
Deployable detection rules

5 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK technique T1071.001 (Application Layer Protocol: Web Protocols)

Detections

Splunk ESCU SPL · T1071.001
HTTP C2 Framework User Agent
This Splunk query analyzes web logs from the Web data model and matches each observed User-Agent against the suspicious_c2_user_agents lookup, a list of the default agent strings shipped with known C2 frameworks. A hit can signify a malicious actor interacting with hosts on the network through a command-and-control tool left in its default configuration. Because the match is against known strings, an operator who changes the framework's default User-Agent will not trigger this detection.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web WHERE Web.http_user_agent != null BY Web.http_user_agent Web.http_method Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| lookup suspicious_c2_user_agents c2_user_agent AS http_user_agent OUTPUT tool, description
| where isnotnull(tool)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen BY tool url http_user_agent src dest description
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_c2_framework_user_agent_filter`
Splunk ESCU SPL · T1071.001
HTTP Malware User Agent
This Splunk query analyzes web logs from the Web data model and matches each observed User-Agent against the malware_user_agents lookup of agent strings known to be used by malware families. A hit can signify a compromised host on the network beaconing or downloading payloads.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web WHERE Web.http_user_agent != null BY Web.http_user_agent Web.http_method Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| lookup malware_user_agents malware_user_agent AS http_user_agent OUTPUT malware
| where isnotnull(malware)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen BY malware url http_user_agent src dest
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_malware_user_agent_filter`
Splunk ESCU SPL · T1071.001
HTTP PUA User Agent
This Splunk query analyzes web logs from the Web data model and matches each observed User-Agent against the pua_user_agents lookup of agent strings used by potentially unwanted applications (adware, bundled downloaders and similar). A hit can signify a host running unwanted software or, less often, a compromised host; triage by the tool name the lookup returns.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web WHERE Web.http_user_agent != null BY Web.http_user_agent Web.http_method Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| lookup pua_user_agents pua_user_agent AS http_user_agent OUTPUT tool
| where isnotnull(tool)
| stats count min(firstTime) as first_seen max(lastTime) as last_seen BY tool url http_user_agent src dest
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_pua_user_agent_filter`
Splunk ESCU SPL · T1071.001
HTTP Possible Request Smuggling
HTTP request smuggling is a technique for interfering with the way a web site processes sequences of HTTP requests received from one or more users. Request smuggling vulnerabilities are often critical, allowing an attacker to bypass front-end security controls, gain unauthorized access to sensitive data, and directly compromise other application users. This detection looks at Suricata HTTP events for the most common desync primitive: a request carrying both a Content-Length and a Transfer-Encoding header, so that a front end framing the body by one header and a back end framing it by the other disagree on where the request ends. RFC 7230 forbids a sender from including Content-Length in a message that has Transfer-Encoding, so legitimate clients should rarely produce this combination. Note that the final clause also fires on any request that carries a Content-Length header alongside any header whose value is exactly 0 (a plain `Content-Length: 0` GET, for example), which is much noisier; tune that out through the filter macro if it dominates your results.
`suricata` ((http.request_headers{}.name="*Content-Length*" http.request_headers{}.name="*Transfer-Encoding*")
  OR (http.request_headers{}.name="*Content-Length*" http.request_headers{}.value="*Transfer-Encoding*")
  OR (http.request_headers{}.value="*Content-Length*" http.request_headers{}.name="*Transfer-Encoding*")
  OR (http.request_headers{}.name="*Content-Length*" http.request_headers{}.value="0"))
| rename dest_ip as dest
| rex field=_raw "request_headers.:\[(?<headers>.*)\]"
| stats count min(_time) as firstTime max(_time) as lastTime BY dest, dest_port, src_ip, http.url, http.http_method, http.http_user_agent, http.protocol, http.status, headers
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `http_possible_request_smuggling_filter`
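The following is an added example, not ESCU content and not Suricata code: it reimplements the four OR'd clauses of the search above over a handful of constructed Suricata EVE `http` events (the `request_headers` list shape follows eve.json with request-header logging on; the addresses, URLs and header values are made up), groups the hits the way the `stats` does, and then shows why the CL+TE combination matters by framing one constructed CL.TE payload first the way a Content-Length-trusting front end would and then the way a chunked-trusting back end would. The `parse_requests` framer is a deliberately minimal illustration, not a conformant HTTP parser.

```python
import json

# Constructed Suricata EVE "http" events (not captured traffic). Field layout follows
# eve.json with request-header logging enabled: a list of {"name", "value"} objects.
SAMPLE_EVE_EVENTS = [
    {"event_type": "http", "src_ip": "203.0.113.10", "dest_ip": "10.0.0.20", "dest_port": 80,
     "http": {"url": "/", "http_method": "POST", "protocol": "HTTP/1.1", "status": 200,
              "http_user_agent": "curl/8.4.0",
              "request_headers": [{"name": "Host", "value": "app.example"},
                                  {"name": "Content-Length", "value": "13"},
                                  {"name": "Transfer-Encoding", "value": "chunked"}]}},
    {"event_type": "http", "src_ip": "198.51.100.4", "dest_ip": "10.0.0.20", "dest_port": 80,
     "http": {"url": "/login", "http_method": "POST", "protocol": "HTTP/1.1", "status": 302,
              "http_user_agent": "Mozilla/5.0",
              "request_headers": [{"name": "Host", "value": "app.example"},
                                  {"name": "Content-Length", "value": "42"}]}},
    {"event_type": "http", "src_ip": "203.0.113.10", "dest_ip": "10.0.0.20", "dest_port": 80,
     "http": {"url": "/health", "http_method": "GET", "protocol": "HTTP/1.1", "status": 200,
              "http_user_agent": "curl/8.4.0",
              "request_headers": [{"name": "Host", "value": "app.example"},
                                  {"name": "Content-Length", "value": "0"}]}},
]


def matches_smuggling_clauses(ev):
    """The four OR'd clauses of the SPL. A Splunk wildcard test such as
    http.request_headers{}.name="*Content-Length*" is true when ANY element of the
    multivalue field contains that substring (field-value matching is case-insensitive)."""
    hdrs = ev["http"].get("request_headers", [])
    names = [h["name"].lower() for h in hdrs]
    values = [h["value"].lower() for h in hdrs]
    cl_name = any("content-length" in n for n in names)
    te_name = any("transfer-encoding" in n for n in names)
    cl_value = any("content-length" in v for v in values)
    te_value = any("transfer-encoding" in v for v in values)
    zero_value = any(v == "0" for v in values)  # the noisy fourth clause
    return ((cl_name and te_name) or (cl_name and te_value)
            or (cl_value and te_name) or (cl_name and zero_value))


FIELDS = ("dest", "dest_port", "src_ip", "url", "http_method", "http_user_agent",
          "protocol", "status", "headers", "count")


def detect_request_smuggling(events):
    """stats count BY dest dest_port src_ip url method ua protocol status headers."""
    groups = {}
    for ev in events:
        if ev.get("event_type") != "http" or not matches_smuggling_clauses(ev):
            continue
        h = ev["http"]
        # The SPL `rex` pulls the raw headers array out of _raw; serialising it does the same job.
        headers = json.dumps(h.get("request_headers", []), separators=(",", ":"))
        key = (ev["dest_ip"], ev["dest_port"], ev["src_ip"], h["url"], h["http_method"],
               h["http_user_agent"], h["protocol"], h["status"], headers)
        groups[key] = groups.get(key, 0) + 1
    return [dict(zip(FIELDS, key + (n,))) for key, n in groups.items()]


# Constructed CL.TE payload: Content-Length says the body is 13 bytes ("0\r\n\r\nSMUGGLED"),
# Transfer-Encoding says the body is an empty chunked stream, leaving "SMUGGLED" unread.
CL_TE_PAYLOAD = (b"POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 13\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nSMUGGLED")


def parse_requests(buf, framing):
    """Split a byte stream into (request_line, body) pairs. framing="cl" lets Content-Length
    win (front-end view); framing="te" lets Transfer-Encoding: chunked win (back-end view).
    Returns (requests, leftover bytes that would prefix the NEXT request on the connection)."""
    out = []
    while b"\r\n\r\n" in buf:
        head, rest = buf.split(b"\r\n\r\n", 1)
        lines = head.split(b"\r\n")
        hdrs = {}
        for line in lines[1:]:
            k, _, v = line.partition(b":")
            hdrs[k.strip().lower()] = v.strip().lower()
        if framing == "te" and hdrs.get(b"transfer-encoding") == b"chunked":
            body = b""
            while True:
                size_line, _, rest = rest.partition(b"\r\n")
                size = int(size_line.split(b";")[0], 16)
                body, rest = body + rest[:size], rest[size + 2:]  # chunk data plus its CRLF
                if size == 0:
                    break
        else:
            n = int(hdrs.get(b"content-length", b"0"))
            body, rest = rest[:n], rest[n:]
        out.append((lines[0], body))
        buf = rest
    return out, buf
```

Run against the sample, the detector returns two rows: the CL+TE request and the harmless `Content-Length: 0` health check, which is exactly the noise the description warns about. Framing the payload with `"cl"` yields one request whose 13-byte body swallows `SMUGGLED`; framing it with `"te"` yields one request with an empty body and `SMUGGLED` left on the connection to be glued onto whatever the next user sends.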
Splunk ESCU SPL · T1071.001
HTTP Scripting Tool User Agent
This Splunk query analyzes nginx web access logs (raw events via the `nginx_access_logs` macro rather than the Web data model) to identify non-browser user agents, lowercasing each User-Agent and matching it against the scripting_tools_user_agents lookup of security tools, scripting-language HTTP clients, automation frameworks and other suspicious patterns. Hits can signify malicious actors interacting with web endpoints in non-standard ways; expect legitimate monitoring, CI and API clients to show up as well, so tune by source and tool. Because the search runs over raw events, first and last seen are computed from _time directly.
`nginx_access_logs`
| eval http_user_agent = lower(http_user_agent)
| lookup scripting_tools_user_agents tool_user_agent AS http_user_agent OUTPUT tool
| where isnotnull(tool)
| rename dest_ip as dest
| stats count min(_time) as first_seen max(_time) as last_seen values(tool) as tool BY http_user_agent dest src_ip status
| `security_content_ctime(first_seen)`
| `security_content_ctime(last_seen)`
| `http_scripting_tool_user_agent_filter`
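All four user-agent detections on this page (C2 framework, malware, PUA and scripting tool) share one pattern: normalise the User-Agent, look it up in a CSV, keep rows with a hit, aggregate by agent, source, destination and tool. The block below is an added example, not ESCU's own lookup or code: it runs that pipeline over constructed nginx combined-format lines, using a made-up four-row stand-in for the scripting_tools_user_agents lookup, with wildcard matching assumed (ESCU's real lookup rows are not reproduced here). The `dest` value is an assumption too, since an nginx access line does not carry the server address.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Constructed nginx "combined" access-log lines (not real traffic).
SAMPLE_NGINX_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
10.0.0.7 - - [12/Mar/2024:10:01:05 +0000] "GET /api/users HTTP/1.1" 200 2048 "-" "python-requests/2.31.0"
10.0.0.7 - - [12/Mar/2024:10:02:17 +0000] "GET /api/users?page=2 HTTP/1.1" 200 2048 "-" "python-requests/2.31.0"
10.0.0.9 - - [12/Mar/2024:10:03:44 +0000] "POST /upload HTTP/1.1" 403 128 "-" "curl/8.4.0"
10.0.0.9 - - [12/Mar/2024:10:03:50 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Go-http-client/1.1"
"""

# Stand-in for the scripting_tools_user_agents lookup (tool_user_agent -> tool).
# Assumption: rows are wildcard patterns matched after lower(); these rows are constructed.
SCRIPTING_TOOL_UAS = [
    ("*python-requests*", "python-requests"),
    ("*curl/*", "curl"),
    ("*go-http-client*", "go-http-client"),
    ("*powershell*", "powershell"),
]

# nginx combined format: $remote_addr - $remote_user [$time_local] "$request"
# $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<http_method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<http_user_agent>[^"]*)"$'
)


def parse_nginx_line(line):
    """Return an event dict with an epoch _time, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["_time"] = datetime.strptime(ev.pop("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ev


def lookup_tool(http_user_agent, table=SCRIPTING_TOOL_UAS):
    """Equivalent of `lookup scripting_tools_user_agents tool_user_agent AS http_user_agent OUTPUT tool`."""
    ua = http_user_agent.lower()
    for pattern, tool in table:
        if fnmatchcase(ua, pattern.lower()):
            return tool
    return None


def _ctime(epoch):
    """Stand-in for `security_content_ctime`: render an epoch as a readable UTC timestamp."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect_scripting_tool_user_agents(log_text, dest="10.0.0.20", table=SCRIPTING_TOOL_UAS):
    """lower(ua) -> lookup -> where isnotnull(tool)
    -> stats count min(_time) max(_time) values(tool) BY http_user_agent dest src_ip status.
    `dest` is assumed to be the web server's own address (absent from nginx lines)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None, "tool": set()})
    for line in log_text.splitlines():
        ev = parse_nginx_line(line)
        if ev is None:
            continue
        ua = ev["http_user_agent"].lower()
        tool = lookup_tool(ua, table)
        if tool is None:  # `where isnotnull(tool)`
            continue
        g = groups[(ua, dest, ev["src_ip"], ev["status"])]
        t = ev["_time"]
        g["count"] += 1
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
        g["tool"].add(tool)
    rows = [{"http_user_agent": ua, "dest": d, "src_ip": src, "status": status,
             "count": g["count"], "first_seen": _ctime(g["first"]),
             "last_seen": _ctime(g["last"]), "tool": sorted(g["tool"])}
            for (ua, d, src, status), g in groups.items()]
    return sorted(rows, key=lambda r: (r["first_seen"], r["src_ip"]))


if __name__ == "__main__":
    for row in detect_scripting_tool_user_agents(SAMPLE_NGINX_LOG):
        print(row)
```

On the sample the browser line drops out at the `where isnotnull(tool)` step and three rows survive: two python-requests calls from 10.0.0.7 collapsed into one row with count 2, one rejected curl POST (status 403) and one Go-http-client fetch from 10.0.0.9. Swapping in the C2, malware or PUA lookup changes only the table and the output field name; the aggregation is identical.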