You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “odbcconf.exe” AND ((resourcecustomfield1 CONTAINS ” -f ” AND resourcecustomfield1 CONTAINS “.rsp”) OR (resourcecustomfield1 CONTAINS ” /F ” AND resourcecustomfield1 CONTAINS “.rsp”) OR (resourcecustomfield1 CONTAINS ” /A ” AND resourcecustomfield1 CONTAINS “REGSVR”) OR (resourcecustomfield1 CONTAINS ” -a ” AND resourcecustomfield1 CONTAINS “REGSVR”))
Vsingle Malware
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" OR rg_functionality = "OSQuery") AND (destinationusername CONTAINS "apache" OR destinationusername CONTAINS "apache2" OR destinationusername CONTAINS "www-data" OR destinationusername CONTAINS "nginx") AND resourcecustomfield2 contains "sh -c "wget"
Orbit Malware
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" OR rg_functionality = "OSQuery") AND resourcecustomfield2 contains "/bin/escalator"
YamaBot malware
Next Generation Firewall
rg_functionality = "Next Generation Firewall" AND method = POST AND (cookie contains "captcha_session" OR cookies contains "captcha_session" OR cscookie contains "captcha_session")
Web Proxy
rg_functionality = "Web Proxy" AND method = POST AND (cookie contains "captcha_session" OR cookies contains "captcha_session" OR cscookie contains "captcha_session")
Web Server
rg_functionality = "Web Server" AND method = POST AND (cookie contains "captcha_session" OR cookies contains "captcha_session" OR cscookie contains "captcha_session")
Lighting Framework Malware
Unix / Linux / AIX
rg_functionality = "Unix / Linux / AIX" AND resourcecustomfield5 CONTAINS "/usr/lib64/seahorses/" AND (resourcecustomfield5 CONTAINS "kbioset" OR resourcecustomfield5 CONTAINS "cpc" OR resourcecustomfield5 CONTAINS "kkdmflush" OR resourcecustomfield5 CONTAINS "soss" OR resourcecustomfield5 CONTAINS "sshod" OR resourcecustomfield5 CONTAINS "nethoogs" OR resourcecustomfield5 CONTAINS "iftoop" OR resourcecustomfield5 CONTAINS "iptraof")
SmokeLoader malware
Amadey Installation Path
Microsoft Windows
rg_functionality = "Microsoft Windows" AND (filename ends with "bguuwe.exe" or filepath ends with "9487d68b99\bguuwe.exe")
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" AND (filename ends with "bguuwe.exe" or filepath ends with "9487d68b99\bguuwe.exe")
Antivirus / Malware / EDR
rg_functionality = "Antivirus / Malware / EDR" AND (filename ends with "bguuwe.exe" or filepath ends with "9487d68b99\bguuwe.exe")
Cloud Antivirus / Malware / EDR
rg_functionality = "Cloud Antivirus / Malware / EDR" AND (filename ends with "bguuwe.exe" or filepath ends with "9487d68b99\bguuwe.exe")
Command registered to Task Scheduler
Microsoft Windows
rg_functionality = "Microsoft Windows" AND baseeventid = 4698 AND (resourcecustomfield1 contains "/Create" AND resourcecustomfield1 contains "/SC" AND resourcecustomfield1 contains "bguuwe.exe")
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and destinationprocessname ends with "schtasks.exe" AND (resourcecustomfield1 contains "/Create" AND resourcecustomfield1 contains "/SC" AND resourcecustomfield1 contains "bguuwe.exe")
rg_functionality = "Endpoint Management Systems" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and sourceprocessname ends with "schtasks.exe" AND (resourcecustomfield2 contains "/Create" AND resourcecustomfield2 contains "/SC" AND resourcecustomfield2 contains "bguuwe.exe")
Antivirus / Malware / EDR
rg_functionality = "Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and destinationprocessname ends with "schtasks.exe" AND (resourcecustomfield1 contains "/Create" AND resourcecustomfield1 contains "/SC" AND resourcecustomfield1 contains "bguuwe.exe")
rg_functionality = "Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and sourceprocessname ends with "schtasks.exe" AND (resourcecustomfield2 contains "/Create" AND resourcecustomfield2 contains "/SC" AND resourcecustomfield2 contains "bguuwe.exe")
Cloud Antivirus / Malware / EDR
rg_functionality = "Cloud Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and destinationprocessname ends with "schtasks.exe" AND (resourcecustomfield1 contains "/Create" AND resourcecustomfield1 contains "/SC" AND resourcecustomfield1 contains "bguuwe.exe")
rg_functionality = "Cloud Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and sourceprocessname ends with "schtasks.exe" AND (resourcecustomfield2 contains "/Create" AND resourcecustomfield2 contains "/SC" AND resourcecustomfield2 contains "bguuwe.exe")
H0lyGh0st ransomware
Endpoint Management Systems
rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND (destinationprocessname ENDS WITH “HolyRS.exe” or destinationprocessname ENDS WITH “HolyLocker.exe” or destinationprocessname ENDS WITH “BTLC.exe” or sourceprocessname ENDS WITH “HolyRS.exe” or sourceprocessname ENDS WITH “HolyLocker.exe” or sourceprocessname ENDS WITH “BTLC.exe”)
rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND resourcecustomfield1 contains "cmd.exe" AND resourcecustomfield1 contains "schtasks /create" AND resourcecustomfield1 contains "lockertask"
Maui Ransomware
This query looks for process creation of maui.exe
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" AND (deviceaction = "Process Create" OR deviceaction = "ProcessCreate" OR deviceaction = "Process Create (rule: ProcessCreate)" OR deviceaction = "ProcessRollup2" OR deviceaction = "SyntheticProcessRollUp2" OR deviceaction = "WmiCreateProcess" OR deviceaction = "Trace Executed Process" OR deviceaction = "Process" OR deviceaction = "Childproc" OR deviceaction = "Procstart" OR deviceaction = "Process Activity: Launched") AND (destinationprocessname = "maui.exe or sourceprocessname = "maui.exe")
This query looks for the malicious files that are generated post execution of maui.exe
Endpoint Management Systems
rg_functionality= "Endpoint Management Systems" AND deviceaction IN ("PeFileWritten","MachOFileWritten","ZipFileWritten","PdfFileWritten","GenericFileWritten","file.added","XarFileWritten","DwgFileWritten","OoxmlFileWritten","DmpFileWritten","SevenZipFileWritten","OleFileWritten","JarFileWritten","filemod","RarFileWritten","RtfFileWritten","BZip2FileWritten","SuspiciousEseFileWritten","Trace File Operations","File created","IdwFileWritten","TarFileWritten","File created (rule: FileCreate)","GzipFileWritten","PngFileWritten ","JpegFileWritten","CabFileWritten","GifFileWritten","BmpFileWritten") and (filename = "maui.key" or filename = "maui.evd" OR filename = "maui.log" OR filename = "maui.exe" OR filename = "aui.exe")
Lockbit Ransomware
This query detects the reconnaissance & credentials extraction activity via malicious processes such as mimikatz / netscan
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" AND (deviceaction = "Process Create" OR deviceaction = "ProcessCreate" OR deviceaction = "Process Create (rule: ProcessCreate)" OR deviceaction = "ProcessRollup2" OR deviceaction = "SyntheticProcessRollUp2" OR deviceaction = "WmiCreateProcess" OR deviceaction = "Trace Executed Process" OR deviceaction = "Process" OR deviceaction = "Childproc" OR deviceaction = "Procstart" OR deviceaction = "Process Activity: Launched") AND (sourceprocessname = "mimikatz.exe" OR destinationprocessname = "mimikatz.exe" OR sourceprocessname = "netscan.exe" OR destinationprocessname = "netscan.exe"
This query detects suspicious launch of spoolfool.exe
