Home/Detection rules

Deployable detection rules

5 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
All sources Splunk ESCU · 2,088 Elastic · 1,678 Microsoft Sentinel · 633
technique T1021.004 ×

Detections

5 shown of 5
Splunk ESCU SPL T1021.004 ↗
Cisco Secure Firewall - SSH Connection to Non-Standard Port
This analytic detects inbound SSH connections to non-standard ports on network devices using Cisco Secure Firewall Intrusion Events. APT actors have been observed enabling SSH servers on high, non-default TCP ports to maintain encrypted remote access to compromised network infrastructure. This detection leverages Snort signature 65369 to identify SSH protocol traffic on unusual ports, which may indicate persistence mechanisms or backdoor access established by threat actors.
Show query 
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id=65369
| fillnull
| stats dc(signature_id) as unique_signature_count
        values(signature_id) as signature_id
        values(signature) as signature
        values(class_desc) as class_desc
        values(MitreAttackGroups) as MitreAttackGroups
        values(InlineResult) as InlineResult
        values(InlineResultReason) as InlineResultReason
        values(src) as src
        values(dest_port) as dest_port
        values(rule) as rule
        values(transport) as transport
        values(app) as app
        min(_time) as firstTime
        max(_time) as lastTime
        by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___ssh_connection_to_non_standard_port_filter`
Splunk ESCU SPL T1021.004 ↗
Cisco Secure Firewall - SSH Connection to sshd_operns
This analytic detects inbound SSH connections to the sshd_operns service on network devices using Cisco Secure Firewall Intrusion Events. APT actors have been observed enabling sshd_operns and opening it on non-standard ports to maintain encrypted remote access to compromised network infrastructure. This detection leverages Snort signature 65368 to identify connections to this service, which when combined with other indicators may signal persistent access mechanisms established by threat actors.
Show query 
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id=65368
| fillnull
| stats dc(signature_id) as unique_signature_count
        values(signature_id) as signature_id
        values(signature) as signature
        values(class_desc) as class_desc
        values(MitreAttackGroups) as MitreAttackGroups
        values(InlineResult) as InlineResult
        values(InlineResultReason) as InlineResultReason
        values(src) as src
        values(dest_port) as dest_port
        values(rule) as rule
        values(transport) as transport
        values(app) as app
        min(_time) as firstTime
        max(_time) as lastTime
        by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___ssh_connection_to_sshd_operns_filter`
Splunk ESCU SPL T1021.004 ↗
ESXi SSH Enabled
This detection identifies SSH being enabled on ESXi hosts, which can be an early indicator of malicious activity. Threat actors often use SSH to gain persistent remote access after compromising credentials or exploiting vulnerabilities.
Show query 
`esxi_syslog` Message="*SSH access has been enabled" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_ssh_enabled_filter`
Splunk ESCU SPL T1021.004 ↗
Linux SSH Remote Services Script Execute
The following analytic detects the use of SSH to move laterally and execute a script or file on a remote host. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific SSH command-line parameters and URLs. This activity is significant as it may indicate an attacker attempting to execute remote commands or scripts, potentially leading to unauthorized access or control over additional systems. If confirmed malicious, this could result in lateral movement, privilege escalation, or the execution of malicious payloads, compromising the security of the network.
Show query 
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE Processes.process_name=ssh Processes.process IN ("*oStrictHostKeyChecking*", "*oConnectTimeout*", "*oBatchMode*")
    AND
    Processes.process IN ("*http:*","*https:*")
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_ssh_remote_services_script_execute_filter`
Splunk ESCU SPL T1021.004 ↗
Windows PuTTY Suite Utility Execution
This analytic detects the execution of programs associated with the PuTTY SSH client suite, including putty.exe, pscp.exe, plink.exe, psftp.exe, and puttygen.exe. This activity is significant because these tools can be used to establish unauthorized remote connections, transfer files, or execute commands on remote systems. If identified in an unusual context, such as non-administrative accounts or unexpected systems, it may indicate attempts to bypass security controls, perform lateral movement, or exfiltrate data, which could lead to further network compromise.
Show query 
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

(
    Processes.process_name IN (
        "putty.exe",
        "pscp.exe",
        "plink.exe",
        "psftp.exe",
        "puttygen.exe"
    )
    OR
    Processes.original_file_name IN (
        "PuTTY",
        "PSCP",
        "Plink",
        "PSFTP",
        "PuTTYgen"
    )
)

by Processes.process Processes.vendor_product Processes.user_id
   Processes.process_hash Processes.parent_process_name
   Processes.parent_process_exec Processes.action Processes.dest
   Processes.process_current_directory Processes.process_path
   Processes.process_integrity_level Processes.original_file_name
   Processes.parent_process Processes.parent_process_path
   Processes.parent_process_guid Processes.parent_process_id
   Processes.process_guid Processes.process_id
   Processes.user Processes.process_name

| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_putty_suite_utility_execution_filter`
Showing 1-5 of 5
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh