Tool
Splunk
12,781 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 12,781
Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
from * metadata _id, _index, _version | where TargetObject like "*Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\lsass.exe*"
Potential Credential Dumping Via LSASS SilentProcessExit Technique
Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
TargetObject:*Microsoft\\Windows\ NT\\CurrentVersion\\SilentProcessExit\\lsass.exe*
Potential DCOM InternetExplorer.Application DLL Hijack
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
any where Image:"System" and TargetFilename:"*\\Internet Explorer\\iertutil.dll"
Potential DCOM InternetExplorer.Application DLL Hijack
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
from * metadata _id, _index, _version | where Image=="System" and ends_with(TargetFilename, "\\Internet Explorer\\iertutil.dll")
Potential DCOM InternetExplorer.Application DLL Hijack
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network
Image:System AND TargetFilename:*\\Internet\ Explorer\\iertutil.dll
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
any where Image:"*\\Internet Explorer\\iexplore.exe" and ImageLoaded:"*\\Internet Explorer\\iertutil.dll"
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
from * metadata _id, _index, _version | where ends_with(Image, "\\Internet Explorer\\iexplore.exe") and ends_with(ImageLoaded, "\\Internet Explorer\\iertutil.dll")
Potential DCOM InternetExplorer.Application DLL Hijack - Image Load
Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class
Image:*\\Internet\ Explorer\\iexplore.exe AND ImageLoaded:*\\Internet\ Explorer\\iertutil.dll
Potential Dridex Activity
Detects potential Dridex activity via specific process patterns
any where ((Image:"*\\svchost.exe" and (CommandLine:"*C:\\Users\\*" and CommandLine:"*\\Desktop\\*")) and (not ParentImage:"C:\\Windows\\System32\\*")) or ((ParentImage:"*\\excel.exe" and Image:"*\\regsvr32.exe" and (CommandLine like~ ("* -s *", "*\\AppData\\Local\\Temp\\*"))) and (not CommandLine:"*.dll*")) or (ParentImage:"*\\svchost.exe" and ((Image:"*\\whoami.exe" and CommandLine:"* /all*") or ((Image like~ ("*\\net.exe", "*\\net1.exe")) and CommandLine:"* view*")))
Potential Dridex Activity
Detects potential Dridex activity via specific process patterns
from * metadata _id, _index, _version | where ends_with(Image, "\\svchost.exe") and CommandLine like "*C:\\Users\\*" and CommandLine like "*\\Desktop\\*" and not starts_with(ParentImage, "C:\\Windows\\System32\\") or ends_with(ParentImage, "\\excel.exe") and ends_with(Image, "\\regsvr32.exe") and (CommandLine like "* -s *" or CommandLine like "*\\AppData\\Local\\Temp\\*") and not CommandLine like "*.dll*" or ends_with(ParentImage, "\\svchost.exe") and (ends_with(Image, "\\whoami.exe") and CommandLine like "* /all*" or (ends_with(Image, "\\net.exe") or ends_with(Image, "\\net1.exe")) and CommandLine like "* view*")
Potential Dridex Activity
Detects potential Dridex activity via specific process patterns
((Image:*\\svchost.exe AND (CommandLine:*C\:\\Users\\* AND CommandLine:*\\Desktop\\*)) AND (NOT ParentImage:C\:\\Windows\\System32\\*)) OR ((ParentImage:*\\excel.exe AND Image:*\\regsvr32.exe AND (CommandLine:(*\ \-s\ * OR *\\AppData\\Local\\Temp\\*))) AND (NOT CommandLine:*.dll*)) OR (ParentImage:*\\svchost.exe AND ((Image:*\\whoami.exe AND CommandLine:*\ \/all*) OR ((Image:(*\\net.exe OR *\\net1.exe)) AND CommandLine:*\ view*)))
Potential Dtrack RAT Activity
Detects potential Dtrack RAT activity via specific process patterns
any where CommandLine regex~ "ping\s+-n.{6,64}echo EEEE\s?>\s?" or (CommandLine regex~ "ipconfig\s+\/all" and CommandLine:"*\\temp\\res.ip*") or (CommandLine:"*interface ip show config*" and CommandLine:"*\\temp\\netsh.res*")
Potential Dtrack RAT Activity
Detects potential Dtrack RAT activity via specific process patterns
from * metadata _id, _index, _version | where CommandLine rlike "ping\\s+-n.{6,64}echo EEEE\\s?>\\s?" or CommandLine rlike "ipconfig\\s+/all" and CommandLine like "*\\temp\\res.ip*" or CommandLine like "*interface ip show config*" and CommandLine like "*\\temp\\netsh.res*"
Potential Dtrack RAT Activity
Detects potential Dtrack RAT activity via specific process patterns
CommandLine:/ping\s+-n.{6,64}echo EEEE\s?>\s?/ OR (CommandLine:/ipconfig\s+\/all/ AND CommandLine:*\\temp\\res.ip*) OR (CommandLine:*interface\ ip\ show\ config* AND CommandLine:*\\temp\\netsh.res*)
Potential Emotet Rundll32 Execution
Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
any where ((Image:"*\\rundll32.exe" or OriginalFileName:"RUNDLL32.EXE") and (CommandLine like~ ("*,RunDLL", "*,Control_RunDLL"))) and (not ((CommandLine like~ ("*.dll,Control_RunDLL", "*.dll\",Control_RunDLL", "*.dll',Control_RunDLL")) or ParentImage:"*\\tracker.exe"))
Potential Emotet Rundll32 Execution
Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
from * metadata _id, _index, _version | where (ends_with(Image, "\\rundll32.exe") or OriginalFileName=="RUNDLL32.EXE") and (ends_with(CommandLine, ",RunDLL") or ends_with(CommandLine, ",Control_RunDLL")) and not (ends_with(CommandLine, ".dll,Control_RunDLL") or ends_with(CommandLine, ".dll\",Control_RunDLL") or ends_with(CommandLine, ".dll',Control_RunDLL") or ends_with(ParentImage, "\\tracker.exe"))
Potential Emotet Rundll32 Execution
Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
((Image:*\\rundll32.exe OR OriginalFileName:RUNDLL32.EXE) AND (CommandLine:(*,RunDLL OR *,Control_RunDLL))) AND (NOT ((CommandLine:(*.dll,Control_RunDLL OR *.dll\",Control_RunDLL OR *.dll',Control_RunDLL)) OR ParentImage:*\\tracker.exe))
Elastic · Original · KQL · critical · T1003, T1003.001, T1003.002, T1003.004, T1003.005, T1003.006, T1555, T1555.004, T1649, T1558, T1550, T1550.002, T1550.003
Potential Invoke-Mimikatz PowerShell Script
Identifies PowerShell script block content containing Invoke-Mimikatz or Mimikatz commands used to dump credentials,
extract password stores, export certificates, or use alternate authentication material. These patterns can indicate
in-memory credential access and require reconstructed script context and follow-on telemetry to assess impact.
Potential Maze Ransomware Activity
Detects specific process characteristics of Maze ransomware word document droppers
any where (ParentImage:"*\\WINWORD.exe" and Image:"*.tmp") or (Image:"*\\wmic.exe" and ParentImage:"*\\Temp\\*" and CommandLine:"*shadowcopy delete") or (CommandLine:"*shadowcopy delete" and CommandLine:"*\\..\\..\\system32*")
Potential Maze Ransomware Activity
Detects specific process characteristics of Maze ransomware word document droppers
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\WINWORD.exe") and ends_with(Image, ".tmp") or ends_with(Image, "\\wmic.exe") and ParentImage like "*\\Temp\\*" and ends_with(CommandLine, "shadowcopy delete") or ends_with(CommandLine, "shadowcopy delete") and CommandLine like "*\\..\\..\\system32*"
Potential Maze Ransomware Activity
Detects specific process characteristics of Maze ransomware word document droppers
(ParentImage:*\\WINWORD.exe AND Image:*.tmp) OR (Image:*\\wmic.exe AND ParentImage:*\\Temp\\* AND CommandLine:*shadowcopy\ delete) OR (CommandLine:*shadowcopy\ delete AND CommandLine:*\\..\\..\\system32*)
Potential QBot Activity
Detects potential QBot activity by looking for process executions used previously by QBot
any where (ParentImage:"*\\WinRAR.exe" and Image:"*\\wscript.exe") or CommandLine:"* /c ping.exe -n 6 127.0.0.1 & type *" or (CommandLine:"*regsvr32.exe*" and CommandLine:"*C:\\ProgramData*" and CommandLine:"*.tmp*")
