Home/Detection rules

Deployable detection rules

2 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
All sources Splunk ESCU · 2,088 Elastic · 1,678 Microsoft Sentinel · 633
technique T1140 ×

Detections

2 shown of 2
Splunk ESCU SPL T1140 ↗
CertUtil With Decode Argument
The following analytic detects the use of CertUtil.exe with the 'decode' argument, which may indicate an attempt to decode a previously encoded file, potentially containing malicious payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. This activity is significant because attackers often use CertUtil to decode malicious files downloaded from the internet, which are then executed to compromise the system. If confirmed malicious, this activity could lead to unauthorized code execution, further system compromise, and potential data exfiltration.
Show query 
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_certutil` Processes.process=*decode*
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `certutil_with_decode_argument_filter`
Splunk ESCU SPL T1140 ↗
Linux Auditd Base64 Decode Files
The following analytic detects suspicious Base64 decode operations that may indicate malicious activity, such as data exfiltration or execution of encoded commands. Base64 is commonly used to encode data for safe transmission, but attackers may abuse it to conceal malicious payloads. This detection focuses on identifying unusual or unexpected Base64 decoding processes, particularly when associated with critical files or directories. By monitoring these activities, the analytic helps uncover potential threats, enabling security teams to respond promptly and mitigate risks associated with encoded malware or unauthorized data access.
Show query 
`linux_auditd` execve_command = "*base64*" AND execve_command IN ("*-d*", "* --d*")
  | rename host as dest
  | rename comm as process_name
  | rename exe as process
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY argc execve_command dest
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `linux_auditd_base64_decode_files_filter`
Showing 1-2 of 2
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh