Tool
Splunk
12,781 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 12,781
NotPetya Ransomware Activity
Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via a named pipe, the file system journal of drive C: is deleted, and the Windows event logs are cleared using wevtutil
(CommandLine:(*wevtutil\ cl\ Application\ \&\ fsutil\ usn\ deletejournal\ \/D\ C\:* OR *dllhost.dat\ %WINDIR%\\ransoms*)) OR (Image:*\\rundll32.exe AND (CommandLine:(*.dat,#1 OR *.dat\ #1 OR *.zip.dll\",#1))) OR *\\perfc.dat*
OWASSRF Exploitation Attempt Using Public POC - Proxy
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to reach the PowerShell backend endpoint
any where c-useragent:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36" and cs-method:"POST" and sc-status:200 and (c-uri:"*/owa/mastermailbox*" and c-uri:"*/powershell*")
OWASSRF Exploitation Attempt Using Public POC - Proxy
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to reach the PowerShell backend endpoint
from * metadata _id, _index, _version | where `c-useragent`=="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36" and `cs-method`=="POST" and `sc-status`==200 and `c-uri` like "*/owa/mastermailbox*" and `c-uri` like "*/powershell*"
OWASSRF Exploitation Attempt Using Public POC - Proxy
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to reach the PowerShell backend endpoint
c-useragent:Mozilla\/5.0\ \(Windows\ NT\ 10.0;\ Win64;\ x64\)\ AppleWebKit\/537.36\ \(KHTML,\ like\ Gecko\)\ Chrome\/105.0.5195.54\ Safari\/537.36 AND cs-method:POST AND sc-status:200 AND (c-uri:*\/owa\/mastermailbox* AND c-uri:*\/powershell*)
OWASSRF Exploitation Attempt Using Public POC - Webserver
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to reach the PowerShell backend endpoint
any where cs-user-agent:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36" and cs-method:"POST" and sc-status:200 and (cs-uri-query:"*/owa/mastermailbox*" and cs-uri-query:"*/powershell*")
OWASSRF Exploitation Attempt Using Public POC - Webserver
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to reach the PowerShell backend endpoint
from * metadata _id, _index, _version | where `cs-user-agent`=="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36" and `cs-method`=="POST" and `sc-status`==200 and `cs-uri-query` like "*/owa/mastermailbox*" and `cs-uri-query` like "*/powershell*"
OWASSRF Exploitation Attempt Using Public POC - Webserver
Detects an exploitation attempt of the OWASSRF variant targeting Exchange servers using the publicly available POC. It uses the OWA endpoint to reach the PowerShell backend endpoint
cs-user-agent:Mozilla\/5.0\ \(Windows\ NT\ 10.0;\ Win64;\ x64\)\ AppleWebKit\/537.36\ \(KHTML,\ like\ Gecko\)\ Chrome\/105.0.5195.54\ Safari\/537.36 AND cs-method:POST AND sc-status:200 AND (cs-uri-query:*\/owa\/mastermailbox* AND cs-uri-query:*\/powershell*)
OceanLotus Registry Activity
Detects registry keys created in OceanLotus (also known as APT32) attacks
any where TargetObject:"*\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model*" or (TargetObject like~ ("*Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\*", "*Classes\\AppX3bbba44c6cae4d9695755183472171e2\\*", "*Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\*", "*Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model*")) or (TargetObject:"*\\SOFTWARE\\App\\*" and ((TargetObject like~ ("*AppXbf13d4ea2945444d8b13e2121cb6b663\\*", "*AppX70162486c7554f7f80f481985d67586d\\*", "*AppX37cc7fdccd644b4f85f4b22d5a3f105a\\*")) and (TargetObject like~ ("*Application", "*DefaultIcon"))))
OceanLotus Registry Activity
Detects registry keys created in OceanLotus (also known as APT32) attacks
from * metadata _id, _index, _version | where TargetObject like "*\\SOFTWARE\\Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model*" or TargetObject like "*Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\*" or TargetObject like "*Classes\\AppX3bbba44c6cae4d9695755183472171e2\\*" or TargetObject like "*Classes\\CLSID\\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\*" or TargetObject like "*Classes\\CLSID\\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\\Model*" or TargetObject like "*\\SOFTWARE\\App\\*" and (TargetObject like "*AppXbf13d4ea2945444d8b13e2121cb6b663\\*" or TargetObject like "*AppX70162486c7554f7f80f481985d67586d\\*" or TargetObject like "*AppX37cc7fdccd644b4f85f4b22d5a3f105a\\*") and (ends_with(TargetObject, "Application") or ends_with(TargetObject, "DefaultIcon"))
OceanLotus Registry Activity
Detects registry keys created in OceanLotus (also known as APT32) attacks
TargetObject:*\\SOFTWARE\\Classes\\CLSID\\\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\Model* OR (TargetObject:(*Classes\\AppXc52346ec40fb4061ad96be0e6cb7d16a\\* OR *Classes\\AppX3bbba44c6cae4d9695755183472171e2\\* OR *Classes\\CLSID\\\{E3517E26\-8E93\-458D\-A6DF\-8030BC80528B\}\\* OR *Classes\\CLSID\\\{E08A0F4B\-1F65\-4D4D\-9A09\-BD4625B9C5A1\}\\Model*)) OR (TargetObject:*\\SOFTWARE\\App\\* AND ((TargetObject:(*AppXbf13d4ea2945444d8b13e2121cb6b663\\* OR *AppX70162486c7554f7f80f481985d67586d\\* OR *AppX37cc7fdccd644b4f85f4b22d5a3f105a\\*)) AND (TargetObject:(*Application OR *DefaultIcon))))
OilRig APT Activity
Detects OilRig activity as reported by Nyotron in their March 2018 report
any where (CommandLine:"*SC Scheduled Scan*" and CommandLine:"*\\microsoft\\Taskbar\\autoit3.exe*") or (Image:"*\\Windows\\Temp\\DB\\*" and Image:"*.exe") or (Image:"C:\\Windows\\system32\\Service.exe" and (CommandLine like~ ("*i*", "*u*"))) or (ParentImage:"*\\local\\microsoft\\Taskbar\\autoit3.exe" and (CommandLine:"*nslookup.exe*" and CommandLine:"*-q=TXT*"))
OilRig APT Activity
Detects OilRig activity as reported by Nyotron in their March 2018 report
from * metadata _id, _index, _version | where CommandLine like "*SC Scheduled Scan*" and CommandLine like "*\\microsoft\\Taskbar\\autoit3.exe*" or Image like "*\\Windows\\Temp\\DB\\*" and ends_with(Image, ".exe") or Image=="C:\\Windows\\system32\\Service.exe" and (CommandLine like "*i*" or CommandLine like "*u*") or ends_with(ParentImage, "\\local\\microsoft\\Taskbar\\autoit3.exe") and CommandLine like "*nslookup.exe*" and CommandLine like "*-q=TXT*"
OilRig APT Activity
Detects OilRig activity as reported by Nyotron in their March 2018 report
(CommandLine:*SC\ Scheduled\ Scan* AND CommandLine:*\\microsoft\\Taskbar\\autoit3.exe*) OR (Image:*\\Windows\\Temp\\DB\\* AND Image:*.exe) OR (Image:C\:\\Windows\\system32\\Service.exe AND (CommandLine:(*i* OR *u*))) OR (ParentImage:*\\local\\microsoft\\Taskbar\\autoit3.exe AND (CommandLine:*nslookup.exe* AND CommandLine:*\-q\=TXT*))
OilRig APT Registry Persistence
Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
any where TargetObject like~ ("*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe", "*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT")
OilRig APT Registry Persistence
Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
from * metadata _id, _index, _version | where ends_with(TargetObject, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe") or ends_with(TargetObject, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT")
OilRig APT Registry Persistence
Detects OilRig registry persistence as reported by Nyotron in their March 2018 report
TargetObject:(*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UMe OR *SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UT)
OilRig APT Schedule Task Persistence - Security
Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report
any where EventID:4698 and (TaskName like~ ("SC Scheduled Scan", "UpdatMachine"))
OilRig APT Schedule Task Persistence - Security
Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report
from * metadata _id, _index, _version | where EventID==4698 and (TaskName in ("SC Scheduled Scan", "UpdatMachine"))
OilRig APT Schedule Task Persistence - Security
Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report
EventID:4698 AND (TaskName:(SC\ Scheduled\ Scan OR UpdatMachine))
OilRig APT Schedule Task Persistence - System
Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report
any where Provider_Name:"Service Control Manager" and EventID:7045 and (ServiceName like~ ("SC Scheduled Scan", "UpdatMachine"))
OilRig APT Schedule Task Persistence - System
Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report
from * metadata _id, _index, _version | where Provider_Name=="Service Control Manager" and EventID==7045 and (ServiceName in ("SC Scheduled Scan", "UpdatMachine"))
OilRig APT Schedule Task Persistence - System
Detects OilRig scheduled task persistence as reported by Nyotron in their March 2018 report
Provider_Name:Service\ Control\ Manager AND EventID:7045 AND (ServiceName:(SC\ Scheduled\ Scan OR UpdatMachine))
Oracle WebLogic Exploit
Detects access to a webshell dropped into a keystore folder on the WebLogic server
any where cs-uri-query:"*/config/keystore/*.js*"
Oracle WebLogic Exploit
Detects access to a webshell dropped into a keystore folder on the WebLogic server
from * metadata _id, _index, _version | where `cs-uri-query` like "*/config/keystore/*.js*"
Oracle WebLogic Exploit
Detects access to a webshell dropped into a keystore folder on the WebLogic server
cs-uri-query:*\/config\/keystore\/*.js*
Oracle WebLogic Exploit CVE-2021-2109
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
any where cs-method:"GET" and (cs-uri-query:"*com.bea.console.handles.JndiBindingHandle*" and cs-uri-query:"*ldap://*" and cs-uri-query:"*AdminServer*")
Oracle WebLogic Exploit CVE-2021-2109
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
from * metadata _id, _index, _version | where `cs-method`=="GET" and `cs-uri-query` like "*com.bea.console.handles.JndiBindingHandle*" and `cs-uri-query` like "*ldap://*" and `cs-uri-query` like "*AdminServer*"
Oracle WebLogic Exploit CVE-2021-2109
Detects the exploitation of the WebLogic server vulnerability described in CVE-2021-2109
cs-method:GET AND (cs-uri-query:*com.bea.console.handles.JndiBindingHandle* AND cs-uri-query:*ldap\:\/\/* AND cs-uri-query:*AdminServer*)
Pandemic Registry Key
Detects Pandemic Windows Implant
any where TargetObject:"*\\SYSTEM\\CurrentControlSet\\services\\null\\Instance*"
Pandemic Registry Key
Detects Pandemic Windows Implant
from * metadata _id, _index, _version | where TargetObject like "*\\SYSTEM\\CurrentControlSet\\services\\null\\Instance*"
Pandemic Registry Key
Detects Pandemic Windows Implant
TargetObject:*\\SYSTEM\\CurrentControlSet\\services\\null\\Instance*
Persistence Via Sticky Key Backdoor
By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system.
When the sticky keys are "activated", the privileged shell is launched.
any where CommandLine:"*copy *" and CommandLine:"*/y *" and CommandLine:"*C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe*"
Persistence Via Sticky Key Backdoor
By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system.
When the sticky keys are "activated", the privileged shell is launched.
from * metadata _id, _index, _version | where CommandLine like "*copy *" and CommandLine like "*/y *" and CommandLine like "*C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe*"
Persistence Via Sticky Key Backdoor
By replacing the sticky keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system.
When the sticky keys are "activated", the privileged shell is launched.
CommandLine:*copy\ * AND CommandLine:*\/y\ * AND CommandLine:*C\:\\windows\\system32\\cmd.exe\ C\:\\windows\\system32\\sethc.exe*
Possible Coin Miner CPU Priority Param
Detects a command line parameter very often used with coin miners
any where a1:"--cpu-priority*" or a2:"--cpu-priority*" or a3:"--cpu-priority*" or a4:"--cpu-priority*" or a5:"--cpu-priority*" or a6:"--cpu-priority*" or a7:"--cpu-priority*"
Possible Coin Miner CPU Priority Param
Detects a command line parameter very often used with coin miners
from * metadata _id, _index, _version | where starts_with(a1, "--cpu-priority") or starts_with(a2, "--cpu-priority") or starts_with(a3, "--cpu-priority") or starts_with(a4, "--cpu-priority") or starts_with(a5, "--cpu-priority") or starts_with(a6, "--cpu-priority") or starts_with(a7, "--cpu-priority")
Possible Coin Miner CPU Priority Param
Detects a command line parameter very often used with coin miners
a1:\-\-cpu\-priority* OR a2:\-\-cpu\-priority* OR a3:\-\-cpu\-priority* OR a4:\-\-cpu\-priority* OR a5:\-\-cpu\-priority* OR a6:\-\-cpu\-priority* OR a7:\-\-cpu\-priority*
Potential CVE-2021-41379 Exploitation Attempt
Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
any where ((Image like~ ("*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe")) or (OriginalFileName like~ ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll"))) and (ParentImage:"*\\elevation_service.exe" and (IntegrityLevel like~ ("System", "S-1-16-16384")))
Potential CVE-2021-41379 Exploitation Attempt
Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
from * metadata _id, _index, _version | where (ends_with(Image, "\\cmd.exe") or ends_with(Image, "\\powershell.exe") or ends_with(Image, "\\pwsh.exe") or OriginalFileName in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll")) and ends_with(ParentImage, "\\elevation_service.exe") and (IntegrityLevel in ("System", "S-1-16-16384"))
Potential CVE-2021-41379 Exploitation Attempt
Detects potential exploitation attempts of CVE-2021-41379 (InstallerFileTakeOver), a local privilege escalation (LPE) vulnerability where the attacker spawns a "cmd.exe" process as a child of Microsoft Edge elevation service "elevation_service" with "LOCAL_SYSTEM" rights
((Image:(*\\cmd.exe OR *\\powershell.exe OR *\\pwsh.exe)) OR (OriginalFileName:(Cmd.Exe OR PowerShell.EXE OR pwsh.dll))) AND (ParentImage:*\\elevation_service.exe AND (IntegrityLevel:(System OR S\-1\-16\-16384)))
Elastic · Converted · EQL · critical
Potential CVE-2023-36884 Exploitation Pattern
Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
any where cs-method:"GET" and c-uri:"*/MSHTML_C7/*" and c-uri regex~ "\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
Elastic · Converted · ES|QL · critical
Potential CVE-2023-36884 Exploitation Pattern
Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
from * metadata _id, _index, _version | where `cs-method`=="GET" and `c-uri` like "*/MSHTML_C7/*" and `c-uri` rlike "\\?d=[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}"
Elastic · Converted · Lucene · critical
Potential CVE-2023-36884 Exploitation Pattern
Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
cs-method:GET AND c-uri:*\/MSHTML_C7\/* AND c-uri:/\?d=[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/
Potential Conti Ransomware Activity
Detects a specific command used by the Conti ransomware group
any where CommandLine:"*-m *" and CommandLine:"*-net *" and CommandLine:"*-size *" and CommandLine:"*-nomutex *" and CommandLine:"*-p \\\\*" and CommandLine:"*$*"
Potential Conti Ransomware Activity
Detects a specific command used by the Conti ransomware group
from * metadata _id, _index, _version | where CommandLine like "*-m *" and CommandLine like "*-net *" and CommandLine like "*-size *" and CommandLine like "*-nomutex *" and CommandLine like "*-p \\\\*" and CommandLine like "*$*"
Potential Conti Ransomware Activity
Detects a specific command used by the Conti ransomware group
CommandLine:*\-m\ * AND CommandLine:*\-net\ * AND CommandLine:*\-size\ * AND CommandLine:*\-nomutex\ * AND CommandLine:*\-p\ \\\\* AND CommandLine:*$*
Potential Credential Dumping Via LSASS Process Clone
Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
any where ParentImage:"*\\Windows\\System32\\lsass.exe" and Image:"*\\Windows\\System32\\lsass.exe"
Potential Credential Dumping Via LSASS Process Clone
Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\Windows\\System32\\lsass.exe") and ends_with(Image, "\\Windows\\System32\\lsass.exe")
Potential Credential Dumping Via LSASS Process Clone
Detects a suspicious LSASS process clone that could be a sign of credential dumping activity
ParentImage:*\\Windows\\System32\\lsass.exe AND Image:*\\Windows\\System32\\lsass.exe
Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
any where TargetObject:"*Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe*"
Showing 301-350 of 12,781