You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Detect scheduled tasks created to establish persistence
Microsoft Windows
rg_functionality = "Microsoft Windows" AND baseeventid = 4698 AND (resourcecustomfield1 contains "/CREATE" AND resourcecustomfield1 contains "schtasks" AND resourcecustomfield1 contains "Wininet")
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and sourceprocessname ends with "schtasks.exe" AND (resourcecustomfield2 contains "/CREATE" AND resourcecustomfield2 contains "schtasks" AND resourcecustomfield2 contains "Wininet")
rg_functionality = "Endpoint Management Systems" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and destinationprocessname ends with "schtasks.exe" AND (resourcecustomfield1 contains "/CREATE" AND resourcecustomfield1 contains "schtasks" AND resourcecustomfield1 contains "Wininet")
Antivirus / Malware / EDR
rg_functionality = "Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and sourceprocessname ends with "schtasks.exe" AND (resourcecustomfield2 contains "/CREATE" AND resourcecustomfield2 contains "schtasks" AND resourcecustomfield2 contains "Wininet")
rg_functionality = "Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and destinationprocessname ends with "schtasks.exe" AND (resourcecustomfield1 contains "/CREATE" AND resourcecustomfield1 contains "schtasks" AND resourcecustomfield1 contains "Wininet")
Cloud Antivirus / Malware / EDR
rg_functionality = "Cloud Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and sourceprocessname ends with "schtasks.exe" AND (resourcecustomfield2 contains "/CREATE" AND resourcecustomfield2 contains "schtasks" AND resourcecustomfield2 contains "Wininet")
rg_functionality = "Cloud Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and destinationprocessname ends with "schtasks.exe" AND (resourcecustomfield1 contains "/CREATE" AND resourcecustomfield1 contains "schtasks" AND resourcecustomfield1 contains "Wininet")
Detects leveraging powershell to connect with C2
Microsoft Windows
rg_functionality = "Microsoft Windows" and (resourcecustomfield1 contains "powershell.exe" and resourcecustomfield1 contains "dllhost.exe" and resourcecustomfield1 contains "Invoke-WebRequest")
Endpoint Management Systems
rg_functionality = "Endpoint Management Systems" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and ((resourcecustomfield1 contains "powershell.exe" and resourcecustomfield1 contains "dllhost.exe" and resourcecustomfield1 contains "Invoke-WebRequest") OR (resourcecustomfield2 contains "powershell.exe" and resourcecustomfield2 contains "dllhost.exe" and resourcecustomfield2 contains "Invoke-WebRequest"))
Antivirus / Malware / EDR
rg_functionality = "Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and ((resourcecustomfield1 contains "powershell.exe" and resourcecustomfield1 contains "dllhost.exe" and resourcecustomfield1 contains "Invoke-WebRequest") OR (resourcecustomfield2 contains "powershell.exe" and resourcecustomfield2 contains "dllhost.exe" and resourcecustomfield2 contains "Invoke-WebRequest"))
Cloud Antivirus / Malware / EDR
rg_functionality = "Cloud Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and ((resourcecustomfield1 contains "powershell.exe" and resourcecustomfield1 contains "dllhost.exe" and resourcecustomfield1 contains "Invoke-WebRequest") OR (resourcecustomfield2 contains "powershell.exe" and resourcecustomfield2 contains "dllhost.exe" and resourcecustomfield2 contains "Invoke-WebRequest"))
rg_functionality = "Endpoint Management Systems" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and ((resourcecustomfield1 contains "Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart") OR (resourcecustomfield2 contains "Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart"))
Antivirus / Malware / EDR
rg_functionality = "Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and (("Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart") OR (resourcecustomfield2 contains "Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart"))
Cloud Antivirus / Malware / EDR
rg_functionality = "Cloud Antivirus / Malware / EDR" AND (deviceaction contains "Process Create" OR deviceaction contains "Childproc" OR deviceaction contains "ProcessRollup2" OR deviceaction contains "Procstart" OR deviceaction contains "Trace Executed Process") and ((resourcecustomfield1 contains "Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart") OR (resourcecustomfield2 contains "Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart"))
BPFDoor Malware
Detects empty PID file getting dropped
Unix / Linux / AIX
rg_functionality = "Unix / Linux / AIX" AND filename NOT NULL AND filename CONTAINS "haldrund.pid"
Detects the malicious binary names
Unix / Linux / AIX
rg_functionality = "Unix / Linux / AIX" AND deviceprocessname ENDS WITH "kdumpdb"
rg_functionality = "Unix / Linux / AIX" AND deviceprocessname ENDS WITH "kdumpflush"
Detects binaries run from shared memory location
Unix / Linux / AIX
rg_functionality = "Unix / Linux / AIX" AND resourcecustomfield5 NOT NULL AND resourcecustomfield5 CONTAINS "/bin/rm" AND resourcecustomfield5 CONTAINS "/bin/chmod" AND resourcecustomfield5 CONTAINS "/dev/shm/"
rg_functionality = "Unix / Linux / AIX" AND resourcecustomfield5 CONTAINS "/dev/shm/"
Detects traffic redirected to ports ranging from 42391-43391
Unix / Linux / AIX
rg_functionality = "Unix / Linux / AIX" AND resourcecustomfield5 NOT NULL AND resourcecustomfield5 CONTAINS "iptables -t nat" AND resourcecustomfield5 CONTAINS "REDIRECT –to-ports 42"
rg_functionality = "Unix / Linux / AIX" AND resourcecustomfield5 NOT NULL AND resourcecustomfield5 CONTAINS "iptables -t nat" AND resourcecustomfield5 CONTAINS "REDIRECT –to-ports 43"
F5 BIG-IP Unauthenticated RCE Vulnerability
Detects the exploit trying to abuse the vulnerability
Next Generation Firewall
rg_functionality="Next Generation Firewall" AND requesturl CONTAINS "/mgmt/tm/util/bash"
Firewall
rg_functionality="Firewall" AND requesturl CONTAINS "/mgmt/tm/util/bash"
Web Proxy
rg_functionality="Web Proxy" AND requesturl CONTAINS "/mgmt/tm/util/bash"
Traffic Manager
rg_functionality = "Traffic Manager" and rg_vendor = "F5 Networks" and deviceseverity = "notice" and resourcecustomfield2 = "Command OK" and resourcecustomfield4 CONTAINS "cmd_data=run" and resourcecustomfield4 CONTAINS " -c "