Tool
Splunk
12,781 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 12,781
PwnDrp Access
Detects downloads from PwnDrp web servers developed for red team testing and most likely also used for criminal activity
Show query
c-uri:*\/pwndrop\/*
Elastic
Converted
EQL
critical
Qakbot Rundll32 Exports Execution
Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
Show query
any where ((ParentImage like~ ("*\\cmd.exe", "*\\cscript.exe", "*\\curl.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe")) and Image:"*\\rundll32.exe" and (CommandLine like~ ("*:\\ProgramData\\*", "*:\\Users\\Public\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*"))) and (CommandLine like~ ("*aslr", "*bind", "*DrawThemeIcon", "*GG10", "*GL70", "*jhbvygftr", "*kjhbhkjvydrt", "*LS88", "*Motd", "*N115", "*next", "*Nikn", "*print", "*qqqb", "*qqqq", "*RS32", "*Test", "*Time", "*Updt", "*vips", "*Wind", "*WW50", "*X555", "*XL55", "*xlAutoOpen", "*XS88"))
Elastic
Converted
ES|QL
critical
Qakbot Rundll32 Exports Execution
Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
Show query
from * metadata _id, _index, _version | where (ends_with(ParentImage, "\\cmd.exe") or ends_with(ParentImage, "\\cscript.exe") or ends_with(ParentImage, "\\curl.exe") or ends_with(ParentImage, "\\mshta.exe") or ends_with(ParentImage, "\\powershell.exe") or ends_with(ParentImage, "\\pwsh.exe") or ends_with(ParentImage, "\\wscript.exe")) and ends_with(Image, "\\rundll32.exe") and (CommandLine like "*:\\ProgramData\\*" or CommandLine like "*:\\Users\\Public\\*" or CommandLine like "*\\AppData\\Local\\Temp\\*" or CommandLine like "*\\AppData\\Roaming\\*") and (ends_with(CommandLine, "aslr") or ends_with(CommandLine, "bind") or ends_with(CommandLine, "DrawThemeIcon") or ends_with(CommandLine, "GG10") or ends_with(CommandLine, "GL70") or ends_with(CommandLine, "jhbvygftr") or ends_with(CommandLine, "kjhbhkjvydrt") or ends_with(CommandLine, "LS88") or ends_with(CommandLine, "Motd") or ends_with(CommandLine, "N115") or ends_with(CommandLine, "next") or ends_with(CommandLine, "Nikn") or ends_with(CommandLine, "print") or ends_with(CommandLine, "qqqb") or ends_with(CommandLine, "qqqq") or ends_with(CommandLine, "RS32") or ends_with(CommandLine, "Test") or ends_with(CommandLine, "Time") or ends_with(CommandLine, "Updt") or ends_with(CommandLine, "vips") or ends_with(CommandLine, "Wind") or ends_with(CommandLine, "WW50") or ends_with(CommandLine, "X555") or ends_with(CommandLine, "XL55") or ends_with(CommandLine, "xlAutoOpen") or ends_with(CommandLine, "XS88"))
Elastic
Converted
Lucene
critical
Qakbot Rundll32 Exports Execution
Detects specific process tree behavior of a "rundll32" execution with exports linked with Qakbot activity.
