WINDOWS.~BT\\NewOS\\Windows\\WinSxS\\*\\MPDW-constraints.js"
)
Potential snap-confine Privilege Escalation via CVE-2026-3888
This rule detects non-root file creation within "/tmp/.snap" or its host backing path
"/tmp/snap-private-tmp/*/tmp/.snap", which may indicate exploitation attempts related to CVE-2026-3888.
In vulnerable Ubuntu systems, the snap-confine utility normally creates the "/tmp/.snap" directory as
root when initializing a snap sandbox. The vulnerability arises when systemd-tmpfiles deletes this
directory after it becomes stale, allowing an unprivileged user to recreate it and populate
attacker-controlled files. During subsequent snap sandbox initialization, snap-confine may bind-mount
or trust these attacker-controlled paths, enabling manipulation of libraries or configuration files
that can lead to local privilege escalation to root. Because legitimate creation of ".snap" directories
should only be performed by root, non-root file activity in these locations is highly suspicious. This
detection helps identify early stages of the exploit before privilege escalation is completed.
Show query
file where host.os.type == "linux" and event.action == "creation" and
file.path like ("/tmp/.snap*", "/tmp/snap-private-tmp/*/tmp/.snap*") and
user.id != "0"
Potentially Successful Okta MFA Bombing via Push Notifications
Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the
user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured
for an organization to obtain unauthorized access.
Show query
sequence by okta.actor.id with maxspan=10m
[ any
where data_stream.dataset == "okta.system"
and (
okta.event_type == "user.mfa.okta_verify.deny_push"
or (
okta.event_type == "user.authentication.auth_via_mfa"
and okta.debug_context.debug_data.factor == "OKTA_VERIFY_PUSH"
and okta.outcome.reason == "INVALID_CREDENTIALS"
)
)
] with runs=5
[ any
where data_stream.dataset == "okta.system"
and okta.event_type in (
"user.authentication.sso",
"user.authentication.auth_via_mfa",
"user.authentication.verify",
"user.session.start"
)
and okta.outcome.result == "SUCCESS"
]
PowerShell Invoke-NinjaCopy script
Detects PowerShell script block content containing Invoke-NinjaCopy or related Stealth* functions used for direct volume
file access. Attackers use NinjaCopy to read locked system files such as NTDS.dit or registry hives for credential
dumping.
Show query
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"StealthReadFile" or
"StealthReadFileAddr" or
"StealthCloseFileDelegate" or
"StealthOpenFile" or
"StealthCloseFile" or
"Invoke-NinjaCopy"
) and
not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
PowerShell Kerberos Ticket Dump
Detects PowerShell script block content that references LSA Kerberos authentication-package access patterns, including
explicit Kerberos ticket message types or dynamic Kerberos package lookup. These patterns are consistent with tooling
that enumerates, retrieves, or exports Kerberos tickets from memory for credential reuse or lateral movement.
Show query
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"LsaCallAuthenticationPackage" and
(
"KerbRetrieveEncodedTicketMessage" or
"KerbQueryTicketCacheMessage" or
"KerbQueryTicketCacheExMessage" or
"KerbQueryTicketCacheEx2Message" or
"KerbRetrieveTicketMessage" or
"KerbDecryptDataMessage" or
("LsaLookupAuthenticationPackage" and "kerberos" and "KERB_RETRIEVE_TKT_REQUEST")
)
)
PowerShell Kerberos Ticket Request
Detects PowerShell script content that references KerberosRequestorSecurityToken, which can request Kerberos service
tickets. Attackers request service tickets to perform Kerberoasting for offline password cracking of service accounts.
Show query
event.category:process and host.os.type:windows and
powershell.file.script_block_text : "KerberosRequestorSecurityToken" and
not powershell.file.script_block_text : (
("sentinelbreakpoints" and ("Set-PSBreakpoint" or "Set-HookFunctionTabs")) or
("function global" and "\\windows\\sentinel\\4")
)
PowerShell Keylogging Script
Detects PowerShell script block content that references Win32 keylogging primitives such as key state polling or
low-level input hooks. Adversaries use keylogging to capture credentials and other sensitive user input.
Show query
event.category:process and host.os.type:windows and
(
powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or "Get-Keystrokes") or
powershell.file.script_block_text : (
(SetWindowsHookEx or SetWindowsHookExA or SetWindowsHookExW or NtUserSetWindowsHookEx) and
(
GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL" or "WH_MOUSE_LL" or
"WH_KEYBOARD_LL" or "LowLevelKeyboardProc" or "CallNextHookEx"
)
)
) and not user.id : "S-1-5-18" and
not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint"
)
PowerShell MiniDump Script
Detects PowerShell scripts referencing MiniDumpWriteDump or full-memory minidump types, which can capture
process memory. Attackers use this technique to dump credential-bearing processes like LSASS for credential theft and
lateral movement.
Show query
event.category:process and host.os.type:windows and powershell.file.script_block_text:(MiniDumpWriteDump or MiniDumpWithFullMemory or pmuDetirWpmuDiniM)
PowerShell PSReflect Script
Detects PowerShell script block content containing PSReflect-style helper indicators, such as Add-Win32Type,
New-InMemoryModule, or DllImport patterns, that may support dynamic Win32 API invocation from PowerShell.
Show query
event.category:process and host.os.type:windows and
powershell.file.script_block_text:(
"New-InMemoryModule" or
"Add-Win32Type" or
psenum or
DefineDynamicAssembly or
DefineDynamicModule or
"Reflection.TypeAttributes" or
"Reflection.Emit.OpCodes" or
"Reflection.Emit.CustomAttributeBuilder" or
"Runtime.InteropServices.DllImportAttribute"
) and
not user.id : "S-1-5-18"
PowerShell Share Enumeration Script
Detects PowerShell scripts that use ShareFinder functions (Invoke-ShareFinder/Invoke-ShareFinderThreaded) or Windows
share enumeration APIs (shi1_netname/shi1_remark with NetShareEnum/NetApiBufferFree). Attackers use share enumeration to
map accessible network shares for collection, lateral movement, or ransomware targeting.
Show query
event.category:process and host.os.type:windows and
powershell.file.script_block_text:(
"Invoke-ShareFinder" or
"Invoke-ShareFinderThreaded" or
(
"shi1_netname" and
"shi1_remark"
) or
(
"NetShareEnum" and
"NetApiBufferFree"
)
) and not user.id : "S-1-5-18"
PowerShell Suspicious Payload Encoded and Compressed
Identifies PowerShell script block content that combines Base64 decoding with .NET decompression (Deflate/GZip).
Attackers use this pattern to deobfuscate and reconstruct payloads in memory to evade defenses.
Show query
event.category:process and host.os.type:windows and
powershell.file.script_block_entropy_bits >= 4.5 and
powershell.file.script_block_text : (
(
"System.IO.Compression.DeflateStream" or
"System.IO.Compression.GzipStream" or
"IO.Compression.DeflateStream" or
"IO.Compression.GzipStream"
) and
FromBase64String
) and
not user.id : "S-1-5-18"
PowerShell Suspicious Script with Audio Capture Capabilities
Detects PowerShell script block content that invokes microphone capture routines or WinMM audio APIs.
Adversaries may use audio recording to surveil users or capture sensitive conversations for theft or extortion.
Show query
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
"Get-MicrophoneAudio" or
("Get-AudioDevice" and "Recording" and "Set-AudioDevice") or
"WindowsAudioDevice-Powershell-Cmdlet" or
(
"winmm.dll" and
(
"waveInGetNumDevs" or "waveInOpen" or "waveInStart" or
"mciSendString" or "mciSendStringA" or "mciSendStringW"
)
)
) and
not powershell.file.script_block_text : (
"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
)
PowerShell Suspicious Script with Screenshot Capabilities
Detects PowerShell script block content that uses CopyFromScreen with .NET bitmap classes to capture screenshots.
Attackers use screen capture to collect on-screen information and credentials.
Show query
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
CopyFromScreen and
("System.Drawing.Bitmap" or "Drawing.Bitmap")
) and not user.id : "S-1-5-18"
Printer User (lp) Shell Execution
This detection rule addresses multiple vulnerabilities in the CUPS printing system, including CVE-2024-47176,
CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177. Specifically, this rule detects shell executions from the foomatic-rip
parent process through the default printer user (lp). These flaws impact components like cups-browsed, libcupsfilters,
libppd, and foomatic-rip, allowing remote unauthenticated attackers to manipulate IPP URLs or inject malicious data
through crafted UDP packets or network spoofing. This can result in arbitrary command execution when a print job is
initiated.