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" AND (deviceaction = "Process Create" OR deviceaction = "ProcessCreate" OR deviceaction = "Process Create (rule: ProcessCreate)" OR deviceaction = "ProcessRollup2" OR deviceaction = "SyntheticProcessRollUp2" OR deviceaction = "WmiCreateProcess" OR deviceaction = "Trace Executed Process" OR deviceaction = "Process" OR deviceaction = "Childproc" OR deviceaction = "Procstart" OR deviceaction = "Process Activity: Launched") AND ((sourceprocessname = "cmd.exe" AND destinationprocessname = "spoolfool.exe")) OR ((sourceprocessname = "powershell.exe" AND destinationprocessname = "spoolfool.exe")) OR ((sourceprocessname = "powershell.exe" AND destinationprocessname = "net.exe"))
These queries detects for rare command lines and filenames executed via psexec process as well as the bypass of windows defender monitoring
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" AND (deviceaction = "Process Create" OR deviceaction = "ProcessCreate" OR deviceaction = "Process Create (rule: ProcessCreate)" OR deviceaction = "ProcessRollup2" OR deviceaction = "SyntheticProcessRollUp2" OR deviceaction = "WmiCreateProcess" OR deviceaction = "Trace Executed Process" OR deviceaction = "Process" OR deviceaction = "Childproc" OR deviceaction = "Procstart" OR deviceaction = "Process Activity: Launched") AND (sourceprocessname = psexec.exe OR sourceprocessname = "psexesvc.exe") | RARE filename resourcecustomfield1
rg_functionality = "Endpoint Management Systems" AND (deviceaction = "Process Create" OR deviceaction = "ProcessCreate" OR deviceaction = "Process Create (rule: ProcessCreate)" OR deviceaction = "ProcessRollup2" OR deviceaction = "SyntheticProcessRollUp2" OR deviceaction = "WmiCreateProcess" OR deviceaction = "Trace Executed Process" OR deviceaction = "Process" OR deviceaction = "Childproc" OR deviceaction = "Procstart" OR deviceaction = "Process Activity: Launched") AND sourceprocessname = "psexesvc.exe" AND resourcecustomfield1 CONTAINS "cmd.exe /c" AND (resourcecustomfield1 CONTAINS "1.cmd" OR resourcecustomfield1 CONTAINS "rdp.bat")
rg_functionality = "Endpoint Management Systems" AND (deviceaction = "Process Create" OR deviceaction = "ProcessCreate" OR deviceaction = "Process Create (rule: ProcessCreate)" OR deviceaction = "ProcessRollup2" OR deviceaction = "SyntheticProcessRollUp2" OR deviceaction = "WmiCreateProcess" OR deviceaction = "Trace Executed Process" OR deviceaction = "Process" OR deviceaction = "Childproc" OR deviceaction = "Procstart" OR deviceaction = "Process Activity: Launched") AND sourceprocessname = "powershell.exe" AND resourcecustomfield1 CONTAINS "-Command Add-MpPreference -ExclusionPath *C:\\"
This query detects the creation of accounts to elevate privileges
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" AND resourcecustomfield1 CONTAINS "add" AND (resourcecustomfield1 CONTAINS "C:\Windows\system32\net1 user /domain" OR resourcecustomfield1 CONTAINS "C:\Windows\system32\net1 user /domain" OR (resourcecustomfield1 CONTAINS "C:\Windows\system32\net1 group) AND resourcecustomfield1 CONTAINS "domain admins"))
This query looks for cmd.exe which creates different child processes in order to prepare the machine for encryption
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" AND (resourcecustomfield1 CONTAINS "vssadmin delete shadows /all /quiet" OR resourcecustomfield1 CONTAINS "bcdedit /set {default} recoveryenabled No" OR resourcecustomfield1 CONTAINS "wmic SHADOWCOPY /nointeractive" OR (resourcecustomfield1 CONTAINS "fsutil file setZeroData offset=0 length=524288" AND resourcecustomfield1 CONTAINS "C:\Windows\LockBit_"))
Microsoft Windows
rg_functionality = "Microsoft Windows" AND (filename ends with ".HLJkNskOq" or filepath ends with ".HLJkNskOq")
Antivirus / Malware / EDR
