
Deployable detection rules

4 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Filter: technique T1572 (Protocol Tunneling)

Detections

Elastic · KQL · severity high · T1572
Deprecated - Potential DNS Tunneling via Iodine
Iodine is a tool for tunneling IPv4 traffic over the DNS protocol to circumvent firewalls, network security groups and network access lists while evading detection. The query keys only on a Linux process start whose name is the iodine client (iodine) or server (iodined); a renamed binary is not covered.
Query:
event.category:process and host.os.type:linux and event.type:(start or process_started) and process.name:(iodine or iodined)
Elastic · EQL · severity medium · T1572
Deprecated - Potential Protocol Tunneling via Chisel Server
This rule monitors for common command-line flags used by the Chisel server utility, followed within one minute by a connection accepted by the same process from a non-loopback address. Chisel is a command-line utility for creating and managing TCP and UDP tunnels, enabling port forwarding and secure communication between machines. Attackers can abuse it to establish covert communication channels, bypass network restrictions and reach internal systems through tunnels that allow unauthorized access. Note that the first stage matches on arguments rather than the binary name, but requires the parent to be an interactive shell.
Query:
sequence by host.id, process.entity_id with maxspan=1m
  [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 
   process.args == "server" and process.args in ("--port", "-p", "--reverse", "--backend", "--socks5") and 
   process.args_count >= 3 and process.parent.name in ("bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish")]
  [network where host.os.type == "linux" and event.type == "start" and event.action == "connection_accepted" and 
   destination.ip != null and destination.ip != "127.0.0.1" and destination.ip != "::1" and 
   not process.name : (
     "python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat", "telnet", "awk", "java",
     "ftp", "socat", "curl", "wget", "dpkg", "docker", "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo")]
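The two-stage correlation above, re-implemented in Python and run over constructed sample events, as an added example that is not part of the Elastic rule. Field names mirror ECS; the hosts, process IDs and addresses are made up. Besides the true positive it includes cases the rule does not fire on (a connection outside the one-minute window, an excluded process name, and a server launched from cron rather than a shell) so the rule's preconditions are visible.

```python
# Added example: Python emulation of the Elastic EQL sequence for Chisel server
# detection, applied to constructed (not real) telemetry.
from datetime import datetime, timedelta

SHELLS = {"bash", "dash", "ash", "sh", "tcsh", "csh", "zsh", "ksh", "fish"}
SERVER_FLAGS = {"--port", "-p", "--reverse", "--backend", "--socks5"}
# Second-stage exclusions; a trailing "*" is a prefix wildcard, as in the EQL `process.name : (...)`.
EXCLUDED_NAMES = ["python*", "php*", "perl", "ruby", "lua*", "openssl", "nc", "netcat", "ncat",
                  "telnet", "awk", "java", "ftp", "socat", "curl", "wget", "dpkg", "docker",
                  "dockerd", "yum", "apt", "rpm", "dnf", "ssh", "sshd", "hugo"]
MAXSPAN = timedelta(minutes=1)


def _name_excluded(name):
    for pat in EXCLUDED_NAMES:
        if pat.endswith("*") and name.startswith(pat[:-1]):
            return True
        if not pat.endswith("*") and name == pat:
            return True
    return False


def is_chisel_server_exec(ev):
    """Stage 1: shell-spawned exec whose argv contains 'server' plus a listener flag."""
    args = ev.get("process.args", [])
    return (ev.get("event.category") == "process"
            and ev.get("host.os.type") == "linux"
            and ev.get("event.type") == "start"
            and ev.get("event.action") == "exec"
            and "server" in args                        # EQL array equality: any element matches
            and bool(SERVER_FLAGS.intersection(args))   # EQL `process.args in (...)`
            and len(args) >= 3
            and ev.get("process.parent.name") in SHELLS)


def is_accepted_connection(ev):
    """Stage 2: accepted inbound connection, not loopback, not from a listed tool."""
    dst = ev.get("destination.ip")
    return (ev.get("event.category") == "network"
            and ev.get("host.os.type") == "linux"
            and ev.get("event.type") == "start"
            and ev.get("event.action") == "connection_accepted"
            and dst is not None and dst not in ("127.0.0.1", "::1")
            and not _name_excluded(ev.get("process.name", "")))


def find_chisel_sequences(events):
    """Emulate `sequence by host.id, process.entity_id with maxspan=1m`.

    Returns (exec_event, network_event) pairs where an accepted connection by the
    same process follows the qualifying exec within MAXSPAN."""
    pending = {}   # (host.id, process.entity_id) -> most recent stage-1 event
    hits = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev.get("host.id"), ev.get("process.entity_id"))
        if is_chisel_server_exec(ev):
            pending[key] = ev
        elif is_accepted_connection(ev) and key in pending:
            if ev["@timestamp"] - pending[key]["@timestamp"] <= MAXSPAN:
                hits.append((pending.pop(key), ev))
    return hits


# Constructed sample telemetry (not real logs).
T0 = datetime(2024, 1, 1, 12, 0, 0)

def _proc(host, pid, name, args, parent, ts):
    return {"@timestamp": ts, "event.category": "process", "event.type": "start",
            "event.action": "exec", "host.os.type": "linux", "host.id": host,
            "process.entity_id": pid, "process.name": name, "process.args": args,
            "process.parent.name": parent}

def _conn(host, pid, name, dst, ts):
    return {"@timestamp": ts, "event.category": "network", "event.type": "start",
            "event.action": "connection_accepted", "host.os.type": "linux", "host.id": host,
            "process.entity_id": pid, "process.name": name, "destination.ip": dst}

SAMPLE_EVENTS = [
    # 1. chisel server started from bash, a client connects 20 s later -> alert
    _proc("web-01", "p1", "chisel", ["chisel", "server", "--port", "8000", "--reverse"], "bash", T0),
    _conn("web-01", "p1", "chisel", "10.0.0.5", T0 + timedelta(seconds=20)),
    # 2. same start, but the connection arrives after 5 min -> outside maxspan, no alert
    _proc("web-02", "p2", "chisel", ["chisel", "server", "-p", "9000"], "sh", T0),
    _conn("web-02", "p2", "chisel", "10.0.0.6", T0 + timedelta(minutes=5)),
    # 3. sshd accepting a login: excluded name and no stage-1 event -> no alert
    _conn("web-01", "p3", "sshd", "10.0.0.7", T0 + timedelta(seconds=30)),
    # 4. renamed binary launched from cron rather than a shell -> parent check fails, no alert
    _proc("web-03", "p4", "svc", ["svc", "server", "--socks5"], "cron", T0),
    _conn("web-03", "p4", "svc", "10.0.0.8", T0 + timedelta(seconds=5)),
]

if __name__ == "__main__":
    for exec_ev, net_ev in find_chisel_sequences(SAMPLE_EVENTS):
        print(f"{exec_ev['host.id']}: {' '.join(exec_ev['process.args'])} -> "
              f"accepted connection ({net_ev['destination.ip']}) at {net_ev['@timestamp']:%H:%M:%S}")
```

Running it prints the single web-01 hit. Case 4 is worth noting when tuning: the rule ignores process.name, so a renamed chisel binary is still caught as long as its parent is one of the listed shells, but a server started by cron, systemd or another non-shell parent is not.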
Splunk ESCU · SPL · T1572
Windows Potential Cloudflared Network Connection
This analytic detects network connection events possibly associated with the cloudflared tool, which creates tunnels via Cloudflare. Cloudflared is functionally very similar to ngrok, an ingress-as-a-service tool. It reaches out to the Cloudflare edge servers, creating an outbound connection over HTTPS (HTTP/2 or QUIC), through which the tunnel's controller makes services or private networks accessible. The query keys on destination port 7844, so it does not identify the originating process; any traffic to that port from the monitored network will surface.
Query:
| tstats `security_content_summariesonly`
    count min(_time) as firstTime
          max(_time) as lastTime
          values(All_Traffic.src_port) as src_port
  from datamodel=Network_Traffic.All_Traffic
  where All_Traffic.dest_port=7844
  by All_Traffic.action All_Traffic.app All_Traffic.dest
     All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.direction
     All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version
     All_Traffic.src All_Traffic.src_ip All_Traffic.transport
     All_Traffic.user All_Traffic.vendor_product
| `drop_dm_object_name(All_Traffic)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_potential_cloudflared_network_connection_filter`
Splunk ESCU · SPL · T1572
Windows Potential Cloudflared Tunnel Execution
This analytic detects command-line arguments associated with the cloudflared client used to create Cloudflare tunnels. Cloudflared is functionally very similar to ngrok, an ingress-as-a-service tool. It reaches out to the Cloudflare edge servers, creating an outbound connection over HTTPS (HTTP/2 or QUIC), through which the tunnel's controller makes services or private networks accessible. The query matches any process whose command line contains "tunnel" together with either "run" and "token" (a named tunnel started with a token) or "--url" and "localhost" (a quick tunnel exposing a local port); it does not check the process name, so a renamed cloudflared binary is still covered.
Query:
| tstats `security_content_summariesonly`
    count min(_time) as firstTime
          max(_time) as lastTime
  from datamodel=Endpoint.Processes
  where Processes.process="*tunnel*"
    AND (
      (Processes.process="*run*" AND Processes.process="*token*")
      OR
      (Processes.process="*--url*" AND Processes.process="*localhost*")
    )
  by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
     Processes.parent_process_name Processes.parent_process_exec Processes.action
     Processes.dest Processes.process_current_directory Processes.process_path
     Processes.process_integrity_level Processes.original_file_name Processes.parent_process
     Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id
     Processes.process_guid Processes.process_id Processes.user Processes.process_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_potential_cloudflared_tunnel_execution_filter`
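Both cloudflared analytics above (the command-line rule here and the port-7844 network rule before it), expressed in Python and run over constructed Windows process and network events. This is an added example, not Splunk ESCU code. Field names follow the Endpoint.Processes and Network_Traffic.All_Traffic data-model fields the queries use; the hostnames, users, command lines and addresses are invented, and 203.0.113.10 is a documentation address standing in for a Cloudflare edge. The wildcard matching assumes a case-insensitive `*x*` substring comparison, a simplification of Splunk's own matching.

```python
# Added example: Python equivalents of the two Splunk ESCU cloudflared analytics,
# applied to constructed (not real) events.
import fnmatch

CLOUDFLARED_TUNNEL_PORT = 7844   # dest_port the network analytic keys on


def _like(value, pattern):
    """Case-insensitive wildcard match standing in for Splunk's field="*x*" (assumption)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_cloudflared_tunnel_cmdline(process):
    """Endpoint analytic: 'tunnel' AND (('run' AND 'token') OR ('--url' AND 'localhost'))."""
    return _like(process, "*tunnel*") and (
        (_like(process, "*run*") and _like(process, "*token*"))
        or (_like(process, "*--url*") and _like(process, "*localhost*")))


def is_cloudflared_network_connection(event):
    """Network analytic: any flow whose destination port is 7844, regardless of process."""
    return event.get("dest_port") == CLOUDFLARED_TUNNEL_PORT


def run_cloudflared_analytics(process_events, traffic_events):
    """Return the events each analytic would surface, keyed by analytic name."""
    return {
        "Windows Potential Cloudflared Tunnel Execution":
            [e for e in process_events if is_cloudflared_tunnel_cmdline(e["process"])],
        "Windows Potential Cloudflared Network Connection":
            [e for e in traffic_events if is_cloudflared_network_connection(e)],
    }


# Constructed sample events (not real telemetry).
PROCESS_EVENTS = [
    # named tunnel started with a token -> flagged
    {"dest": "WS01", "user": "j.doe", "process_name": "cloudflared.exe",
     "process": "cloudflared.exe tunnel run --token eyJhIjoiMTIzNCJ9"},
    # quick tunnel exposing RDP on localhost -> flagged
    {"dest": "WS01", "user": "j.doe", "process_name": "cloudflared.exe",
     "process": "cloudflared.exe tunnel --url http://localhost:3389"},
    # administrative enumeration: 'tunnel' without token/--url -> not flagged
    {"dest": "WS02", "user": "a.smith", "process_name": "cloudflared.exe",
     "process": "cloudflared.exe tunnel list"},
    # unrelated command line containing the word 'tunnel' -> not flagged
    {"dest": "WS02", "user": "a.smith", "process_name": "powershell.exe",
     "process": "powershell.exe -c Get-ChildItem tunnel_configs"},
]

TRAFFIC_EVENTS = [
    {"src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "dest_port": 7844, "transport": "udp", "action": "allowed"},
    {"src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "dest_port": 443, "transport": "tcp", "action": "allowed"},
]

if __name__ == "__main__":
    for name, matches in run_cloudflared_analytics(PROCESS_EVENTS, TRAFFIC_EVENTS).items():
        print(f"{name}: {len(matches)} match(es)")
        for m in matches:
            print("  ", m.get("process") or f"{m['src_ip']} -> {m['dest_ip']}:{m['dest_port']}/{m['transport']}")
```

Two tuning points fall out of the sample: the endpoint rule fires on the command line alone, so a legitimate tunnel run by an administrator looks identical to an attacker's and the `_filter` macro is where known-good hosts or users belong; and the network rule has no process context, so pairing a 7844 hit with a process event from the same host is the quickest way to confirm it.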