Show query
((ParentImage:(*\\cmd.exe OR *\\cscript.exe OR *\\curl.exe OR *\\mshta.exe OR *\\powershell.exe OR *\\pwsh.exe OR *\\wscript.exe)) AND Image:*\\rundll32.exe AND (CommandLine:(*\:\\ProgramData\\* OR *\:\\Users\\Public\\* OR *\\AppData\\Local\\Temp\\* OR *\\AppData\\Roaming\\*))) AND (CommandLine:(*aslr OR *bind OR *DrawThemeIcon OR *GG10 OR *GL70 OR *jhbvygftr OR *kjhbhkjvydrt OR *LS88 OR *Motd OR *N115 OR *next OR *Nikn OR *print OR *qqqb OR *qqqq OR *RS32 OR *Test OR *Time OR *Updt OR *vips OR *Wind OR *WW50 OR *X555 OR *XL55 OR *xlAutoOpen OR *XS88))
Elastic
Converted
EQL
critical
Qakbot Rundll32 Fake DLL Extension Execution
Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
Show query
any where ((ParentImage like~ ("*\\cmd.exe", "*\\cscript.exe", "*\\curl.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\wscript.exe")) and Image:"*\\rundll32.exe" and (CommandLine like~ ("*:\\ProgramData\\*", "*:\\Users\\Public\\*", "*\\AppData\\Local\\Temp\\*", "*\\AppData\\Roaming\\*"))) and (not CommandLine:"*.dll*")
Elastic
Converted
ES|QL
critical
Qakbot Rundll32 Fake DLL Extension Execution
Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
Show query
from * metadata _id, _index, _version | where (ends_with(ParentImage, "\\cmd.exe") or ends_with(ParentImage, "\\cscript.exe") or ends_with(ParentImage, "\\curl.exe") or ends_with(ParentImage, "\\mshta.exe") or ends_with(ParentImage, "\\powershell.exe") or ends_with(ParentImage, "\\pwsh.exe") or ends_with(ParentImage, "\\wscript.exe")) and ends_with(Image, "\\rundll32.exe") and (CommandLine like "*:\\ProgramData\\*" or CommandLine like "*:\\Users\\Public\\*" or CommandLine like "*\\AppData\\Local\\Temp\\*" or CommandLine like "*\\AppData\\Roaming\\*") and not CommandLine like "*.dll*"
Elastic
Converted
Lucene
critical
Qakbot Rundll32 Fake DLL Extension Execution
Detects specific process tree behavior of a "rundll32" execution where the DLL doesn't have the ".dll" extension. This is often linked with potential Qakbot activity.
Show query
((ParentImage:(*\\cmd.exe OR *\\cscript.exe OR *\\curl.exe OR *\\mshta.exe OR *\\powershell.exe OR *\\pwsh.exe OR *\\wscript.exe)) AND Image:*\\rundll32.exe AND (CommandLine:(*\:\\ProgramData\\* OR *\:\\Users\\Public\\* OR *\\AppData\\Local\\Temp\\* OR *\\AppData\\Roaming\\*))) AND (NOT CommandLine:*.dll*)
REvil Kaseya Incident Malware Patterns
Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
Show query
any where (CommandLine like~ ("*C:\\Windows\\cert.exe*", "*del /q /f c:\\kworking\\agent.crt*", "*Kaseya VSA Agent Hot-fix*", "*\\AppData\\Local\\Temp\\MsMpEng.exe*", "*rmdir /s /q %SystemDrive%\\inetpub\\logs*", "*del /s /q /f %SystemDrive%\\*.log*", "*c:\\kworking1\\agent.exe*", "*c:\\kworking1\\agent.crt*")) or (Image like~ ("C:\\Windows\\MsMpEng.exe", "C:\\Windows\\cert.exe", "C:\\kworking\\agent.exe", "C:\\kworking1\\agent.exe")) or (CommandLine:"*del /s /q /f*" and CommandLine:"*WebPages\\Errors\\webErrorLog.txt*")
REvil Kaseya Incident Malware Patterns
Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
Show query
from * metadata _id, _index, _version | where CommandLine like "*C:\\Windows\\cert.exe*" or CommandLine like "*del /q /f c:\\kworking\\agent.crt*" or CommandLine like "*Kaseya VSA Agent Hot-fix*" or CommandLine like "*\\AppData\\Local\\Temp\\MsMpEng.exe*" or CommandLine like "*rmdir /s /q %SystemDrive%\\inetpub\\logs*" or CommandLine like "*del /s /q /f %SystemDrive%\\*.log*" or CommandLine like "*c:\\kworking1\\agent.exe*" or CommandLine like "*c:\\kworking1\\agent.crt*" or Image in ("C:\\Windows\\MsMpEng.exe", "C:\\Windows\\cert.exe", "C:\\kworking\\agent.exe", "C:\\kworking1\\agent.exe") or CommandLine like "*del /s /q /f*" and CommandLine like "*WebPages\\Errors\\webErrorLog.txt*"
REvil Kaseya Incident Malware Patterns
Detects process command line patterns and locations used by REvil group in Kaseya incident (can also match on other malware)
Show query
(CommandLine:(*C\:\\Windows\\cert.exe* OR *del\ \/q\ \/f\ c\:\\kworking\\agent.crt* OR *Kaseya\ VSA\ Agent\ Hot\-fix* OR *\\AppData\\Local\\Temp\\MsMpEng.exe* OR *rmdir\ \/s\ \/q\ %SystemDrive%\\inetpub\\logs* OR *del\ \/s\ \/q\ \/f\ %SystemDrive%\\*.log* OR *c\:\\kworking1\\agent.exe* OR *c\:\\kworking1\\agent.crt*)) OR (Image:(C\:\\Windows\\MsMpEng.exe OR C\:\\Windows\\cert.exe OR C\:\\kworking\\agent.exe OR C\:\\kworking1\\agent.exe)) OR (CommandLine:*del\ \/s\ \/q\ \/f* AND CommandLine:*WebPages\\Errors\\webErrorLog.txt*)
Elastic
Original
KQL
critical
Ransomware - Detected - Elastic Endgame
Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.
RedSun - Named Pipe Created
Detects the creation of a named pipe with the hardcoded name "REDSUN".
The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain.
RedSun creates the pipe as \\??\pipe\REDSUN.
The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM.
Presence of this pipe name indicates active or recent RedSun execution.
Show query
any where PipeName:"\\REDSUN"
RedSun - Named Pipe Created
Detects the creation of a named pipe with the hardcoded name "REDSUN".
The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain.
RedSun creates the pipe as \\??\pipe\REDSUN.
The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM.
Presence of this pipe name indicates active or recent RedSun execution.
Show query
from * metadata _id, _index, _version | where PipeName=="\\REDSUN"
RedSun - Named Pipe Created
Detects the creation of a named pipe with the hardcoded name "REDSUN".
The RedSun exploit tool uses a pipe with this name for synchronisation and command communication between its components during the Cloud Files API + oplock-based AV bypass and privilege escalation chain.
RedSun creates the pipe as \\??\pipe\REDSUN.
The pipe server listens for the token-duplicated elevated process to connect and respond, completing the privilege escalation from user to SYSTEM.
Presence of this pipe name indicates active or recent RedSun execution.
Show query
PipeName:\\REDSUN
RedSun - TieringEngineService.exe Detected as EICAR Test File
Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present.
This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool.
RedSun works as follows:
1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \\?\C:\Windows\System32 to the attacker-controlled temp path
6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
Show query
any where (EventID:1119 and SourceName:"Real-Time Protection") and ((Path:"*\\TieringEngineService.exe" and ThreatName:"*EICAR_Test_File") or ProcessName:"*\\RedSun.exe")
RedSun - TieringEngineService.exe Detected as EICAR Test File
Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present.
This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool.
RedSun works as follows:
1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \\?\C:\Windows\System32 to the attacker-controlled temp path
6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
Show query
from * metadata _id, _index, _version | where EventID==1119 and SourceName=="Real-Time Protection" and (ends_with(Path, "\\TieringEngineService.exe") and ends_with(ThreatName, "EICAR_Test_File") or ends_with(ProcessName, "\\RedSun.exe"))
RedSun - TieringEngineService.exe Detected as EICAR Test File
Detects Windows Defender (EventID 1119 - Remediation Action Failed) flagging TieringEngineService.exe dropped in a characteristic RS-{GUID} temporary directory, or the RedSun.exe process itself being present.
This covers the staging pattern used by RedSun, a Cloud Files API and opportunistic lock (oplock) based AV bypass/privilege escalation tool.
RedSun works as follows:
1. Registers a Cloud Files sync root and creates a Cloud Files placeholder for TieringEngineService.exe under %TEMP%\RS-{GUID}\
2. The placeholder file carries EICAR test file content (Virus:DOS/EICAR_Test_File) to reliably trigger a Defender scan and remediation attempt
3. Requests a batch oplock (FSCTL_REQUEST_BATCH_OPLOCK) on the placeholder file
4. When Defender attempts to scan/quarantine the file, the oplock triggers - holding the file open
5. During the oplock break window, RedSun swaps the mount point (junction) to redirect \\?\C:\Windows\System32 to the attacker-controlled temp path
6. This races the AV/OS into executing the malicious TieringEngineService.exe with elevated privileges
Show query
(EventID:1119 AND SourceName:Real\-Time\ Protection) AND ((Path:*\\TieringEngineService.exe AND ThreatName:*EICAR_Test_File) OR ProcessName:*\\RedSun.exe)
RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.
The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage, making the combination of this path prefix and the TieringEngineService.exe filename a highly specific indicator of RedSun activity.
Show query
any where (TargetFilename:"*\\Temp*" and TargetFilename:"*\\RS-{*") and TargetFilename:"*\\TieringEngineService.exe"
RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.
The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage, making the combination of this path prefix and the TieringEngineService.exe filename a highly specific indicator of RedSun activity.
Show query
from * metadata _id, _index, _version | where TargetFilename like "*\\Temp*" and TargetFilename like "*\\RS-{*" and ends_with(TargetFilename, "\\TieringEngineService.exe")
RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
Detects the creation of a file named TieringEngineService.exe inside a directory whose path contains the RS- prefix characteristic of RedSun's staging directory (e.g. %TEMP%\RS-{GUID}\TieringEngineService.exe).
RedSun registers a Cloud Files sync root under this RS-prefixed path and drops a masqueraded placeholder there as part of its oplock-based AV bypass and privilege escalation chain.
The RS-{GUID} directory name is generated by RedSun itself and has no legitimate system usage, making the combination of this path prefix and the TieringEngineService.exe filename a highly specific indicator of RedSun activity.
Show query
(TargetFilename:*\\Temp* AND TargetFilename:*\\RS\-\{*) AND TargetFilename:*\\TieringEngineService.exe
Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
Show query
any where (EventID like~ (12, 13)) and TargetObject:"*SYSTEM\\*" and TargetObject:"*\\services\\localNETService"
Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
Show query
from * metadata _id, _index, _version | where (EventID in (12, 13)) and TargetObject like "*SYSTEM\\*" and ends_with(TargetObject, "\\services\\localNETService")
Registry Entries For Azorult Malware
Detects the presence of a registry key created during Azorult execution
Show query
(EventID:(12 OR 13)) AND TargetObject:*SYSTEM\\* AND TargetObject:*\\services\\localNETService
Renamed Whoami Execution
Detects the execution of whoami that has been renamed to a different name to avoid detection
Show query
any where OriginalFileName:"whoami.exe" and (not Image:"*\\whoami.exe")
Renamed Whoami Execution
Detects the execution of whoami that has been renamed to a different name to avoid detection
Show query
from * metadata _id, _index, _version | where OriginalFileName=="whoami.exe" and not ends_with(Image, "\\whoami.exe")
Renamed Whoami Execution
Detects the execution of whoami that has been renamed to a different name to avoid detection
Show query
OriginalFileName:whoami.exe AND (NOT Image:*\\whoami.exe)
Rorschach Ransomware Execution Activity
Detects Rorschach ransomware execution activity
Show query
any where (Image like~ ("*\\bcdedit.exe", "*\\net.exe", "*\\net1.exe", "*\\netsh.exe", "*\\wevtutil.exe", "*\\vssadmin.exe")) and CommandLine:"*11111111*"
Rorschach Ransomware Execution Activity
Detects Rorschach ransomware execution activity
Show query
from * metadata _id, _index, _version | where (ends_with(Image, "\\bcdedit.exe") or ends_with(Image, "\\net.exe") or ends_with(Image, "\\net1.exe") or ends_with(Image, "\\netsh.exe") or ends_with(Image, "\\wevtutil.exe") or ends_with(Image, "\\vssadmin.exe")) and CommandLine like "*11111111*"
Rorschach Ransomware Execution Activity
Detects Rorschach ransomware execution activity
Show query
(Image:(*\\bcdedit.exe OR *\\net.exe OR *\\net1.exe OR *\\netsh.exe OR *\\wevtutil.exe OR *\\vssadmin.exe)) AND CommandLine:*11111111*
Elastic
Converted
EQL
critical
SNAKE Malware Kernel Driver File Indicator
Detects SNAKE malware kernel driver file indicator
Show query
any where TargetFilename:"C:\\Windows\\System32\\Com\\Comadmin.dat"
Elastic
Converted
ES|QL
critical
SNAKE Malware Kernel Driver File Indicator
Detects SNAKE malware kernel driver file indicator
Show query
from * metadata _id, _index, _version | where TargetFilename=="C:\\Windows\\System32\\Com\\Comadmin.dat"
Elastic
Converted
Lucene
critical
SNAKE Malware Kernel Driver File Indicator
Detects SNAKE malware kernel driver file indicator
Show query
TargetFilename:C\:\\Windows\\System32\\Com\\Comadmin.dat
Elastic
Converted
EQL
critical
SNAKE Malware Service Persistence
Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
Show query
any where Provider_Name:"Service Control Manager" and EventID:7045 and ServiceName:"*WerFaultSvc*" and ImagePath:"C:\\Windows\\WinSxS\\*" and ImagePath:"*\\WerFault.exe"
Elastic
Converted
ES|QL
critical
SNAKE Malware Service Persistence
Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
Show query
from * metadata _id, _index, _version | where Provider_Name=="Service Control Manager" and EventID==7045 and ServiceName like "*WerFaultSvc*" and starts_with(ImagePath, "C:\\Windows\\WinSxS\\") and ends_with(ImagePath, "\\WerFault.exe")
Elastic
Converted
Lucene
critical
SNAKE Malware Service Persistence
Detects the creation of a service named "WerFaultSvc" which seems to be used by the SNAKE malware as a persistence mechanism as described by CISA in their report
Show query
Provider_Name:Service\ Control\ Manager AND EventID:7045 AND ServiceName:*WerFaultSvc* AND ImagePath:C\:\\Windows\\WinSxS\\* AND ImagePath:*\\WerFault.exe
Serv-U Exploitation CVE-2021-35211 by DEV-0322
Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
Show query
any where CommandLine:"*whoami*" and ((CommandLine like~ ("*./Client/Common/*", "*.\\Client\\Common\\*")) or CommandLine:"*C:\\Windows\\Temp\\Serv-U.bat*")
Serv-U Exploitation CVE-2021-35211 by DEV-0322
Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
Show query
from * metadata _id, _index, _version | where CommandLine like "*whoami*" and (CommandLine like "*./Client/Common/*" or CommandLine like "*.\\Client\\Common\\*" or CommandLine like "*C:\\Windows\\Temp\\Serv-U.bat*")
Serv-U Exploitation CVE-2021-35211 by DEV-0322
Detects patterns as noticed in exploitation of Serv-U CVE-2021-35211 vulnerability by threat group DEV-0322
Show query
CommandLine:*whoami* AND ((CommandLine:(*.\/Client\/Common\/* OR *.\\Client\\Common\\*)) OR CommandLine:*C\:\\Windows\\Temp\\Serv\-U.bat*)
Silence.EDA Detection
Detects Silence EmpireDNSAgent as described in the Group-IB report
Show query
any where (ScriptBlockText:"*System.Diagnostics.Process*" and ScriptBlockText:"*Stop-Computer*" and ScriptBlockText:"*Restart-Computer*" and ScriptBlockText:"*Exception in execution*" and ScriptBlockText:"*$cmdargs*" and ScriptBlockText:"*Close-Dnscat2Tunnel*") and (ScriptBlockText:"*set type=$LookupType`nserver*" and ScriptBlockText:"*$Command | nslookup 2>&1 | Out-String*" and ScriptBlockText:"*New-RandomDNSField*" and ScriptBlockText:"*[Convert]::ToString($SYNOptions, 16)*" and ScriptBlockText:"*$Session.Dead = $True*" and ScriptBlockText:"*$Session[\"Driver\"] -eq*")
Silence.EDA Detection
Detects Silence EmpireDNSAgent as described in the Group-IB report
Show query
from * metadata _id, _index, _version | where ScriptBlockText like "*System.Diagnostics.Process*" and ScriptBlockText like "*Stop-Computer*" and ScriptBlockText like "*Restart-Computer*" and ScriptBlockText like "*Exception in execution*" and ScriptBlockText like "*$cmdargs*" and ScriptBlockText like "*Close-Dnscat2Tunnel*" and ScriptBlockText like "*set type=$LookupType`nserver*" and ScriptBlockText like "*$Command | nslookup 2>&1 | Out-String*" and ScriptBlockText like "*New-RandomDNSField*" and ScriptBlockText like "*[Convert]::ToString($SYNOptions, 16)*" and ScriptBlockText like "*$Session.Dead = $True*" and ScriptBlockText like "*$Session[\"Driver\"] -eq*"
Silence.EDA Detection
Detects Silence EmpireDNSAgent as described in the Group-IB report
Show query
(ScriptBlockText:*System.Diagnostics.Process* AND ScriptBlockText:*Stop\-Computer* AND ScriptBlockText:*Restart\-Computer* AND ScriptBlockText:*Exception\ in\ execution* AND ScriptBlockText:*$cmdargs* AND ScriptBlockText:*Close\-Dnscat2Tunnel*) AND (ScriptBlockText:*set\ type\=$LookupType`nserver* AND ScriptBlockText:*$Command\ \|\ nslookup\ 2\>\&1\ \|\ Out\-String* AND ScriptBlockText:*New\-RandomDNSField* AND ScriptBlockText:*\[Convert\]\:\:ToString\($SYNOptions,\ 16\)* AND ScriptBlockText:*$Session.Dead\ \=\ $True* AND ScriptBlockText:*$Session\[\"Driver\"\]\ \-eq*)
Elastic
Converted
EQL
critical
Small Sieve Malware Potential C2 Communication
Detects potential C2 communication related to Small Sieve malware
Show query
any where cs-method:"GET" and cs-host:"api.telegram.org" and (cs-uri:"*chat_id=2090761833*" and cs-uri:"*text=com/*")
Elastic
Converted
ES|QL
critical
Small Sieve Malware Potential C2 Communication
Detects potential C2 communication related to Small Sieve malware
Show query
from * metadata _id, _index, _version | where `cs-method`=="GET" and `cs-host`=="api.telegram.org" and `cs-uri` like "*chat_id=2090761833*" and `cs-uri` like "*text=com/*"
Elastic
Converted
Lucene
critical
Small Sieve Malware Potential C2 Communication
Detects potential C2 communication related to Small Sieve malware
Show query
cs-method:GET AND cs-host:api.telegram.org AND (cs-uri:*chat_id\=2090761833* AND cs-uri:*text\=com\/*)
Solarwinds SUPERNOVA Webshell Access
Detects access to SUPERNOVA webshell as described in Guidepoint report
Show query
any where (cs-uri-query:"*logoimagehandler.ashx*" and cs-uri-query:"*clazz*") or (cs-uri-query:"*logoimagehandler.ashx*" and sc-status:500)
Solarwinds SUPERNOVA Webshell Access
Detects access to SUPERNOVA webshell as described in Guidepoint report
Show query
from * metadata _id, _index, _version | where `cs-uri-query` like "*logoimagehandler.ashx*" and `cs-uri-query` like "*clazz*" or `cs-uri-query` like "*logoimagehandler.ashx*" and `sc-status`==500
Solarwinds SUPERNOVA Webshell Access
Detects access to SUPERNOVA webshell as described in Guidepoint report
Show query
(cs-uri-query:*logoimagehandler.ashx* AND cs-uri-query:*clazz*) OR (cs-uri-query:*logoimagehandler.ashx* AND sc-status:500)
Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Show query
any where ParentImage:"*\\winlogon.exe" and (Image like~ ("*\\cmd.exe", "*\\cscript.exe", "*\\mshta.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\regsvr32.exe", "*\\rundll32.exe", "*\\wscript.exe", "*\\wt.exe")) and (CommandLine like~ ("*sethc.exe*", "*utilman.exe*", "*osk.exe*", "*Magnify.exe*", "*Narrator.exe*", "*DisplaySwitch.exe*"))
Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Show query
from * metadata _id, _index, _version | where ends_with(ParentImage, "\\winlogon.exe") and (ends_with(Image, "\\cmd.exe") or ends_with(Image, "\\cscript.exe") or ends_with(Image, "\\mshta.exe") or ends_with(Image, "\\powershell.exe") or ends_with(Image, "\\pwsh.exe") or ends_with(Image, "\\regsvr32.exe") or ends_with(Image, "\\rundll32.exe") or ends_with(Image, "\\wscript.exe") or ends_with(Image, "\\wt.exe")) and (CommandLine like "*sethc.exe*" or CommandLine like "*utilman.exe*" or CommandLine like "*osk.exe*" or CommandLine like "*Magnify.exe*" or CommandLine like "*Narrator.exe*" or CommandLine like "*DisplaySwitch.exe*")
Sticky Key Like Backdoor Execution
Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen
Show query
ParentImage:*\\winlogon.exe AND (Image:(*\\cmd.exe OR *\\cscript.exe OR *\\mshta.exe OR *\\powershell.exe OR *\\pwsh.exe OR *\\regsvr32.exe OR *\\rundll32.exe OR *\\wscript.exe OR *\\wt.exe)) AND (CommandLine:(*sethc.exe* OR *utilman.exe* OR *osk.exe* OR *Magnify.exe* OR *Narrator.exe* OR *DisplaySwitch.exe*))
Showing 401-450 of 12,781