Potential QBot Activity
Detects potential QBot activity by looking for process executions used previously by QBot
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\WinRAR.exe") and ends_with(Image, "\\wscript.exe") or CommandLine like "* /c ping.exe -n 6 127.0.0.1 & type *" or CommandLine like "*regsvr32.exe*" and CommandLine like "*C:\\ProgramData*" and CommandLine like "*.tmp*"
Potential QBot Activity
Detects potential QBot activity by looking for process executions used previously by QBot
(ParentImage:*\\WinRAR.exe AND Image:*\\wscript.exe) OR CommandLine:*\ \/c\ ping.exe\ \-n\ 6\ 127.0.0.1\ \&\ type\ * OR (CommandLine:*regsvr32.exe* AND CommandLine:*C\:\\ProgramData* AND CommandLine:*.tmp*)
Potential Redis Lua Use-After-Free RCE Attempt (CVE-2025-49844 / RediShell)
This rule detects exploitation attempts targeting CVE-2025-49844 (RediShell), a CVSS 10.0 use-after-free
vulnerability in the Redis Lua interpreter. An authenticated attacker sends an EVAL command containing a Lua
script that calls string.rep() to create memory pressure and collectgarbage('collect') to force garbage
collection, exploiting a use-after-free in the Lua parser to achieve remote code execution.
Potential Russian APT Credential Theft Activity
Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
any where (CommandLine:"*xcopy /S /E /C /Q /H \\\\*" and CommandLine:"*\\sysvol\\*") or (CommandLine:"*adexplorer -snapshot \"\" c:\\users\\*" and CommandLine:"*\\downloads\\*" and CommandLine:"*.snp*")
Potential Russian APT Credential Theft Activity
Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
from * metadata _id, _index, _version | where CommandLine like "*xcopy /S /E /C /Q /H \\\\*" and CommandLine like "*\\sysvol\\*" or CommandLine like "*adexplorer -snapshot \"\" c:\\users\\*" and CommandLine like "*\\downloads\\*" and CommandLine like "*.snp*"
Potential Russian APT Credential Theft Activity
Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
(CommandLine:*xcopy\ \/S\ \/E\ \/C\ \/Q\ \/H\ \\\\* AND CommandLine:*\\sysvol\\*) OR (CommandLine:*adexplorer\ \-snapshot\ \"\"\ c\:\\users\\* AND CommandLine:*\\downloads\\* AND CommandLine:*.snp*)
Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
any where ((Image like~ ("*PetitPotam*", "*RottenPotato*", "*HotPotato*", "*JuicyPotato*", "*\\just_dce_*", "*Juicy Potato*", "*\\temp\\rot.exe*", "*\\Potato.exe*", "*\\SpoolSample.exe*", "*\\Responder.exe*", "*\\smbrelayx*", "*\\ntlmrelayx*", "*\\LocalPotato*")) or (CommandLine like~ ("*Invoke-Tater*", "* smbrelay*", "* ntlmrelay*", "*cme smb *", "* /ntlm:NTLMhash *", "*Invoke-PetitPotam*", "*.exe -t * -p *")) or (CommandLine:"*.exe -c \"{*" and CommandLine:"*}\" -z")) and (not (Image like~ ("*HotPotatoes6*", "*HotPotatoes7*", "*HotPotatoes *")))
Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
from * metadata _id, _index, _version | where (Image like "*PetitPotam*" or Image like "*RottenPotato*" or Image like "*HotPotato*" or Image like "*JuicyPotato*" or Image like "*\\just_dce_*" or Image like "*Juicy Potato*" or Image like "*\\temp\\rot.exe*" or Image like "*\\Potato.exe*" or Image like "*\\SpoolSample.exe*" or Image like "*\\Responder.exe*" or Image like "*\\smbrelayx*" or Image like "*\\ntlmrelayx*" or Image like "*\\LocalPotato*" or CommandLine like "*Invoke-Tater*" or CommandLine like "* smbrelay*" or CommandLine like "* ntlmrelay*" or CommandLine like "*cme smb *" or CommandLine like "* /ntlm:NTLMhash *" or CommandLine like "*Invoke-PetitPotam*" or CommandLine like "*.exe -t * -p *" or CommandLine like "*.exe -c \"{*" and ends_with(CommandLine, "}\" -z")) and not (Image like "*HotPotatoes6*" or Image like "*HotPotatoes7*" or Image like "*HotPotatoes *")
Potential SMB Relay Attack Tool Execution
Detects different hacktools used for relay attacks on Windows for privilege escalation
((Image:(*PetitPotam* OR *RottenPotato* OR *HotPotato* OR *JuicyPotato* OR *\\just_dce_* OR *Juicy\ Potato* OR *\\temp\\rot.exe* OR *\\Potato.exe* OR *\\SpoolSample.exe* OR *\\Responder.exe* OR *\\smbrelayx* OR *\\ntlmrelayx* OR *\\LocalPotato*)) OR (CommandLine:(*Invoke\-Tater* OR *\ smbrelay* OR *\ ntlmrelay* OR *cme\ smb\ * OR *\ \/ntlm\:NTLMhash\ * OR *Invoke\-PetitPotam* OR *.exe\ \-t\ *\ \-p\ *)) OR (CommandLine:*.exe\ \-c\ \"\{* AND CommandLine:*\}\"\ \-z)) AND (NOT (Image:(*HotPotatoes6* OR *HotPotatoes7* OR *HotPotatoes\ *)))
Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
Detects the creation of files such as spinstall0.aspx, which may indicate successful exploitation of CVE-2025-53770.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
any where (TargetFilename like~ ("C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*", "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\*")) and (TargetFilename like~ ("*\\15\\TEMPLATE\\LAYOUTS\\*", "*\\16\\TEMPLATE\\LAYOUTS\\*")) and (TargetFilename like~ ("*\\spinstall.aspx", "*\\spinstall?.aspx", "*\\debug_dev.js"))
Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
Detects the creation of files such as spinstall0.aspx, which may indicate successful exploitation of CVE-2025-53770.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
from * metadata _id, _index, _version | where (starts_with(TargetFilename, "C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\") or starts_with(TargetFilename, "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\Web Server Extensions\\")) and (TargetFilename like "*\\15\\TEMPLATE\\LAYOUTS\\*" or TargetFilename like "*\\16\\TEMPLATE\\LAYOUTS\\*") and (ends_with(TargetFilename, "\\spinstall.aspx") or TargetFilename like "*\\spinstall?.aspx" or ends_with(TargetFilename, "\\debug_dev.js"))
Potential SharePoint ToolShell CVE-2025-53770 Exploitation - File Create
Detects the creation of files such as spinstall0.aspx, which may indicate successful exploitation of CVE-2025-53770.
CVE-2025-53770 is a zero-day vulnerability in SharePoint that allows remote code execution.
(TargetFilename:(C\:\\Program\ Files\\Common\ Files\\Microsoft\ Shared\\Web\ Server\ Extensions\\* OR C\:\\Program\ Files\ \(x86\)\\Common\ Files\\Microsoft\ Shared\\Web\ Server\ Extensions\\*)) AND (TargetFilename:(*\\15\\TEMPLATE\\LAYOUTS\\* OR *\\16\\TEMPLATE\\LAYOUTS\\*)) AND (TargetFilename:(*\\spinstall.aspx OR *\\spinstall?.aspx OR *\\debug_dev.js))
Potential SystemNightmare Exploitation Attempt
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
any where CommandLine like~ ("*printnightmare.gentilkiwi.com*", "* /user:gentilguest *", "*Kiwi Legit Printer*")
Potential SystemNightmare Exploitation Attempt
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
from * metadata _id, _index, _version | where CommandLine like "*printnightmare.gentilkiwi.com*" or CommandLine like "* /user:gentilguest *" or CommandLine like "*Kiwi Legit Printer*"
Potential SystemNightmare Exploitation Attempt
Detects an exploitation attempt of SystemNightmare in order to obtain a shell as LOCAL_SYSTEM
CommandLine:(*printnightmare.gentilkiwi.com* OR *\ \/user\:gentilguest\ * OR *Kiwi\ Legit\ Printer*)
Potential Telnet Authentication Bypass (CVE-2026-24061)
Identifies potential exploitation of a Telnet remote authentication bypass vulnerability (CVE-2026-24061) in GNU Inetutils
telnetd. The vulnerability allows unauthenticated access by supplying a crafted `-f <username>` value via the `USER` environment
variable, resulting in a login process spawned with elevated privileges.
PrinterNightmare Mimikatz Driver Name
Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
any where (TargetObject like~ ("*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\*", "*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz*")) or (TargetObject:"*legitprinter*" and TargetObject:"*\\Control\\Print\\Environments\\Windows*") or ((TargetObject like~ ("*\\Control\\Print\\Environments*", "*\\CurrentVersion\\Print\\Printers*")) and (TargetObject like~ ("*Gentil Kiwi*", "*mimikatz printer*", "*Kiwi Legit Printer*")))
PrinterNightmare Mimikatz Driver Name
Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
from * metadata _id, _index, _version | where TargetObject like "*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\QMS 810\\*" or TargetObject like "*\\Control\\Print\\Environments\\Windows x64\\Drivers\\Version-3\\mimikatz*" or TargetObject like "*legitprinter*" and TargetObject like "*\\Control\\Print\\Environments\\Windows*" or (TargetObject like "*\\Control\\Print\\Environments*" or TargetObject like "*\\CurrentVersion\\Print\\Printers*") and (TargetObject like "*Gentil Kiwi*" or TargetObject like "*mimikatz printer*" or TargetObject like "*Kiwi Legit Printer*")
PrinterNightmare Mimikatz Driver Name
Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
(TargetObject:(*\\Control\\Print\\Environments\\Windows\ x64\\Drivers\\Version\-3\\QMS\ 810\\* OR *\\Control\\Print\\Environments\\Windows\ x64\\Drivers\\Version\-3\\mimikatz*)) OR (TargetObject:*legitprinter* AND TargetObject:*\\Control\\Print\\Environments\\Windows*) OR ((TargetObject:(*\\Control\\Print\\Environments* OR *\\CurrentVersion\\Print\\Printers*)) AND (TargetObject:(*Gentil\ Kiwi* OR *mimikatz\ printer* OR *Kiwi\ Legit\ Printer*)))
ProxyLogon MSExchange OabVirtualDirectory
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
any where ("OabVirtualDirectory" and " -ExternalUrl ") and ("eval(request" or "http://f/<script" or "\"unsafe\"};" or "function Page_Load()")
ProxyLogon MSExchange OabVirtualDirectory
Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
(*OabVirtualDirectory* AND *\ \-ExternalUrl\ *) AND (*eval\(request* OR *http\:\/\/f\/\<script* OR *\"unsafe\"\};* OR *function\ Page_Load\(\)*)
ProxyLogon Reset Virtual Directories Based On IIS Log
When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
any where (cs-method:"POST" and sc-status:200 and cs-uri-stem:"/ecp/DDI/DDIService.svc/SetObject" and (cs-uri-query:"*schema=Reset*" and cs-uri-query:"*VirtualDirectory*") and cs-username:"*$") or ("POST" and 200 and "/ecp/DDI/DDIService.svc/SetObject" and "schema=Reset" and "VirtualDirectory" and "$")
ProxyLogon Reset Virtual Directories Based On IIS Log
When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
(cs-method:POST AND sc-status:200 AND cs-uri-stem:\/ecp\/DDI\/DDIService.svc\/SetObject AND (cs-uri-query:*schema\=Reset* AND cs-uri-query:*VirtualDirectory*) AND cs-username:*$) OR (*POST* AND 200 AND *\/ecp\/DDI\/DDIService.svc\/SetObject* AND *schema\=Reset* AND *VirtualDirectory* AND *$*)
Pulse Secure Attack CVE-2019-11510
Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
any where cs-uri-query:"*?/dana/html5acc/guacamole/*"
Pulse Secure Attack CVE-2019-11510
Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
from * metadata _id, _index, _version | where `cs-uri-query` like "*?/dana/html5acc/guacamole/*"
Pulse Secure Attack CVE-2019-11510
Detects CVE-2019-11510 exploitation attempt - URI contains Guacamole
cs-uri-query:*?\/dana\/html5acc\/guacamole\/*
PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
any where c-uri:"*/pwndrop/*"
PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
from * metadata _id, _index, _version | where `c-uri` like "*/pwndrop/*"
Showing 351-400 of 12,781