rg_functionality = "Antivirus / Malware / EDR" AND (filename ends with ".HLJkNskOq" or filepath ends with ".HLJkNskOq")
Antivirus / Malware / EDR
rg_functionality = "Antivirus / Malware / EDR" AND (filename ends with ".HLJkNskOq" or filepath ends with ".HLJkNskOq")
Cloud Antivirus / Malware / EDR
rg_functionality = "Cloud Antivirus / Malware / EDR" AND (filename ends with ".HLJkNskOq" or filepath ends with ".HLJkNskOq")
8220 Gang
Endpoint Management Systems / OSQuery
(rg_functionality = "Endpoint Management Systems" OR rg_functionality = "OSQuery") AND resourcecustomfield2 contains "bash -c" AND resourcecustomfield2 contains "curl -s http://" AND (resourcecustomfield2 contains "/spirit" OR resourcecustomfield2 contains "/pasx" OR resourcecustomfield2 contains "/masscan")
(rg_functionality = "Endpoint Management Systems" OR rg_functionality = "OSQuery") AND resourcecustomfield2 contains "wget" AND (resourcecustomfield2 contains "/spirit" OR resourcecustomfield2 contains "/pasx" OR resourcecustomfield2 contains "/masscan")
STIFF#BIZON
Next Generation Firewall / Web Application Firewall / Web Server / Web Proxy
(rg_functionality = “Next Generation Firewall” OR rg_functionality = “Web Application Firewall” OR rg_functionality = “Web Server” OR rg_functionality = “Web Proxy”) AND (requesturl CONTAINS “info.php?name=” OR requesturl CONTAINS “dn.php?name=” OR requesturl CONTAINS “up.php?name=”)
Endpoint Management Systems
rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “rundll32.exe” AND resourcecustomfield1 CONTAINS ” iiiiiiii “
rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND resourcecustomfield1 CONTAINS “\AppData\Local\” AND resourcecustomfield1 CONTAINS “\User Data\Local State”
rg_functionality = “Endpoint Management Systems” AND (deviceaction ENDS WITH “Written” OR deviceaction = “File created”) AND destinationprocessname ENDS WITH “powershell.exe” AND filepath CONTAINS “\appdata\local\temp\rr” AND filepath CONTAINS “.tar.gz”
rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND resourcecustomfield1 CONTAINS “cd /d” AND resourcecustomfield1 CONTAINS ” dir ” AND resourcecustomfield1 CONTAINS ” /a/o-d/s ” AND resourcecustomfield1 CONTAINS ” *.”
rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “expand.exe” AND resourcecustomfield1 CONTAINS “.cab” AND resourcecustomfield1 CONTAINS “-f:” AND sourceprocessname ENDS WITH “cmd.exe”
rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “rundll32.exe” AND resourcecustomfield1 CONTAINS “cmd.exe” AND resourcecustomfield1 CONTAINS “/c”
rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “reg.exe” AND resourcecustomfield1 CONTAINS ” add ” AND resourcecustomfield1 CONTAINS “console” AND resourcecustomfield1 CONTAINS “codepage” AND resourcecustomfield1 CONTAINS “65001”
(rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”)) AND (destinationprocessname ENDS WITH “reg.exe” AND resourcecustomfield1 CONTAINS ” add “) AND ((resourcecustomfield1 CONTAINS “system\currentcontrolset\services” AND resourcecustomfield1 CONTAINS “reg_expand_sz”) OR (resourcecustomfield1 CONTAINS “software\microsoft\windows nt\currentversion\svchost” AND resourcecustomfield1 CONTAINS “reg_multi_sz”))
rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “ProcessCreate” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “SyntheticProcessRollUp2” OR deviceaction = “WmiCreateProcess” OR deviceaction = “Trace Executed Process” OR deviceaction = “Process” OR deviceaction = “Childproc” OR deviceaction = “Procstart” OR deviceaction = “Process Activity: Launched”) AND destinationprocessname ENDS WITH “sc.exe” AND resourcecustomfield1 CONTAINS ” failure ” AND resourcecustomfield1 CONTAINS ” reset=” AND resourcecustomfield1 CONTAINS ” actions=”