Show query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "ProcessRollup2", "ProcessRollup2") and user.name == "lp" and
process.parent.name in ("cupsd", "foomatic-rip", "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and not (
process.command_line like (
"*/tmp/foomatic-*", "*-sDEVICE=ps2write*", "*printf*", "/bin/sh -e -c cat", "/bin/bash -c cat",
"/bin/bash -e -c cat"
) or
process.args like ("gs*", "/usr/bin/lsb_release", "/usr/lib/cups/filter/gstopdf")
)
Private Key Searching Activity
This rule detects private key searching activity on Linux systems. Searching for private keys can be an indication of an
attacker attempting to escalate privileges or exfiltrate sensitive information.
Show query
process where host.os.type == "linux" and event.type == "start" and
event.action in ("exec", "exec_event", "start", "ProcessRollup2", "process_started", "executed") and
process.name == "find" and
process.command_line like ("*id_dsa*", "*id_rsa*", "*id_ed*", "*id_ecdsa*", "*id_xmss*", "*id_dh*") and
process.command_line like ("*/home/*", "*/etc/ssh*", "*/root/*", "/")
Privilege Escalation via Named Pipe Impersonation
Identifies a privilege escalation attempt via named pipe impersonation. An adversary may abuse this technique by
utilizing a framework such as Metasploit's meterpreter getsystem command.
Show query
process where host.os.type == "windows" and event.type == "start" and
(process.name : ("Cmd.Exe", "PowerShell.EXE") or ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE")) and
process.args : "echo" and process.args : ">" and process.args : "\\\\.\\pipe\\*"
Privilege Escalation via Rogue Named Pipe Impersonation
Identifies a privilege escalation attempt via rogue named pipe impersonation. An adversary may abuse this technique by
masquerading as a known named pipe and manipulating a privileged process to connect to it.
Show query
file where host.os.type == "windows" and event.provider == "Microsoft-Windows-Sysmon" and /* Named Pipe Creation */ event.code == "17" and /* Sysmon truncates the "Pipe" keyword in normal named pipe creation events */ file.name : "\\*\\Pipe\\*"
Privilege Escalation via Root Crontab File Modification
Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root
privileges by exploiting privileged file write or move related vulnerabilities.
Show query
file where host.os.type == "macos" and event.action == "modification" and file.path like "/private/var/at/tabs/root" and not process.executable like "/usr/bin/crontab"
Privilege Escalation via Windir Environment Variable
Identifies a privilege escalation attempt via a rogue Windows directory (Windir) environment variable. This is a known
primitive that is often combined with other vulnerabilities to elevate privileges.
Show query
registry where host.os.type == "windows" and event.type == "change" and
registry.value : ("windir", "systemroot") and registry.data.strings != null and
registry.path : (
"*\\Environment\\windir",
"*\\Environment\\systemroot"
) and
not registry.data.strings : ("C:\\windows", "%SystemRoot%")
Privileged Container Creation with Host Directory Mount
This rule detects the creation of privileged containers that mount host directories into the container's filesystem.
Such configurations can be exploited by attackers to escape the container isolation and gain access to the host system,
potentially leading to privilege escalation and lateral movement within the environment.
Show query
process where event.type == "start" and event.action in ("exec", "exec_event", "start", "ProcessRollup2", "executed", "process_started") and
process.name == "docker" and process.args == "--privileged" and process.args == "run" and
process.args == "-v" and process.args like "/:/*" and
not (
(process.args == "aktosecurity/mirror-api-logging:k8s_ebpf" and process.args == "akto-api-security-traffic-collector") or
(process.args like "goharbor/prepare:*" and process.args in ("/:/hostfs", "/:/hostfs/"))
)
Privileges Elevation via Parent Process PID Spoofing
Identifies parent process spoofing used to create an elevated child process. Adversaries may spoof the parent process
identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.
Show query
/* This rule is compatible with Elastic Endpoint only */
process where host.os.type == "windows" and event.action == "start" and
/* process creation via seclogon */
process.parent.Ext.real.pid > 0 and
/* PrivEsc to SYSTEM */
user.id : "S-1-5-18" and
/* Common FPs - evasion via hollowing is possible, should be covered by code injection */
not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\SysWOW64\\WerFault.exe",
"?:\\Windows\\System32\\WerFaultSecure.exe",
"?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
"?:\\Windows\\System32\\Wermgr.exe",
"?:\\Windows\\SysWOW64\\Wermgr.exe",
"?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and
/* Logon Utilities */
not (process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
process.executable : ("?:\\Windows\\System32\\osk.exe",
"?:\\Windows\\System32\\Narrator.exe",
"?:\\Windows\\System32\\Magnify.exe",
"?:\\Windows\\System32\\VoiceAccess.exe")) and
not process.parent.executable : "?:\\Windows\\System32\\AtBroker.exe" and
not (process.code_signature.subject_name in
("philandro Software GmbH", "Freedom Scientific Inc.", "TeamViewer Germany GmbH", "Projector.is, Inc.",
"TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc") and process.code_signature.trusted == true) and
/* AM_Delta_Patch Windows Update */
not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and
process.parent.executable : ("?:\\Windows\\System32\\wuauclt.exe",
"?:\\Windows\\SysWOW64\\wuauclt.exe",
"?:\\Windows\\UUS\\Packages\\Preview\\*\\wuaucltcore.exe",
"?:\\Windows\\UUS\\amd64\\wuauclt.exe",
"?:\\Windows\\UUS\\amd64\\wuaucltcore.exe",
"?:\\ProgramData\\Microsoft\\Windows\\UUS\\*\\wuaucltcore.exe")) and
not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and process.parent.executable == null) and
/* Other third party SW */
not process.parent.executable :
("?:\\Program Files (x86)\\HEAT Software\\HEAT Remote\\HEATRemoteServer.exe",
"?:\\Program Files (x86)\\VisualCron\\VisualCronService.exe",
"?:\\Program Files\\BinaryDefense\\Vision\\Agent\\bds-vision-agent-app.exe",
"?:\\Program Files\\Tablet\\Wacom\\WacomHost.exe",
"?:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe",
"?:\\Program Files (x86)\\EMC Captiva\\Captiva Cloud Runtime\\Emc.Captiva.WebCaptureRunner.exe",
"?:\\Program Files\\Freedom Scientific\\*.exe",
"?:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*\\remoting_host.exe",
"?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe") and
not (
process.code_signature.trusted == true and process.code_signature.subject_name == "Netwrix Corporation" and
process.name : "adcrcpy.exe" and process.parent.name : (
"Netwrix.ADA.EventCollector.exe",
"Netwrix.ADA.Analyzer.exe"
)
)
Process Created with an Elevated Token
Identifies the creation of a process running as SYSTEM while impersonating the token context of a Windows core binary.
Adversaries may create a new process with a different token to escalate privileges and bypass access controls.
Show query
process where host.os.type == "windows" and event.action == "start" and
/* CreateProcessWithToken and effective parent is a privileged MS native binary used as a target for token theft */
user.id == "S-1-5-18" and process.parent.executable != null and
/* Token Theft target process usually running as service are located in one of the following paths */
process.Ext.effective_parent.executable : "?:\\Windows\\*.exe" and
/* Ignores Utility Manager in Windows running in debug mode */
not (process.Ext.effective_parent.executable : "?:\\Windows\\System32\\Utilman.exe" and
process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and process.parent.args : "/debug") and
/* Ignores Windows print spooler service with correlation to Access Intelligent Form */
not (process.parent.executable : ("?:\\Windows\\System32\\spoolsv.exe", "?:\\Windows\\System32\\PrintIsolationHost.exe") and
process.executable: ("?:\\Program Files\\*.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Windows\\System32\\spool\\drivers\\*.exe",
"?:\\Windows\\System32\\ROUTE.EXE")) and
/* Ignores Windows error reporting executables */
not process.executable : ("?:\\Windows\\System32\\WerFault.exe",
"?:\\Windows\\SysWOW64\\WerFault.exe",
"?:\\Windows\\System32\\WerFaultSecure.exe",
"?:\\Windows\\SysWOW64\\WerFaultSecure.exe",
"?:\\windows\\system32\\WerMgr.exe",
"?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and
/* Ignores Windows updates from TiWorker.exe that runs with elevated privileges */
not (process.parent.executable : "?:\\Windows\\WinSxS\\*\\TiWorker.exe" and
process.executable : ("?:\\Windows\\Microsoft.NET\\Framework*.exe",
"?:\\Windows\\WinSxS\\*.exe",
