Tool
Splunk ESCU
2,101 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
◈
Detections
50 shown of 2,101Detect Remote Access Software Usage DNS
The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and control over compromised environments. Identifying such behavior is vital for a Security Operations Center (SOC) because unauthorized remote access can lead to data breaches, ransomware attacks, and other severe impacts if these threats are not mitigated promptly.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Network_Resolution where
DNS.query=*
NOT DNS.query IN ("-", "unknown")
by DNS.answer DNS.answer_count DNS.query
DNS.query_count DNS.reply_code_id DNS.src
DNS.vendor_product
| `drop_dm_object_name("DNS")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature,
comment_reference as desc, category
| eval dest = query
| search isutility = True
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_dns_filter`
Detect Remote Access Software Usage File
The following analytic detects the writing of files from known remote access software to disk within the environment.
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user information.
This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access.
If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration, further compromise, or complete control over affected systems.
It is best to update both the remote_access_software_usage_exception.csv lookup and the remote_access_software lookup with any known or approved remote access software to reduce false positives and increase coverage.
In order to enhance performance, the detection filters for specific file names extensions / names that are used in the remote_access_software lookup.
If add additional entries, consider updating the search filters to include those file names / extensions as well, if not alread covered.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime,
max(_time) as lastTime
values(Filesystem.file_path) as file_path
from datamodel=Endpoint.Filesystem
where Filesystem.file_name IN (
"*.app",
"*.exe",
"*.msi",
"*.pkg",
"*echoware.dll",
"*Idrive.*",
"*rdp2tcp.py"
)
by Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash
Filesystem.file_modify_time Filesystem.file_name
Filesystem.file_path Filesystem.file_acl Filesystem.file_size
Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Filesystem)`
| lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category
| search isutility = TRUE
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_file_filter`
Detect Remote Access Software Usage FileInfo
The following analytic detects the execution of processes with file or code signing attributes from known remote access software within the environment. It leverages Sysmon EventCode 1 data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these tools to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network.
Show query
`sysmon` EventCode=1
| stats count min(_time) as firstTime max(_time) as lastTime, values(Company) as Company values(Product) as Product
BY action dest original_file_name
parent_process parent_process_exec parent_process_guid
parent_process_id parent_process_name parent_process_path
process process_exec process_guid
process_hash process_id process_integrity_level
process_name process_path user
user_id vendor_product
| lookup remote_access_software remote_utility_fileinfo AS Product OUTPUT isutility, description as signature, comment_reference as desc, category
| search isutility = True
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_fileinfo_filter`Detect Remote Access Software Usage Process
The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data model. We then compare with with a list of known remote access software shipped as a lookup file - remote_access_software. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where [| inputlookup remote_access_software where isutility=TRUE | rename remote_utility AS Processes.process_name | fields Processes.process_name] AND Processes.dest!="unknown" AND Processes.user!="unknown" by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | lookup remote_access_software remote_utility AS process_name OUTPUT isutility description AS signature comment_reference AS desc category | search isutility = TRUE | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_process_filter`
Detect Remote Access Software Usage Registry
The following analytic detects when a known remote access software is added to common persistence locations on a device within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and much more. Review the lookup for the entire list and add any others.
Show query
| tstats `security_content_summariesonly` latest(Registry.process_guid) as process_guid count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*\\Microsoft\\Windows\\CurrentVersion\\Run*" OR (Registry.registry_path="*\\SYSTEM\\CurrentControlSet\\Services\\*" AND Registry.registry_value_name="ImagePath")) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rex field=registry_value_data "(\")?.+\\\(?<file_name_1>[^\"=]+\.[^\" ]{1,5})(\")?" | rex field=registry_value_data "(?<file_name_2>[^\.]+\.[^\" ]{1,5}$)" | eval file_name = coalesce(file_name_1,file_name_2) | lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category | search isutility = TRUE | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_registry_filter`Detect Remote Access Software Usage Traffic
The following analytic detects network traffic associated with known remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer.
It leverages Palo Alto traffic logs mapped to the Network_Traffic data model in Splunk. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments.
If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
values(All_Traffic.dest_port) as dest_port
latest(All_Traffic.user) as user
from datamodel=Network_Traffic where
All_Traffic.app=*
NOT All_Traffic.app IN ("-", "unknown")
by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in
All_Traffic.bytes_out All_Traffic.dest All_Traffic.dest_ip
All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip
All_Traffic.src_port All_Traffic.transport All_Traffic.user
All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup remote_access_software remote_appid AS app OUTPUT isutility, description as signature, comment_reference as desc, category
| search isutility = True
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_traffic_filter`
Detect Remote Access Software Usage URL
The following analytic detects the execution of known remote access software within the environment.
It leverages network logs mapped to the Web data model, identifying specific URLs and user agents associated with remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer.
This activity is significant as adversaries often use these utilities to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further compromise the network, posing a severe security risk.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
latest(Web.http_method) as http_method
latest(Web.http_user_agent) as http_user_agent
latest(Web.url) as url
latest(Web.user) as user
latest(Web.dest) as dest
from datamodel=Web where
Web.url_domain=*
NOT Web.url_domain IN (
"-",
"unknown"
)
by Web.action Web.src Web.category
Web.url_domain Web.url_length
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("Web")`
| lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference
as desc, category
| search isutility = True
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_url_filter`
Detect Renamed 7-Zip
The following analytic detects the usage of a renamed 7-Zip executable using Sysmon data. It leverages the OriginalFileName field to identify instances where the 7-Zip process has been renamed. This activity is significant as attackers often rename legitimate tools to evade detection while staging or exfiltrating data. If confirmed malicious, this behavior could indicate data exfiltration attempts or other unauthorized data manipulation, potentially leading to significant data breaches or loss of sensitive information. Analysts should validate the legitimacy of the 7-Zip executable and investigate parallel processes for further suspicious activities.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.original_file_name=7z*.exe
AND
Processes.process_name!=7z*.exe
)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_renamed_7_zip_filter`Detect Renamed PSExec
The following analytic identifies instances where `PsExec.exe` has been renamed and executed on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names. This activity is significant because renaming `PsExec.exe` is a common tactic to evade detection. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access, lateral movement, or further compromise of the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name!=psexec.exe
AND
Processes.process_name!=psexec64.exe
)
AND Processes.original_file_name=psexec.c
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_renamed_psexec_filter`Detect Renamed RClone
The following analytic detects the execution of a renamed `rclone.exe` process, which is commonly used for data exfiltration to remote destinations. This detection leverages Endpoint Detection and Response (EDR) telemetry, focusing on process names and original file names that do not match. This activity is significant because ransomware groups often use RClone to exfiltrate sensitive data. If confirmed malicious, this behavior could indicate an ongoing data exfiltration attempt, potentially leading to significant data loss and further compromise of the affected systems.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.original_file_name=rclone.exe
AND
Processes.process_name!=rclone.exe
)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_renamed_rclone_filter`Detect Renamed WinRAR
The following analytic identifies instances where `WinRAR.exe` has been renamed and executed. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and original file names within the Endpoint data model. This activity is significant because renaming executables is a common tactic used by attackers to evade detection. If confirmed malicious, this could indicate an attempt to bypass security controls, potentially leading to unauthorized data extraction or further system compromise.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.original_file_name=WinRAR.exe (Processes.process_name!=rar.exe
AND
Processes.process_name!=winrar.exe)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_renamed_winrar_filter`Detect Rogue DHCP Server
The following analytic identifies the presence of unauthorized DHCP servers on the network. It leverages logs from Cisco network devices with DHCP Snooping enabled, specifically looking for events where DHCP leases are issued from untrusted ports. This activity is significant because rogue DHCP servers can facilitate Man-in-the-Middle attacks, leading to potential data interception and network disruption. If confirmed malicious, this could allow attackers to redirect network traffic, capture sensitive information, and compromise the integrity of the network.
Show query
`cisco_networks` facility="DHCP_SNOOPING" mnemonic="DHCP_SNOOPING_UNTRUSTED_PORT"
| stats min(_time) AS firstTime max(_time) AS lastTime count values(message_type) AS message_type values(src_mac) AS src_mac
BY host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_rogue_dhcp_server_filter`Detect Rundll32 Inline HTA Execution
The following analytic detects the execution of "rundll32.exe" with inline protocol handlers such as "JavaScript", "VBScript", and "About". This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on command-line arguments. This activity is significant as it is often associated with fileless malware or application whitelisting bypass techniques. If confirmed malicious, this could allow an attacker to execute arbitrary code, bypass security controls, and maintain persistence within the environment.
Show query
| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_rundll32` (Processes.process=*vbscript*
OR
Processes.process=*javascript*)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_rundll32_inline_hta_execution_filter`Detect S3 access from a new IP
The following analytic identifies access to an S3 bucket from a new or previously unseen remote IP address. It leverages S3 bucket-access logs, specifically focusing on successful access events (http_status=200). This activity is significant because access from unfamiliar IP addresses could indicate unauthorized access or potential data exfiltration attempts. If confirmed malicious, this activity could lead to unauthorized data access, data theft, or further exploitation of the compromised S3 bucket, posing a significant risk to sensitive information stored within the bucket.
Show query
`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200
| stats earliest(_time) as firstTime latest(_time) as lastTime
BY bucket_name remote_ip
| inputlookup append=t previously_seen_S3_access_from_remote_ip
| stats min(firstTime) as firstTime, max(lastTime) as lastTime
BY bucket_name remote_ip
| outputlookup previously_seen_S3_access_from_remote_ip
| eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0)
| where newIP=1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table bucket_name remote_ip]
| iplocation remote_ip
| rename remote_ip as src_ip
| table _time bucket_name src_ip City Country operation request_uri
| `detect_s3_access_from_a_new_ip_filter`Detect SNICat SNI Exfiltration
The following analytic identifies the use of SNICat tool commands within the TLS SNI field, indicating potential data exfiltration attempts. It leverages Zeek SSL data to detect specific SNICat commands such as LIST, LS, SIZE, LD, CB, EX, ALIVE, EXIT, WHERE, and finito in the server_name field. This activity is significant as SNICat is a known tool for covert data exfiltration using TLS. If confirmed malicious, this could allow attackers to exfiltrate sensitive data undetected, posing a severe threat to data confidentiality and integrity.
Show query
`zeek_ssl`
| rex field=server_name "(?<snicat>(LIST|LS|SIZE|LD|CB|CD|EX|ALIVE|EXIT|WHERE|finito)-[A-Za-z0-9]{16}\.)"
| stats count BY src_ip dest_ip server_name snicat
| where count>0
| table src_ip dest_ip server_name snicat
| `detect_snicat_sni_exfiltration_filter`Detect SharpHound Command-Line Arguments
The following analytic detects the execution of SharpHound command-line arguments, specifically `-collectionMethod` and `invoke-bloodhound`. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as SharpHound is commonly used for Active Directory enumeration, which can be a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially compromising sensitive information and critical systems.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process IN ("*-collectionMethod*","*invoke-bloodhound*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_sharphound_command_line_arguments_filter`Detect SharpHound File Modifications
The following analytic detects the creation of files typically associated with SharpHound, a reconnaissance tool used for gathering domain and trust data. It leverages file modification events from the Endpoint.Filesystem data model, focusing on default file naming patterns like `*_BloodHound.zip` and various JSON files. This activity is significant as it indicates potential domain enumeration, which is a precursor to more targeted attacks. If confirmed malicious, an attacker could gain detailed insights into the domain structure, facilitating lateral movement and privilege escalation.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.file_name IN ("*bloodhound.zip", "*_computers.json", "*_gpos.json", "*_domains.json", "*_users.json", "*_groups.json", "*_ous.json", "*_containers.json")
BY Filesystem.action Filesystem.dest Filesystem.file_access_time
Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time
Filesystem.file_name Filesystem.file_path Filesystem.file_acl
Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_sharphound_file_modifications_filter`Detect SharpHound Usage
The following analytic detects the usage of the SharpHound binary by identifying its original filename, `SharpHound.exe`, and the process name. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process metadata and command-line executions. SharpHound is a tool used for Active Directory enumeration, often by attackers during the reconnaissance phase. If confirmed malicious, this activity could allow an attacker to map out the network, identify high-value targets, and plan further attacks, potentially leading to privilege escalation and lateral movement within the environment.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name=sharphound.exe
OR
Processes.original_file_name=SharpHound.exe
)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_sharphound_usage_filter`Detect Software Download To Network Device
The following analytic identifies unauthorized software downloads to network devices via TFTP, FTP, or SSH/SCP. It detects this activity by analyzing network traffic events on specific ports (69, 21, 22) from devices categorized as network, router, or switch. This activity is significant because adversaries may exploit netbooting to load unauthorized operating systems, potentially compromising network integrity. If confirmed malicious, this could lead to unauthorized control over network devices, enabling further attacks, data exfiltration, or persistent access within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Network_Traffic
WHERE (
All_Traffic.transport=udp
AND
All_Traffic.dest_port=69
)
OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=21) OR (All_Traffic.transport=tcp AND All_Traffic.dest_port=22) AND All_Traffic.dest_category!=common_software_repo_destination AND All_Traffic.src_category=network OR All_Traffic.src_category=router OR All_Traffic.src_category=switch
BY All_Traffic.src All_Traffic.dest All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_software_download_to_network_device_filter`
Splunk ESCU
SPL
Detect Spike in AWS Security Hub Alerts for EC2 Instance
The following analytic identifies a spike in the number of AWS Security Hub alerts for an EC2 instance within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect anomalies. This activity is significant for a SOC as a sudden increase in alerts may indicate potential security incidents or misconfigurations requiring immediate attention. If confirmed malicious, this could signify an ongoing attack, leading to unauthorized access, data exfiltration, or disruption of services on the affected EC2 instance.
Show query
`aws_securityhub_finding` "Resources{}.Type"=AWSEC2Instance
| bucket span=4h _time
| stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity
BY _time dest
| eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev
| eval threshold_value = 3
| eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0)
| search isOutlier=1
| table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg
| `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`
Splunk ESCU
SPL
Detect Spike in AWS Security Hub Alerts for User
The following analytic identifies a spike in the number of AWS Security Hub alerts for an AWS IAM User within a 4-hour interval. It leverages AWS Security Hub findings data, calculating the average and standard deviation of alerts to detect significant deviations. This activity is significant as a sudden increase in alerts for a specific user may indicate suspicious behavior or a potential security incident. If confirmed malicious, this could signify an ongoing attack, unauthorized access, or misuse of IAM credentials, potentially leading to data breaches or further exploitation.
Show query
`aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser
| rename findings{}.Resources{}.Id as user
| bucket span=4h _time
| stats count AS alerts
BY _time user
| eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev
| eval threshold_value = 2
| eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0)
| search isOutlier=1
| table _time user alerts
| `detect_spike_in_aws_security_hub_alerts_for_user_filter`Detect Spike in S3 Bucket deletion
The following analytic identifies a spike in API activity related to the deletion of S3 buckets in your AWS environment. It leverages AWS CloudTrail logs to detect anomalies by comparing current deletion activity against a historical baseline. This activity is significant as unusual spikes in S3 bucket deletions could indicate malicious actions such as data exfiltration or unauthorized data destruction. If confirmed malicious, this could lead to significant data loss, disruption of services, and potential exposure of sensitive information. Immediate investigation is required to determine the legitimacy of the activity.
Show query
`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket
| spath output=arn path=userIdentity.arn
| stats count as apiCalls
BY arn
| inputlookup s3_deletion_baseline append=t
| fields - latestCount
| stats values(*) as *
BY arn
| rename apiCalls as latestCount
| eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720
| eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720))
| eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1)
| table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls
| outputlookup s3_deletion_baseline
| eval dataPointThreshold = 15, deviationThreshold = 3
| eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0)
| where isSpike=1
| rename arn as userIdentity.arn
| table userIdentity.arn]
| spath output=user userIdentity.arn
| spath output=bucketName path=requestParameters.bucketName
| stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled
BY user
| `detect_spike_in_s3_bucket_deletion_filter`
Splunk ESCU
SPL
Detect Spike in blocked Outbound Traffic from your AWS
The following analytic identifies spikes in blocked outbound network connections originating from within your AWS environment. It leverages VPC Flow Logs data from CloudWatch, focusing on blocked actions from internal IP ranges to external destinations. This detection is significant as it can indicate potential exfiltration attempts or misconfigurations leading to data leakage. If confirmed malicious, such activity could allow attackers to bypass network defenses, leading to unauthorized data transfer or communication with malicious external entities.
Show query
`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16)
| stats count as numberOfBlockedConnections
BY src_ip
| inputlookup baseline_blocked_outbound_connections append=t
| fields - latestCount
| stats values(*) as *
BY src_ip
| rename numberOfBlockedConnections as latestCount
| eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720
| eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720))
| eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1)
| table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections
| outputlookup baseline_blocked_outbound_connections
| eval dataPointThreshold = 5, deviationThreshold = 3
| eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0)
| where isSpike=1
| table src_ip]
| stats values(dest_ip) as dest_ip, values(interface_id) as "resourceId" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections
BY src_ip
| `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`Detect Traffic Mirroring
The following analytic detects the initiation of traffic mirroring sessions on Cisco network devices. It leverages logs with specific mnemonics and facilities related to traffic mirroring, such as "ETH_SPAN_SESSION_UP" and "PKTCAP_START." This activity is significant because adversaries may use traffic mirroring to exfiltrate data by duplicating and forwarding network traffic to an external destination. If confirmed malicious, this could allow attackers to capture sensitive information, monitor network communications, and potentially compromise the integrity and confidentiality of the network.
Show query
`cisco_networks` (facility="MIRROR" mnemonic="ETH_SPAN_SESSION_UP") OR (facility="SPAN" mnemonic="SESSION_UP") OR (facility="SPAN" mnemonic="PKTCAP_START") OR (mnemonic="CFGLOG_LOGGEDCMD" command="monitor session*")
| stats min(_time) AS firstTime max(_time) AS lastTime count
BY host facility mnemonic
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_traffic_mirroring_filter`
Splunk ESCU
SPL
Detect Unauthorized Assets by MAC address
The following analytic identifies unauthorized devices attempting to connect to the organization's network by inspecting DHCP request packets. It detects this activity by comparing the MAC addresses in DHCP requests against a list of known authorized devices stored in the assets_by_str.csv file. This activity is significant for a SOC because unauthorized devices can pose security risks, including potential data breaches or network disruptions. If confirmed malicious, this activity could allow an attacker to gain unauthorized network access, potentially leading to further exploitation or data exfiltration.
Show query
| tstats `security_content_summariesonly` count FROM datamodel=Network_Sessions
WHERE nodename=All_Sessions.DHCP All_Sessions.tag=dhcp
BY All_Sessions.dest_ip All_Sessions.dest_mac
| dedup All_Sessions.dest_mac
| `drop_dm_object_name("Network_Sessions")`
| `drop_dm_object_name("All_Sessions")`
| search NOT [
| inputlookup asset_lookup_by_str
| rename mac as dest_mac
| fields + dest_mac]
| `detect_unauthorized_assets_by_mac_address_filter`Detect Use of cmd exe to Launch Script Interpreters
The following detects the execution of cscript.exe or wscript.exe processes spawned by cmd.exe, leveraging Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, with additional contextual filtering to improve fidelity and reduce false positives.
It focuses on executions originating from user-writable directories such as Users, AppData, Temp, and Downloads, which are commonly abused by attackers to stage and execute malicious scripts, while excluding trusted system paths like C:\Windows\System32\ and C:\Program Files\ that are typically associated with legitimate activity.
The detection also filters out service accounts (e.g., accounts ending with $ or known naming conventions) to minimize noise from automated processes and incorporates command-line context to better assess script execution patterns and identify potentially suspicious behavior.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Endpoint.Processes WHERE
Processes.parent_process_name="cmd.exe"
(
Processes.process_name IN ("cscript.exe", "wscript.exe")
OR
Processes.original_file_name IN ("cscript.exe", "wscript.exe")
)
NOT Processes.process IN (
"* \"C:\\Program Files (x86)\\*",
"* \"C:\\Program Files\\*",
"* \"C:\\Windows\\System32\\*",
"* \"C:\\Windows\\SysWOW64\\*",
"* C:\\Program Files (x86)\\*",
"* C:\\Program Files\\*",
"* C:\\Windows\\System32\\*",
"* C:\\Windows\\SysWOW64\\*"
)
NOT Processes.user="*$"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`Detect WMI Event Subscription Persistence
The following analytic identifies the creation of WMI Event Subscriptions, which can be used to establish persistence or perform privilege escalation. It detects EventID 19 (EventFilter creation), EventID 20 (EventConsumer creation), and EventID 21 (FilterToConsumerBinding creation) from Sysmon logs. This activity is significant because WMI Event Subscriptions can execute code with elevated SYSTEM privileges, making it a powerful persistence mechanism. If confirmed malicious, an attacker could maintain long-term access, escalate privileges, and execute arbitrary code, posing a severe threat to the environment.
Show query
`sysmon` EventID=20
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest dvc object
object_category object_path signature
signature_id src status
user user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_wmi_event_subscription_persistence_filter`Detect Web Access to Decommissioned S3 Bucket
This detection identifies web requests to domains that match previously decommissioned S3 buckets through web proxy logs. This activity is significant because attackers may attempt to access or recreate deleted S3 buckets that were previously public to hijack them for malicious purposes. If successful, this could allow attackers to host malicious content or exfiltrate data through compromised bucket names that may still be referenced by legitimate applications.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.http_method) as http_method values(Web.http_user_agent) as http_user_agent values(Web.url) as url values(Web.user) as user FROM datamodel=Web
WHERE Web.url_domain!=""
BY Web.src Web.url_domain
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval bucket_domain = lower(url_domain)
| lookup decommissioned_buckets bucketName as bucket_domain OUTPUT bucketName as match
| where isnotnull(match)
| `detect_web_access_to_decommissioned_s3_bucket_filter`Detect Windows DNS SIGRed via Splunk Stream
The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks.
Show query
`stream_dns`
| spath "query_type{}"
| search "query_type{}" IN (SIG,KEY)
| spath protocol_stack
| search protocol_stack="ip:tcp:dns"
| append [search `stream_tcp` bytes_out>65000]
| stats count by flow_id
| where count>1
| fields - count
| `detect_windows_dns_sigred_via_splunk_stream_filter`
Detect Windows DNS SIGRed via Zeek
The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial.
Show query
| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [ | tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id ] | stats count by flow_id | where count>1 | fields - count' | `detect_windows_dns_sigred_via_zeek_filter`
Detect Zerologon via Zeek
The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization's IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial.
Show query
`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3)
| bin span=5m _time
| stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) as challenge count(eval(operation=="NetrServerAuthenticate3")) as authcount count(eval(operation=="NetrServerPasswordSet2")) as passcount count as totalcount
BY _time,src_ip,dest_ip
| search opscount=3 authcount>4 passcount>0
| search `detect_zerologon_via_zeek_filter`Detect attackers scanning for vulnerable JBoss servers
The following analytic identifies specific GET or HEAD requests to web servers that indicate reconnaissance attempts to find vulnerable JBoss servers. It leverages data from the Web data model, focusing on HTTP methods and URLs associated with JBoss management interfaces. This activity is significant because it often precedes exploitation attempts using tools like JexBoss, which can compromise the server. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or escalate privileges, leading to potential data breaches and system compromise.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE (
Web.http_method="GET"
OR
Web.http_method="HEAD"
)
AND (Web.url="*/web-console/ServerInfo.jsp*" OR Web.url="*web-console*" OR Web.url="*jmx-console*" OR Web.url = "*invoker*")
BY Web.http_method, Web.url, Web.src,
Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_attackers_scanning_for_vulnerable_jboss_servers_filter`Detect hosts connecting to dynamic domain providers
The following analytic identifies DNS queries from internal hosts to dynamic domain providers. It leverages DNS query logs from the `Network_Resolution` data model and cross-references them with a lookup file containing known dynamic DNS providers. This activity is significant because attackers often use dynamic DNS services to host malicious payloads or command-and-control servers, making it crucial for security teams to monitor. If confirmed malicious, this activity could allow attackers to bypass firewall blocks, evade detection, and maintain persistent access to the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime
from datamodel=Network_Resolution where
DNS.query=*
NOT DNS.query IN ("-", "unknown")
by DNS.answer DNS.answer_count DNS.query DNS.query_count
DNS.reply_code_id DNS.src DNS.vendor_product
| `drop_dm_object_name("DNS")`
| `security_content_ctime(firstTime)`
| lookup update=true dynamic_dns_providers_default dynamic_dns_domains as query OUTPUTNEW isDynDNS_default
| lookup update=true dynamic_dns_providers_local dynamic_dns_domains as query OUTPUTNEW isDynDNS_local
| eval isDynDNS = coalesce(isDynDNS_local,isDynDNS_default)
|fields - isDynDNS_default, isDynDNS_local| search isDynDNS=True
| `detect_hosts_connecting_to_dynamic_domain_providers_filter`
Splunk ESCU
SPL
Detect malicious requests to exploit JBoss servers
The following analytic identifies malicious HTTP requests targeting the jmx-console in JBoss servers. It detects unusually long URLs, indicative of embedded payloads, by analyzing web server logs for GET or HEAD requests with specific URL patterns and lengths. This activity is significant as it may indicate an attempt to exploit JBoss vulnerabilities, potentially leading to unauthorized remote code execution. If confirmed malicious, attackers could gain control over the server, escalate privileges, and compromise sensitive data, posing a severe threat to the organization's security.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE (
Web.http_method="GET"
OR
Web.http_method="HEAD"
)
BY Web.http_method, Web.url,Web.url_length Web.src,
Web.dest
| search Web.url="*jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.admin*import*" AND Web.url_length > 200
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table src, dest_ip, http_method, url, firstTime, lastTime
| `detect_malicious_requests_to_exploit_jboss_servers_filter`Detect mshta inline hta execution
The following analytic detects the execution of "mshta.exe" with inline protocol handlers such as "JavaScript", "VBScript", and "About". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line arguments and process details. This activity is significant because mshta.exe can be exploited to execute malicious scripts, potentially leading to unauthorized code execution. If confirmed malicious, this could allow an attacker to execute arbitrary code, escalate privileges, or establish persistence within the environment, posing a severe security risk.
Show query
| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where
`process_mshta`
Processes.process IN ("*vbscript*", "*javascript*", "*about*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process
Processes.process_exec Processes.process_guid Processes.process_hash
Processes.process_id Processes.process_integrity_level Processes.process_name
Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_mshta_inline_hta_execution_filter`
Detect mshta renamed
The following analytic identifies instances where mshta.exe has been renamed and executed. It leverages Endpoint Detection and Response (EDR) data, specifically focusing on the original file name field to detect discrepancies. This activity is significant because renaming mshta.exe is a common tactic used by attackers to evade detection and execute malicious scripts. If confirmed malicious, this could allow an attacker to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name!=mshta.exe
AND
Processes.original_file_name=MSHTA.EXE
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_mshta_renamed_filter`Detection of tools built by NirSoft
The following analytic identifies the execution of tools built by NirSoft by detecting specific command-line arguments such as "/stext" and "/scomma". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because NirSoft tools, while legitimate, can be exploited by attackers for malicious purposes such as credential theft or system reconnaissance. If confirmed malicious, this activity could lead to unauthorized access, data exfiltration, or further compromise of the affected system.
Show query
| tstats `security_content_summariesonly` count min(_time) values(Processes.process) as process max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process="* /stext *"
OR
Processes.process="* /scomma *"
)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detection_of_tools_built_by_nirsoft_filter`Disable AMSI Through Registry
The following analytic detects modifications to the Windows registry that disable the Antimalware Scan Interface (AMSI) by setting the "AmsiEnable" value to "0x00000000". This detection leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable". Disabling AMSI is significant as it is a common technique used by ransomware, Remote Access Trojans (RATs), and Advanced Persistent Threats (APTs) to evade detection and impair defenses. If confirmed malicious, this activity could allow attackers to execute payloads with minimal alerts, leading to potential system compromise and data exfiltration.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows Script\\Settings\\AmsiEnable" Registry.registry_value_data = "0x00000000") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_amsi_through_registry_filter`
Disable Defender AntiVirus Registry
The following analytic detects the modification of Windows Defender registry settings to disable antivirus and antispyware protections. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with Windows Defender policies. This activity is significant because disabling antivirus protections is a common tactic used by adversaries to evade detection and maintain persistence on compromised systems. If confirmed malicious, this action could allow attackers to execute further malicious activities undetected, leading to potential data breaches, system compromise, and further propagation of malware within the network.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender*" Registry.registry_value_name IN ("DisableAntiSpyware","DisableAntiVirus") Registry.registry_value_data = 0x00000001) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_antivirus_registry_filter`Disable Defender BlockAtFirstSeen Feature
The following analytic detects the modification of the Windows registry to disable the Windows Defender BlockAtFirstSeen feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the DisableBlockAtFirstSeen value. This activity is significant because disabling this feature can allow malicious files to bypass initial detection by Windows Defender, increasing the risk of malware infection. If confirmed malicious, this action could enable attackers to execute malicious code undetected, leading to potential system compromise and data breaches.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = DisableBlockAtFirstSeen Registry.registry_value_data = 0x00000001) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_blockatfirstseen_feature_filter`
Disable Defender Enhanced Notification
The following analytic detects the modification of the registry to disable Windows Defender's Enhanced Notification feature. It leverages data from Endpoint Detection and Response (EDR) agents, specifically monitoring changes to the registry path associated with Windows Defender reporting. This activity is significant because disabling Enhanced Notifications can prevent users and administrators from receiving critical security alerts, potentially allowing malicious activities to go unnoticed. If confirmed malicious, this action could enable an attacker to bypass detection mechanisms, maintain persistence, and escalate their activities without triggering alerts.
