Vendor-native detections for T1100

2 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Chronicle (YARA-L) · Original YARA-L · T1100
atlassian_confluence_download_attachments_remote_code_executiondirectory_traversal
Detects Atlassian Confluence RCE via Attachment Download. Sample regex added to detect directory traversal, it can be improved. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule atlassian_confluence_download_attachments_remote_code_executiondirectory_traversal {
  meta:
    author = "Halil Ibrahim Cosgun"
    description = "Detects Atlassian Confluence RCE via Attachment Download. Sample regex added to detect directory traversal, it can be improved.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/pCBpTAya0HBi"
    version = "0.01"
    created = "2021-03-09"
    product = "proxy"
    mitre = "initial_access, persistence, privilege_escalation, T1190, T1100"

  events:
    ($selection.network.http.method = "POST" and re.regex($selection.target.url, `/plugins/drag-and-drop/upload\.action\?pageId.*&filename=^\(\?!\..*\\/\.\\/\.\)\.{0,200}$.*&size=.*&mimeType=.*atl_token=.*&name=^\(\?!\..*\\/\.\\/\.\)\.{0,200}$.*`))

  condition:
    $selection
}
Chronicle (YARA-L) · Original YARA-L · T1064
turla_backdoor_sysmon
Turla Backdoor Detector. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.
rule turla_backdoor_sysmon {
  meta:
    author = "Dmitriy Dyakon, SOC Prime"
    description = "Turla Backdoor Detector.  License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md."
    reference = "https://tdm.socprime.com/tdm/info/vYABlVudO8eM"
    version = "0.01"
    created = "2018/01/02"
    product = "windows"
    service = "sysmon"
    mitre = "T1064, T1100, Command and Control"

  events:
    ($selection_hashes.metadata.product_event_type = "1" and ($selection_hashes.target.file.md5 = "fd898c5a4cd57c3e9cef41f6fd4f71a7" or $selection_hashes.target.file.md5 = "9dab3dd7b7e7f4980397da908fbc9ff7" or $selection_hashes.target.file.md5 = "3eb5f44492ce1147790450d950954a52"))

  condition:
    $selection_hashes
}