"?:\\Windows\\System32\\inetsrv\\iissetup.exe",
"?:\\Windows\\SysWOW64\\inetsrv\\iissetup.exe",
"?:\\Windows\\System32\\inetsrv\\aspnetca.exe",
"?:\\Windows\\SysWOW64\\inetsrv\\aspnetca.exe",
"?:\\Windows\\System32\\lodctr.exe",
"?:\\Windows\\SysWOW64\\lodctr.exe",
"?:\\Windows\\System32\\netcfg.exe",
"?:\\Windows\\Microsoft.NET\\Framework*\\*\\ngen.exe",
"?:\\Windows\\Microsoft.NET\\Framework*\\*\\aspnet_regiis.exe")) and
/* Ignores additional parent executables that run with elevated privileges */
not process.parent.executable :
("?:\\Windows\\System32\\AtBroker.exe",
"?:\\Windows\\system32\\svchost.exe",
"?:\\Program Files (x86)\\*.exe",
"?:\\Program Files\\*.exe",
"?:\\Windows\\System32\\msiexec.exe",
"?:\\Windows\\System32\\DriverStore\\*",
"?:\\Windows\\LTSvc\\*\\Update.exe") and
/* Ignores Windows binaries with a trusted signature and specific signature name */
not (process.code_signature.trusted == true and
process.code_signature.subject_name :
("philandro Software GmbH",
"Freedom Scientific Inc.",
"TeamViewer Germany GmbH",
"Projector.is, Inc.",
"TeamViewer GmbH",
"Cisco WebEx LLC",
"Dell Inc",
"Sophos Ltd",
"Sophos Limited",
"Brother Industries, Ltd.",
"MILVUS INOVACOES EM SOFTWARE LTDA",
"Chocolatey Software, Inc")) and
not (process.Ext.effective_parent.executable : "?:\\Windows\\servicing\\TrustedInstaller.exe" and
process.executable : "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_*\\TiWorker.exe") and
not process.Ext.effective_parent.executable : "?:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\ServicePortalAgent\\current\\emulator\\MmrAgent.NetFxEmulator.exe"
Process Injection - Detected - Elastic Endgame
Elastic Endgame detected Process Injection. Click the Elastic Endgame icon in the event.module column or the link in the
rule.reference column for additional information.
Show query
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event)
Process Spawned from Message-of-the-Day (MOTD)
Message of the day (MOTD) is the message that is presented to the user when a user connects to a Linux server via SSH or
a serial connection. Linux systems contain several default MOTD files located in the "/etc/update-motd.d/" directory.
These scripts run as the root user every time a user connects over SSH or a serial connection. Adversaries may create
malicious MOTD files that grant them persistence onto the target every time a user connects to the system by executing a
backdoor script or command. This rule detects the execution of potentially malicious processes through the MOTD utility.
Show query
process where event.type == "start" and host.os.type == "linux" and event.action in ("exec", "exec_event", "start") and
process.parent.executable like "/etc/update-motd.d/*" and
(
(
process.name in ("bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish") and
(
process.args : ("-i", "-l") or
(process.parent.name == "socat" and process.parent.args : "*exec*")
)
) or
(
process.name : ("nc", "ncat", "netcat", "nc.openbsd") and process.args_count >= 3 and
not process.args : ("-*z*", "-*l*")
) or
(
process.name : "python*" and process.args : "-c" and process.args : (
"*import*pty*spawn*", "*import*subprocess*call*"
)
) or
(
process.name : "perl*" and process.args : "-e" and process.args : "*socket*" and process.args : (
"*exec*", "*system*"
)
) or
(
process.name : "ruby*" and process.args : ("-e", "-rsocket") and process.args : (
"*TCPSocket.new*", "*TCPSocket.open*"
)
) or
(
process.name : "lua*" and process.args : "-e" and process.args : "*socket.tcp*" and process.args : (
"*io.popen*", "*os.execute*"
)
) or
(process.name : "php*" and process.args : "-r" and process.args : "*fsockopen*" and process.args : "*/bin/*sh*") or
(process.name : ("awk", "gawk", "mawk", "nawk") and process.args : "*/inet/tcp/*") or
(process.name in ("openssl", "telnet")) or
(
process.args : (
"./*", "/boot/*", "/dev/shm/*", "/etc/cron.*/*", "/etc/init.d/*", "/etc/update-motd.d/*", "/run/*", "/srv/*",
"/tmp/*", "/var/tmp/*", "/var/log/*", "/opt/*"
) and process.args_count == 1
)
) and
not (
process.parent.args == "--force" or
process.args in ("/usr/games/lolcat", "/usr/bin/screenfetch") or
process.parent.name == "system-crash-notification"
)
Process Started from Process ID (PID) File
Identifies a new process starting from a process ID (PID), lock or reboot file within the temporary file storage
paradigm (tmpfs) directory /var/run directory. On Linux, the PID files typically hold the process ID to track previous
copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables
and other tasks, disguising itself or these files as legitimate PID files.
Show query
process where host.os.type == "linux" and event.type == "start" and user.id == "0" and process.executable regex~ """/var/run/\w+\.(pid|lock|reboot) """
Prompt for Credentials with Osascript
Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for
credentials.
Show query
process where event.action == "exec" and host.os.type == "macos" and
process.name == "osascript" and process.args == "-e" and process.command_line like~ ("*osascript*display*dialog*password*", "*osascript*display*dialog*passphrase*", "*osascript*display*dialog*authenticate*", "*pass*display*dialog*") and
not (process.parent.executable == "/usr/bin/sudo" and process.command_line like~ "*Encryption Key Escrow*") and
not (process.command_line like~ "*-e with timeout of 3600 seconds*" and user.id like "0" and process.parent.executable == "/bin/bash") and
not process.parent.command_line like "sudo*" and
not process.Ext.effective_parent.executable like~
("/usr/local/jamf/*",
"/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon",
"/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM",
"/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent",
"/Applications/Karabiner-Elements.app/Contents/MacOS/Karabiner-Elements",
"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon",
"/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService")
Proxy Execution via Console Window Host
Identifies abuse of the Console Window Host (conhost.exe) to execute commands via proxy. This behavior is used as a defense
evasion technique to blend-in malicious activity with legitimate Windows software.
Show query
process where host.os.type == "windows" and event.type == "start" and
process.name : "conhost.exe" and process.args : "--headless" and
process.command_line : (
"*powershell*", "*cmd *", "*cmd.exe *", "*script*", "*mshta*", "*curl *", "*curl.exe *", "*^*^*^*",
"*.bat*", "*.cmd*", "*schtasks*", "*@SSL*", "*http*", "* \\\\*", "*.vbs*", "*.js*", "*mhsta*"
) and
not (
/* Winget-AutoUpdate via ServiceUI */
process.parent.executable : "?:\\Program Files\\winget-autoupdate*\\serviceui.exe" or
/* Winget-AutoUpdate notification via Task Scheduler */
(
process.parent.executable : "?:\\Windows\\System32\\svchost.exe" and process.parent.args : "-s" and
process.parent.args : "Schedule" and process.command_line : "*WAU-Notify.ps1*"
) or
/* Windows OpenSSH console host — SSH-specific detection handled by 8cd49fbc-a35a-4418-8688-133cc3a1e548 */
process.parent.executable : (
"?:\\Windows\\System32\\OpenSSH\\sshd.exe",
"?:\\Windows\\System32\\OpenSSH\\sshd-session.exe",
"?:\\Program Files\\OpenSSH*\\sshd.exe",
"?:\\Program Files\\OpenSSH*\\sshd-session.exe"
)
)
Proxy Execution via Windows OpenSSH
Identifies attempts to execute commands via proxy using the Windows OpenSSH client. This may indicate an attempt
to bypass application control via trusted Windows binaries.
Show query
process where host.os.type == "windows" and event.type == "start" and process.name : ("ssh.exe", "sftp.exe") and
process.command_line : (
"*Command=*powershell*", "*schtasks*", "*Command=*@echo off*", "*Command=*http*",
"*Command=*mshta*", "*Command=*msiexec*", "*Command=*cmd /c*", "*Command=*cmd.exe*",
"*Command=\"cmd /c*", "*LocalCommand=scp*&&*", "*LocalCommand=?scp*&&*", "*Command=*script*"
)
Showing 301-350 of 4,399