Show query
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*Microsoft\\Windows Defender\\Reporting*" Registry.registry_value_name = DisableEnhancedNotifications Registry.registry_value_data = 0x00000001) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_enhanced_notification_filter`
Disable Defender MpEngine Registry
The following analytic detects the modification of the Windows Defender MpEngine registry value, specifically setting MpEnablePus to 0x00000000. This detection leverages endpoint registry logs, focusing on changes within the path "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*". This activity is significant as it indicates an attempt to disable key Windows Defender features, potentially allowing malware to evade detection. If confirmed malicious, this could lead to undetected malware execution, persistence, and further system compromise. Immediate investigation and endpoint isolation are recommended.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Policies\\Microsoft\\Windows Defender\\MpEngine*" Registry.registry_value_name = MpEnablePus Registry.registry_value_data = 0x00000000) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_mpengine_registry_filter`
Disable Defender Spynet Reporting
The following analytic detects the modification of the registry to disable Windows Defender SpyNet reporting. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet settings. This activity is significant because disabling SpyNet reporting can prevent Windows Defender from sending telemetry data, potentially allowing malicious activities to go undetected. If confirmed malicious, this action could enable an attacker to evade detection, maintain persistence, and carry out further attacks without being flagged by Windows Defender.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SpynetReporting Registry.registry_value_data = 0x00000000) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_spynet_reporting_filter`
Disable Defender Submit Samples Consent Feature
The following analytic detects the modification of the Windows registry to disable the Windows Defender Submit Samples Consent feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path associated with Windows Defender SpyNet and the SubmitSamplesConsent value set to 0x00000000. This activity is significant as it indicates an attempt to bypass or evade detection by preventing Windows Defender from submitting samples for further analysis. If confirmed malicious, this could allow an attacker to execute malicious code without being detected by Windows Defender, leading to potential system compromise.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path = "*\\Microsoft\\Windows Defender\\SpyNet*" Registry.registry_value_name = SubmitSamplesConsent Registry.registry_value_data = 0x00000000) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_defender_submit_samples_consent_feature_filter`
Disable ETW Through Registry
The following analytic detects modifications to the registry that disable the Event Tracing for Windows (ETW) feature. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" with a value set to "0x00000000". This activity is significant because disabling ETW can allow attackers to evade detection mechanisms, making it harder for security tools to monitor malicious activities. If confirmed malicious, this could enable attackers to execute payloads with minimal alerts, impairing defenses and potentially leading to further compromise of the system.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\.NETFramework\\ETWEnabled" Registry.registry_value_data = "0x00000000") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_etw_through_registry_filter`
Disable Logs Using WevtUtil
The following analytic detects the execution of "wevtutil.exe" with parameters to disable event logs. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because disabling event logs is a common tactic used by ransomware to evade detection and hinder forensic investigations. If confirmed malicious, this action could allow attackers to operate undetected, making it difficult to trace their activities and respond effectively to the incident.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name = "wevtutil.exe"
AND
(Processes.process = "*sl*"
OR
Processes.process = "*set-log*" ) Processes.process IN ("*/e:false*", "*/enabled:false*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `disable_logs_using_wevtutil_filter`Disable Registry Tool
The following analytic detects modifications to the Windows registry aimed at disabling the Registry Editor (regedit). It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the registry path "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" with a value of "0x00000001". This activity is significant because malware, such as RATs or trojans, often disable registry tools to prevent the removal of their entries, aiding in persistence and defense evasion. If confirmed malicious, this could hinder incident response efforts and allow the attacker to maintain control over the compromised system.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" Registry.registry_value_data = "0x00000001") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)`| where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_registry_tool_filter`
Disable Schedule Task
The following analytic detects the execution of a command to disable an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Disabling scheduled tasks is significant as it is a common tactic used by adversaries, including malware like IcedID, to disable security applications and evade detection. If confirmed malicious, this activity could allow attackers to persist undetected, disable critical security defenses, and further compromise the targeted host.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name=schtasks.exe Processes.process=*/change* Processes.process=*/disable*
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `disable_schedule_task_filter`Disable Security Logs Using MiniNt Registry
The following analytic detects a suspicious registry modification aimed at disabling security audit logs by adding a specific registry entry. It leverages data from the Endpoint.Registry data model, focusing on changes to the "Control\\MiniNt" registry path. This activity is significant because it can prevent Windows from logging any events to the Security Log, effectively blinding security monitoring efforts. If confirmed malicious, this technique could allow an attacker to operate undetected, making it difficult to trace their actions and compromising the integrity of security audits.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path="*\\Control\\MiniNt\\*") by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_security_logs_using_minint_registry_filter`
Disable Show Hidden Files
The following analytic detects modifications to the Windows registry that disable the display of hidden files. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to registry paths associated with hidden file settings. This activity is significant because malware, such as worms and trojan spyware, often use hidden files to evade detection. If confirmed malicious, this behavior could allow an attacker to conceal malicious files on the system, making it harder for security tools and analysts to identify and remove the threat.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry WHERE (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Registry.registry_value_data = "0x00000001") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" Registry.registry_value_data = "0x00000000" )) by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product | `drop_dm_object_name(Registry)` | where isnotnull(registry_value_data) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`
Showing 401-450 of 2,101